When I was in my 20s, technology was simple. All I had to do was make things work. Back then, the only question to answer when debating features was, “Could we?” — never, “Should we?” Even when a huge stack of records management requirements landed on our desks we didn’t worry about the impact to the core functions of our system.

Then the world of "WarGames" became open to people with the right skills, technology and IP address.

Every system is slowly being connected to the Internet as organizations look for ways to make their staff's and customers' lives easier. Organizations have no choice as both staff and customers complain when they cannot access basic information over the Internet.

And sharing this access can be an opportunity. Organizations can learn more about the work habits of their employees, correlating which behaviors relate to good or poor performance. On the customer side it provides businesses with a flood of data, allowing for more personalized communications, which in turn lead to more focused marketing and a firmer understanding of which campaigns work and which ones don’t.

Unfortunately the benefits spread to hackers as well. Hackers have more opportunities and greater rewards when they breach a system. Hackers don’t care if a person is more likely to attend an event with SharePoint in the title. Hackers do care about email addresses, that a customer works for a government entity, lives in a nice suburb of DC and tends to vacation in August. The customer can now be targeted as a potential pathway to hack that government entity or be set up for a robbery come next vacation season. Simply ping the email address every week for an out-of-office reply.

As collectors and keepers of that information, what should organizations do? What are they obligated to do? Privacy statements are important but even if there is no plan to share the information, how much effort should be taken to ensure that the implied trust is not violated?

So Much Information

When we hear about breaches, we rarely hear about financial or HR data being exposed. Sony was an exception more than the rule in this regard. The exposed information is usually customer information.

Organizations cannot stop determined hackers from getting into a system. Between zero-day exploits and tricks to gain access through the credentials of a valid employee, access can be obtained. When hackers breached the US Office of Personnel Management (OPM), the information lost was clearance applications filled out by Federal employees and contractors. To truly understand the impact of the lost OPM data, you have to know what information a typical clearance form contains:

  • Addresses for the last seven-plus years
  • Social Security Numbers and birth details for you, spouse, kids, parents
  • Your complete employment history
  • Contact information for people who have known you at all those addresses and jobs

That is just the tip of the iceberg of the information collected. With the information provided, not only can identities be stolen, so can the identity of a newborn child. Affected kids now need a lifetime of identity theft protection.

Everyone likely needs that protection. The information lost in most attacks includes details beyond credit card numbers. Three years of protection means nothing as it takes criminals years to leverage all of the stolen information.

Treat All Systems Equally

If organizations plan to keep detailed information on customers, prospects and random people who visit the website, the data needs to be protected as if it were our own personal data. Network traffic needs to be monitored for extractions of large amounts of data, for any indication that an external entity is receiving information at strange hours, and for other strange behaviors.

Firewall rules are not the answer as they can be circumvented. I have watched some of the most burdensome firewall rules be bypassed by moderately competent network administrators. It does not take much imagination to see what a professional hacker can do.

The Collect Everything Mindset

Apps are the worst thing to happen to privacy since the invention of photography. People quickly install interesting apps and then take them for granted. Most people accept the default permissions without worrying about the consequences. Even if a person does care, he may determine that every requested permission makes sense.

Then comes an update requesting more information, followed by an updated privacy policy. The app now wants to track location. It is for a feature that is required only 1 percent of the time, but it collects location data at all times to be prepared for that 1 percent contingency. There may be no intent to use the information maliciously, but its very existence puts everyone using the app at risk in the case of a breach.

Security and privacy experts are paranoid, but it doesn’t take much effort to see the wide spectrum of organizations that have been breached. It's not a matter of if an organization's systems will be hacked, but when. Businesses need to adapt to the new digital era, but with this comes a responsibility to protect their customers' and would-be customers' data.

Organizations need to ask themselves these questions: If your systems were breached today, how would the news story read? Would it show an organization that was breached by a determined set of hackers or an organization that just didn’t care and was inviting disaster?

Write your own headline. Protect that information and only collect what you need. Protect that information as if it were your own. Your own identity may be at stake.

Creative Commons Attribution 2.0 Generic License. Title image by pellesten.