Data breaches have become so common that it can be difficult for any one of them to catch the public's attention, but we all sat up and took notice when we heard about the Equifax breach.
We expect companies like Equifax to have defenses as tight as six feet of reinforced concrete with round-the-clock, heavily armed guards at every entrance. So, it’s disappointing when the weakness that leads to a breach of this size turns out to be something as simple as not keeping up with a security patch.
A breach of this magnitude caused by a weak point so tiny invites some interesting questions:
- Why aren’t patches updated in a timely fashion to cover all weaknesses?
- Why do (and don’t) companies have good security?
- How do we protect ourselves?
Questions like these can open up a dialogue to find real, actionable solutions to lessen the frequency and impact of data breaches. So, let’s take a look.
The IT Struggle to Cover All Weaknesses
Although we like to picture something akin to the six-foot reinforced concrete wall guarding our data, it’s a pretty inaccurate metaphor of what IT teams are actually able to construct and maintain.
Security systems have a million tiny vulnerabilities. The larger the corporation is, the harder it is to keep pace with all of the attacks trying to exploit those vulnerabilities.
A lot of the vulnerabilities come with the struggle to keep everything updated with the latest patches. There are so many virtual and physical machines that need to be monitored and updated, and not all of the patches can be done automatically.
Sometimes, whole systems have to be taken offline to deploy a patch. That can impact customers, which is generally regarded as a bad thing for the business.
On top of the scope of the problem, IT professionals coping with the vast number of patches to coordinate and deploy may not have the support they need from executives. This often comes down to a communication issue.
While the IT pro is talking technical, the executive is talking business. That disconnect can lead to updates being pushed back to a later date, which compromises security.
Why Businesses Do (Or Don’t) Have Good Security
A language disconnect happens between the technical security side and the business side because they have related but different end goals.
From a business standpoint, the dollar amount required to even approximate airtight data security often doesn’t look worthwhile.
Who wants to spend $100,000 to protect something that’s only a $10,000 liability? From a purely business dollars perspective, it doesn’t make sense to do that.
However, executives have to consider legal and ethical factors, too.
To give this a more tangible picture, let’s use a physical, rather than technical, example. If a company dumps toxic waste irresponsibly, they may be fined by the Environmental Protection Agency.
From a dollars perspective, the cost of the fines versus the cost of getting rid of the waste responsibly may not weigh in favor of acting responsibly. So, the legal and fiscal reasons aren’t enough on their own, but there is still an ethical component to think about.
For data protection, there aren’t really any laws in place to hold companies accountable for lackluster security. Of course, that will change in May 2018 when the General Data Protection Regulation (GDPR) takes full effect in the European Union.
Even so, the legal and fiscal implications of compliance may not be enough on their own. At that point, companies have to decide: What are the ethical implications?
How to Protect Yourself
Those are the big questions that need to be a focal point of discussion for data protection moving forward. But they deal more with what companies can do to protect data than with what end users can do.
We hope that companies will get it together and deal with these issues before another large data breach occurs, but until then, we have to be able to protect ourselves.
With that in mind, here are four tips from David Monahan, Research Director at Enterprise Management Associates, for how to protect your personal data.
- Contact the three major credit reporting agencies (Equifax, TransUnion, and Experian) and place a lock on your account. This keeps anyone else from opening accounts using your information.
- Monitor your credit history regularly. Even with a lock in place, if someone has enough of your personal data, they could impersonate you and have that lock removed. Monitoring your history means you can catch nasty surprises like that much more quickly.
- Secret questions should be based on non-historical and non-public information. A quick Google search of a person’s name and city pulls up a ton of publicly available information about them. Make sure your security questions don’t reference anything that easy to find.
- Use different username and password combinations across accounts. Then, even if someone obtains access to one account, they don’t have them all.
The best way to keep a breach from happening a second time is to learn from the past and analyze what really caused the problem to begin with.
If we understand why companies struggle to keep patches updated to cover all weaknesses and why businesses do or don’t have good security, we can start to figure out how to mitigate those issues. Until then, there are ways that we can mitigate the potential damage of having our personal data exposed.