In a recent post on the state of data security, I discussed how our privacy online and the security of our personal information are at serious risk and only getting worse. Now, instead of focusing on the problem, I’d like to focus on some helpful solutions we can implement at the individual, organizational, and even state level.
We need to start with the understanding that there’s no such thing as absolute security. All our solutions are small pieces to an overall security awareness strategy—this means there’s no silver bullet, no single vendor solution, and no magical security awareness training seminar that will solve all our problems.
However, when we have the combination of proper education and small implementations of both technology and culture, our overall security posture becomes more robust.
The first thing we need to get in our heads is that we’re typically more reactive than proactive. How often have you attended a security awareness seminar at work or implemented some sort of patch or security technology in response to a threat on the news, rather than in anticipation of future threats?
If we’re only ever responding to the threat of the day, we’ve already lost.
First, there is little to no reason why any institution other than a bank or credit bureau needs a social security number, or really, that much personal information in general. Sometimes a service requires a home address and credit card number for shipping, but that’s where it should end. For e-commerce, it’s better to use a low-limit credit card dedicated only to online purchases rather than a card with a very high limit, or worse yet, a check card number directly attached to a checking account. In this way, there is at least a buffer between a potential thief and our actual bank account.
Second, we should be using a variety of strong passwords rather than a single, easy-to-remember password for all our online logins. Personally, I believe the technology exists for passwords to be phased out eventually, but until that happens, our passwords should be complex, varied, and changed from time to time.
Third, we can choose browsers that don’t track our movement online, and we can opt for email services that both encrypt and honor the privacy of the content of our messages. Granted, there is certainly a trust element there, and ISPs still know what we’re doing, but remember that each small piece we add is part of the bigger picture of our overall security posture.
And of course, we should be using all the best practices, such as utilizing a firewall, locking our personal computers and encrypting their hard drives, keeping passwords private, and deleting old and unused online accounts (such as from MySpace or AOL).
At an organizational level—whether that be a company, service provider, municipality, etc.—the cost and complexity increase dramatically, especially when dealing with others’ personal information. Whether it belongs to employees, customers, or members of a social community, organizations must be especially proactive to protect the data they store within their infrastructure.
First, rigorous adherence to security best practices must be ingrained in the culture of the executive staff and every single employee in the company. This includes the IT staff. Because internet usage is now generally very transactional, engineers need to be educated on how attackers actually break into systems and reverse engineer technology. This is security awareness training for IT.
Second, companies must encrypt data both at rest and in motion on the backend. Yes, it’s more work and money, but this alone will mitigate the risk of data misuse in the event of a data loss. This involves encrypting server hard drives and using only encrypted channels for data in motion. This can become very cumbersome with regard to east-west traffic within a data center itself, but the principle should be applied where it can be.
Third, organizations storing others’ personal information should consider decentralizing data as much as possible. This is also expensive because it requires both new infrastructure and a culture shift within IT departments accustomed to centralizing and clustering resources as much as possible. Small and medium-sized businesses are especially vulnerable because attackers know they are easier targets, so they especially need to make the educational and cultural changes to protect data.
In a recent article, I discussed the top 10 network security best practices organizations should stick to. These include keeping up with current patches, making use of good endpoint protection, using centralized authentication, using a decent monitoring and logging solution, staying on top of end-user training, and preventing or limiting the use of personal devices on the corporate network. These measures help prevent data leakage and outright breaches.
Our municipalities and larger government entities should be following these principles for their internal infrastructures as well, but how does government oversight factor into our overall security posture?
Government regulations for financial institutions already exist, but what about other industries such as e-commerce, social media providers, our private employers, etc.? This is extremely difficult because laws differ from state to state and country to country, so how can government oversight help protect our personal information online?
This is a debatable topic because it involves the question of how much involvement government should have in the private sector and in our private lives. However, there are some things that governments can do that don’t infringe on privacy but help to ensure security.
First, there should be legislation governing the securing of third-party data. Data is the new oil, but it’s also a major liability. So just as it’s illegal for someone to steal a valuable widget off a store shelf, there should be explicit legislation and subsequent consequences for the theft or mishandling of our information. This is difficult, because the wrongdoers are the thieves, not necessarily the company that was breached.
This means there need to be better methods to track stolen data after a breach in order to capture and penalize the attacker. Without such tracking, the parties left holding the bag are the organization that suffered the data breach and the individuals whose information was stolen.
We need to determine where the responsibility lies. Is it all on the end-user? Is it all on companies? Is it by government legislation? The reality is that it’s a decentralized responsibility in the sense that companies and governments store our information and are therefore responsible for keeping it safe. In most cases, though, we’ve also chosen to share that information, so we bear responsibility as well.
To some extent, governments can regulate the manner in which third-party data is stored. This would increase overall security posture and penalize organizations that mishandle our private information. Ultimately, the criminal is the thief, but this way, the organizations that handle our data would have the incentive to improve their security posture as well.
We need to remember that there’s no such thing as absolute security. The entire security paradigm in our society must change. Rather than being reactive and relying on stopgap measures, security awareness today must begin in the elementary school classroom and continue into the boardroom. Our solutions are small pieces of an overall security awareness strategy, and this is okay. If done proactively and dutifully, they will increase our overall security posture and decrease the risk to our information online.
Here I outlined only a few pieces to this puzzle, so I’d love to hear your thoughts and additional suggestions in the comments.