True or False? You Only Get the Data Security You Can Afford
Richard Koski
COO / CIO / VP, Operations - Structuring businesses for innovation and sustainable growth
I recently ran across a 2007 Car and Driver article about auto safety. One sentence, in particular, struck me.
“Like prime real estate and good medical care, the safest cars go first to those who can pay for them.”
In a related Consumer Reports article, I saw a statement that in a head-on collision between a sedan and an SUV, the passengers and driver of the SUV are 8 times more likely to survive. While not 8 times more expensive, there is little doubt that, on average, SUVs carry higher sticker prices than sedans, weigh more and have a higher center of gravity. So it’s not difficult to imagine the outcome of even a moderate-speed head-on encounter between an average-size compact sedan and a typical-size SUV.
Does this price-tag-to-safety advantage apply to data security as well? Is the safest data security only available to those organizations that can most afford it?
Well, not totally.
Here are some contrarian thoughts on that affordability-security statement:
The Federal Government, whose budget is over $3,000,000,000,000 (that’s trillion in case you lost count of the zeros), is experiencing an increasing number of embarrassing data and security breaches. The Office of Personnel Management (2 breaches), the Department of Veterans Affairs and the IRS have been compromised at one time or another in the recent past – not to mention the whole WikiLeaks thing.
The Office of Personnel Management hack especially hit home. As a Veteran, who formerly held a high security clearance, and having a son with a currently active clearance, it is likely that information regarding both of us and our immediate families was compromised.
JP Morgan Chase, with assets of $2,600,000,000,000 (that’s trillion too) has had the data regarding 76 million households and 7 million small businesses compromised.
Target, Wells Fargo, Home Depot, Anthem and eBay, all very large companies, have also had data compromised.
It appears that, independent of the ability to pay, data and information remain disturbingly vulnerable. Foolproof security, at any cost, remains elusive. That does not mean you should throw up your hands and give up. There is a lot that can be done.
Security is not all about external hacking:
In fact, sophisticated hacking schemes are only one of the 7 categories of data security breach. The other 6 include:
- Insider Theft
- Data on the Move
- Accidental Exposure
- Subcontractor leaks
- Employee Negligence, and
- Physical Theft
Ubiquiti, a $350M high-tech company, was bilked of an estimated $47 Million through an email scheme in which the fraudsters pretended to be company executives requesting payments per the firm’s normal authorization policies. The theft required only the use of the company’s standard communications systems and financial processes, acted upon by legitimate employees.
Contributing to this $47M debacle:
1. Processes, procedures, controls, training and standards were not in place.
2. Backup, testing and audits of those processes and procedures did not exist.
3. Tools commonly used by front-line employees were either exploited or used without critical thinking – just following orders.
4. Executives spoke like executives, assuming team members would request clarity where needed, use critical thinking skills and act within the “principles of good practice” guiding their profession.
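Pretending to be an executive in email leaves traces in the message headers that a mail filter can score before a request ever reaches the finance team. The following is an added example, not code from the article or from Ubiquiti: the company domain, executive roster and sample messages are constructed for illustration. It flags three indicators: an executive’s display name paired with an external or lookalike sender domain, an executive’s display name on an internal address that is not the one on the roster, and a Reply-To header that quietly redirects replies to a different domain.

```python
"""Flag inbound e-mail that impersonates a known executive.

Added example, not code from the article or from Ubiquiti: the company
domain, executive roster and sample messages below are constructed.
"""
import re
import unicodedata
from email.utils import parseaddr

# Constructed: the company's own mail domain and its executive roster.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "John Roe": "john.roe@example.com",
}

# ASCII look-alikes commonly used in registered lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_name(name: str) -> str:
    """Canonical form of a display name: accents stripped, case folded,
    tokens sorted so 'Doe, Jane' and 'Jane Doe' compare equal."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    return "".join(sorted(re.findall(r"[a-z]+", folded)))


EXEC_BY_NAME = {normalize_name(n): a.lower() for n, a in EXECUTIVES.items()}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but folds to within one edit of it
    (examp1e.com, exarnple.com, example.co, exampl.com)."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    folded = domain.translate(CONFUSABLES).replace("rn", "m")
    return edit_distance(folded, COMPANY_DOMAIN) <= 1


def score_message(msg: dict) -> list:
    """Return the impersonation indicators found in one message's headers.
    An empty list means none of the three checks fired."""
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    roster_addr = EXEC_BY_NAME.get(normalize_name(display))
    if roster_addr:
        if from_domain != COMPANY_DOMAIN:
            kind = "lookalike" if is_lookalike(from_domain) else "external"
            reasons.append(f"executive display name '{display}' from {kind} domain {from_domain}")
        elif addr.lower() != roster_addr:
            reasons.append(f"executive display name '{display}' on non-roster address {addr}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To redirects replies to {domain_of(reply_to)}, not {from_domain}")
    return reasons


def flagged_indices(messages: list) -> list:
    """Indices of the messages that raised at least one indicator."""
    return [i for i, m in enumerate(messages) if score_message(m)]


# Constructed sample headers, as a gateway filter would see them.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Q3 plan"},
    {"From": "Jane Doe <jane.doe@examp1e.com>", "Subject": "Urgent: wire today"},
    {"From": "Jane Doe <ceo.office@gmail.com>", "Subject": "Urgent: wire today"},
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "jane.doe@outlook.com",
     "Subject": "Confidential"},
    {"From": "Acme Vendor <billing@acme-vendor.net>", "Subject": "Invoice 1042"},
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLES):
        print(i, m["From"], "->", score_message(m) or "ok")
```

Run as a script, it prints a verdict for each sample; only the genuine executive message and the vendor invoice pass clean. Header scoring like this is one layer: it complements SPF/DKIM/DMARC alignment checks at the gateway, and it does not replace the process control this incident points to, which is out-of-band confirmation of any payment request with the requester before money moves.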
The Highest-Return Security Investment is Behavioral Discipline
It is easy to blame executive management for data security breaches. There is no question that corporate executives set the culture, tone and expectations of the employees of a firm. But corporate cultures range from highly regimented “Do what you’re told and don’t ask questions!” to venture-funded millennial startups where employees are encouraged to follow their creative muses. Whatever the culture, individual employee data management and handling discipline is essential.
Quoting the Car and Driver article once more, “the single greatest variable in vehicle safety is the loose nut behind the steering wheel.”
Four Ways to Secure Loose Nuts
1. Apply Systems Thinking
Systems thinking is an approach to problem solving that views "problems" as parts of an overall system, rather than as specific negative incidents. It requires understanding how specific actions and activities influence one another within the larger context. Solutions designed with systems thinking avoid unintended consequences.
An example: An administrator solves the problem of remembering her password by taping it to the bottom of her keyboard. While this may solve that specific problem, it puts in jeopardy the larger objective of rigorous data and information security.
2. Deploy Proper and Reasonable Controls
By controls we mean authorizations, validations and checkpoints. Identifying the proper targets and robustness of these controls requires both vulnerability and impact assessments based on systems thinking. Hence the word reasonable, or perhaps proportionate: you need the strongest controls on the systems that are most vulnerable and whose compromise would have the greatest negative implications for the whole system.
3. Deploy Sound Basic Security Disciplines and Policies
Writing security policies to reduce or eliminate data vulnerability is only as good as the training and daily practice discipline of following them.
In sports there are two types of training: a) basic physical-conditioning training and b) circumstance-specific training. Both are required. You can’t effectively run a play or play a match if you or the team are out of condition. Conversely, even if you and the team are in great condition, you won’t succeed unless you execute well-coordinated, circumstance-specific plays, whether it’s doubles tennis or football.
Basic security training is like basic physical conditioning. It doesn’t happen once; it must be repeated and reinforced frequently.
In the "essential" daily practice discipline category, changing privileged passwords frequently is critical and basic: shared administrative and service-account credentials should be rotated on a schedule, and immediately whenever someone who knew them leaves the team, ideally from a vault that generates and rotates them automatically. (Forced periodic changes of ordinary user passwords are a different matter; current NIST guidance in SP 800-63B advises against them.)
4. Build a Critical Thinking Culture
In the context of data and systems security, the most applicable definition of critical thinking is the skill or propensity to engage in a task with analytic curiosity.
Under this definition, an employee in a critical thinking mode is not only focused on “what” they are doing, but also asking “why” and thinking about the implications several steps ahead.
In reality, not every employee can, or should be expected to, do that 100% of the time. Imagine what a Starbucks experience would be like if each employee in every location took the time on every order to think about what they were doing in this critical thinking way before preparing your morning coffee fix. Productivity requires a certain degree of controlled, yet soundly designed, rote.
Nonetheless, at minimum the people that design the jobs, map out the tasks, design the systems, layout the flows and define the outputs should be thinking critically and in a systems way.
The employee? They should be encouraged and rewarded for thinking too, and for offering their concerns, ideas and observations frequently. But at the foundational level of security, it is IT’s role to lay the groundwork and influence the culture to make asking questions and seeking clarity OK.
Final Thoughts:
When it comes right down to it, few of the data and systems security approaches that exist have proven completely impenetrable, no matter the economic ability of the organization to invest in security. Furthermore, only 1 of the 7 reasons for security breaches listed above is truly systems related. Nonetheless, that’s what seems to get all the attention and investment.
As the graphic says, the most significant security exposure is from poor organizational rigor and discipline, rather than weak encryption. In the words of the late Jim Rohn, entrepreneur, author and motivational speaker:
“We must all suffer one of two things, the pain of discipline or the pain of regret and disappointment.”