How to have a trusted Internet?
The security of websites and of workstations is an extensively treated subject; the security of the communications themselves is far less so. Encrypting them with SSL is not sufficient for some businesses.
The issue: the traceability of your users (customers) by third parties
The tracing of your users by operators is inevitable: telcos, ISPs, mobile operators, etc. almost all retain detailed audit trails. In most countries, this retention is a legal obligation (in Europe, for instance, an EU directive requires every operator to retain such data for between 6 months and 2 years). Without adequate measures, there is nothing that your organization can do to prevent this.
The data kept by operators represent a complete history of what your customers do on your site. At a minimum, they include your client's unique ID, the sites visited, the date and duration of connections, and the amount of data exchanged. These data are easily searchable using queries. For example: who has been connecting to your company's website, and how often, over those two years?
The risk: the disclosure of the identity of your users
These connection traces are poorly protected by telecom operators and ISPs: they generally regard them as non-strategic and non-sensitive, as a cost centre; their business culture is seldom based on data protection; finally, they traditionally rely on many subcontractors with high turnover, increasing the likelihood of uncontrolled access to these data, as regularly shown in the news.
What are the possible impacts of such disclosures?
- Identity theft and use by criminal groups.
- Public smear campaigns, pressure, blackmail. These risks may be high depending on the country.
- Reputational and commercial risk for the enterprise itself.
- Vector of economic espionage.
A sharply increasing risk
Identity disclosure is a booming risk and business, driven by criminal groups who see it as an accessible growth driver and by an increasing number of dishonest employees, especially among telecom operators. It carries little risk for the perpetrator because it involves no money flow, and it is also more rewarding because of its potential impact and the fees offered by those who commission it.
These risks are clearly underestimated by many targeted organizations. However, they can:
- Occur very rapidly: an identity theft at the operator level can consist simply of taking a poorly protected computer file from the operator.
- Multiply: a single leaked file can involve many of your users / customers, in great detail (their entire history).
Our advice as professionals: Treat this risk before it happens! Our solutions are designed for it.