by Daniel J. Solove
There are certainly many hackers with sophisticated technical skills and potent malicious technologies. These threats can seem akin to Leviathan: all-powerful and insurmountable.
It can be easy to get caught up focusing on the Leviathan and miss the low-hanging fruit of cybersecurity. This low-hanging fruit consists of rather simple and easy-to-fix vulnerabilities and bad practices.
Cybersecurity is a garden of mostly low-hanging fruit. Pluck the fruit, and huge headway can be made in protecting data.
One of the most common causes of data breaches involves lost or stolen portable electronic devices with unencrypted data on them. Encryption should be used far more often. As I noted in a recent post, the number of organizations with an enterprise-wide encryption strategy increased from 15% to 36% over the last decade, which still leaves 64% without one.
Security training is another easy thing to do. So many incidents involve human error or carelessness. Much hacking occurs by way of people being fooled by phishing or social engineering, and many such breaches are readily preventable. According to one study, more than 90% of data breaches could have been avoided.
So, instead of shaking in one’s boots at the possibility of a Leviathan, there are things that can be done right now. Train! Encrypt! Just these two things alone will make a huge difference.
A wonderful article by Nuala O’Connor at the Center for Democracy and Technology (CDT) discusses the recent OPM breach:
Federal agencies have had a long and troubling history of ignoring recommendations that come from within their own government with regard to privacy and security. The Inspector General warned OPM last year about serious security and privacy problems after it was hacked in a smaller-scale incident, yet the agency did not implement the recommended changes to its systems or practices. Among the problems cited in the Inspector General’s report? OPM didn’t have the most basic data map or a simple inventory list of its servers and databases, nor did it have an accounting of all the systems connecting to its network.
The lack of a data inventory is a common problem; in a recent survey it was the leading reason organizations gave for not using more encryption.
Data inventories are a key component of a privacy program — a perfect illustration of how privacy and security go hand-in-hand. To know oneself, one must know one’s data.
Nuala O’Connor goes on to make another great point:
Common-sense privacy and security practices don’t need to be expensive or disruptive. Many of the most successful hacks, including Anthem’s, occur for one reason: human beings. Hackers often gain access not by circumventing encryption or through cleverly designed viruses – they gain access by stealing credentials, as in the OPM breach, via laptops, or bad passwords. As critical as encryption is to cybersecurity, it would not have stopped the OPM breach – but data-retention limits might have mitigated the extent of it. The agency reportedly was holding data on individuals from as far back as 1985.
The best way to protect data security is to get rid of all the humans. Plan B is to train them.
Another great point by O’Connor:
Information sharing is not the silver bullet of cybersecurity for commercial entities nor for the government, but common-sense security measures can make a difference: Imposing data-retention limits, regularly reviewing and updating systems, using two-factor authentication, and providing added security for IT staff can all mitigate data breaches. We also have to recognize we have entered a new era – the most sensitive information about all of us is held in a computer somewhere. The federal government and everyone holding this type of data has to dedicate the time and money necessary to safeguarding it at the level it deserves.
Amen! There is so much chatter among policymakers about information sharing, but so little talk about what we all already know.
There are so many obvious things wrong with OPM’s security that it boggles the mind. Why were so many sensitive records stored all in one place? Why wasn’t the data encrypted? Why weren’t so many basic best practices followed?
Here are a few simple pieces of low-hanging fruit:
1. Know your data
4. Respond to blinking red lights
5. Assess the risks
6. Keep data where it belongs
7. Be vigilant
There are more, but these things go a long way. So I recommend going after the low-hanging fruit first, then turning to the Leviathan.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.