Lately, we have been hearing a steady refrain concerning cybersecurity:
“It is impossible to guarantee security. Breaches are inevitable.”
Is it really so because it is asserted with authority and confidence? Is it so because it is oft repeated?
Inevitably, we are humans, and so our ability to guarantee anything concrete and enduring is similar to our ability to guarantee our own individual existence. In the sense that I cannot even assure myself that I will be alive tomorrow, or in a week, I can agree that I cannot ensure that my network won’t be breached. Fine.
So, is that the end of the discussion?
The reason that I ask this question is this: while many security professionals are riding the “breaches are inevitable” bandwagon, security vendors continue to suggest that their product or service will help organizations – to one degree or another – avoid or delay the inevitable breach. Seems inconsistent to me.
Yes, security is primarily about reducing, not eliminating, risk. But how much risk reduction is enough? Who gets to say what is the right amount of funding, resourcing and attention on this issue for a given situation?
To pick on one recent victim, Capital One allowed 106 million records to be obtained by at least one unauthorized person, and they only learned that they were breached because they received a tip from an external party. Had that person not cared, or had the alleged hacker been less sloppy, we might not yet be aware of this breach. That is not encouraging.
Now, I’m not privy to Capital One’s security team staffing, operational processes or budget, so I cannot assert negligence or limited budget or incompetence or malfeasance, nor can I state with any certainty that the security team was at the top of their game but ignored or maligned by business units. Over the years, I have seen various combinations of the above scenarios. But what can be said with some assurance, given that Capital One has admitted it openly, is the fact that they were not aware of this issue until July 19, 2019, and that they were alerted to it by someone outside their organization.
The extent to which security breaches are inevitable is proportionate to the following:
- The strong desire and inclination of consumers towards convenience and ease of use.
- The incessant fascination of businesses and consumers with new features, functions, and capabilities (and shiny things in general) regardless of need or risk.
- The speed with which we forget something like the Capital One breach, especially if we are not directly impacted in the most negative fashion (i.e. a major ID theft impact that damages one's credit and takes months or more to resolve).
As a commentary on our attention span, when is the last time you heard anyone mention the First American Financial Corporation breach which occurred in May 2019?
As long as we consumers rate convenience and features over data security or privacy, organizations will continue to prioritize their efforts towards delivering the former over the latter.
As long as organizations rate ease of use, features, and customer acquisition over data security or privacy, attackers are going to have a field day with corporate networks/applications, and with the corporate and/or personal data that they contain.
And breaches will consistently occur.
This will only begin to change when the pain of breaches becomes more significant for more people (and for the right people). When we start to see breaches where 50% or more of the consumers impacted suffer a real consequence, such as a loss of dollars/euros/etc. in the thousands, plus broken credit that takes 3-6 months to begin to fix, then we will see consumers start to make choices that affect the existence of the breached entities, and that send clear messages to those organizations who have yet to be breached (or are not yet aware of a potential breach). And when that starts to happen, and organizations realize that a breach will have real and lasting consequences for their top and bottom lines – such as the defection of 30-60% of their customers in a single bound – then we will start to see changes made that will greatly reduce the scope, impact and frequency of corporate data breaches.
I suspect that we are one or two years away from breach legislation passing that will put a bottom limit on what must be paid to consumers whose data is lost in a breach. Imagine if that number were $500.00 or $1000.00. Do you think organizations would behave differently then, if they had to guarantee a payout of $1000 to every individual whose records were lost in a breach?
But, of course, we’ll never get there until the breaches get big enough, with enough impact, against enough people – and affecting the right people.
To the extent that breaches are inevitable today, it is because we are collectively unwilling to do more to lower the risk that they will occur.
Don’t believe me? Let me ask you a simple question:
Are you using multi-factor authentication on all of your accounts that support it?
No? Perhaps you don’t care enough either. Well, until you do, don’t expect many organizations to care that much, either. After all, this breach stuff is inevitable…