Urban myths exist in every aspect of our lives, even our professional lives. Every industry has popular myths, and I’ve heard my share of data privacy and data security myths in the online community engagement space – from using a simple website to a one-time installation of security software as ways to address security and privacy.
Online community engagement can be incredibly effective in building trust, reaching a wider audience and achieving greater citizen participation in the matters that affect them. Organizations, both public and private, need to prioritize protection of citizens’ information when considering online engagement options, and efforts to protect online information shouldn’t be derailed by belief in common misconceptions.
Here are four of the most commonly held misconceptions related to the security of online community engagement and the truth about them.
Myth 1: A simple website is all that’s needed for a secure, online public engagement platform
It depends. It can be very tempting to sign up on a simple website-hosting platform and create a space to engage with communities online. User interfaces look relatively easy to comprehend and navigate. Additionally, there are third-party plugins and widgets that can be added in order to create a survey or invite comments when required. This is a perfectly reasonable and cost-effective option for small bloggers, personal websites and start-ups looking to shape an online presence for themselves.
Oftentimes, these common website builders rely on individual users to update and add security features. Plugins and widgets added to a website like a comments section or a survey tool can be useful features, but they are often open-source and can serve as entry points for hackers. Then there is all of the work that goes into managing the hosting and operations of the service.
Any organization that collects or handles an individual’s personal data will need to pay greater attention to the security measures in place to protect said information. In the case of a private institution, like a bank, individuals can simply move their account to another if they feel their information is not secure. However, in the case of public engagement platforms, citizens of a community must be able to access and participate in civic issues that affect them in a safe environment.
Underestimating the need for stronger security measures initially may prove to be a much bigger headache at a later time. Data breaches or malicious attacks that can potentially corrupt an entire system are extremely difficult to deal with after the attack has occurred. Recovery of this data may prove more expensive in the long run, and sometimes valuable information could be irrevocably lost. Additionally, regaining trust in the organization after a breach is an uphill battle.
Myth 2: Hackers don’t care about small- and mid-sized communities’ data online. They’re out to catch the big fish.
This is a huge misconception. Large-scale jewelry and bank heists may capture our attention and the headlines but we are well aware that regular pickpockets, muggers, and robbers cause their own brand of mayhem in our communities. And when it’s personal property at stake, the fear of privacy being violated and assets lost is real.
Similarly, the world wide web has its varying levels of criminals with their own type of targets. Hackers that look for smaller and relatively easy targets do exist and are active online. They regularly seek easy-to-breach websites and ineffective security software that is not tested and patched regularly. Having robust security protocols in place is important to protect data – no matter the size of the organization or the scale of projects online.
Myth 3: Having a security policy in place will deter wrongdoers and protect data
This is false. A good rule of thumb when implementing security measures is to hope for the best but prepare for the worst. Yes, the presence of a good security policy indicates that an organization is focussed on protecting assets. It communicates to internal and external stakeholders, as well as customers, that security is not an afterthought but a central thread through the organization’s operations.
However, relying on the security policy to do the heavy lifting involved in protecting data is as effective as believing that a “Trespassers will be prosecuted” sign is enough to prevent burglaries. Having a fence, adequate locks, and perhaps even a camera or an advanced security system in place is still required to fortify homes. Similarly, apart from a security policy, investing in tight security measures is needed to protect citizen data online effectively.
Myth 4: A one-time installation of security software is enough to protect data
While absolutely not true, it is often believed simply because it is convenient. Constant vigilance is necessary. The world of cybersecurity is constantly changing. Sophisticated malware is constantly being developed to find weak points and bypass existing security features.
Organizations committed to data security ensure their online platforms are tested and fortified on a regular basis. Continuous improvement is in their DNA – and they reap the benefits by ensuring their data is secure.
In fact, continuous improvement is an integral part of the International Standard for Information Security Management – ISO 27001. An organization that is ISO-27001 certified conducts strong internal audits at regular intervals to identify opportunities for improvement, mitigate risk, patch software and more.
In summary, when asked, “do I need to care about strong data security measures for my organization?”, the answer is, “it depends”. Bloggers or organizations that do not collect or process personal data online could make do with simple websites.
Dismissing the importance of data security for any other organization, in particular a public one, can be very risky. Active civic engagement online depends, in large part, on citizen trust in their government. Upholding that trust with secure engagement platforms and operational practices goes a long way in increasing participation.