The ongoing Sony hack controversy shined a light on many things, including what Sony executives think of Hollywood stars, their movie schedule and, to a certain extent, how the movie industry works, but what stuck out like a sore thumb is just how bad Sony Pictures sucked at securing their own data.
Bereft of solid access controls or any classification of the data they held, Sony was hit hard by the hack, but if even the most minor and common-sense data security measures had been implemented, the company wouldn't still be reeling from the email leaks that have been producing headlines for the last two weeks.
However, what's interesting and terrifying is that Sony's lax security practices are widespread. Sony suffered because sensitive data such as social security numbers could be found in a number of files that were available to too many employees, but other companies are just as susceptible to similar breaches: a survey carried out by the Ponemon Institute revealed that an incredible 71% of employees felt that they had access "to data they should not see" and 54% said that "this access is frequent or very frequent"[1].
That Sony-like breaches haven't happened more often is sheer luck, however, as companies continually drop the ball when it comes to data security. Hackers have had a good 2014 breaching companies' data security, with, according to the Identity Theft Resource Center, "more than 81 million records compromised"[2].
Companies love giving the hackers the credit for becoming smarter and better, but the truth is that companies, especially the larger ones, suck so bad at data security that it's justified to ask whether they're being this negligent about their security on purpose.
In Sony Pictures' case, the answer is a resounding yes. Sony's ridiculously poor data access controls go back as far as 2005, when an auditor told Jason Spaltro, Sony Pictures' then executive director of information security (now serving as the company's senior vice president of information security), that "Sony had several security weaknesses, including insufficiently strong access controls, which is a key Sarbanes-Oxley requirement"[3]. The auditor also revealed to Spaltro that "the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols"[4].
Upon hearing the auditor's recommendation to make passwords at the company stronger, Spaltro pointed out that complicated passwords that are hard to remember will lead to employees "writing them down on sticky notes and post them on the monitors. And how secure would that be?"[5].
While you may think that Spaltro had a point that people would write passwords down and put them somewhere they'll remember, keep in mind that Spaltro at the time was the executive director of information security and it was his job to take all steps to make sure breaches don't happen. Also keep in mind that, as an IT executive at the company, he also had to make sure that every dollar spent is cost effective, which in most cases means a lot of companies will nickel and dime when it comes to data security despite the risks.
IT executives also have to comply with a bevy of domestic and international laws and regulations, and complying with all of them is very expensive and time consuming. Because of this, IT executives like Spaltro have to keep conscious of the bottom line and even decide if some laws or regulations are worth following, as CIO's Alan Holmes explains:
“How to (or, for some CIOs, even whether
to) follow regulations is neither a simple question with a simple answer nor a
straightforward issue of following instructions. This makes it more an exercise
in risk management than governance. Often, doing the right thing means doing
what’s right for the bottom line, not necessarily what’s right in terms of the
regulation or even what’s right for the customer”[6]
Now, taking all this into consideration, look back at Spaltro's discussion with the auditor and you'll see that he's trying to avoid the arduous task of keeping in lockstep with Sarbanes-Oxley in the noble pursuit of minimizing the hit to the company's bottom line. In short, what happens is that IT executives, charged with keeping data secure, have to fudge on data security, as "when business metrics are applied to compliance, many companies decide to deploy as little technology or process as possible—or to ignore the governing laws and regulations completely"[7].
What this means in practice is that companies look for the cheapest or least strenuous security practices and weigh that risk against the risk of being caught out. This dangerous game being played by companies with their own data security is reprehensible but, to a certain degree, inevitable.
The job of the IT executive has always been difficult, but in the last few years the job of the modern IT executive has become spectacularly more complicated with the advent of the cloud, big data, and the internet of things. The myriad of security issues that surround all three has made the CIO's job so demanding that new roles such as the chief security officer have been created to help deal with the nightmare that modern data security has become.
Even back in 2006, the demands put on IT executives were excessive, as they were tasked with "running projects, innovating, keeping the lights on and putting out those ever-smoldering IT fires—that they simply don't have the time to decipher the laws that affect them, much less the time to invest in reconfiguring systems and processes to meet regulatory requirements"[8].
To give a flavor of how difficult it is to keep up with all the laws and regulations related to data security, consider how difficult it was for IT departments to keep up with just one: back in 2006, "IT organizations…(spent) between 5,000 and 20,000 man hours a year trying to stay compliant with Sarbanes-Oxley's requirements"[9].
