Everything, everyone, whenever they like. Why data breaches keep happening.
Everyone everywhere is talking about the incredible Oscar winning movie, Everything Everywhere all at Once. I loved every second of it. You should see it if you haven’t already! But I couldn’t help but notice the title almost perfectly explains why major data breaches continue to happen.
I won’t bore you with stats on the rapid increase and sophistication of data breaches. You know that already. I’m also not going to try and scare you. If you understand the stakes, you’re already terrified.
What I am going to tell you is why many data breaches happen in the first place. And what must happen next if we want the onslaught to stop.
Everything: Too much data and for too long
Virtually all organisations store too much personal data. Perhaps it’s for identity verification or simply for keeping past customers on file in the hope that they will someday return. Either way, keeping data around for longer than is necessary increases the risk of a breach.
Many organisations are required to keep personal identification data (such as driver's licences). Requirements vary and can mandate retention of up to seven years, though the period is often much shorter (two years under the Australian Department of Home Affairs rules for telcos, as one example). Yet we have seen many times that records are kept far longer than the rule requires.
Everyone: Too many people have access
According to a survey conducted by the Ponemon Institute in 2021, 70% of employees have access to data they should not see, and 62% of IT security professionals say their organizations have suffered a data breach due to employee access.
Not only are appropriate access controls not being implemented, the controls that are implemented are often ineffective. While there are many products available for access control management, even the best SecOps teams will tell you that ensuring every system has exactly the right controls applied is practically impossible, and it becomes harder still when data is constantly on the move.
Amazon's notoriously complex Identity and Access Management (IAM) platform, while incredibly powerful, has become so unwieldy that AWS has built automated-reasoning tooling (the engine behind IAM Access Analyzer) to prove mathematically that a policy grants only the access that was intended. If top AWS engineers need formal provers to know their systems are secure, what hope has the average DevOps team?
Worse still, a significant number of data breaches start with the compromise of an individual who happens to have legitimate access to systems that store sensitive information. Which raises the question: should that person have had access in the first place?
Whenever they like...?
There’s something about human nature: when we know we are being recorded, we’re on our best behaviour. But the case for recording every time a sensitive record is accessed goes much deeper than that.
It might start with a simple phishing email, but stolen credentials are all too often what is used to siphon millions of records from a customer database. Imagine a castle wall where only a single guard stands between the invading army and the crown jewels. That's the reality of most corporate systems.
Recording exactly what is accessed, when, where and by whom serves a dual purpose. If an attacker succeeds in pulling off the smash and grab described above, then at the very least the job of identifying and notifying the affected individuals is straightforward.
Such access logs play an even bigger role in prevention by enabling periodic access review. When fed into a Security Information and Event Management (SIEM) tool, they let security teams identify and stop breaches before they take hold.
Effective data access logging is a deceptively hard problem. It might seem straightforward to enable query logging for a SQL database, but most of these systems don't include the identity of the end user in such logs: the application connects with a single service account, so every query is attributed to the application rather than the person behind it. Worse still, nothing is logged once the data leaves the database. Say it is exported to a spreadsheet, an employee's laptop or a third-party vendor's database. What then?
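As an added example (not code from the original article), the following Python sketch shows the application-level access journal the two preceding sections argue for: every customer record handed out is logged against the end user, not the shared database account, so that after a credential compromise the affected individuals can be listed exactly, and a bulk read can be surfaced to a SIEM. The customers, users, IP addresses and timestamps are constructed sample data, and the 'more than N distinct records in a window' rule is an assumed detection threshold, not one the article specifies.

```python
"""Application-level data access log that carries END-USER identity.

Added example (not from the original article). The app opens the database
as one service account, so the database's own query log would attribute
every read to that account. Here each customer record returned is journaled
with the human behind it, so that after a credential compromise we can
(a) list exactly whose records were touched and (b) flag bulk reads that
look like a smash-and-grab. All customers and timestamps are constructed.
"""
import sqlite3
import time

# Constructed sample records; names, emails and licence numbers are fictional.
CUSTOMERS = [
    (1, "Ada Lovelace", "ada@example.com", "DL-1001"),
    (2, "Alan Turing", "alan@example.com", "DL-1002"),
    (3, "Grace Hopper", "grace@example.com", "DL-1003"),
    (4, "Claude Shannon", "claude@example.com", "DL-1004"),
    (5, "Joan Clarke", "joan@example.com", "DL-1005"),
    (6, "Edsger Dijkstra", "edsger@example.com", "DL-1006"),
]


class AuditedCustomerStore:
    def __init__(self):
        # One shared connection: this is the "service account" the DB sees.
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
            "email TEXT, licence TEXT)"
        )
        self.db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
        # One audit row per customer record returned, attributed to the end user.
        self.db.execute(
            "CREATE TABLE access_log (ts REAL, end_user TEXT, src_ip TEXT, "
            "purpose TEXT, customer_id INTEGER)"
        )

    def fetch_customers(self, end_user, src_ip, purpose, ids=None, now=None):
        """Return customer rows, journaling every record handed out.
        ids=None is the bulk/export path; a list restricts to those records."""
        ts = time.time() if now is None else now
        if ids is None:
            rows = self.db.execute(
                "SELECT id, name, email, licence FROM customers"
            ).fetchall()
        else:
            placeholders = ",".join("?" * len(ids))  # parameterised, not interpolated
            rows = self.db.execute(
                f"SELECT id, name, email, licence FROM customers "
                f"WHERE id IN ({placeholders})",
                list(ids),
            ).fetchall()
        self.db.executemany(
            "INSERT INTO access_log VALUES (?, ?, ?, ?, ?)",
            [(ts, end_user, src_ip, purpose, r[0]) for r in rows],
        )
        self.db.commit()
        return rows

    def records_touched_by(self, end_user):
        """Breach scoping: which individuals' records did this identity read?"""
        cur = self.db.execute(
            "SELECT DISTINCT customer_id FROM access_log WHERE end_user = ? "
            "ORDER BY customer_id",
            (end_user,),
        )
        return [row[0] for row in cur]

    def bulk_readers(self, now, window_seconds, max_records):
        """Detection: identities that read more than max_records distinct
        customers inside the trailing window. This is what a SIEM rule keys on."""
        cur = self.db.execute(
            "SELECT end_user, COUNT(DISTINCT customer_id) FROM access_log "
            "WHERE ts >= ? GROUP BY end_user "
            "HAVING COUNT(DISTINCT customer_id) > ?",
            (now - window_seconds, max_records),
        )
        return {user: n for user, n in cur}


def demo():
    """Normal support traffic from alice, then a bulk pull from bob's
    (assumed compromised) account. Returns the two findings."""
    store = AuditedCustomerStore()
    store.fetch_customers("alice", "10.0.0.5", "support-ticket-41", ids=[2], now=1000)
    store.fetch_customers("alice", "10.0.0.5", "support-ticket-42", ids=[5], now=1010)
    store.fetch_customers("bob", "203.0.113.9", "report", now=1500)  # everything
    return (
        store.records_touched_by("bob"),
        store.bulk_readers(now=1600, window_seconds=600, max_records=3),
    )


if __name__ == "__main__":
    touched, flagged = demo()
    print("records to notify after bob's compromise:", touched)
    print("bulk readers in last 10 minutes:", flagged)
```

The journal lives in the application because that is the only layer that knows the end user; the database only ever sees the service account. It still stops at the database boundary, which is exactly the gap the paragraph above describes: an export to a spreadsheet or a vendor leaves no trace here.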
Apathy or naivety?
When I made a serious error in my first startup way back in 2005, an investor asked me if the reason was because of apathy or ignorance. For a young man still trying to find his place in the world, this seemed like an unfair question. Of course I cared but did not want to admit I was ignorant either!
Thankfully, these days I'm happy to admit when I'm wrong, but I'm not sure that collectively the business world has recognised its own blind spots when it comes to data security. When faced with a trade-off between improving cyber resilience and some other business goal, it is usually the former that suffers.
Investing in security is often a hard sell because the payoff isn't immediately apparent. And if you do invest sufficiently, then the best case is that literally nothing happens! Business just continues as normal.
In Australia, the sudden increase and ferocity in data breaches has caught many organizations off guard. Driven by major geopolitical changes and a strengthening of its bonds with the US, Australia has become a bigger target for nation states and cyber crime.
At the same time, many of the sophisticated tools used to break into systems or socially engineer people have become so readily available that a teenager with even a mild curiosity about hacking can cause irreparable damage.
Reputation Paranoia
Data breaches are no fun for anyone. They have real and lasting effects on the individuals whose data is lost. They also have damaging effects on the reputation of any company that suffers one. And because a damaged reputation will often result in lost business, lost revenue or a big hit to the stock price, it is understandable that most breaches become exercises in PR damage control.
Tragically, however, fixating on a bruised reputation leads to secrecy around the breach's cause, particularly if carelessness or the compromise of a senior staff member was involved. Security professionals are often left speculating over exactly what went wrong. The opportunity to learn from the mistake, and to help other organizations in the process, is missed.
The Existential. The Absurd. And the human.
When Evelyn has an existential epiphany in Everything Everywhere all at Once, she realises that she has the ability to save her family, her business and herself. But to do so she needed to alter the way she saw everything around her.
Threats to our data security put at risk our institutions, our organizations and our livelihoods. Likewise, mounting effective defence will require a universal change in thinking.
It starts with technology. Current approaches are manifestly inadequate and any organization serious about data security must adopt new technology to keep pace with attackers. Counterintuitively, this can mean taking a risk on something less established and without years of proof in the market. Such is the rate of development.
Governments need to get smart about data privacy regulation and wield not only the stick but the carrot as well. Meaningful penalties for negligence are important but must be counterbalanced with grants and skills programs to uplift cyber resilience industry wide.
The people at the coalface of data protection must start coordinating their efforts and they must be able to do so in a safe way without affecting company reputation or being personally liable.
In reality none of these will provide the security uplift needed to prevent data breaches. Only the combination of all these things and more will achieve the goal. To truly change things we will require Everything Everywhere all at Once.
SEO Specialist + WP Web-Designer | Sales Development Representative
11 months ago: Dan Draper draws a clever comparison in this article between the movie "Everything Everywhere all at Once" and data breaches, highlighting key issues like data accumulation, inadequate access controls, and the need for comprehensive logging. It emphasizes the necessity for a holistic approach involving technological advancements, regulatory measures, and collaborative efforts to tackle data security threats effectively.
Senior Partner EMDG CONSULTING - EMDGrants ~ DESIGN Advocate - Design For Export Awards Judge
2 years ago: Salient & timely insights, Dan