Data privacy: 4 online retailers that are spying on your employees during work hours

“Every move you make, I’ll be watching you.” That 80’s hit from The Police might sound creepy nowadays, but it perfectly depicts how online retailers track “every breath you take.”

How much do you think your employees value their data privacy? The answer is probably not as much as you would hope for the sake of your network’s integrity.

According to the Pew Research Center, only 40% of internet users in the United States are worried about companies selling their personal data or about people stealing their identity online. Add to that that Americans are becoming less knowledgeable about data privacy laws: 72% say they have little to no understanding of them, up from 63% in 2019.

Target’s Pregnancy Prediction Model

Here’s an example from 2012 that is even more relevant with today’s behavior-tracking technology. Target, the 6th biggest retailer in the US, sent coupons for baby products to a teenage girl in the Minneapolis area. Her father was furious and complained to the store manager, who apologized. A few days later, the father called back to apologize himself: his daughter was indeed pregnant, and Target’s model had inferred it from her purchase history before the family knew.

This illustrates how retailers can use data to make assumptions about customers and how much information they collect. According to another study by the Pew Research Center, 91% of Americans feel that they have lost control over how their data is collected and used by companies. 

A report by The Atlantic found that online retailers track customers’ every move, from the products they browse to the items they purchase.

Employer-issued devices are being used for more than just work.

A study by IBM found that employees spend an average of 1 hour 12 minutes per week shopping on company-owned computers, a big concern for data privacy. This may seem like a small amount of time, but it adds up quickly, and it’s enough for retailers to collect a significant amount of employee data.

Proofpoint found that 25% of employees use employer-issued devices at home for personal activities like online shopping, gaming, and social media. There’s more: 55% of those users extend device access to family members or trusted friends.

How confident are you that your employees stay safe while surfing and shopping?

Are you actually aware that your staff is likely doing more than work-related tasks on company devices and potentially exposing a lot of personal and sensitive information?

What information is being collected by online retailers?

Online retailers track their users’ every move. The collected data exposes sensitive information and increases vulnerability to phishing attacks.

So…what types of information are these companies collecting?

Here’s a look at four of the biggest online retailers in the US and the information they collect* from their users.

Amazon

“Hi, Mr. Bezos. I know you’re listening.”

Amazon, the largest online retailer in the US, has a market share of 37.6%. They collect a wide range of data, including:

Amazon has been in the news several times for its data collection practices. In 2019, it was revealed that Amazon employees were listening to recordings of customers’ conversations with Alexa. In 2021, Amazon was fined €746 million (about $888 million) by Luxembourg’s data protection regulator under the GDPR for processing personal data for targeted advertising without valid consent.

Walmart

Walmart is the second-largest online retailer, with a market share of 6.4%. It collects the following data:

Many have been surprised with Walmart’s use of facial recognition technology in its stores.

Apple

Claiming to be a privacy advocate, Apple collects the following from its users:

Apple is constantly under scrutiny for its privacy policies, which sometimes seem misleading.

eBay

The giant auction site and marketplace seems to have little regard for data privacy: its Android app reportedly collects 28 data points, more than any other app surveyed. Some of the data collected are:

eBay has also received a lot of backlash for sharing user data with marketers.

And as for just about all the other online shopping platforms:

This list goes on. If a retailer is selling merchandise, it is tracking shoppers’ behavior. The data collection is massive, and three out of four retailers share this data with third parties.

Improving data privacy company-wide

Employees should be educated and regularly reminded about how much of their personal information is being collected and shared, and what that means for them and their families. Online privacy is crucial, especially for corporations.

How often should data privacy be enforced in a company?

Do not wait until the next cybersecurity training session. Data privacy should be constantly reinforced company-wide through email or other internal media platforms.

Engage your employees year-round and turn them into cybersecurity heroes with content branded for you by Aware Force.

Our latest infographic about online privacy in 2024 includes eye-opening facts about how your personal information is used online, how users feel about that, and useful steps that can limit how much of your information is available to marketers.

