The Myth of Enterprise Data Security

Chances are that digital information about you has already been exposed in systems with security flaws… and perhaps even stolen by hackers.

In 2013 three billion people with Yahoo accounts potentially had their data compromised… In 2015 the federal agency in charge of hiring and staffing our nation’s government – the US Office of Personnel Management – was hacked. In that single event, highly sensitive personal data including fingerprints, background checks, and social security numbers belonging to 21.5 million people were potentially stolen… In 2017 the consumer credit reporting corporation Equifax had its systems breached, potentially exposing the social security numbers, addresses, names, and birthdates of up to 145.5 million Americans – nearly half the nation.

You might think that when a new security flaw is exposed at one company, all other companies immediately take steps to correct similar flaws in their own systems. Unfortunately that’s not always the case, as veteran IT specialist Kevin Hawkins explained when he sat down for an interview with us in November of 2017.

Hawkins has personally seen his share of network security holes and hacking attacks. He has more than a decade of experience as an SQL database administrator at Humana, one of the nation’s leading health insurance companies, and nine years of experience as a professor of IT.

In fact, before our interview Hawkins had just been talking to a person who consulted for a company that dealt with personal health information. “I’m just waiting to hear on the news when they get hacked because they’re just ripe for it,” he said, explaining the company was literally 15 years behind with their technology upgrades.

Hawkins identified several reasons why he thinks data breaches are only going to get worse:

  • There is a lack of user awareness about being proactive with data security.
  • Those who store our private data – private companies and government agencies – have not made cyber security an adequate priority.
  • Hackers are constantly developing new techniques while refining the old.

For Enterprises, Unwitting Employees Are Often the Weakest Link… Just Ask the DNC

No matter how good a company’s network firewall and anti-virus programs are, if its employees aren’t wise to best practices and cyber threats then they can easily be the point of compromise for the entire enterprise.

Employees often accidentally serve as a bridge between nefarious actors and secure data. If a hacker can gain access to an employee’s network privileges, that typically means access to sensitive customer data. Companies need to give their employees adequate training to prevent these types of penetrations.

Runner4567 is Not a Strong Password

Case in point is John Podesta, the man at the center of the 2016 Democratic National Committee hacks during the Trump vs Clinton election. His Apple iCloud password was “Runner4567,” something any hacker could brute-force in an hour. What’s more, it appears he used this same password for other accounts including Twitter, which was soon hijacked after his Apple password was leaked to the public.

The fact that his password was actually leaked in emails highlights the importance of deleting emails that contain sensitive information – not letting them pile up in the inbox. Better yet, employees should avoid disseminating sensitive information like passwords unless it is absolutely necessary.
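Why a ten-character password with mixed case and digits is still weak is easier to see with two strength estimates side by side. The following is an added example, not code from the article or from Hawkins: a checker that compares the naive "character set to the power of length" figure a simple policy tool reports against a pattern-aware estimate for the "dictionary word + digits" shape. The small word list, the assumed 100,000-entry dictionary size, the three capitalization variants and the 50-bit policy threshold are all assumptions chosen for the illustration.

```python
import math
import re

# Constructed stand-in for a cracking wordlist: a real one has on the order of
# 100k entries (assumption), so the size is passed separately from the sample.
COMMON_WORDS = {"runner", "password", "summer", "welcome", "dragon", "monkey"}
ASSUMED_DICTIONARY_SIZE = 100_000
CAPITALIZATION_VARIANTS = 3        # lower, Capitalized, UPPER (assumption)
SYMBOL_ALPHABET = 33               # printable ASCII punctuation
MIN_BITS = 50                      # policy threshold, an assumption for this example


def naive_entropy_bits(password: str) -> float:
    """Charset^length estimate: what a checker that only counts character
    classes reports. Mixed case plus digits over 10 characters looks strong."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += SYMBOL_ALPHABET
    return len(password) * math.log2(charset) if charset else 0.0


def pattern_entropy_bits(password: str,
                         dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> float:
    """Estimate for the 'dictionary word + digits (+ one symbol)' shape.
    A guessing tool does not walk 62^10 strings; it tries each word in its
    list, a few capitalizations, and every digit suffix of the observed length."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)([^A-Za-z0-9]?)", password)
    if not m or m.group(1).lower() not in COMMON_WORDS:
        return naive_entropy_bits(password)   # shape not recognized: fall back
    _word, digits, symbol = m.groups()
    guesses = dictionary_size * CAPITALIZATION_VARIANTS * 10 ** len(digits)
    if symbol:
        guesses *= SYMBOL_ALPHABET
    return math.log2(guesses)


def evaluate(password: str) -> dict:
    """Report both estimates and a verdict based on the weaker one."""
    naive = naive_entropy_bits(password)
    pattern = pattern_entropy_bits(password)
    effective = min(naive, pattern)
    return {
        "naive_bits": round(naive, 1),
        "pattern_bits": round(pattern, 1),
        "verdict": "ok" if effective >= MIN_BITS else "weak",
    }


if __name__ == "__main__":
    for pw in ("Runner4567", "password", "xT9#kLq2vB!m"):
        print(pw, evaluate(pw))
```

For "Runner4567" the naive figure is about 59.5 bits, the pattern-aware figure about 31.5 bits: the password is a common word with a four-digit suffix, and that is the search space that matters. A policy that only enforces character classes and length would have accepted it; a checker that recognizes the shape rejects it.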

Good Web Browsing Practices

Passwords are pretty obvious but there are still companies that don’t have automatic password change schedules or strong password requirements. Aside from those, good web browsing habits are the next-best practices employees should be trained on.

Employees should be cautious when going to unknown websites that are miles down in the search results or based in other countries. This starts with training about country code top level domains. “Most of the cyber crime is based out of China and Russia,” notes Hawkins. Many network admins block .ru and .cn addresses by default.
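The blanket ccTLD block the paragraph mentions is simple to state but easy to get subtly wrong when implemented as a string match. As an added example (not code from the article or from any named product), here is a hostname check that denies on the final DNS label only, normalizes case and the trailing dot, ignores IP literals, and exposes a caveat: internationalized ccTLDs such as Russia's .рф are a separate label (xn--p1ai) and are not covered unless listed. The blocklist contents and the sample hostnames are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed policy for this example: the two ccTLDs the article names.
BLOCKED_TLDS = frozenset({"ru", "cn"})


def hostname_of(url: str) -> str:
    """Pull the hostname out of a URL or bare hostname and normalize it
    (lower-case, no trailing dot) so it can be compared label by label."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the netloc
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_blocked_tld(url: str, blocked=BLOCKED_TLDS) -> bool:
    """True when the hostname's final label is a blocked ccTLD.

    Only the last label is checked, so 'ru.example.com' passes while
    'cdn.example.ru' and 'EXAMPLE.RU.' are denied. IP literals have no TLD
    and are left to other controls. Punycode ccTLDs (e.g. 'xn--p1ai' for
    .рф) are distinct labels and must be listed explicitly to be denied."""
    host = hostname_of(url)
    if not host:
        return False
    last = host.rsplit(".", 1)[-1]
    if last.isdigit() or ":" in host:  # IPv4 / IPv6 literal
        return False
    return last in blocked


if __name__ == "__main__":
    for u in ("https://cdn.example.ru/x", "http://ru.example.com/",
              "EXAMPLE.RU.", "http://user:pw@mail.example.cn:8080/",
              "http://192.0.2.1/", "http://host.xn--p1ai/"):
        print(u, "denied" if is_blocked_tld(u) else "allowed")
```

Matching on the last label rather than on a substring is the whole point: a naive `".ru" in url` test would deny `ru.example.com` and `example.com/.ru` while saying nothing about `EXAMPLE.RU.`. The xn--p1ai case shows why a TLD blocklist needs to be maintained rather than written once.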

Training on good browsing habits should also cover protocols when downloading anything, installing apps or programs, and even installing updates. Many companies restrict these types of activities but you would be surprised how many don’t.

Being aware of phishing and spear-phishing schemes falls under this category too. The cyber security company CrowdStrike determined it was a spear-phishing attack – an email addressed to someone with a personalized subject that activates when opened – that led to the 2016 breach of the Democratic National Committee.

It’s Shocking How Cyber Security Is Still On the Back Burner for Many Enterprises

Companies and government agencies have a lot of issues to deal with. All too often cyber security isn’t recognized as an existential threat until a breach actually happens.

Hawkins explains that cyber security has got to be viewed as a pressing priority…

“If companies are not on the vanguard of this they’re just going to have nothing but issues going forward. And a lot of companies just don’t see the turnover in income from that. They put it on a back shelf thinking they’re okay for now and things are good, but it’s just going to get worse going forward.”

Unfortunately when we look at some of the recent major security breaches, a pattern emerges of companies and government agencies not heeding the warnings about lax cyber security until it’s too late.

That was the case for the 2016 Democratic National Committee hacks. US officials say that federal investigators warned the DNC about potential network intrusions months before the DNC took any action. By the time the hackers were finally kicked out, they had already been inside the DNC network for about a year.

It was the same for Equifax. Its former CEO admitted the Department of Homeland Security had warned his company about software flaws two months before it was hacked. And the ignored warning that led to the hack against the federal government’s personnel department was even worse.

The inspector general warned the US Office of Personnel Management about flaws in its cyber defenses a full decade before the 2015 hacking incident was detected. As late as 2013 the OPM did not have a single person devoted to IT security, and in November of 2014 an inspector general report noted the OPM lacked encryption, did not know how many servers and databases it had, and was not aware of how many different systems connected to its own networks.

If the recent high-profile, high-volume data breaches due to naiveté and negligence weren’t enough to convince you your information isn’t safe, just remember that within the geopolitical arena governments around the world are spending millions to train armies of cyber crooks.

And that doesn’t even take into account most hackers who aren’t government trained. They’re just out to steal and sell your personal information on the black market to anyone willing to pay for it.

When a Trojan Horse Was Wooden

Hawkins smiles when he remembers the innocent days when home PCs were just catching on. “Back in 1984 Microsoft released their first version of Windows. At that time they had no concept of security so it was really wide open.”

The good ol’ days didn’t last long, however. Pretty soon there were pop-ups all over AOL and cyber security as a profession came into the mainstream. Fast forward to the present and we’ve seen another field recently come into the mainstream: big data.

Club cards, social media, and smart phones that literally track your every movement and purchase are commonplace, and capable of generating gigabytes of detailed data about you. And when you click on the “I agree” box you’re allowing this data to be legally sold to anyone willing to pay for it.

The expanse of big data prompted The Economist to make a benchmark announcement in May of 2017: the value of the data economy has surpassed the value of the world’s oil industry.

The ever-increasing amount of data about you flowing between those who store it, those who buy it, and those who analyze it is also mirrored in the government as it digitizes data about citizens for internal use. That includes everything from your taxes with the IRS to your health records with Medicare to your metadata with the NSA.

Each instance where your data is transferred, stored, or analyzed is a potential window for a hacker to sneak in. Is the government better at securing data than the private sector? Not in Hawkins’ opinion. “They seem to run way behind everyone else. By far.”

If history is any indication, neither deserves a medal.

“Hackers Only Get Better”

That’s what Hawkins observed as we neared the end of our interview. He added ominously, “They don’t get worse and they don’t go away.”

Today hackers have diversified to focus on each of the windows and sub-windows through which data can be exfiltrated. For example, when you do something as simple as install an app, you’re creating another potential window where a hacker could break in and access the data stored on your phone. Apple’s App Store debuted in 2008 and less than a decade later it hosts 2.2 million apps. Android users can choose from even more apps. And every one of those apps can be exploited uniquely by a hacker.

Your data, and the profit that can legally be made from it, is multiplying exponentially. That means the targets available to hackers are also multiplying. Companies are too busy making money to emphasize cyber security as a priority, and when there is a major breach it seems the consequences are not adequate to deter the same thing from happening again.

If there’s any silver lining to this it’s that there will be steady demand for those in the cyber security field well into the future.