If we look at the past few years, we can observe two distinct trends: firstly, data breaches are way more common than they used to be. Secondly, they’re getting bigger, and it’s not uncommon to find data dumps that encompass literally hundreds of millions of people.
In August of this year, we hit an all-time record, when a spambot mailing list found its way to the darknet. The list contained over 711 million email addresses, which is almost the combined population of the EU and the United States. Madness!
In January, River City Media – a sketchy internet marketing business in Wyoming – exposed the details of over 393 million people. These ‘megadumps’ make the likes of the 2012 LinkedIn leak, which affected ‘only’ 164 million people, look positively tame in comparison.
Are we only scratching the surface though? How many other breaches have occurred without us knowing, as a consequence of the company either paying so-called ‘hush money’ or deciding to wait it out and see what happens? Earlier this month, it transpired that controversial ridesharing service Uber paid $100,000 to hackers as an incentive for them to delete data they had stolen.
This divided opinion; should Uber have ‘fessed up’, or were they right to pay the ransom?
I’m going to put my cards on the table: concealing breaches is risky behavior, and is likely to blow up in the face of anyone who does it, as was the case with Uber. There’s virtue in transparency.
Hacks are inevitable, and breaches are almost always headline news. Nobody wants egg on their face, but in the mire, there’s an opportunity to reframe the security conversation into something positive.
I imagine that many non-technical employees regard information security staff as a sort of chimera: a hybrid of the ‘computer says no’ person from Little Britain, and Chicken Little, constantly claiming that the “sky is falling in.”
We are experts, but if we don’t present our expertise in a way that’s relatable and easy to understand, we might as well not bother.
If you tell a senior individual that the company website has a gaping SQL injection vulnerability, they’ll probably know that it ‘sounds’ bad, but it won’t move them to actually do something about it.
In fact, it probably has the opposite effect. You may end up with the reputation of someone who understands the technical side of the business, but has little concern for the everyday corporate practicalities.
Often, there’s a certain myopia when it comes to the actual value of the data businesses hold. They can be forgiven for thinking that personal biographical information – like names, phone numbers and addresses – isn’t worth much, and that therefore makes them an unappealing target. They often fail to understand the breadth of personal data that’s already been leaked to the internet, and the power of combining disparate, stolen datasets.
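To make the last point concrete, here is a small added example (it is not code from the original article) that joins three constructed ‘leak’ files on a normalised email address. Each file on its own holds little: a name, a phone number, or an old password hash. Joined, they become a profile that is far more useful to an attacker. All names, addresses and hashes below are invented sample data, and the `merge_dumps` and `richest_profiles` helpers are assumptions for illustration only.

```python
"""Added example: correlating low-value leaked datasets on a shared key.

The three CSV snippets are constructed sample data, not real dumps.
"""
import csv
import io
from collections import defaultdict

# Constructed sample dumps. Note the same mailbox is written with
# different capitalisation in each file, as is typical across leaks.
SPAM_LIST = """email,name
Alice.Smith@Example.com,Alice Smith
bob@example.org,Bob Jones
"""

MARKETING_DUMP = """email,phone,city
alice.smith@example.com,+1-555-0100,Springfield
carol@example.net,+1-555-0199,Shelbyville
"""

OLD_BREACH = """email,password_hash
ALICE.SMITH@EXAMPLE.COM,5f4dcc3b5aa765d61d8327deb882cf99
bob@example.org,e10adc3949ba59abbe56e057f20f883e
"""


def normalise_email(addr):
    """Lower-case and trim so one mailbox lines up across every dump."""
    return addr.strip().lower()


def load_csv(text):
    """Parse an in-memory CSV dump into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def merge_dumps(*dumps):
    """Join (label, rows) pairs on normalised email.

    Every non-email column from every dump is folded into one profile
    per address, and the set of source labels is recorded so we can
    see how many leaks contributed to each profile.
    """
    profiles = defaultdict(dict)
    for label, rows in dumps:
        for row in rows:
            key = normalise_email(row["email"])
            for field, value in row.items():
                if field != "email":
                    profiles[key][field] = value
            profiles[key].setdefault("sources", set()).add(label)
    return dict(profiles)


def richest_profiles(profiles, min_sources=2):
    """Return only the profiles assembled from at least min_sources leaks."""
    return {k: v for k, v in profiles.items() if len(v["sources"]) >= min_sources}


def build_profiles():
    """Convenience wrapper over the constructed sample dumps above."""
    return merge_dumps(
        ("spam_list", load_csv(SPAM_LIST)),
        ("marketing_dump", load_csv(MARKETING_DUMP)),
        ("old_breach", load_csv(OLD_BREACH)),
    )


if __name__ == "__main__":
    for email, profile in richest_profiles(build_profiles()).items():
        print(email, profile)
```

The point is not the code, which is trivial, but what falls out of it: an address that appears in a spam list, a marketing dump and an old breach is now a name, a phone number, a city and a reusable password hash in one record. That is the breadth of already-leaked data that decision makers tend not to picture when they judge their own records to be worthless.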
As our lives become more intertwined with technology, information and access become vastly more powerful. If someone gained unfettered access to your phone, for example, they could easily dismantle your life. It’s scary.
The most striking thing is that the answers aren’t that complex. Two-factor authentication is becoming increasingly ubiquitous, and vendors issue patches for known vulnerabilities. Indeed, most monitoring and threat-detection services already collect the information you need to spot an attack early and limit the damage.
Yet, many companies fail to take these very basic and cost-effective measures. Why is this?
You can attribute a lot to the fact that decision makers lack both the right incentives, and the proper understanding of contemporary information security risks.
So, as information security professionals, there are things we can do better.
Firstly, rather than issuing edicts, we should guide those decision makers into understanding our world. This is about changing our role from being the decision makers ourselves to designing the choice architecture: presenting the options so that the secure choice is the easy, default one.
Moreover, we need to learn to pick our battles, and know our limits. We will never have a 100% success rate when it comes to defeating phishing, or protecting our organization from external threats. Instead, we should settle for ‘good enough’, where we balance reasonable security measures against the everyday requirements of the business, and move on.
Finally, we need to educate corporate decision makers on the fact that breaches are an inevitable part of doing business in the 21st century. They might not strike now, but as Chuck Palahniuk wrote in Fight Club, “on a long enough timeline the survival rate for everyone drops to zero.”
If you promise the impossible, you lose credibility. This is as true for security professionals as it is for everyone else. Instead, focus on detection, damage limitation and having a solid incident response strategy.
Positivity doesn’t stop hackers, but it can play a role in helping security professionals communicate realistic risks, and teach the business how to behave when disaster strikes.
Our biggest challenge isn’t the lack of technical solutions or know-how. Our field is booming, both in terms of market size, and of those employed in it. What’s truly absent is motivation, incentives and understanding.
The biggest takeaway from all the breaches in 2017 should be this: Infosec pros need to stop thinking as technologists and hackers, stop chasing after the unicorn threats and instead think more like businesspeople to take advantage of the tools already at their disposal, and be realistic in what can be achieved.