Failure to protect data will cost business in the end
Billions spent in the security sector are failing to deliver as effectively as the underground hacker community
The Black Hat hacker conference in Las Vegas last week, where speakers asserted their ability to tap into and manipulate everything from airport security systems to the lights in your hotel room. Photograph: Steve Marcus/Reuters
Facebook was in touch the other day. “Help your friends recognise you,” they wrote. “Add a profile picture.”
My instinctive reaction was: Why? So it could be added to the pile of data on me and others that is left out there for the unscrupulous to access?
Of course, my picture sits with this piece on the website, so that particular horse has probably bolted. However, we still work generally under the assumption that, in transacting business with reputable agencies or retailers, we are operating over secure networks. Events over the past week have thrown a harsh light on the fault lines in that assumption.
First it emerged that a Russian crime ring had collated the largest “known” collection of personal data stolen over the internet – including 1.2 billion username and password combinations and more than 500 million email addresses.
Then US authorities disclosed the existence of a new, pernicious form of malware, called Backoff, which uses a backdoor to capture customer names, postal and email addresses and account numbers (including expiration dates and PIN numbers) as shoppers swipe their credit or debit cards at store and restaurant tills.
And at the annual Black Hat internet security conference in Las Vegas, speakers asserted their ability to tap into and manipulate everything from airport security systems to the lights in your hotel room through what they said were gaping holes in online security.
And the industry reaction to this litany of catastrophic security breaches? Little more than a figurative shrug of the shoulders.
Some argue that keeping information out of the hands of cyberthieves is a losing battle; others, including some at Black Hat, would prefer to keep consumers even further in the dark, questioning whether companies should be forced to disclose cyber attacks.
The 650,000 customers of bookmaker Paddy Power whose details were stolen four years before the company notified the Data Protection Commission of the attack might beg to differ. And US retailer Target will presumably not be conceding the battle as lost as it faces a bill reported to be $148 million and counting in relation to a data breach last year that saw it lose the details of 70 million customers.
Fancy features
Security researcher Jesus Molina, also speaking at Black Hat, warned that, when they are rolling out new technologies, companies needed to make sure their security was as sophisticated as their fancy features.
And that goes to the heart of the issue.
A report out today from Cisco states that just 8.3 per cent of websites are properly protected from hackers. Security lapses range from outdated software and bad code to “abandoned digital properties” and user error.
Players in the hardware and software sectors – companies such as Apple, Dell, Microsoft, Oracle and others – need to feel that they will pay a price for delivering buggy machines or applications rather than relying on the fig leaf of patches.
All the billions of euro spent in the sector are failing to deliver as effectively as an underground hacker community that, largely, cannot hope for such investment, even with their criminal links. And as tech sector blue-chips battle to secure the services of the brightest brains in the sector, nobody seems able to explain why this should be so.
For their part, small businesses need to be more discerning, more demanding of their technology suppliers, and considerably more caring of their relationship with their customers. Karl Sigler, a director at Trustwave, the security company that claims to have discovered Backoff, was reported recently as saying: “A lot of retailers still aren’t concerned about security, they are not even implementing best practices properly.”
When it announced details of the Backoff malware, the US department of homeland security warned that it could damage businesses’ brands and reputations. And, as Sigler noted: “There’s a lot of finger-pointing between the retailers and the point-of-sales vendors as no one wants to take responsibility for security.”
Convenience has seen people sacrifice quality in areas such as telephony and photography, my colleague Karlin Lillington recently noted in this space. Once the sheen of the new toy – online engagement – dulls, they might be less forgiving on security.