We’re standing by to show you truly innovative ways organizations use Aware Force to engage their employees. (And the employees let them know how much it’s appreciated!)

It’s essential to be aware of the risks involved in online shopping and to take steps to protect your data. Stay safe out there! 😊

* Disclaimer: This article reflects the data and privacy situation as of the publication date. Online data collection and privacy practices may change over time. Please verify the current information before using or acting upon any of the content in this article.

Sources: Pew Research Center, Statista, The Atlantic, IBM, Proofpoint

How Cognitive Bias Affects CISOs and Other Cybersecurity Professionals

Here’s the moral of the story upfront. Cybersecurity professionals, CISOs included, can be victims of cybercrime — even when a phishing message is easy to spot. During the Global Anti-Scam Alliance convention in Portugal recently, attended by Aware Force CEO Richard Warner, organizers emailed the participants the evening before.

“We’re celebrating your arrival! Click here to attend the free reception tonight. Just fill in the form with your personal information, and we’ll register you!” Many of the attendees complied. After all, who can refuse free food and drinks? 

But the phish was a test. (Sorry, no free food.) The test results show why it’s so difficult to change employee behavior. 

How can cognitive bias lead security professionals to make mistakes?

Cybersecurity professionals work under a lot of pressure.

They’re charged with ensuring that every gap in the organization’s attack surface is covered: that all personnel are trained and ready to act, there’s a contingency for everything, patches are applied, software is up to date across the organization, and some are even responsible for physical security.

Because CISOs must be aware of every risk, they can also become overconfident, creating blind spots that leave risks unrecognized and unaddressed. Psychologists say this makes an individual more likely to overlook the obvious while searching for the complex.

This is a cognitive bias. You could call it the “this will never happen to me” syndrome.  

What do the scientists say?

One study [1] published in the journal "Organizational Behavior and Human Decision Processes" found that these blind spots can lead to a number of negative consequences, including:

Another study [2] finds that blind spots can be problematic for leaders, leading to reduced employee morale and poor decision-making.

Three famous cases of hackers exploiting CISOs’ blind spots

Here are three examples of cognitive bias involving C-Level cybersecurity executives:

Target (2013)

In 2013, Target suffered a massive data breach that exposed payment card and personal information of tens of millions of customers. The attackers first stole the network credentials of a third-party HVAC vendor and used them to log in to Target’s vendor portal. Because Target’s internal network was not adequately segmented, that foothold, intended for vendor billing, led to the point-of-sale systems. Target had no CISO at the time; the role was created after the breach. The cost to Target: about $200 million.

Marriott (2018-19)

The Marriott data breach, disclosed in 2018, exposed the records of hundreds of millions of guests (initially estimated at 500 million, later revised to roughly 383 million) held in the Starwood guest reservation database. Attackers had compromised Starwood’s systems in 2014, two years before Marriott acquired the chain, and remained inside undetected until September 2018, using a remote-access trojan and credential-harvesting tools to reach the reservation data.

The intrusion predated the acquisition, yet Marriott’s due diligence did not surface it, and its monitoring did not catch it for a further two years after the deal closed.

Marriott’s security leadership was criticized for assuming the acquired environment was clean. As with the Equifax breach a year earlier, the root problem was a process failure: basic controls (in Equifax’s case patching, in Marriott’s case pre-acquisition assessment and intrusion monitoring) were not enforced.

Under Armour (2018)

The Under Armour data breach, disclosed in March 2018, exposed roughly 150 million MyFitnessPal accounts: usernames, email addresses and hashed passwords.

Under Armour never publicly explained how the intruder got in. The lasting criticism was that a portion of the passwords had been hashed with SHA-1 rather than bcrypt, which makes them far cheaper to crack offline once stolen. Password storage, not only password policy, was the weak point.

The solitude of a leader

At the age of 26, I had climbed the ranks of a big metallurgical contractor with over 11 thousand employees worldwide and reached a leadership position. I had a team of about 30 under my supervision.

