August 2013: the Yahoo office is buzzing with people, panicked and trying to find a solution. Management is trying to find the source and teams are trying to contain the damage. Calamity had struck. Hackers had acquired the personal data of nearly three billion people through phishing attacks. The data included names, phone numbers, passwords, security questions, and backup email addresses, among others. Worst of all, the data was “protected” with outdated encryption, making it easy for the hackers to crack and resulting in the biggest recorded attack of this decade.
This is just one example. The past decade has been marred with a series of similar attacks, including:
- Sony PlayStation network in 2011 affecting 77 million users
- eBay in 2014 affecting 145 million users
- Equifax in 2017 affecting 143 million users
- Marriott in 2018 affecting 500 million users
More recently, the August 2019 ransomware attack across hospitals, health care centers and schools in the USA, impacting 621 entities and costing around $186 million in losses, is yet another eye-opening example of weak IT security.
But if security is so vulnerable, why aren’t precautions taken?
Well, while the precautions often work, there are times when hackers can exploit the smallest loopholes. A small gap in one person’s security understanding can lead to major threats. Security is everyone’s responsibility, and so, to build awareness, I am sharing a few concepts that will give you a high-level view into the world of security.
Least Privilege
Consider a bank that gives everyone who works there — from the security guard to the janitor — access to the main vault. Convenient for everyone. But would you want everyone to be able to reach your savings? Not likely. A more secure bank would have role-based access, where only the President and the Manager can get into the vault.
In the digital world, broad access to programs is often handed out to many employees — even to those who do not need it. If one of those accounts is hacked, the attacker inherits every privilege it holds, which can lead to major damage across the network. This is where least privilege helps. It denies users access to the parts of a system they do not need and grants a privilege only to the users who absolutely need it, just like the bank.
Defense in Depth
Is least privilege enough to prevent attacks? What if hackers take over a legitimate user’s account to get access? This is where the defense in depth concept helps. It can be compared to the security layers at an airport:
- Layer 1: authentication with a valid ID to enter the airport
- Layer 2: security check
- Layer 3: validation while boarding the flight
Defense in depth is a similar approach in cybersecurity, where defensive mechanisms are layered to protect data. Layered security ensures that even if one layer is breached, the others stay intact and protect the data from unauthorized access.
Failing Securely
With all these security approaches and precautions, there should ideally be no successful attacks. However, there are always loopholes that go unnoticed until something devastating occurs. The concept of failing securely was introduced to tackle such scenarios and to ensure that even if the system fails, it does not disclose data or allow it to be tampered with, hence the name.
One real-world example of failing securely is a building with electronic locks on the doors to keep unauthorized people out. If the power goes off, the doors fail securely by defaulting to the locked state, keeping the thieves out in the cold.
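To make the three ideas above concrete, here is an added Python example (not code from the original post) that models the bank from the least-privilege section: each role holds only the actions it needs, any failure to consult the policy store results in a denial rather than a grant (the doors stay locked when the power is off), and opening the vault also requires a second, independent check. All user, role and permission names are constructed for illustration.

```python
# Added example, not the post's own code; all users, roles and permissions are constructed.
ROLE_PERMISSIONS = {  # least privilege: each role gets only the actions it needs
    "president": {"branch:enter", "vault:open", "vault:audit"},
    "manager":   {"branch:enter", "vault:open"},
    "teller":    {"branch:enter", "cash_drawer:open"},
    "guard":     {"branch:enter"},
    "janitor":   {"branch:enter"},
}
USER_ROLES = {  # constructed user -> role mapping
    "alice": "president",
    "bob": "manager",
    "carol": "teller",
    "dave": "guard",
    "erin": "contractor",  # a role that has no permissions defined at all
}

class PolicyUnavailable(Exception):
    """The policy store could not be consulted (the 'power is off')."""

def lookup_role(user, roles):
    if roles is None:  # simulate an outage of the role store
        raise PolicyUnavailable("role store unreachable")
    return roles.get(user)

def _evaluate(user, action, roles):
    # Unknown user (role None) or unknown role both map to an empty permission set.
    role = lookup_role(user, roles)
    return action in ROLE_PERMISSIONS.get(role, set())

def is_allowed(user, action, roles=USER_ROLES):
    """Fails securely: an outage is a denial, never an accidental grant."""
    try:
        return _evaluate(user, action, roles)
    except PolicyUnavailable:
        return False  # fail closed: the doors stay locked

def is_allowed_fail_open(user, action, roles=USER_ROLES):
    """The insecure counterpart: an outage silently becomes an approval."""
    try:
        return _evaluate(user, action, roles)
    except PolicyUnavailable:
        return True  # fail open: the doors unlock during the outage

def open_vault(user, mfa_verified, roles=USER_ROLES):
    """Defense in depth: the role permission AND a verified second factor."""
    return is_allowed(user, "vault:open", roles) and bool(mfa_verified)
```

Passing `roles=None` stands in for the policy store being unreachable, so the two `is_allowed` variants can be compared on the same request.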
It’s Up to You
The 21st century has brought along a plethora of inventions – smartphones, the Internet of Things, social networks, artificial intelligence and so on. These have certainly eased our lives, but they have also put our data out there, vulnerable to thieves. It is up to us as good corporate citizens to ensure that the trust our customers place in us to secure their information is not compromised. Security is everyone’s responsibility, and being aware of these basic concepts will help you understand the steps you can take to mitigate the risk at your company.
About Susan Thayer
Susan is an experienced CRM and digital marketing consultant with nearly 15 years of managing discovery, implementation and strategic use of CRM solutions and related programs. Prior to joining the consulting world, she served as director of marketing and other leadership roles for leading businesses in both the B2B and Consumer Goods industries. Past corporate employment includes digital marketing and e-commerce for a leading global auto parts corporation, medical products and a website design firm. Susan is a current board member for the Junior League of Lincoln and President of her HOA. She is a past board member for the American Marketing Association of Lincoln and past Public Relations Officer for the state of Arizona Toastmasters.