Another day, another breach. Equifax, SEC, Deloitte and the next one is coming soon. Nothing surprising there anymore, not for customers, not for the breached companies. So why does this keep happening and why isn’t there a change in how we treat our own information, personal or business?
Understanding the real significance of Equifax and other incidents requires thoughtful analysis — and some math. This is typically where eyes glaze over and the conversation shifts to ridiculing the use of “fax” in the brand of a 21st century company, relying on an antiquated technology or to the academic background of the now unemployed Equifax CISO.
While a headline story for a few days, ultimately, every breach has very little impact on the protection of consumer data. Here’s why.
Your Social Security number is breached… again
We know that 143 million people have had their Social Security numbers, birth dates, address histories, legal names and, in some cases, driver license numbers exposed by Equifax. What we don’t know is how many were exposed for the first time. Consider that 4.2 BILLION personal records were breached last year alone. Yahoo lost more than 1 billion user accounts (but no SSNs or driver licenses), Anthem lost 80 million of our SSNs in 2015 and the OPM breach resulted in the loss of personal background reports on more than 21 million individuals. These are just a few of the identified and reported incidents.
It is reasonable to calculate that the Equifax breach did not introduce much fresh value for cybercriminals nor fresh risk for consumers. The real impact of this specific incident is tied to the freshest data breached — the driver license numbers. However, it is unlikely that the Equifax information is new to those who mine personally identifiable information (PII) for financial gain. The bottom line is: we are in the unfortunate state where the exposure of 143 million records is pedestrian. Or as I explained to my neighbor, “Equifax failed to patch their systems, now the bad guys probably have your Social Security number… again.”
What’s the incentive to protect PII?
In October, we will celebrate the 14-year anniversary of Microsoft’s launch of Patch Tuesday. In 2003, we all thought that we were headed down a path where patching would become the least of our worries. We were wrong. WannaCry and Equifax have made it clear that simple patching of known systems remains a dark art for many large organizations. Most companies struggle to simply build a reliable inventory of their externally facing assets — not to mention orchestrating processes to protect them.
Some voiced optimism that in the wake of Sony, Home Depot, Target, Slack, WebEx, Atlassian and Yahoo, the C-Suite would take notice and act to protect their systems. And they had already taken notice and acted. Just not to protect consumers. In 2015, researchers at Columbia University’s School of International and Public Affairs concluded that the actual expenses reported by companies victimized by large breaches amounted to less than 1 percent of each company’s annual revenue and that “after reimbursement from insurance and minus tax deductions, the losses are even less.”
If exposing consumer information in the largest breaches in the history of computing results in losses that are immaterial, why do we expect investments in protecting consumer information?
The C-Suite has always been driven by risk and profitability, not patching vulnerabilities. So it is not surprising that companies turn to underwriting when they can’t reliably protect — or even identify — their digital assets and liabilities. Unfortunately, this means that your personal information will be collected, stored, mined and monetized at risk levels acceptable only to data processors and ideal for cybercriminals.
An easy and tangible way to understand how these decisions are made by many corporations sitting on massive databases is to think of this in terms of the way sales teams use customer information. They buy lists of prospects that include the name, email, title and phone number to qualify targets for outreach. They understand that their competitors have access to much of the same information.
These basic data points are helpful, but it is more specific and unique information that makes the sale. Same goes for a cybercriminal. There are only so many times they can get your name and Social Security number before it just becomes a tool to qualify accuracy. As a result, data processors and cybercriminals value the data less. The processors see less need to protect the information and criminals look for fresh data points that will make the existing data more valuable through targeted campaigns.
Not a consumer problem only
The freshness and accuracy of data is what drives value in terms of both monetization and disruption. A savvy cybercriminal or nation-state is much more interested in the data found in executive communications, previews of earnings reports, acquisition strategies and deal rooms than in accessing a trove of SSNs.
According to the chairman of the US Securities and Exchange Commission, in the latest breach, PII wasn’t stolen, but the non-public information obtained from missing laptops and non-secure personal email accounts may have been exploited for stock trading.
Judging by the recent high-profile incidents, including the 2016 elections and the recent SEC compromise, the strategic use of valuable information is the new target area for advanced adversaries. And that is what corporations and institutions care most to protect.
However, while the exposure of consumer data by Equifax is the biggest headline this time, the chances of success are as minuscule for securing individuals’ PII as they are for protecting sensitive corporate data. Both PII and proprietary enterprise information are processed by services built on the same fundamentally flawed business and risk models, designed to collect and store your data indefinitely so it can be searched and monetized. That is not a failure of the system, but one of its features.
Combine this with the mathematical impossibility of protecting high-target information when we as consumers have no way of controlling who has access to our data, and with corporations’ understanding that protecting customers’ PII is not a financially sound investment, and it explains why we will continue to see more incidents and increasingly sensitive data exposed. In this race to the bottom, there are no winners. When information exists with undefined access points, it will be compromised.
Trading convenience back for data privacy
So how do we protect the critical and fresh information that drives shareholder value and shapes our personal identities? Finding our collective way out of this requires more than a new consumer data protection policy and increased fines, although both are long overdue. The answer lies not in defense but in hygiene, and in customers taking control of their valuable information. The system has to change and we, as the ultimate owners of our information, have to be willing to take responsibility, trade convenience for control and do some work.
Moving your proprietary communications to systems protected by sound math and encryption and controlled by you is a strong start. It is no longer responsible to trust a service provider to protect your IP and high-target acquisition strategies from unauthorized access when its whole business model is built on retaining visibility into your information.
Once we all understand that it is impossible to succeed at configuring and managing products built to provide easy access to information, it becomes reasonable to use these tools for stale and non-critical communications only. When the exposure of your strategic data results in business disruption and shareholder dilution, math is a strategy and configuration is a hope.
Today’s risks dictate that companies and governments rethink how they treat sensitive and fresh information. Rather than starting with a failing strategy to save and protect it all, it is critical that we all have a well-thought-out data classification to determine which conversations need to be put on the record and stored, and which data must remain off the record and accessible only for a finite period of time, to ensure it cannot be compromised.
Today, our digital economy is propped up on communications that are processed, stored, mined and monetized, but not protected. Another massive data breach is coming soon, but only if we do nothing.