Last month, there were reports of breaches at Kmart and Dairy Queen (my family loves Blizzards). Updates then came out about a massive breach at Home Depot. More recently there has been a spate of attacks attributed to nation states against the USPS, the National Oceanic and Atmospheric Administration (NOAA), Sony Entertainment and the White House. Between the time I finish writing this post and the time you read it, who knows what new reports will have surfaced?
The continued onslaught of attacks, perhaps coupled with the fact that we have reached the last month of the year, has got me feeling philosophical. I am starting to think that the leadership teams of organizations managing sensitive data have been progressing, albeit at a snail's pace, through the five-stage grief cycle:
Stage 1: Denial
For years, company executives were in stage 1: denial. Senior leadership teams largely ignored the fact that their data was at risk, so they barely protected it. Attackers could simply point a "cantenna" (a directional antenna built from a Pringles can or some other metal cylinder) at a store or office building from the parking lot, sniff the weakly encrypted WiFi network, and collect data. The attackers behind the infamous T.J. Maxx breach, in which some 45 million card numbers were stolen, used exactly this technique against stores whose wireless networks were protected only by WEP.
Stage 2: Anger
As news reports surfaced about one massive breach after another, the public started to get a sense of how widespread the problem was and became angry. Ultimately, politicians began to take notice. California stood alone in 2002 when SB 1386, a security breach notification law, was passed. For the first time, companies were forced to publicly disclose when they leaked personal information. By the end of 2007, almost all U.S. states had breach notification laws, and similar provisions are now in place in regions around the globe. Hoping to stem the tide of breaches plaguing the industry, the major card brands banded together to introduce the Payment Card Industry Data Security Standard (PCI DSS) in December 2004. The standard forced merchants and service providers to strengthen their security posture, submit to ongoing assessments, and face the prospect of fines if they failed to comply. The PCI Security Standards Council has been working to make the standard clearer and more effective ever since. My last blog covered what is new in PCI DSS 3.0.
Stage 3: Bargaining
Recently, executives at many companies have started entering stage 3: bargaining. Management teams began negotiating with regulators and assessors, detailing the walls they had built around their data and showing that they could check off every item on the auditor's list, as if a clean checklist were the same thing as security.
They also began bargaining with customers, effectively promising that they will do better the next time—and offering free credit monitoring services as a mea culpa. In the process, they’ve helped create a massive privacy service industry: The organizations offering these monitoring services on the sponsoring company’s dime then offer fear-based messaging along with their up-sell opportunities. Having been victimized repeatedly as a result of their retailers’ and financial institutions’ lax security, consumers have understandably been eager to sign up.
Globally, some executives are even lobbying for a dilution of breach notification laws, saying, in effect, consumers can’t handle the truth and that these announcements are hurting business and the broader economy.
Stage 4: Depression
Now we are at a dangerous point in the cycle, where many leaders and consumers are in stage 4: depression. In this stage, CEOs and boards lash out and fire CIOs. In this depressed state, leadership teams go on security spending sprees, often without a well-conceived strategy. Taking a scattershot approach, they cling to the hope that some new endpoint or perimeter security product scattered across the network will provide a magical ability to spot an attack or thwart a malicious insider. Among consumers there is a malaise about lost credit card information and stolen identities. Breaches in the news are now so commonplace that they are no longer considered shocking, or even interesting, to many consumers, at least until they are hit directly by fraud or identity theft.
Stage 5: Acceptance
Here’s my prediction: 2015 will be the year many reach stage 5: acceptance. Business and government leaders will come to grips with the fact that their sensitive assets aren’t safe. They will accept that hacker gangs, nation states, and the occasional bored teenager will be coming after their data and at some point these attacks will bypass the perimeter security defenses in place. They’ll realize they can’t successfully fight these attacks 100% of the time, so they have to prepare for them.
One example illustrating this move to acceptance: in the mobile-phone segment, the major handset makers are starting to turn on device storage encryption by default, so a lost or stolen phone no longer hands its contents to whoever picks it up. I expect this to raise security awareness and expectations generally, and that ultimately more emphasis will be placed on strengthening security where the most sensitive data is actually aggregated: corporate servers.
Once executives reach acceptance, they will prepare by instituting a strategy that focuses on securing the sensitive data itself. For these business leaders there will be no more denial, anger, bargaining, or depression about data loss. Instead, they will protect the data where it lives, using the most proven method available: encryption and other de-identification techniques such as tokenization, so that a stolen database is a pile of ciphertext and tokens rather than card numbers and identities. After all, attackers cannot abuse what they cannot use. The one caveat that separates a real control from a checkbox is key management: the keys (or the token vault) must be held on a different trust boundary from the data they protect, because a dump that includes the key is just a plaintext dump. Rather than employing the scattershot approaches of the depressed, these leaders will look for solutions that can be cost-effectively deployed to protect files and databases across their data centers and cloud environments.
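To make the "attackers can't abuse what they can't use" point concrete, here is an added example (not from the original post, and not any vendor's code) of field-level de-identification of cardholder data in Python. It replaces each card number with a keyed token in the application store, keeps the real number only in a separate vault, and shows why an unkeyed hash is not a substitute. The sample orders, the vault dictionary and the key are constructed for the illustration; in production the key would live in an HSM or key-management service and the vault would be a separately secured tokenization service.

```python
"""Added example: protecting cardholder data at the field level.

A keyed token replaces the PAN in the application database; the real PAN
lives only in a vault on a separate trust boundary (here a plain dict
standing in for an HSM-backed tokenization service). The sample records
and the key are constructed for this illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data. The card numbers are the well-known gateway
# test PANs, not real cards.
SAMPLE_ORDERS = [
    {"order_id": 1001, "pan": "4111111111111111", "amount": 59.99},
    {"order_id": 1002, "pan": "5500000000000004", "amount": 12.50},
    {"order_id": 1003, "pan": "4111111111111111", "amount": 7.25},
]

# Assumption: in production this key lives in an HSM or KMS, never next to
# the data it protects. A fresh random key is generated here for the demo.
TOKEN_KEY = secrets.token_bytes(32)


def tokenize(pan: str, key: bytes) -> str:
    """Deterministic keyed token: the same PAN always yields the same token,
    so duplicate detection and joins still work without the PAN itself."""
    return "tok_" + hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def deidentify(order: dict, key: bytes, vault: dict) -> dict:
    """Return a copy of the order with the PAN replaced by a token plus the
    last four digits (what a receipt or support agent legitimately needs).
    The token-to-PAN mapping goes into the vault, not the app record."""
    token = tokenize(order["pan"], key)
    vault[token] = order["pan"]
    safe = {k: v for k, v in order.items() if k != "pan"}
    safe["pan_token"] = token
    safe["pan_last4"] = order["pan"][-4:]
    return safe


def reidentify(safe_order: dict, vault: dict) -> str:
    """Only a caller with vault access can get the PAN back."""
    return vault[safe_order["pan_token"]]


def leaked_pans(records: list) -> list:
    """What an attacker who dumps a store actually obtains: every value
    that looks like a full 13-19 digit card number."""
    return [v for r in records for v in r.values()
            if isinstance(v, str) and v.isdigit() and 13 <= len(v) <= 19]


def recover_from_unkeyed_hash(digest: str, bin8: str, last4: str) -> Optional[str]:
    """Why an unkeyed hash is NOT de-identification: with the 8-digit BIN and
    the last four known (both are commonly stored alongside the hash), only
    four digits of a 16-digit PAN are unknown, so the attacker simply tries
    all 10,000 candidates against sha256."""
    for middle in range(10_000):
        candidate = f"{bin8}{middle:04d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def demo() -> dict:
    """Run the whole flow and return the checks a practitioner would want."""
    vault = {}
    safe_orders = [deidentify(o, TOKEN_KEY, vault) for o in SAMPLE_ORDERS]
    result = {
        # The application store holds no PAN at all ...
        "pans_in_app_db": leaked_pans(safe_orders),
        # ... yet orders 1001 and 1003 are still linkable as the same card.
        "same_card_linkable": safe_orders[0]["pan_token"] == safe_orders[2]["pan_token"],
        # Vault holders can still re-identify when a business process needs it.
        "vault_roundtrip": reidentify(safe_orders[0], vault) == SAMPLE_ORDERS[0]["pan"],
    }
    # Contrast: a naive sha256(PAN) "token" falls to a 10,000-candidate search.
    naive = hashlib.sha256(b"4111111111111111").hexdigest()
    result["unkeyed_hash_recovered"] = recover_from_unkeyed_hash(naive, "41111111", "1111")
    # The same search against the keyed token finds nothing without the key.
    keyed = safe_orders[0]["pan_token"][len("tok_"):]
    result["keyed_token_recovered"] = recover_from_unkeyed_hash(keyed, "41111111", "1111")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the checks from demo(): the application records contain no PAN, the two orders on the same card still share a token, the vault round-trips, the sha256 "token" is recovered by enumerating ten thousand candidates, and the same search against the HMAC token finds nothing. The design point is the one in the paragraph above: the key and the vault sit on the other side of a trust boundary from the data an attacker is most likely to dump, so the dump on its own is useless.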
Once more executives reach this kind of acceptance, and respond accordingly, maybe the news won’t continue to be packed with reports of data breaches. Who knows, maybe next year around this time, instead of recounting the latest litany of breach stories, I’ll just be updating you on my holiday plans.