I recently read that the President is expected to announce national cyber security guidelines and rules at the upcoming State of the Union Address. While I am typically not a fan of more government regulation, I do think the time has come for such regulations. Uniformity is certainly helpful in any industry, particularly when it comes to cyber security. I believe there will be a benefit to releasing a national set of guidelines/requirements, given that there are 47 states with varying cyber security laws covering data breaches, so a uniform federal regulation will provide the necessary clarity.
2014 was a breakout year, or breakdown year depending on how you look at it, for so-called ‘mega’ breaches. As a result, millions of credit card numbers and millions of individuals’ personal details have been leaked into the wrong hands from companies of all sizes across industry verticals. I think many consumers are resigned to the fact that it’s not a question of if, but when.
The main question to answer is how we got here. We arrived at this point mainly for a few reasons: organizations have consistently failed to secure precious personal data; the 47 states with similar but differing laws have created confusion; and the perpetrators who seek to breach privileged information have been underestimated.
So why are there so many breaches? While there are several major and minor reasons, one of the drivers I see is the explosion of on-line transactions from a now seemingly endless supply of Internet-connected devices such as your phone, tablet, phablet, refrigerator, etc. For example, remember how music was purchased in 1980 versus today? Not only can you perform this task from your smartphone today, you can also pay for it electronically versus the old credit card carbon copy machines (remember those?). Ironically, a few retailers, including P.F. Chang’s, have gone back to using these devices after recent data breaches. Another driver is that some companies that possess personal information are not taking this threat seriously, as shown by their failure to implement the steps needed to mitigate it.
Too often I speak with organizations that want to do everything they can to protect sensitive data but lack the budget, or more importantly the time and resources, needed to review all nefarious traffic. Consequently, they become easy prey for hackers who stop at nothing until they succeed.
Here are a few pointed thoughts:
- Organizations need to properly identify what type of personal information is actually required to conduct a transaction or business. For example, is it really necessary to obtain my phone number to access a free music streaming service? Consumers should have the option to “opt out” of providing non-pertinent personal data for such transactions.
- On the Federal level, significant fines/costs must be imposed on those organizations that do not take the appropriate steps to secure personal data.
- Find a way to further secure data by encrypting it, and then implement a method to copy or translate that data so that its content is preserved but the source data can be deleted. This would be similar to what tokenization does for credit card transactions.
- Of course no organization wants to be breached; however, it is imperative that this stigma be removed if we are to tackle this problem effectively. This does not mean removing all consequences; rather, sharing this type of information is a major step in the right direction, and hackers hope and bet that it doesn’t happen. Think of doctors who share best practices (thankfully); why not encourage the sharing of best practices as much as possible?
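To make the tokenization point concrete, here is an added illustration (my own example, not something from the original post or any vendor product) of a vault-based tokenization flow: the raw card number is handed to a vault that returns a random, format-preserving token, and the application record keeps only the token, so the order database can be deleted of card data while the vault still allows the value to be recovered. The vault class, the index key and the sample card number are all constructed for the example; the PAN shown is a well-known test number, not a real account.

```python
import hashlib
import hmac
import secrets

# Constructed sample card number (a widely used test PAN, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check; real PANs pass it, our tokens deliberately fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Format-preserving token: same length and same last four digits as the PAN,
    random digits elsewhere. It is regenerated until it fails the Luhn check so it
    can never be mistaken for (or accidentally charged as) a real card number."""
    keep = pan[-4:]
    while True:
        middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = middle + keep
        if not luhn_valid(token):
            return token


class TokenVault:
    """Hypothetical vault: the one store that holds raw PANs. A keyed HMAC
    fingerprint lets the same PAN map to the same token without keeping a
    reversible index. In production the vault's contents would be encrypted
    at rest and the index key held in an HSM or KMS; here it is in memory."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_to_pan = {}
        self._fp_to_token = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the existing token for this PAN, or mint a new random one."""
        fp = self._fingerprint(pan)
        token = self._fp_to_token.get(fp)
        if token is None:
            token = make_token(pan)
            while token in self._token_to_pan:   # vanishingly unlikely, cheap to guard
                token = make_token(pan)
            self._token_to_pan[token] = pan
            self._fp_to_token[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into the original value."""
        return self._token_to_pan[token]


def store_order(vault: TokenVault, order: dict) -> dict:
    """Replace the PAN in an application record with its token and drop the
    original, so the order database never contains card data."""
    record = dict(order)
    record["card_token"] = vault.tokenize(record.pop("pan"))
    return record


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    rec = store_order(vault, {"order_id": 42, "pan": SAMPLE_PAN, "amount": 19.99})
    print(rec)                                   # token in place of the PAN
    print(vault.detokenize(rec["card_token"]))   # vault recovers the original
```

The security property worth noticing is that the token carries no information about the PAN beyond the last four digits: it is random rather than derived, so a breach of the order database yields nothing a thief can charge, and the only place that must be protected to the card-data standard is the vault itself, which shrinks the scope of what must be defended.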
While there are no silver bullets, I do believe that if this challenge is met with vigilance, consistency and thought, it can be addressed.
I welcome your thoughts and feedback.
Patrick Zanella : AVP / Security, Compliance and Product Practice Head, Zensar Technologies