We live in a world where security and secrecy are inextricably linked. Safeguarding data and systems relies on the premise that those who are authorised to access them hold something only they know, which they recall and present every time they want to gain access. The problem with this approach is that the secret, or a hash derived from it, has to be kept somewhere so that when the person attempts to log in the system can match their answer. A copy of the secret therefore sits on a server the person does not control, so in essence it isn't a secret at all.
And we are seeing more major data breaches every month; look at the Facebook scandal if you want an example. But only the largest companies get reported on, so you can imagine how much of an issue data breaches are for small businesses. The industries that need to take extra care are those that handle very sensitive information, such as law firms, which is why so many are looking for companies that offer IT outsourcing for law firms in order to reduce the chances of a breach happening.
With the value of data on the black market so great (especially financial data), is it any wonder that data breaches are making headlines seemingly every day? Just today Talk Talk advised that hackers may have accessed the data of 4m customers. My instinct and anecdotal evidence tell me that, whilst data breaches are in all probability on the rise, the scale of media reporting still does not reflect the size of the problem or the volume of incidents. Ultimately, cybersecurity threats such as data breaches can have a devastating impact on companies of all sizes, as this blog post on the cost of a small business data breach explains.
At a recent gathering of identity professionals, Amar Singh, Senior Analyst at KuppingerCole, walked around the room and asked each person in turn whether they would buy from an organisation that had been the subject of an attack. The overwhelming response was yes. And these are sceptical identity professionals, not the “typical” consumer!
Some seemed resigned to the fact that breaches occur so frequently that, even if it had not been reported, there was a good chance an organisation had fallen foul at some point. Others used the common line that security will be heightened after an attack, so it would be an even better time to shop with that organisation. This is the logic people apply to getting on a plane after a terror attack or a crash. There is some sense in it, although conversely: why did they wait until the breach to make improvements?
It is all about trust. How much do we trust the people in charge of our data to have the right safeguards in place to protect it? This is also one of the reasons we are reading about these breaches more often. Organisations have recognised that, as part of their crisis planning and of mitigating the long-term impact on the business (which can be severe and in some cases fatal), they need to be more proactive and open in engaging with stakeholders: holding their hands up about what has happened and why, and most importantly saying what they are doing to put things right. This may include compensating customers whose data was stolen, or hiring digital forensics experts to investigate how the breach was possible.
But it is also about desire. Sometimes, even when everything points to it being a bad decision, our compulsion to have a particular product or service, or a great deal, will make the risk seem worth taking. It is not until we suffer the consequences of identity theft, payment fraud and other fraudulent activity that we really appreciate what is at stake and the inconvenience involved. Compensation may help to ease the pain, and the final ruling in the case of the US luxury retailer Neiman Marcus, in which damages are being sought for consumers whose payment card data was exposed by a breach in 2013, will undoubtedly have ramifications around the world.
For me the blame game does nothing to solve the problem of rising data breaches, publicised or not. I want and expect a high level of confidence that when I engage with an organisation, whether through choice, such as shopping, or through necessity and lack of options, such as public services, I will be protected.
So, for me, the very heart of the problem is secrecy, or rather the way in which it is applied. If you remove the need for consumers, citizens and employees to create and remember a conventional password, you also remove the organisation's need to store that password (or a hash of it), which makes it far harder to steal or leak. The issue is that society in general, and IT professionals in particular, have accepted the traditional way of doing things for too long, in large part because of a lack of viable options. That is no longer the case: there are some fantastically innovative, tried and tested password alternatives on the market right now.
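To make the argument of the opening paragraph and the one above concrete, here is an added example (not from the original post) showing what a server has to keep on disk under three common password-storage schemes, and what an attacker who has copied that table can recover from it. The user names, passwords and the small cracking word list are constructed for the demo; the scrypt parameters are deliberately low so the example runs quickly.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional

# Constructed demo accounts. Alice's password is weak on purpose; Bob's is a long passphrase.
USERS: Dict[str, str] = {
    "alice": "Summer2015",
    "bob": "correct horse battery staple",
}

# Constructed "dictionary" an attacker brings to a leaked credential table.
WORDLIST = ["password", "Summer2015", "letmein", "qwerty"]

# Low-cost scrypt parameters for the demo (16 MiB); production values should be far higher.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def store_plaintext(password: str) -> dict:
    """Worst case: the 'secret' is written down verbatim, so a leak *is* the password."""
    return {"scheme": "plaintext", "value": password}


def store_unsalted_sha256(password: str) -> dict:
    """Common 'hashed' storage: deterministic, so one precomputed table cracks every site."""
    return {"scheme": "sha256", "value": hashlib.sha256(password.encode()).hexdigest()}


def store_salted_scrypt(password: str) -> dict:
    """Current good practice: per-user salt plus a memory-hard KDF. Still guessable offline."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"scheme": "scrypt", "salt": salt, "value": digest}


def verify(record: dict, candidate: str) -> bool:
    """Server-side login check. Every branch uses a constant-time comparison."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["value"].encode(), candidate.encode())
    if record["scheme"] == "sha256":
        return hmac.compare_digest(
            record["value"], hashlib.sha256(candidate.encode()).hexdigest()
        )
    if record["scheme"] == "scrypt":
        digest = hashlib.scrypt(candidate.encode(), salt=record["salt"], **SCRYPT_PARAMS)
        return hmac.compare_digest(record["value"], digest)
    raise ValueError(f"unknown scheme {record['scheme']!r}")


def attacker_recovers(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    """What a leaked record yields: the password outright, or whatever a word list can guess.

    Offline guessing is exactly the server's own check, run by someone who now holds the
    stored value and is not subject to rate limits or lockouts.
    """
    if record["scheme"] == "plaintext":
        return record["value"]
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


SCHEMES: Dict[str, Callable[[str], dict]] = {
    "plaintext": store_plaintext,
    "sha256": store_unsalted_sha256,
    "scrypt": store_salted_scrypt,
}


def leak_outcomes(username: str) -> Dict[str, Optional[str]]:
    """Simulate a table leak for one user under each scheme and report what is recovered."""
    password = USERS[username]
    return {name: attacker_recovers(store(password), WORDLIST) for name, store in SCHEMES.items()}


if __name__ == "__main__":
    for user in USERS:
        print(user, leak_outcomes(user))
```

The point the output makes is the one the post makes: a weak password falls to a leak under every scheme, including salted scrypt, because whatever the server stores is by construction enough to test guesses against. Hashing raises the attacker's cost per guess; only not holding a password-derived value at all removes the target.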
The threat of data theft is not going to diminish whilst it can be accomplished with relative ease and the chances of being caught are slim (especially when done across borders), so new ways to reduce the chances of success must be sought out and embraced. The list of organisations that have fallen foul of data breaches grows by the day, but we cannot wait until it reaches critical mass. The digital economy is one of the greatest global success stories of recent times, and if confidence is allowed to plummet further all of that hard work could be put in jeopardy. Then the simple password really will have something to answer for!