Saturday, December 20, 2014

(The Big Disrupt) Data Security: Why Do So Many Companies Suck At Data Security?

The ongoing Sony hack controversy shined a light on many things including Sony executives on Hollywood stars, their movie schedule and, to a certain extent, how the movie industry works but what stuck out like a sore thumb is just how bad Sony Pictures sucked at securing their own data.

Bereft of solid access controls or any classification of the data they had, Sony was hit hard by the hack but if even the most minor and common sense data security measures were implemented, the company wouldn't still be reeling from the email leaks that have been producing headlines for the last two weeks.

However, what’s interesting and terrifying is that Sony’s lax security practices are widespread. Sony suffered because sensitive data such as social security numbers could be found in a number of files that were available to too many employees but other companies are just as susceptible to similar breaches as according to a survey carried out by the Ponemon Institute revealed that an incredible 71% of employees felt by that had access “to data they should not see” and 54% said that “this access is frequent or very frequent”[1].

Why Sony like breaches haven’t more is sheer luck however as companies continually drop the ball when it comes to data security as hackers have had a good 2014 targeting breaching companies data security according to the Identity theft Resource Center “with more than 81 million records compromised”[2]. Companies love giving the hackers the credit for becoming smarter and better but the truth is that companies, especially the larger ones, suck so bad at data security it’s justified to query whether they’re being this negligible of their security on purpose.

In Sony pictures case, the answer is resounding yes. Sony’s ridiculous poor data access controls go back as far as 2005 when an auditor told Jason Spaltro, Sony Pictures then executive director of information (now currently serving as the company’s senior vice president of information security), that “Sony had several security weaknesses, including insufficiently strong access controls, which is a key Sarbanes-Oxley requirement”[3].The auditor also revealed to Splatro that “the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols”[4].

Upon listening to the audtior’s recommendation in making the passwords stronger at the company, Splatro pointed out that complicated passwords that are hard to remember will lead to employees “writing them down on sticky notes and post them on the monitors. And how secure would that be?”[5].

While you may think that Splatro had a point that people would write down and put them in a place they’ll remember it, keep in mind that Spaltro at the time was the executive director of information security and it’s his job to take all steps to make sure breaches don’t happen. Also keep in mind that as an IT executive at the company he also has to make sure that every dollar spent is cost effective which, in most cases, means a lot of companies will nickel and dime when it comes to data security despite the risks.

IT executives also have to comply with a bevy of domestic and international laws and regulations and complying to all of them is very expensive and time consuming. Because of this, IT executives like Spaltro have to keep conscious of the bottom line and even decide if some laws or regulations are worth following as CIO’s Alan Holmes explains:

“How to (or, for some CIOs, even whether to) follow regulations is neither a simple question with a simple answer nor a straightforward issue of following instructions. This makes it more an exercise in risk management than governance. Often, doing the right thing means doing what’s right for the bottom line, not necessarily what’s right in terms of the regulation or even what’s right for the customer”[6]
Now taking all this into consideration, look back at Spaltro’s discussion with the auditor and you’ll see that he’s trying to avoid the arduous task of keeping in lock step of Sarbanes Oxley in the noble pursuit of minimizing the hit to the company’s bottom line. In short, what happens is that IT executives, charged with keeping data secure, have to fudge on data security as “when business metrics are applied to compliance, many companies decide to deploy as little technology or process as possible—or to ignore the governing laws and regulations completely”[7].

What this means in practice is that companies look for cheapest or less strenuous security practices and measure the risk against being caught out. This dangerous game being played by companies with their own data security is reprehensible but to a certain degree inevitable.

The job of the IT executive has always been difficult but in the last few years, the job of the modern IT executive has become spectacularly more complicated with advent of the cloud, big data, and the internet of things and the myriad of security issues that surround all three has made the CIO’s jobs so demanding that new roles such as the chief security officer have been created to chip in to deal with the nightmare that has become modern data security.

Even back in 2006 the demands put on IT executives were excessive as they were tasked with “running projects, innovating, keeping the lights on and putting out those ever-smoldering IT fires—that they simply don’t have the time to decipher the laws that affect them, much less the time to invest in reconfiguring systems and processes to meet regulatory requirements”[8].

