BreachExchange mailing list archives

Why aren't we talking about data security?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 3 Sep 2015 19:51:49 -0600

http://www.strathroyagedispatch.com/2015/09/03/why-arent-we-talking-about-data-security

With Canada's federal election proceeding apace, and so many issues left
uncovered within the scope of recent and upcoming debates, this column is
focusing on tech policy issues that I think deserve further attention.

I draw the candidates' attention to the issue of information security and
data privacy.

It's no secret that scads of data from infidelity-themed website Ashley
Madison were released recently by a hacker group called Impact Team. Now
this information is out in the wild, causing widespread panic.

As data security expert Troy Hunt said, "This incident needs to be
approached with the understanding that for many people, this is the worst
time of their life and for some, it feels like the end of it."

That personal havoc would certainly go a long way toward explaining the
suicides possibly linked to the hack.

But the Ashley Madison hack is only one episode in an ongoing story about
how the Internet is broken, in large part because everything is broken.

As Quinn Norton, a journalist who covers the hacker culture, points out,
"It's hard to explain to regular people how much technology barely works,
how much the infrastructure of our lives is held together by the IT
equivalent of baling wire."

The Ashley Madison hack, and other high-profile hacks, are just symptoms of
an ongoing disease that poses a real threat to the quality of life for
everyday people online.

Systematic attacks on personal information are nothing new online. But
they are becoming more popular, in part because news media are covering
them more. Stories like the Ashley Madison story, or the Sony hack, or the
Jennifer Lawrence and other Hollywood nudes, are almost impossible to
resist. They're the stuff that a gossip columnist's dreams are made of.
They also carry the promise of the illicit, of seeing the unseen and
knowing the unknown, the seductive pull that makes all hacking attractive.

But when we associate hacks with titillating information like nude photos,
or sexy texts, or even the blathering misspelled emails between industry
executives about how to solve a problem like Adam Sandler, we miss the more
serious ramifications of such attacks.

For example, consider the recent attack on health insurance provider
Premera Blue Cross. Eleven million members of the service were affected.
Their personal information went everywhere; Premera is now on the hook for
two years of credit protection to all customers.

Similarly, retailer Target is now paying out up to $10,000 per customer
affected by a 2013 data breach related to credit card information. They're
not alone: JP Morgan, Home Depot, and eBay have all endured similar attacks.

These are real people. This is real money.

And Canadian systems are just as vulnerable as any others. Witness the most
recent Wal-Mart data breach this past July, in which up to 60,000 customers
were affected.

Any candidate worth his or her salt should be drawing up a data security
plan as part of a larger tech policy platform. It's an easy investment to
make that protects a wide variety of Canadians at the personal and
financial level. It's a simple way to make everyone safer.

But establishing such a plan might mean actually listening to scientists,
whether they work on global warming or on information security. And lately,
Canada hasn't had the best track record with taking science -- or any kind
of evidence-based policy -- very seriously.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
