Law of Unintended Consequences
The Ashley Madison affair (no pun intended) certainly brought the issue of private data breach front and center. By allegedly exposing the most personal of information and private thoughts of participants it took the issue of cyber security out of the realm of corporate boardrooms where bottom lines rule to the realm of bedrooms where bottoms rule.
For those of you who are unaware Ashley Madison is a website that presents itself as “ the most famous name in infidelity and married dating,” where “ thousands of cheating wives and cheating husbands signup everyday (sic) looking for an affair.” They claim to be, “…the most famous website for discreet encounters between married individuals,” and offer their services from 中国 (China) to ประเทศไทย ( Thailand) to Canada. (Actual wording on landing page, not mine.)
Wikipedia reported that in July 2015, a group calling itself “The Impact Team” stole the user data of Ashley Madison, and on 18 and 20 August, the group leaked more than 25 gigabytes of company data, including user details. Kim Zetter of wired.com provides some details of what actually happened and how the hackers did their dastardly deed. Needless to say, the hacked data became a treasure trove of real or imagined events. Journalists and their readers from Sudbury, ON to Boston, MA had a field day spawning a short-lived industry focusing on modern day morality and modern day technology.
Not So Fast
It was widely expected that the data breach would effectively be the end of the controversial website, but parent company Avid Life claims that people are using the site more than ever. Today the site claims 43.46 million members in comparison to the 39 million acolytes it claimed at the time of the breach. Despite the surge in subscriptions, the website’s future is still uncertain as Avid Life faces several lawsuits from disgruntled customers, which will inevitably be costly.
A Picture is Worth a Thousand Words
Computer Dealer News recently joined the Ashley Madison controversy. It made the observation that in the Ashley Madison hack it wasn’t the size that mattered but the quality of the data. CDN listed the 10 largest data breaches as follows:
Have We Made No Progress ?
Ashley Madison pales in comparison to these hacks. So the question that CDN’s Dave Yin asked is,”Why are these breaches still happening given the number of security tools and practicing MSSPs ( Managed Security Service Providers) ?”
Scott Montgomery, vice president and chief technical strategist at Intel Security and Mike Canavan, vice president of sales engineering at Kaspersky Labs suggest the answers lie in several areas.
Business Behaviour 1 : Minimize Expenses
Firstly, clients and customers value the data differently. Whereas an individual might assume his personal data is being managed and treated with the same respect he treats it, companies tend to think of the cost of security. Client data is stored with millions of other client data in a database. Fences are not erected around each piece of information but rather around all the information. Once the wall is breached all the information is accessible.
Business Behaviour 2: Maximize Revenue
Secondly, companies frequently do not use the full range of capabilities their devices and software provide. This small percentage utilization may be a function of cost or lack of familiarity with the functionality of the tools. Think of the 380-page handbook which came with your new car. Did you read and understand every page? Likely not. You read the minimum necessary to get going. Companies frequently behave the same way. Although their devices may support extra layers of security, they might lack the technical skills to configure their devices correctly to maximize security.
Business Behaviour 3: Think Bottom Line
Thirdly, many companies have assumed a posture that a data breach is inevitable and have assumed an attitude of breach containment rather than breach prevention. The companies are more interested in keeping the damaged area as small as possible, rather than preventing the harm itself. This type of thinking usually involves a risk assessment which attempts to value the cost of insuring against a breach ( security software) versus actual cost of a violation such as legal fees, loss of business, client mitigation expenses.
Get a Professional Opinion
Jolera believes the central concern of any security evaluation must be the impact the loss may have on clients. What is the value the client ascribes to the data?, What is the impact of a loss to the end user? What processes will the client follow to mitigate the breach? By placing the client at the focal point, the financial losses can be properly evaluated and different strategies appropriately weighted. A valid assessment requires an intimate knowledge of hardware, software and business economics. Call Jolera for a professional assessment of your security posture. What you don’t know can really hurt you.