Let’s say there was a bank that locked the front door at night but left all its money sitting out on a table instead of securing it in the vault. That would be incredibly stupid — an invitation for thieves to break in and make off with the loot.
And it’s precisely what nearly every big company and government agency does with people’s personal data.
Barely a week goes by without news of yet another security breach involving a corporate or government database. On Wednesday, the burger chain Sonic said its payment system had been hacked, with millions of customer credit-card numbers reportedly being snatched by bad cyber-hombres.
Consumers are still reeling from the massive breach of credit agency Equifax, which exposed 143 million people to potential fraud and identity theft.
The company on Thursday said it would allow consumers to “lock” their credit files for free — basically the same as a credit freeze but easier to use — and the interim chief executive, Paulino do Rego Barros Jr., expressed his “sincere and total apology.”
Experts generally acknowledge that it’s impossible to keep hackers at bay. The black hats are just too clever and too determined.
“There’s no such thing as a totally secure network,” said Nick Mancini, managing partner of the Tech Consultants, a Woodland Hills technology firm. “As long as things are interconnected, security will always be compromised.”
So the question becomes: Why do businesses and agencies make it so easy for hackers to make off with their digital assets?
Some companies conclude that it’s cheaper to accept losses than upgrade security.
Relatively few databases are protected by strong encryption — software that turns the contents into gibberish for anyone lacking digital keys to unlock all the goodies. As a result, once hackers break through a network’s defenses, they gain access to everything.
The Privacy Rights Clearinghouse in San Diego estimates that just over 7,700 security breaches have been made public since 2005, resulting in more than a billion records being compromised.
Data at stake in many such incidents can represent some of the most sensitive details of a person’s life — Social Security numbers, driver’s license numbers, credit card numbers, bank account numbers, medical files, legal files, confidential correspondence, and on and on.
And frequently, as in the case of Equifax, the company never even asked permission to maintain such records. It just collected people’s personal information and profited by selling it to business partners.
“If they’re holding personally identifiable information, it should absolutely be encrypted,” said Pablo Garcia, chief executive of Aliso Viejo’s FFRI North America, a maker of cybersecurity software. “I’m almost at the point where I expect my personal information to be stolen every now and then.”
The main problem, he and other tech-security experts say, is one of convenience.
Most businesses view strong safeguards such as top-of-the-line encryption as an impediment to getting things done and being competitive. Because info frequently moves from one place to another, the requirement that all people accessing the network have digital keys can slow things down significantly.
Strong encryption also can slow entire network systems and websites, again impacting ease of use.
Anything that impedes commerce or a transaction obviously can have a material impact on a company’s bottom line. Meanwhile, the annual cost to a large business of maintaining extensive security measures can run in the hundreds of thousands if not millions of dollars.
“Compared to that, businesses look at the actual losses they might suffer in a breach as minimal,” said John Gunn, chief marketing officer of Chicago’s Vasco Data Security, which focuses primarily on the banking industry. “Some companies conclude that it’s cheaper to accept losses than upgrade security.”
This is, of course, completely unacceptable.
Here’s Equifax: “Safeguarding the privacy and security of information, both online and offline, is a top priority for Equifax.”
The idea that a company in the digital age can’t be bothered to do everything possible to keep a lid on people’s data is no less reprehensible than car makers arguing, as they did for decades, that airbags in vehicles are unnecessary because they’re too expensive and cumbersome. Federal authorities say mandatory airbags now save thousands of lives a year.
As with airbags and other safety measures, it appears that industry won’t take the necessary steps to protect databases until required to do so.
So I propose a regulation that any company or government agency with a database containing more than 10,000 names be required to encrypt all stored data. If that’s inconvenient, boo-hoo. Standing in line for a security check at the airport is inconvenient, but we all do it because we have to.
To give the regulation some teeth, I propose a fine of $100 for every person affected by a security breach, up to $100 million.
This strikes me as a sufficiently persuasive incentive for organizations to step up their games and take the necessary steps to prove they really do care about customers’ privacy.
It also provides a level playing field, allowing companies that take information security seriously to gain a competitive advantage over those that don’t. Again, an incentive for good behavior.
“The internet wasn’t built for security,” said Willy Leichter, vice president of marketing for Virsec Systems, a San Jose cybersecurity firm. “It was built for openness.”
Times change. And the guardians of our personal information have to change with them.
That’s a polite way of saying, “Put the money in the damn vault, you fools.”
MORE FROM DAVID LAZARUS