By Greg Scott, CTO, Infrasupport Corporation
I was in a Barnes and Noble bookstore last summer, pitching my new book, “Bullseye Breach.” It’s an educational book about IT security disguised as an international thriller story about how Russians invade a corporate network and steal 40 million customer credit card numbers. The young man behind the counter was unimpressed. But a lady in the store wearing a pink jacket overheard me making my case. After a while, she stepped up and said, “It’s such a shame that our greatest companies are sitting ducks for all these attacks and there’s nothing we can do about it.”
I told her that wasn’t true, there are lots of things companies can do, and they don’t cost a fortune. I don’t remember everything I said for the next few minutes, but after a while, I realized everyone in the store was watching my harangue and I decided it was time to shut up.
This is where it gets good. She smiled and said, “I can see you’re passionate about this,” and she bought the copy of my book I was carrying on the spot. I interpreted that as a hopeful sign.
Since then, I’ve given away more books than I’ve sold. I need to learn more about marketing.
I’m a gravel in the belly IT professional and I’ve been fascinated by security for a long time. Sometimes people ask me, why do all these data breaches keep happening? My answer is always the same – because the business leaders in charge don’t care enough about the problem to do anything about it. And that’s why so much of the general public shares the same mistaken belief as the lady I met at Barnes and Noble.
Just a few examples of organizations plundered because their leaders didn’t care:
- Back in 2007, TJ Maxx lost tens of millions of customer credit card numbers when crooks invaded a weakly secured store Wi-Fi network from the parking lot.
- For a time, credit reporting agency Experian unknowingly funded an identity theft service.
- We all remember the Target breach, when the corporate IT Department ignored warnings from the multimillion-dollar monitoring software it had installed and from its own security center in India, and 40 million customer credit card numbers traveled to Russia over the Internet.
- In 2014, Home Depot lost 56 million credit card numbers. According to news reports, the chief security engineer at Home Depot was apparently himself a crook – he’d been fired from his previous job for sabotaging his previous employer’s computer systems.
- North Korea destroyed 30,000 computers and shut down Sony Pictures because of a dumb movie and apathetic management.
- In the US Office of Personnel Management breach, the Chinese stole confidential information about millions of US Government employees, including everyone who applied for a security clearance. This happened after an Inspector General report recommended OPM shut down several key systems because they had so many security vulnerabilities. And then OPM made the problem worse by sending “Click Here” emails to victims, some of whom were further victimized by scammers who impersonated OPM’s emails.
- Anyone who stayed at a Trump Hotel during several key months in 2014 and 2015 had their credit card numbers stolen.
- Granting equal time to the other side of the aisle, nobody knows whether Hillary Clinton’s emails were compromised while she was Secretary of State.
I could fill a book with examples. And the common theme among all of them is an executive suite either too complacent or too apathetic.
Wonderful. So how do we fix the problem? The security industry has lots of great advice, but start with two words for business leaders that rhyme, so they’re easy to remember: care and share. Care enough about security to invest more than lip service, and share what you’re doing about it with peers and the public. Present it at conferences and subject it to rigorous peer review.
The sharing part is counter-intuitive and I already hear objections. Nobody wants to be embarrassed after a breach by sharing details. Sharing just gives away information to the bad guys, right? Well, no, it doesn’t. And this debate has been going on since at least 1853, when the famous American locksmith Alfred Charles Hobbs published his authoritative and controversial book, “Locks and Safes: The Construction of Locks.”
In fictional “Bullseye Breach,” crooks are loosely organized into an entire global value chain. This mirrors the real world, where crooks communicate and collaborate via underground Internet discussion forums every day. Bad guys already know how to penetrate you. Why not level the playing field and give good guys some weapons?
“Bullseye Breach” is available at all the major booksellers. You can find more information at the book website, http://www.bullseyebreach.com.