Good: Companies Care About Data Privacy Bad: No Idea How To Protect It

Esther Schindler writes: Research performed by Dimensional Research demonstrated something most of us know: Just about every business cares about data privacy, and intends to do something to protect sensitive information. But when you cross-tabulate the results to look more closely at what organizations are actually doing to ensure that private data stays private, the results are sadly predictable: While smaller companies care about data privacy just as much as big ones do, they're ill-equipped to respond. What's different is not the perceived urgency of data privacy and other privacy/security matters. It's what companies are prepared (and funded) to do about it. For instance: "When it comes to training employees on data privacy, 82% of the largest organizations do tell the people who work for them the right way to handle personally identifiable data and other sensitive information. Similarly, 71% of the businesses with 1,000-5,000 employees offer such training. However, even though smaller companies are equally concerned about the subject, that concern does not trickle down to the employees quite so effectively. Half of the midsize businesses offer no such training; just 39% of organizations with under 100 employees regularly train employees on data privacy."

Re:Fairly easy way to protect data.

1) Stop using cloud-infrastructure for storage.
Essentially the reason stuff gets stolen in the first place is because someone's client is compromised, which is a lot easier to do than hacking into the cloud storage itself.
2) Stop using virtual machines on "the real network", because it's a lot easier to just pull a virtual machine image, and run it on a "hostile" machine, all the well impersonating the hypervisor of the real machine. Why bruteforce over the network when you can just patch the login process to accept any password or key by accessing the storage itself.

Those are the most important "painting ourselves into a corner" we are doing to ourselves right now for both privacy and security. The average data leak right now is a result of using off-the-shelf open-source software like Wordpress, and not keeping on top of security updates to the entire *AMP stack. Nobody has time for this, and letting the computer update itself is an even WORSE prospect as it will restart itself and open itself to MiM attacks in the process, it doesn't matter if an update is signed if you can just hijack the entire update process to change the expected checksums.

Like right now, the weakest thing I have to deal with in linux is the auto-update process that doesn't work at all. Why does the yum have to take up 500MB of ram just to stay resident checking for updates. That is ass-backwards wrong and needs to stop. Someone please figure out how to make an auto-update process not grind the machine to a halt why they are at it.

So how do we protect privacy?
1) Stop outsourcing. This includes both "clouding" information, and hiring people outside the organization, or outside the country that need access to that data to do their job. Your phone company should not be outsourcing customer service to a third party, let alone a third party in India. The Indians in this case don't value privacy and will sell your private information for a nickel just because they can and can't be held responsible for it since they aren't in the US.
2) Make US Privacy laws explicitly prohibit the "clouding" or "outsourcing" of customer information. That information needs to be stored on company-owned-and-maintained hardware that has the safegaurds. There is no reason why a customer at Target should have their privacy information available to the check-out clerk by indexing their credit card number. That's beyond stupid. Every time we make things more convienent to a customer, we are putting their private information at risk. De-centralize data storage so that data acquired at one location isn't shared with other locations unless that customer opt's in to connecting it. That's how banks work. Banks somehow are less stupid on this front, but are still stupid about verification.
3) Social engineering... quit hiring morons. Instead of pushing down wages by constantly trying to poach smart people from other businesses to avoid training people to not be morons. Actually have internal security audits from "customers" that are really security people check that the representatives are doing their job properly and not just blindly believing every stupid thing someone says.