Consider that Spaltro had to meet with people from Sony's legal and human resources departments as well as outside security auditors just to find out "what Sox compliance means"[10].
Considering that Sony Pictures is an entertainment company and not a bank, it makes sense that they would have come to the conclusion that Sarbanes-Oxley meant an awful lot less to them than it would to a bank, but, as the last few weeks have proved, hackers couldn't care less what data security laws and regulations mean to either.
So far, we've focused on Sony's poor data security practices, but if only Sony were the only company risking data breaches. This is indeed a worldwide problem, as it seems that no matter the field, all companies converge on poor data security: 665 million customers (that means you and me) were affected by data breaches in 2013[11].
With numbers like these, Prakash Panjwani, president and CEO of SafeNet, may cite a survey that says that 65% of adults in the US, UK, Germany, Japan and Australia "would never, or were very unlikely to, shop or do business again with a company that had experienced a data breach", but Panjwani knows full well that if this were true these people would have to make an extraordinary commitment to living off the land (which is not as idyllic as it sounds) and making an awful lot of in-person cash transactions (which, in this "cashless society" we're being frogmarched into, is nearly impossible), as data breaches, or data breach attempts, are a daily occurrence for way too many companies.
If the incompetence of companies in dealing with data security is bad, their solutions, especially in reaction to data breaches, aren't much better. Target, in reaction to a large data breach that included the loss of 40 million credit card details and the personal information of 70 million of their customers, hired their first CISO (Chief Information Security Officer), which was seen by experts as a step forward, but concerns quickly cropped up when Target made the CISO position subordinate to the CIO. What this means is that the CISO won't be an equal to the CIO and won't be able to report to the CEO directly. The CISO would have to make his arguments for expenditures on security through the CIO, who has his own agenda and is often under pressure to deliver on IT projects, which could make the CISO's security recommendations an afterthought.
This scenario could easily lead to conflict within the organization, as the CISO can find his interests, at Target at least, marginalized by his boss, the CIO. Appointments to deal with security issues in the company may seem like a good idea, but it's clearly going to take more than that. Target just suffered a major data breach for which it is still facing backlash, and it will take a serious reappraisal of its data security practices; this can't be done when the chief security executive at the company is subordinate to a CIO who may see security as a key interest but for whom, as the examples above have shown, it isn't the only concern.
However ill-advised it is to have the CISO subordinate to the CIO, at least the appointment of a CISO is better than what they had before, when the responsibility for security was spread across the organization rather than under one roof. This is why, when the company's point-of-sale systems were compromised, causing the breach, it's highly likely that Beth Jacob, Target's former CIO, didn't know about it until it was too late, and she paid the price with her job[12].
This incompetence companies show in securing their data, never mind ours, will only get worse as more and more things are run on networked systems, systems that can be hacked and made vulnerable. As explored earlier, an obscene amount of pressure is placed on CIOs and CISOs not only to secure these systems but to ensure they meet business needs and are cost effective, which is no mean feat.
In sum, the answer as to why so many companies suck at data security is not as simple as it sounds in one sense, but in another it's quite elementary. With most modern companies becoming data-driven organizations and many processes outsourced to networked systems, a lot of pressure is put on IT executives, and so far it is proving too much for them. Add to that having to negotiate a myriad of data protection laws and regulations across a number of states, and IT departments have had to play fast and loose with data security and have paid the price in treasure and much more. If past behavior is any reliable indicator of future behavior, expect more stories like Sony's and Target's to become the norm.
[1] G. Press, 2014, Sony Is Not The Only Company With Subpar Data Security, New Survey Finds, http://www.forbes.com/sites/gilpress/2014/12/09/sony-is-not-the-only-company-with-subpar-data-security-new-survey-finds/
[2] Ibid.
[3] A. Holmes, 2007, Your Guide to Good Enough Compliance, http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html
[4] Ibid.
[5] Ibid.
[6] Ibid.
[7] Ibid.
[8] Ibid.
[9] Ibid.
[10] Ibid.
[11] P. Panjwani, 2014, In Data Security We (Lost) Trust, http://thehill.com/blogs/congress-blog/technology/226981-in-data-eecurity-we-lost-trust
[12] M. Shacklett, 2014, A former CIO's take on Target CIO resigning after massive data breach, http://www.techrepublic.com/article/a-former-cios-take-on-target-cio-resigning-after-massive-data-breach/