My superior at the time, and dare I say mentor, quickly taught me one important lesson: a leadership position is one of loneliness and seclusion.

You’re squashed between two forces. On one side, you must ensure the people you’re responsible for have everything they need to work safely, protecting themselves, their colleagues, and the company’s assets. On the other, upper management is pressuring for results and KPIs. Eventually, one may get in the way of the other.

Some of my colleagues call it the solitude of the leader.

CISOs, and cybersecurity professionals in general, are no strangers to this concept: they are in a position where many interests collide, pressure is high, and one mistake can potentially cause massive losses in value and reputation to a company.

One noticeable example of this was the Equifax breach. A patch for the Apache Struts vulnerability the attackers used (CVE-2017-5638) had been available for about two months before the intrusion, but the internal notice never reached the team responsible for the vulnerable system, and a scan meant to find unpatched instances missed it. The pressure on the security leader to avoid downtime and cost was real, but the failure was a patch process that depended on a single email reaching the right people.

How can we leave these biases behind?

The first step to overcoming bias is to recognize that it exists. Recognizing a bias can be challenging, as our biases often operate unconsciously. However, some tips for leaving your biases behind include challenging your assumptions, being open to feedback, and being willing to change your mind.

It is crucial to seek out different perspectives. Being able to share and delegate enhances the results you deliver.

Consider bringing in partners who can strengthen your awareness efforts.

We do this at Aware Force. Our team picks up where your cybersecurity training leaves off. 

We deliver timely, relevant content year-round — branded and tailored for your organization, reinforcing your team’s role as subject-matter experts. Aware Force’s content is easy to use and ready to integrate with your existing cybersecurity programs.

It’s ideal for intranets, websites, internal social media, and your onboarding program.

We’re standing by to show you genuinely innovative ways organizations use Aware Force to engage their employees. (And the employees let executives know how much it’s appreciated!)


Sources: 

[1] Smith, J. E., & Hantula, D. A. (2002). Blind spots in management: When incompetence goes undetected. Organizational Behavior and Human Decision Processes, 88(2), 182-201.

[2] Hambrick, D. C., & Crozier, R. D. (1987). Cultural leadership: The behavior and values of top executives in six countries. Administrative Science Quarterly, 32(1), 207-231.

5 Reasons Why Your Cyber Security Training for Employees Falls Short

“The videos are so bad. I let it play in the background while I did something else because I couldn’t fast-forward through it.” “It’s the same stuff over and over.” “It doesn’t relate to what I do.”... That’s what your employees say about your cyber security training.

Is it frustrating? Are your employees grudgingly doing their quarterly cyber training just to get it out of the way? It’s happening because you’re focused on checking the boxes, not on what will engage the user.

This is a global problem because the stakes are so high: 9 out of 10 breaches still involve employee behavior. Trying to influence that behavior is a highly profitable, multi-billion-dollar business. The biggest player in this space went public and is going private again, enriching its investors, but, seriously, have you ever heard an employee talk about how good its training is?

Why do your employees forget their cybersecurity training by lunchtime?

Human memory is not designed for long-term retention of information, especially when it's not reinforced regularly. One-off cyber security training sessions fail to make a lasting impact. Without consistent reinforcement, employees gradually lose the knowledge, and 90% of it is gone within a week.

The effectiveness of a training program hinges on its ability to engage. Unfortunately, many cyber security training materials fail to capture the attention of employees. They’re bored with it. They’re checking the boxes, too. 

Here are five of the reasons why your cyber security training comes up short:

Reason 1: Repetition

Image: Repetitive staff cyber security awareness training (Storyset on Freepik)

The Problem

Repetition can be an effective tool for learning math and language, but too much of it yields diminishing returns. Delivering the same material on an annual cycle gives employees a sense of déjà vu. They tune out.

How it Affects Employee Engagement

Employees disengage when training becomes monotonous and repetitive, leading to reduced information retention. The goal should be creating a “buzz” in your employees’ brains — “hey, wait, that doesn’t look right” — because cybersecurity will never be top of mind unless they’re on your IT team.

