I haven’t seen BlackHat, you know, the movie featuring Chris Hemsworth? In fact the list of shows or movies I haven’t seen (or am unlikely to see) is growing as the world of ‘hacking’ becomes more in tune with popular culture. To be entirely honest this is not really a hardship, but one of the most frustrating elements of working in the field of information security is how difficult it is becoming to live your day-to-day life without simply accepting how organizations manage my data.
Take my experience at the local bank. It was a simple request: close my account. In fact, close my account because I am not confident in your ability to protect my personal data. I walked into the bank with passport, driving license, and statements to verify my identity.
What followed was a walking catalogue of disasters that would have left would-be identity thieves rubbing their hands and uttering the word ‘excellent’ in their best Mr Burns voice. Firstly, there was no attempt to authenticate the requestor (me); only the statement was used to identify me. This statement was then left in the photocopier in an open area of the branch, and, oh, all I needed to do to tell them where to transfer the money was to write it on a sheet of A4 paper.
All that was needed was to intercept my mail, and anybody could simply have transferred every single penny to any account of their choosing. This of course is the crux of the issue: if someone were to take the bank statement from the photocopier, who do you think would have suffered? Of course I would have reported the issue and quite likely received the money back, but there are no assurances of this. However, if there had been attempts to use this information to delve further into my life, the impact could have been worse. There would have been no simple mechanism for me to prove where the original leak came from, and fundamentally it would have been me who suffered the loss from someone else’s failing.
Herein lies the issue. To operate in today’s world you have to trust a lot of people to do the right thing with data about you, whether that is the bank using the safest procedures or, in my case, employees actually following the correct procedure. With the rolling list of breached organizations growing daily, it is simply a matter of time before it is a company that I have entrusted with my data.
Knowing this early allows me to potentially limit the exposure (e.g. by changing passwords), but there are no assurances either that I will know, or indeed that the breached organization is aware itself. The concept of the abnormal churn rate is becoming relevant because loss of trust in companies that fail to appropriately protect data about me is resulting in lost business. In particular, the response to a breach is key: in one very public case, for example, customers reported getting scam calls a day before the company admitted that customer data had been stolen.
Being open and honest about such incidents is critical. Whilst the headlines may focus on the number of lost customers, the effect on each customer can last longer than a single quarter. Whilst transparency, secure data handling practices, and good employee awareness are unlikely to make it onto Hollywood scriptwriters’ desks, they remain integral to keeping customers.