Security breaches and unplanned system outages are nothing new, and over the past couple of years it’s fair to say that the world has seen quite a few.
In June, we saw 6.5 million LinkedIn passwords published on hacker forums, and back in April Global Payments announced that 1.8 million credit card customers had their details taken. In December 2011, the internet and phone connections of millions of people in Norway, Sweden and Finland were knocked out for two weeks by the Dagmar storm. And in October 2011, BlackBerry users could not send or receive emails after a failure at a datacentre in the UK.
In light of all these incidents, it’s important to remember that not all errors or system failures are a result of acts of grievous ineptitude. Mistakes happen, accidents happen, and most people accept this and are able to appreciate that we live in a society where our lives are so entwined with technology that incidents like this are bound to happen.
However, what they won’t accept is having the wool pulled over their eyes by organisations failing to report data breaches.
In September, the European Union (EU) called on businesses, public-sector organisations and governments to be more transparent when they suffer data breaches. It believes more openness will help it both to gauge the scale of cyber crime and to formulate policies to combat it.
A recent report by Enisa, the EU’s information security agency, highlighted how “a lack of transparency and lack of information about incidents makes it difficult for policy makers to understand the overall impact, the root causes and possible interdependencies. It also complicates the efforts in the industry to understand and address cyber security incidents. And finally, it leaves customers in the dark about the frequency and impact of cyber incidents.”
Enisa’s comments are spot on. There is a dire need for greater transparency. When incidents do occur, the ones in the firing line are the IT department and its suppliers. They are the ones charged with maintaining the safety and security of their customers’ data. Unfortunately, not all technology suppliers or IT professionals see it this way, with many more concerned with protecting their own reputation as opposed to the wellbeing of their customers or users.
In many cases, they are happy to let security failures slip by undetected, and even when they do detect them, they rarely report them to the authorities. When incidents are reported, the supplier in question usually points the finger at anything or anyone other than themselves. It is never their fault.
The plain fact is that a lot of the IT industry hides behind the claim that their products and processes are examples of “best practice”. Well, if that is the case why are we still experiencing so many breaches?
The harsh truth is that a lot of these IT professionals don’t see it as being in their best interests to report incidents. They are happy to keep quiet, leaving customers and government policy makers in the dark about frequency, impact and cause. It’s almost as if they think they’re wearing Teflon coats with pockets stuffed with get-out-of-jail-free cards.
It’s high time these people were administered with a massive dose of reality. Hacking and security breaches will never go away until the IT industry starts to work side by side with customers to implement effective measures to prevent them, and stops using customers as a shield to hide behind.
Enisa is right: transparency is key to meeting the growing threat from increasingly sophisticated cyber criminals. IT departments and suppliers need to swallow their pride and be prepared to put their reputations on the line. It is completely unethical for them to sit in the shadows while their customers take the fall for their mistakes.
By acknowledging vulnerabilities and sharing information about them, both stand to gain a better understanding of malicious attacks, which in turn will help them to install processes to ensure the safety of data.
• Simon Bain is CTO of Simplexo