Reason 2: Boredom

Image: Boring cyber security training for staff (Storyset on Freepik)

The Role of Engagement in Learning

Engagement is crucial for effective learning. Engaged employees are likelier to pay attention, participate actively, and retain information when the content is relevant to their lives, current in its scope, and written in language that’s easy to understand. Traditional cybersecurity training programs just don’t work that way. Lengthy, text-heavy presentations and dry technical jargon are boring.

Why Boring Training Fails to Engage

Boring training materials lead to disengagement: employees tune out the content. They struggle to connect with the subject even though they are interested in it. Most employees care about protecting their employers and, certainly, about protecting their families from cybercrime.

Reason 3: Irrelevance

Image: Irrelevant cyber security training for staff (Storyset on Freepik)

The Significance of Relevant Training

Employees are more likely to invest in cybersecurity training when they perceive its relevance. Effective training should equip employees to protect company data and help them safeguard their personal information and families. Yes, workplace cybersecurity is the priority. But smart cyber professionals realize that content about protecting their homes and kids is a strong hook to get them involved at work.

Irrelevant Training Leaves Employees Disinterested

Training that lacks relevance feels like a chore. Employees who fail to see the practical application of cybersecurity principles will struggle to engage with the material. It is a missed opportunity to foster a sense of personal responsibility.

Reason 4: Forgetfulness

Image: Forgetful staff cyber security awareness training (Storyset on Freepik)

The Forgetting Curve Phenomenon

It’s a fact: we just don’t remember much of what we learn. The “forgetting curve” is a well-documented psychological phenomenon: retention of information declines over time when nothing reinforces the learning. Without periodic reinforcement, employees quickly forget the knowledge acquired during training sessions.

Addressing Forgetfulness Through Spaced Learning

To combat the forgetting curve, cybersecurity training should incorporate spaced learning. This approach involves delivering information in smaller, spaced-out sessions over time. Regularly revisiting key concepts helps reinforce employees' understanding of security practices.

Reason 5: Lack of Application

Image: Employee computer training, lack of application (Storyset on Freepik)

The Need for Practical Application

Effective security training should extend beyond theory to practical application. Employees need to understand not just the "what" and "why" of security practices but also the "how." Employees may struggle to implement security measures in real-life scenarios without practical application.

Bridging the Gap 

To bridge the gap between training and practical application, incorporate real-life scenarios into your training. Interactive examples, quizzes, videos, and real-world stories can help employees develop the confidence to identify and respond to threats.

Solutions for Effective Cyber Security Training

It’s time to shake things up. By integrating strong content and promoting continuous learning, you can equip your employees with the knowledge and skills to defend against evolving cyber threats.

As you know, your employees are your strongest asset in the fight against cybercrime, and effective training is the key to unlocking their potential.

Cybersecurity training doesn't have to be boring, repetitive, or ineffective. To create engaging and impactful training programs:

How to Promote Continuous Learning

Encourage employees to adopt a mindset of continuous learning and self-improvement in cyber security. Aim to deliver relevant, snackable cyber security content at least once a month.

Most importantly, drop the tech talk

How Aware Force Delivers Next-Generation Results — for only five minutes of your time.

At Aware Force, we deliver bespoke cybersecurity content. That's timely, relevant material that employees love — and let IT teams know it without being asked. The content is fresh, interactive, customized to be relevant to you and your organization, and best of all, requires only a few minutes to send to your organization.

Our content empowers employees to protect themselves and their families at work and in their daily lives. Aware Force is cost-effective and delivers measurable results for senior management and the board.

You’re settling for a “check the box” approach when you could easily be delivering a solution that makes your team the cybersecurity heroes. We pick up where your cyber security training leaves off, ensuring that your workforce remains vigilant and informed.

Check out our extensive cyber library and our awesome cybersecurity newsletter — all branded and tailored for you.