You don’t have to go out of your way these days to learn about ongoing data breaches. You don’t have to pore over the online tech news sites with intention, or dedicate hours a day to researching cybersecurity incidents, in order to hear about brazen attacks against organizations and their caches of private, sensitive data. You don’t even have to rely on the national nightly news—fill in your favorite network and nightly news show here—for this information. Chances are, if you turn to your local news station, wedged somewhere between the local weather report and the mundane coverage of the historical society’s latest charity drive, you’ll hear something about the growing dangers posed by hackers and the cyber-attacks they carry out, and what that all means to us.
But what does it mean to us, really? Unless an attack takes place against our own employer, or our own government, or a company with whom we as consumers do business, we tend to think something along the lines of, “wow, that must really be rough for all those people whose PII was just released out into the wilds of the dark web.” Perhaps a vague sort of compassion washes over us, followed by an even more vague sense of relief, then followed by, well, something else driving the thought out of our minds completely until the next reported breach we hear about. My point is that we hear about data security and cyber-attacks quite a lot, but they don’t occupy our conscious minds for too very long. And that’s actually quite a shame when you think about it.
Each reported data incident or breach is a poignant reminder of the ever-present threat that cyber-criminals represent to us, our employers, and our society as a whole. Each one implies, silently yet insistently, that the next one may affect our lives more directly and harshly, because next time we might be the target. A more ominous way to say it is, the next one will affect our lives more directly because we’re all likely targets, and many of us are submitting our PII (or PHI) to the same shared services. But is that assumption too alarmist? I don’t think so. I think it’s actually a healthy assumption, and it’s one that can lead you to reasonable preventative or mitigating measures, especially in the workplace. If you have any level of influence within your organization—and let’s face it, we all do to some extent—you can use the takeaways from breach reports to effect positive change around you.
Let me run through some of the consistent lessons learned I’m reminded of with each report about the latest data breach:
Assets of Value
I am always struck by the all-importance of data to threat actors. Of course, hackers have their own personal motivations, but the vast majority of them are after assets of value. I’m not talking about servers or workstations or other physical IT assets, though those are definitely corporate assets that they care about, but only as stepping stones to their main goal. Keep in mind the fact that threat actors aren’t trying to steal your routers or workstations—they’re trying to get to your sensitive and highly valuable information. That’s it. Whether that information is about your customers, your partners, your intellectual property, or your corporate trade secrets, the more sensitive the data is, the more they want to steal it. They want to leverage it, compromise it, and yes, even weaponized it in some cases. It’s their sole focus.
Think about your own home, which you’ve probably protected well enough with locks, security cameras, and other means of home protection. What exactly are you protecting? Not the window that gets smashed by an intruder in the middle of the night, or the door that gets kicked in by one. No, it’s something else entirely that you’re protecting (loved ones, irreplaceable family heirlooms). Every time I hear of a data breach, I question to myself, how can an organization like this better protect sensitive data in the future? It’s a question that each one needs to answer, because in the end they want your data.
When an organization talks about corporate culture, it usually refers to characteristics such as the general social atmosphere, the management philosophy and style, the corporate mission, and the work-life balance. What’s rarely associated with an organization’s culture are its views on and treatment of data. However, the role of data—and how employees use (and abuse) it—is absolutely critical to that culture and reflects the values of the organization.
In the healthcare industry, for example, providers collect, process, and house an enormous amount of sensitive data not just about themselves (the company, the employees) but more importantly about their patients. Nearly everybody in the organization works with this PHI and PII data in some way. But it’s not just data—behind the data are actual human beings whose most sensitive and private information is now out of their direct control. Every healthcare provider would be justified to stress that point in many ways every single day to every employee in the company.
No matter what the organization or industry, every moment we’re working with sensitive information, we need to keep in mind that this isn’t just bits and bytes of data. We’re dealing with peoples’ lives and livelihoods, and the culture of the organization needs to place the highest value on that reality in fresh, creative, memorable, and actionable ways. What do you think would work better to help build this culture of data privacy and security: 1) another short, scripted video on how to change passwords, or 2) an executive or high-profile business leader of the organization telling a personal story about how he or she almost or actually did commit an error with passwords, then using it as a teachable moment for everybody else? No doubt the latter. Every reported data breach is an opportunity to think about our own organizational cultures and how to strengthen them where data security is concerned. And everybody in the company needs to be actively involved.
While humans are an incredible product of physical and intellectual evolution, we’ve never really eliminated simple error from our daily experience. The most proficient artist, the most capable mathematician, the most respected physician, the most experienced pilot—they all are prone to making mistakes (I try not to think about that when I am in an airplane many thousands of feet above the ground in essentially a large and heavy traveling at very high speeds). So naturally, the rest of us mere mortals make mistakes, too, and quite often throughout the course of our days. The more our society provides incessant distractions (think smartphones, smart watches, and other electronic devices constantly bombarding us with stimuli), the more susceptible we are to committing additional human error.
In a world that is speeding up seemingly exponentially, we really need to apply the brakes, to slow down and encourage others to do the same. Especially when we’re working with sensitive data (or setting up or configuring tools and resources that do), we need to double-check, triple-check, and build safeguards into any and all data workflows and procedures. Let’s be honest: most organizations pressure employees to get more done in less time. To eliminate human error, a business can 1) implement automation to replace faulty human interaction, and 2) encourage employees to take their time, to be extra-cautious with the organization’s most sensitive and valuable asset (its data). We all need to accept the fact that simple human error is behind a large portion of the reported data incidents, and we all need to act accordingly to guard against human error.
As humans, we seem wired to want to trust others. It creates a better, more sociable atmosphere when we let down our guard and indicate with our words and actions that we trust those around us. Have you ever been in a conference room and decided to excuse yourself to take a bio-break or get a drink? Did you lock your laptop and secure your other devices? If so, why, and if not, why not? It says a lot about you, about the organizational culture, and about the natural desire for trust in our lives.
Where sensitive data is concerned, however, implicit trust of anyone or anything should be anathema. Every bit of sensitive information should be protected and obfuscated to all except those who demonstrate overwhelmingly a need to access and work with it, and only after repeated and rigorous challenge and verification. When I read about data breaches involving third parties and partner organizations, I often wonder, how much implicit trust was granted to the people and organizations not under control of the primary caretaker of that data? Is it time to reconsider all that trust?
The answer isn’t always a new tool, but where data security is concerned, you absolutely have to carefully consider the tool(s) you’re using to protect that information. Wait, you’re not protecting the data? What are you doing, protecting the borders around the data, or maybe verifying the identity of users trying to access that data? Those are important tools and methods in the cybersecurity toolbox, but you need to add one very important and special tool: data-centric security.
Applying security directly to the data itself won’t necessarily prevent a breach, but it will mitigate and soften the fall-out of one. Tokenization and format-preserving encryption can replace sensitive data elements with representational ones that have no inherent meaning. Even if the wrong person gains access to that data, it is meaningless and hence worthless. You will be amazed at the number of reported data breaches or leaks involving unprotected data. Sometimes, the right tool is the answer!
I’m hoping that the next time you read about a data breach or hear about one on your local news, you stop and remember this post. Every unfortunate event is an opportunity for all of us to learn and to make course corrections. Data breaches really are powerful teachable events.