All organisations who DO know how to protect private data but could not be bothered to do so or allowed employees to act in such sloppy fashion as to effectively give it all away. The list of ways in which data is disclosed is long and varied but one simple truth runs through all – lack of care by the organisation concerned.

IT security – the simple explanation
This article is also posted on LinkedIn at https://www.linkedin.com/pulse/security-simple-explanation-george-perfect/?trackingId=1IdV0RNtSsiZ0BVP2a0wgQ%3D%3D
This article arises out of a post by David Morton about a Guardian article describing a major Internet outage that was not (for once) caused by an IT security breach, but was nevertheless a good example of what happens when people who do not understand how the technology works make simple, uninformed decisions.
I am writing this the day after it was revealed that a trawl of 80 billion passwords and personal data records had just been released openly on the web for anyone to look through. Yes, that figure is 80,000,000,000 data records each containing personal, private and sensitive information entrusted to organisations to keep safe – now made public.
Take a moment to consider that the global population is less than a tenth of that figure, and the number of people with Internet access is roughly a twentieth of it, and you get an inkling of the personal misery and workload now imposed on individuals who must change their logins at every business and organisation they previously trusted. Spare a thought too for the millions whose bank accounts have already been emptied or who have suffered identity theft and the life-long consequences that follow.
80 billion personal records did not come from ‘mom & pop’ stores that have no idea how to protect a web server or implement a firewall, let alone a zero-trust policy or multi-factor access controls across every part of a complex IT system. These records were taken (I cannot bring myself to use the word “stolen”, as in the majority of cases the data was simply left out in the open for any passing individual to help themselves) from some of the very largest corporations on the planet.
Private sector, public sector, NGO – it matters not one jot. Big or small, you are an equally attractive target. If you do not protect yourself adequately you are asking to be closed down.
Successful attacks have been perpetrated against multi-national enterprises, financial services institutions, nation-wide health services, and even government departments as sensitive as the military, national security, critical infrastructure and public services.
It may be starting to occur to you that companies responsible for allowing personal data to “escape” face not only a major financial cost to clean up the mess they caused (or simply allowed to happen) but a far higher cost in reputational and brand damage … and loss of customers.
In my experience the reaction of most consumers and business customers faced with such a breach of trust is to close their accounts with the guilty business and take their custom elsewhere. There are many examples of long-standing, expensively built brands that have been forced to change their company and brand names in an attempt to escape such loss of business, because their original names are forever toxically linked to the behaviour that broke simple trust.
The U.S. is still reeling and recovering from the recent ransomware attack perpetrated against the oil pipeline operator Colonial Pipeline. I encourage you to read the testimony the company’s CEO gave to the U.S. Congress. Embarrassing, negligent, incompetent are just three words that come to mind.
More importantly, the damage could have been orders of magnitude worse.
The attackers hit the company’s IT side: its billing and management systems. The systems that control the pipeline itself were not encrypted; Colonial shut the pipeline down on its own initiative because it could no longer bill for product and did not know how far the intrusion reached. Whether the operational network was actually reachable from the compromised IT network is exactly the question a board should be able to answer before an incident rather than after it. The attackers, the DarkSide group, even published a statement saying they had not intended to cause such disruption and only wanted the money: Colonial paid a ransom of roughly $4.4 million (75 bitcoin) to get back to its normal operational state, and U.S. authorities later recovered a large part of it.
That would be the state that invited hackers to walk through the front door, change the locks and deny the company access to its essential property.
IT security is not hard or difficult
IT security is a problem I have been banging on about for many years. David will recall the constant security, audit and anti-fraud detection we built into the big financial services product he was involved with at Byline, and can compare that decades-old approach with the fact that the recent Colonial Pipeline ransomware attack, which triggered a federal state of emergency across the U.S. eastern states, was ENABLED by a single compromised password on a legacy VPN account that had no multi-factor authentication and gave instant access to critical systems.
Or read my blog article (on the biznik.co.uk web site) using Crédit Agricole (a major French bank) as an example of close to criminal disregard for customer-facing security … which leads one to question what security exists over the bank’s internal systems. This company only got round to changing the signature algorithm on its essential web security certificate from the long-broken and deprecated standard it was still using (some ten years after the algorithm was broken) after I told the company it had to be done – and then only months after I wrote to the company’s board and mere weeks before all browsers were about to refuse connections to sites using such certificates.
For anyone who does not know, a web site’s TLS certificate can be purchased (they are even available for free these days) using nothing more complex than a web browser, a credit card and the ability to fill in a simple form. Obtaining the certificate takes a few minutes, and installing it (even across a complex multi-server deployment) takes a few hours on a bad day.
When I write that continued use of a long-deprecated web standard (one that would have seen the company disappear from the Internet had it not been addressed in time) was the very least of the company’s problems, you may get an idea of the scale of insecurity and privacy exposure the company allowed.
Beggars belief doesn’t cover it.
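A concrete version of the certificate check the Crédit Agricole story turns on, added here as an example (not code from the article, the bank, or any tool it mentions): a stdlib-only Python script that reads the signatureAlgorithm OID out of a PEM certificate and reports whether browsers still accept that algorithm. It runs unchanged on a real certificate file (for instance one saved from `openssl s_client -showcerts`). The `stub_certificate_pem` helper builds constructed test data with a placeholder tbsCertificate, not a real certificate, and the OID table with its verdicts is my own summary of current browser policy rather than anything quoted from the page.

```python
"""Flag X.509 certificates signed with deprecated or broken algorithms.

Added example, not from the article.  Only the outer Certificate SEQUENCE and
its second element (signatureAlgorithm) are parsed; tbsCertificate is skipped.
"""
import base64
import re

# OID -> (name, verdict).  Verdicts summarise browser policy as of writing:
# MD5 signatures have been rejected for years, SHA-1 since 2017.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "deprecated"),
    "1.2.840.10040.4.3": ("dsa-with-sha1", "deprecated"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "deprecated"),
    "1.2.840.113549.1.1.10": ("RSASSA-PSS", "ok"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "ok"),
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID content bytes to dotted form, e.g. '1.2.840.113549.1.1.11'."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)         # tbsCertificate: skipped entirely
    tag, alg, _ = read_tlv(cert, pos)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def assess(pem):
    """Return (algorithm name, verdict) for a PEM certificate."""
    oid = signature_algorithm_oid(pem_to_der(pem))
    return SIG_ALGS.get(oid, (oid, "unknown"))


# --- constructed test data (a Certificate shell, NOT a real certificate) ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(text):
    arcs = [int(a) for a in text.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def stub_certificate_pem(sig_oid):
    """Constructed stub: placeholder tbsCertificate, real AlgorithmIdentifier layout."""
    tbs = der(0x30, der(0x02, b"\x02"))                       # stand-in for TBSCertificate
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))     # { OID, NULL }
    sig = der(0x03, b"\x00" + bytes(256))                      # BIT STRING, 2048-bit placeholder
    b64 = base64.encodebytes(der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as f:
            name, verdict = assess(f.read())
        print(f"{path}: {name} [{verdict}]")
```

Run it as `python check_sigalg.py cert.pem` against a saved certificate; anything reported as “deprecated” or “broken” is a site browsers will refuse, and anything “unknown” is an OID worth looking up before trusting.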
IT security requires deep, wide and constant thought, implementation and maintenance in every corner of an enterprise. It is a full-time job that requires a full-time individual, supported by a team sized to the scale of the potential attack surface, to identify and avoid threats and remain ever alert.
This is not a task to be thrown at a consultancy for a quick fix and “tick the box” job to “satisfy” auditors or regulators.
But most large enterprises I have seen (and I have been inside many) pay such scant regard to security that they may as well leave an expensive car in an inner-city neighbourhood with the doors open and the keys in the ignition.
Honestly, accessing many critical IT systems – even those operated by multi-national or infrastructure related businesses and organisations – is trivial to a teenager with a laptop and a bedroom wi-fi connection.
Though *everyone* inside a business needs to be trained and made to comply with IT security measures, the problem first needs to be addressed at board level.
As most boards have the same understanding of how complex IT systems work as they do of what makes their chauffeur-driven limousines move, the problem is, in my humble view, beyond a campaign of director education and requires a specific board-level appointment of an IT security specialist whose sole task is to implement and embed IT security root and branch, then upwards.
The existing IT director in most organisations is not the person for this job in my experience.
It’s not hard, people – it requires a little money and the correct delegation of responsibility and authority to ensure that open doors are closed, that systems are always rapidly patched, that the CVE database is regularly reviewed for critical bugs affecting your systems, and that the culture allows systems to be shut off (under the most extreme circumstances) until they can be secured. Better to be “off-line” for a while than to destroy that oh-so-valuable trust and invite the attendant risks of blackmail, loss of corporate secrets, ransom and existential threat.
To all main board directors out there, take a bit of advice from someone who has been there, seen it and watched the resulting mayhem too many times: place IT security at the top of your next board meeting agenda and, if you do nothing else and have only the same understanding of IT security as you have of how the company limo or corporate jet works, appoint someone who truly does understand it with the task of shutting the door and keeping it shut to keep the bad guys out.
The job spec for the person needed is a deep understanding of IT technology from chip level through every operating system to every piece of application software used in the organisation, and an equally deep understanding of the stupidity so often displayed by humans, known to board members as “employees”, who are the most frequent conduit for gaining access inside companies.
People with this skill set are expensive. Or, they are ridiculously cheap compared to the cost of the smallest data breach or intrusion into corporate systems.
There. That’s not hard – in fact it’s extremely simple.
Don’t delay – do it today.
Either that, or be sure your turn will come and start putting a huge contingency budget in your accounts to pay for the ransom, the clean-up costs and the change of company and brand names, alongside the large and unwelcome dip in revenues you are asking for. Or the loss of company secrets and privileged information, which could pose an existential risk to the organisation.