There is no vaccine for data breach
Veterans Affairs is the latest organization in the never-ending list of those that have experienced a data breach. The problem is well understood, but few organizations show much desire to weed out the root cause. In their own words:
A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols.
Let's dissect this statement a bit and try to understand what possibly happened. The details, of course, will emerge in due course. So, against a government agency that spends millions of tax dollars to secure and maintain these systems, it was possible to carry out social engineering attacks, which often means fooling people into clicking on links they shouldn't. And these systems were protected by authentication protocols that could be exploited, possibly easily.
I understand that for every breach the current solution is to provide free credit monitoring. All this limited free credit monitoring does is alert you if someone steals your identity in the next few months. What if the identity is stolen after that period? Is there any recourse? What about the dollars spent over the many years on compliance costs, security testing, and consultant fees? Should there be any accountability there?
If you store pots of gold in your house, sooner or later someone will figure out how to steal them. Why not focus on reducing the amount of sensitive data that is kept? How about decentralizing it and letting the actual owner of the data have a say in how and where it's kept? How about wiping it out after its use? How about rethinking your authentication and access management systems? Do you need to keep all your credentials in one place?
I have no intention of singling out Veterans Affairs. It's not an outlier. In fact, it's part of a growing list of organizations in the public and private sector that have experienced unauthorized access and data breaches recently. This list is going to grow longer over the next few months and years unless organizations start acting today: not by buying bigger locks, but by rethinking how they store credentials and data, increasing internal accountability, and involving their users and customers, whose data they store. Each of these incidents should act as a wake-up call for every single company. No one is immune.
Comment from a Head of Business Technology & Automation Engineering at BILL (11 months ago): Shashank, incredible!
Comment from a Digital Marketing Strategy professional (SEO hacking | Content marketing | Crowd | Lead generation | PPC | CRO | Web-development & Design) (1 year ago): Shashank, thanks for sharing!
Comment from a Life Sciences leader (Regulatory Validation & Compliance Risk | Real World Analytics) (4 years ago): Getting right the potential for misuse and overuse of data, and the loss of value due to its underuse, has been a particular challenge in healthcare. The creation of secure industry data trusts (some with a decentralised approach) is evolving and could provide control to the owners of the data while providing value to the public.