Thursday 15 February 2018

Listen Up Enterprises: Data Security Isn’t a Priority, It’s YOUR Legal Responsibility
Today, hacking and data breaches, where groups or individuals force their way into an organization’s computer systems and steal user information from them, are a daily occurrence. Let’s not get into the rights or wrongs of those hacking these systems, as some could make a case that they are doing it to expose how little importance is given to the security of information. Whatever the reasons, hacking and the theft of private individuals’ and corporate information happens – it is even expected now – and most organizations still seem to have a laissez-faire attitude toward it.

Cybersecurity protection efforts have largely fallen on private sector institutions, but many government officials and security experts believe not enough is being done and that more standards and legal regulations are needed. To be fair, there are some regulations in place, like HIPAA, PCI DSS, and ISO, that offer standards for organizations to understand how to conduct security, and there are also industry best practices that have become accepted as proper procedure. However, many of the current federal regulations don’t specify what cybersecurity measures must be implemented and require only a “reasonable” level of security, which leaves room for interpretation and loopholes for companies to rely upon.

This is unsustainable. The information that is taken is often personal information: email addresses, telephone numbers, physical addresses, login details, and so on. This is all information that should never be available on a web server, on a database connected to a web server, or on any computer that has a web connection. It is highly sensitive and often can’t even have a maximum monetary value put on it; nevertheless, when a breach happens, most organizations simply downplay the impact on those affected, or merely offer an apology, say they will “evaluate” their current policies, and then move on to business as normal. This lack of respect for confidential information highlights how deeply the security industry is broken.

Let’s just look at the fallout from the 2017 Equifax breach that affected over 145 million customers. It has been more than half a year since the breach was first revealed, and the company has been under legal investigation for months now, yet only a week ago more details on the depth of the breach came out. The company revealed that attackers may have also stolen very sensitive information, including tax identification numbers and additional driver’s license and credit card details, as well as phone numbers and email addresses. This is all highly personal information that hackers can leverage to impersonate people, yet Equifax has not been forthcoming with details and has tried to cover up how deep the breach went. Yes, the company has already incurred financial loss from the breach and will most likely receive a large fine, but this does not seem to have deterred it from trying to downplay the situation even today.

This is unacceptable. When will enterprises start taking data security seriously?

More industry push is coming to create better legal parameters for how vendors protect customer data, such as the GDPR. These are a first step toward bringing more responsibility to enterprises, but despite an almost two-year transition period, research suggests that a majority of companies are still not ready for enforceable compliance starting in late May 2018. More importantly, this is a European law that happens to affect many US companies, not a US law looking to hold US companies responsible for their data security policies.

When you think about the value of the information customers and users submit to organizations, information that is highly sought after by hackers to capitalize on and sell on the black market, it surely is not too much to ask that organizations have a responsibility to protect this data. After all, customers are generally paying organizations for a service or product. Shouldn’t part of that payment be for the safekeeping of their information? As the number of security breaches and threats continues to rise, it is time vendors start taking data protection more seriously and viewing it as a legal responsibility, not just a suggested industry policy or even a priority. Enterprises must take a closer look at the security protocols they are using and at how and where they store data, and re-evaluate what tools are needed to keep user information protected from hackers ready to access and steal it and use it however they wish.
