Data Breaches: Let’s Drop the “If” and Pick Up the “When”

Build a better mouse trap and you get smarter mice.

By Shawn Allaway, CEO

It struck me reading a recent article on the latest security breach, this time at Yahoo, that if companies like Yahoo, Target, Adobe, and Neiman Marcus, all of whom presumably spend millions of dollars on security, have suffered security breaches where sensitive (and valuable) data has been stolen, what would make any business feel remotely comfortable about the safety of their data?

Is it hubris?

ConverterTechnology has worked with some of the world’s largest companies over the past decade, all who have very talented technical teams. However, some of those enterprises may be overly confident. Can any large company confidently stand up and proclaim their systems are impenetrable? Or, at the very least, that they will be able to quickly detect a breach and be able to stop it before the data loss is widespread?

I’m not sure.

However, I am sure that there are businesses who think “I’m too small for anyone to hack” or “we don’t have any credit card or other personal data that would entice a hacker to break into our network” as a way to comfort themselves through the night.  But that logic should hardly provide for a restful slumber.

All organizations, big and small, have valuable information contained within their network. It could be strategic intellectual property or other propriety information that could cause damage if it wound up in the hands of a competitor – or in China. But, it may be as simple as user names and passwords. Think about it – people tend to use only a couple of passwords for all their online accounts, and THOSE accounts might have personal data. It seems that virtually all entities, private and public, are under attack from a wide array of assailants, some organized while others doing more “freelance.”

Despite the millions spent on prevention, it doesn’t appear to be enough to deter brilliant and creative hackers, so it is time to drop the pretense of “if we get hacked” and replace it with the mindset of “when we get hacked.”

Since computer systems are designed by humans, it’s almost certain that there will always be a flaw that can be exploited. Apparently in some cases, the NSA (and presumably other shadowy government agencies) have asked for back doors to spy on users which I assume could be used for nefarious purposes.

I am not saying that spending time and resources on prevention isn’t important – it is – but we need to heavily complement these systems with equally robust detection and monitoring solutions. It would be extremely helpful if people would use highly randomized and unique passwords that change frequently, but that’s probably not realistic given human behavior. So, if a breach is inevitable, then how fast we detect it and how quickly the organization’s security protocols are enacted will be paramount to minimize any data loss.  After all, it is the data the bad guys are after.

It is a little bit like the radar guns and detectors. For a while, drivers have the advantage and felt emboldened to disregard posted speed limits, but then the police get new technology and lots of tickets are written. The same pattern will repeat here. Regardless of how big and bad the safe is, there always seems to be a crook to crack it. Instead of tumblers and thick steel, it is firewalls, zero trust and multi-factor authentication.

So where do we go from here?

As security architects look at ways to design and modify systems to protect data, they must be constantly vigilant and open to new approaches to best mitigate the risk. In addition to the zero trust mindset, we must accept a zero complacent attitude.