To give a flavor of how difficult it is to keep up with all the laws and regulations related to data security, consider how difficult it was for IT departments to keep up with one as back in 2006 “IT organizations…(spent) between 5,000 and 20,000 man hours a year trying to stay compliant with Sarbanes-Oxley’s requirements”[9].

Consider that Splatro had to meet with people from Sony’s legal and human resources departments as well as outside security auditors just to find out “what Sox compliance means”[10].  Considering that Sony Pictures is an entertainment company and not a bank, it makes sense that they would have come to the conclusion that Sarbanes-Oxley meant and awful lot less to them than it would to a bank but, as the last few weeks have proved, as hackers could care less about what data security laws and regulations means to either.

So far, we’ve focused on what Sony’s poor data security practices but if only they were the only company risking data breaches. This is indeed a worldwide problem as it seems no matter what the field, all companies converge in poor data security as 665 million customers (that means you and me) were affected by data breaches in 2013[11].

With numbers like these, Prakash Panjwani, president and CEO of SafeNet, may cite a survey that says that 65% of adults in the US, UK, Germany, Japan and Austrailia “would never, or were very unlikely to, shop or do business again with a company that had experienced a data breach” but Panjwani knows full well that if this was true these people would have make an extraordinary commitment to living off the lay of the land (which is not as idyllic as it sounds) and making an awful lot of in person cash transactions (which in this “cashless society” we’re being frogmarched into, is nearly impossible) as data breaches, or data breach attempts, are a daily occurrence for way too many companies.

If the incompetence of companies in dealing with data security are bad, their solutions, especially in reaction to data breaches, aren’t much better. Target, in reaction to a large data breach that included the loss of 4o million credit card details and 7o million of the personal information of their customers, hired their first CISO (Chief information Security Officer) which was seen by experts as a forward but concerns quickly propped up when Target made CISO position subordinate to the CIO. What this means is that the  CISO won’t be an equal to the CIO and be able to report to the CEO directly. The CISO would have to make his arguments for expenditures on security through the CIO, who has his own agenda and is often under pressure to produce on IT projects, which could make the CISO’s security recommendations an afterthought.

This scenario could easily lead to conflict within the organization as the CISO can find his interests, at Target at least, marginalized by his boss, the CIO.  Appointments to deal with security issues in the company may seem like a good idea but it’s clearly going to take more than that. Target just suffered a major data breach that is still facing backlash from and it will take a serious reappraisal of its data security practices and this can’t be done when the chief security executive at the company is subordinate to the CIO who may see security as key interest but, as examples above have shown, isn’t their only concern.

However ill-advised it is to have the CISO subordinate to the CIO, at least the appointment an CISO is better than what they had before when the responsibility for security was spread across the organization rather than under one roof. This is why when the company’s point of sale system were compromised causing the breach, Beth Jacobs, Target’s former CIO, it’s highly likely that she didn’t know about it until it was too late and paid the price with her job[12].

This incompetence companies have securing their data, never mind ours, will only get worse as increasingly things are run on networked systems, systems that hacked and made vulnerable. As explored earlier, An obscene amount of pressure is placed on CIO’s and CISO’s in not only securing these systems, but ensuring they meet business needs and are cost effective which is no mean feat.

In sum, the answer as to why so many companies suck at data security is not as simple as it sounds in one sense but in another it quite elementary. Due to most modern companies becoming data driven organizations and many processes outsourced to networked systems, this put a lot of pressure on IT executives who have so far shown it’s proving too much. Added to that they have negotiate a myriad of data protection laws and regulations across a number of states, IT departments have had to play fast and loose with data security and have paid the price in treasure and much more and if past behavior is any reliable indicator for future behavior, expect more stories like Sony’s and Targets to become the norm.      

[1] G. Press, 2014, Sony Is Not The Only Company With Subpar Data Security, New Survey Finds,
[2] Ibid
[3] A. Holmes, 2007, Your Guide to Good Enough Compliance,
[4] Ibid
[5] Ibid
[6] Ibid
[7] Ibid
[8] Ibid
[9] Ibid
[10] Ibid
[11] P. Panjwani, 2014, In Data Security We (Lost) Trust,
[12] M. Shacklett, 2014, A former CIO’s take on Target CIO resigning after massive data breach,

No comments:

Post a Comment


Related Posts Plugin for WordPress, Blogger...