The negative aspects of the digital world have begun to rear their ugly heads. It took some time, but they’re here, and in full force. Going digital has meant that everything happens at the speed of light, as one CEO stated when this particular revolution began. The problem is, of course, that when everything happens at the speed of light, the bad stuff happens at that same exact speed: from bringing down much-needed infrastructure, like your electric company (a possibility), to bilking individuals for thousands of dollars, possibly hundreds of thousands (an everyday reality).

The world, being not only digital but capitalistic as well, has unleashed a new breed of “entrepreneurs” who share the opinion that there is nothing higher than the almighty dollar (ruble, yen, pound, what have you). The fact that their activities are quite criminal has not deterred these entrepreneurs. Indeed, if the authorities, local and global, cannot catch you, would you pass up the chance to make a million bucks in a fortnight? Perhaps. But what if the amount offered were ten million bucks in a fortnight? One hundred million? The temptation may be, and is, too great for some.

Ultimately, there is only one way to curb the activities of such criminals. You do it the same way you curb normal, everyday crime: you go after the criminals. As of right now, this is a near impossibility. Not only is law enforcement bound to its respective localities, but the system these new criminals are leveraging, the internet, was designed to be free and open (and global, although that was not part of the original specs), making it easy to perpetrate acts of delinquency. As far as I can tell, there are no plans to overhaul either the internet or each country’s laws and international law, and even if there were, the implementation would be measured in decades, in my opinion.

So, what are companies to do when they deal with billions, in some cases trillions, of cash flow every day? This is the money criminal masterminds are targeting, after all. Companies are left to fend for themselves, plain and simple. What I find disturbing about this is that, at first glance, they don’t seem to be interested in digital protection. I wouldn’t say that they can’t; they certainly have the wherewithal, and the technology is there for effective data security. But they’re doing a terrible job; in some cases, they’re not doing anything at all. Let me give you an example of both instances.

The classic case of not doing anything, security-wise, is not using full disk encryption on laptops. Full disk encryption, also known as whole disk encryption or hard drive encryption, means encrypting all the contents of your computer’s hard drive. This literally means encrypting everything: your most sensitive files, yes, but also the operating system, temporary files, the Minesweeper game, Solitaire, everything. Full disk encryption is a lifesaver for those occurrences in life that one cannot control: theft, loss, misplacement, and other instances where one doesn’t know what happened to a laptop. Specific examples of not doing anything would be the theft of laptops from the Veteran’s Association hospitals that have been covered in the news, although that is one example out of many.

The classic case of doing a terrible job would be the TJX case. The largest retail data breach in history to date, the TJX case is a prime example of what can happen when management decides to take chances with security (or the lack thereof). Hackers were able to trawl millions of credit card numbers because TJX was using an old encryption protocol for wireless data transfers. Management was aware that the encryption protocol in use was not secure, but decided to keep the ineffective method in place due to cost issues. This is tantamount to a bank deciding that it won’t change a busted lock on the bank’s front door because, at first glance, it looks like the lock works, and a new lock would cost too much money. But, if someone comes along and kind of jiggles the lock…no more security.

Unfortunately, instances like the above are recurring themes, and security experts have pointed to them as proof that companies are playing a game of chicken when it comes to data security. And as the security experts point out, a lot of these security measures are not hard to implement. For example, if your workforce consists of a substantial number of mobile workers, it makes sense to secure the data found on their laptops with full disk encryption. Indeed, the experts would insist on it.

However, this raises the question of whether what we’re seeing is truly a case of companies playing chicken with their customers’ data. Could it not be a case of selective bias? After all, you’d expect to read about instances of a data breach in the news, but there’d hardly be a peep if a computer was lost but the contents secured with full disk encryption; the latter is, security-wise, almost as insignificant as losing a tennis ball. Plus, consider this: the many state laws passed since California approved Senate Bill 1386 generally don’t require a public announcement if data is secured with encryption.

When you consider the disparate pressures for reporting a loss of consequence versus one of no consequence, it only makes sense that even if companies were doing a good job of securing their digital assets, the media can only paint it otherwise: no one’s going to report on the loss of an encrypted laptop, a non-event. The New York Times won’t headline the theft of my 1992 Honda Accord, for example.

In such an environment, the only way to effectively know if companies are doing their utmost to protect customer data is for companies to openly announce it and consolidate that data. Already, a number of companies are beginning to announce via press releases that they’ve partnered up with a security vendor to protect their digital assets. Consolidating such data may be a better way to assess whether companies are proactive when it comes to corporate data security.

Ironically, the problem with such announcements is that they may mean an increased chance of a security breach. For example, if it turns out that a particular data security solution can be bypassed due to a little-known flaw, potential hackers would easily know whom to target.

All the more reason, then, to use an encryption solution that has foiled every attempt to crack it, time and time again, because the fundamentals, like AES and RSA, are solid.

Tim Maliyil is CEO and founder of Data Guard Systems, Inc., a leading developer and marketer of endpoint managed security services and online business management software, based in New York City. Data Guard Systems is an Application Service Provider (ASP) and offers intuitive business management software to various industries. Data Guard’s flagship product is the AlertBoot data security managed service. AlertBoot offers full disk encryption and a comprehensive suite of disk security solutions as a centralized, managed service. Deployment times and support are significantly reduced, thus resulting in a lower overall total cost of ownership for an organization. Prior to founding Data Guard Systems, Mr. Maliyil served as the Director of IT at HarborTech, a privately-held supply chain house for the semiconductor industry. He also held various positions at Netegrity (now Computer Associates). Mr. Maliyil holds a B.S. in Computer Science from Tufts University.




Author:
admin
Time:
Thursday, June 19th, 2008 at 7:27 am
Category:
Software Reviews