Monday, March 13, 2017
Flashback! 15 years on, security breaches have only gotten worse
Rummaging through my archives I came across a presentation I had made at a large IT conference fifteen years back to the day. The subject line had me wondering if I had made a fool of myself in that gathering, considering that the topic was not my core expertise, though I was a bit enamored of the discipline. Memory is kind, and there is no recollection of being booed off stage or being put in an uncomfortable position. The presumptuous title of the presentation was “How to protect your enterprise from being hacked”!
Organizations get hacked for many reasons, though most of the hacks in recent times were attributable to human error, lapses in controls, malice towards current or former coworkers or bosses, and finally social engineering, resulting in compromised data which allowed nefarious elements to gain access to and control of information assets for potential future misuse. There were also a few brute-force attacks, as well as skilled hackers who could break through the firewall and the other technologies that protect the digital ecosystem.
The past decade and a half has seen exponential growth in devices connecting to the internet; what started as basic email on mobile, extranets and the surge of the dotcom bubble has grown beyond the predictions of all kinds of futurists and consultants, surviving the blips of the dotcom bust and, many years later, the subprime crisis. M2M, IoT and connected consumer devices have further expanded the exposed digital fabric, vulnerable to attacks as well as to errors and omissions by the people who configure and monitor it.
Back then, before the turn of the century, reported security incidents were a handful; current reality is 10X that, and for clarity these are reported numbers. Guesstimates of the actual number apply a similar multiplier to the reported figure. Part of the difference lies in BYOD, which has removed mobile end-user computing from the purview of the enterprise, keeping those incidents out of the count. Smartphones and tablets, wireless hotspots, public internet kiosks and free terminals at airports have all helped in accessing information anytime, anywhere.
For IT organizations, threat vectors multiplied, sending them on a quest for better security while balancing the demand for, and need of, access to corporate systems. Controls and checks soon became bureaucratic, with everyone wanting to connect as a result of undue corporate pressures. The number of breaches continues to rise, with IT security playing catch-up. MDM (mobile device management), anyone? Locked USB ports, containerized phones, IRM (information rights management) enabled documents: the world has changed, while we remain exposed through cookies and mobile app trackers.
Globally, governments have given a thrust to digital e-governance and citizen services; identities and records of interactions with government, tax filings, health records, bank statements, what have you, almost everything is digitized across most countries, with varying degrees of information security policies, processes and technology. Access via mobiles and apps is the baseline expectation that must be fulfilled; feature phones too have been enabled using USSD (Unstructured Supplementary Service Data), which rides on the mobile network's signaling channel with no application-layer security of its own and can be compromised.
Interestingly, the time to uncover a breach has increased from weeks to many months and, in rare cases, more than a year; this rise is despite the availability of a plethora of solutions. Software is getting bulkier, crammed with features; integration with other solutions is now the norm, exposing solutions through potentially unfixed or insecure APIs (application programming interfaces) from third parties. Unfortunately, security wrappers and multi-factor authentication make solutions unwieldy or complex for end users.
Fifteen years back, the discussion was about security policies, management endorsement and budget allocation; it was about protection from insiders, disgruntled employees and contractors. One of the key elements of an information security strategy was the education of the stakeholders involved in their responsibilities, dos and don’ts. Today it is still about security policies, now more tightly controlled and clearly separating the personal from the enterprise; earlier, digital access was controlled by hierarchy and exception, whereas today exceptions to the rule for business reasons are the norm.
I wish I could give a presentation today with the same confidence and aplomb that I did a decade and a half back; technology has swamped our lives, blurring the boundaries between technology at work and for personal use. The continuum, with high dependence on devices and a tether to the internet for almost everything, logs our daily activities in the background, only to be used against us. Enterprises struggle to strike a balance between storing data in the cloud and in enterprise vaults, only to discover that neither is safe.
The reality is that most of your data is out there, available for pennies to whoever wants it, whether you like it or not!