As seemingly everyone is moving toward working online, security concerns are being thrown to the wayside with troubling consequences. A recent occurrence at a hot start-up made me seriously think twice about how safe our online data is from malicious eyes.
One of the main themes of Web 2.0 is the large-scale migration to the ‘cloud’. Many work-related tasks such as email, word processing, day planning, and idea sharing are being done online rather than on the desktop or across the desk. Hordes of users and technologists sing unmitigated praises of online applications and collaboration services. I too love the ability to quickly and easily collaborate on an online documents with my co-workers or clients.
We are so focused on the benefits of working online that we often forget the serious drawbacks which include access and data security. The chief drawback for me is the fact that my data is sometimes only one login screen or checkbox away from being seen by anyone, including those that would use the information in egregious ways. In some cases, my data is even more exposed than that.
A Story of Prying Eyes
Some time ago, the subject of security of online applications came up as I spoke to a CEO of a hot internet start-up that had a typically modern, hand-wavy policy on storing and sharing data online. Most people at the start-up were happy to take advantage of the benefits that various online applications offered.
At one point, the start-up and one of the online services that was frequently used internally (let’s call it ShareDataOnline Inc.), entered partnership talks because certain synergies existed between the two. Soon after, the partnership came to a rocky end, when the start-up realized that ShareDataOnline Inc. was entering the marketplace with a competing product. All the meanwhile, the start-up was storing vital data on ShareDataOnline’s online service.
The first thought that crossed my mind when hearing this was whether ShareDataOnline Inc. stole product ideas and details or other critical information that they could have used for their own gain. Later, when I compared the two, I noticed eerily close similarities between them. Needless to say, the start-up halted using ShareDataOnline’s service, but as far as I know, the practice of online data storage and sharing in various capacities continues at the company.
Security Considerations for Anyone Using Online Applications
I find it disturbing to see many companies continuing to store critical data on third-party online services like Google Docs, Google Sites, Zoho, Basecamp, and so on. Sometimes, the companies hosting the said data are competitors of those companies using their online services. Call me jaded, but it seems quite naive to have absolute faith that the service providers will not ‘peek’ at data that can help them stay ahead of their competition and make vasts amounts of money in the process.
Privacy and security on online websites go far beyond a user’s personal information or usage data. It often involves critical data such as sales numbers, strategy documents, business outlooks, and internal dialogue surrounding sensitive issues. By using online sites to facilitate the storing and sharing of such information, users can unintentionally make it visible to individuals, competitors, business partners, and others that would otherwise be prohibited from seeing it.
Online data can be unintentionally made visible in three main ways. It can be exposed by
User error. I personally once ‘made public’ an internal strategy document of my firm by accidentally selecting a ‘Make public’ checkbox. Luckily, I quickly realized my error before it was seen by our competitors or was indexed by a search engine like Google, which keeps archives of web pages.
Prying eyes. If your organization is or can be a competitor of or is otherwise doing business with the online service hosting your information, you should consider the possibility that someone may peek at your data. I once considered the online service that I mentioned in the above story to be very reputable.
Technical error. This may be shocking to some readers, but on some online services making a page ‘private’ means leaving it out of the index and kindly asking spiders to omit those pages. These ‘private’ pages do not even lie behind login.
Danger also lies in the actual code of the web application. Some online services are simply poorly developed and do not adequately secure private pages. Novice hackers can easily break password-protected pages with simple SQL injections and by other archaic means.
Also, some development platforms have known security susceptibilities that can be exploited by more advanced hackers-say ones that your competition can hire.
Despite security concerns, using online applications can improve productivity in an organization. It is important to understand when it makes sense to put data at risk. You should NOT share and store data on an online service unless:
- You don’t mind that critical data can be compromised by a user in your organization accidentally making it publicly visible
- You don’t mind the hosting service ‘peeking’ at your data
- You don’t mind your data being accidentally made public due to a technical reason
If you do mind any of the above, you should take a long hard look at your online data storing and sharing practices.
Why did I chose to write about security of online applications on a blog about user experience? User experience professionals usually work on critical product strategy and should always take care to keep data confidential and safe from malicious eyes. Make sure to clear it with your client anytime you put data online.