Written: December 16, 2021
Major information technology (IT) breaches are becoming a daily occurrence. The news coverage has centered on hacking and hackers. The bigger story, in my opinion, is the failure of government and business leaders to prevent the hacking. The news coverage at times makes it sound like the problem is the Internet, being hacked is just the way things are, and it is not possible to have servers containing important information be secure. This is not true. In this post I will be offering a different perspective.
The Internet consists of a myriad of telephone wires, fiber optic cables, satellites, wireless access points, and other communications methods and equipment. The Internet is built on global standards which enable any device connected to the Internet to connect to any other device connected to the Internet anywhere in the world, and soon in outer space. There are currently more devices connected to the Internet than there are people in the world. The last data I saw showed there are a mind-boggling 10 billion connected devices. Devices include computer servers which contain the world’s information, much of it personal, private, sensitive, and critical to the operation of business and government. Other devices include video cameras, digital gate and door locks, surveillance systems, critical infrastructure systems, airplane cockpits, and the cars we drive.
The Internet itself is inherently insecure. However, it is possible to make any device connected to the Internet secure and locked down so that it refuses a connection request from any device not authorized to connect. Protection is achieved by using software and hardware devices which provide firewalls to block unwanted connections. Security software can provide authentication checks to confirm that every connection is a desired one. Encryption is used to scramble data so only the owner of the data can make sense of it. Many other sophisticated tools are available to make servers connected to the Internet secure. Yes, it is possible to have secure servers. Unfortunately, there continue to be cases where the custodians of servers have left the keys under the welcome mat.
Not protecting the servers and other devices from being breached represents gross negligence and incompetence. Securing servers is important for every organization but especially so for companies which provide part of the nation’s infrastructure or contain very personal information like financial, investment and tax information, credit reporting, insurance data, and healthcare.
The U.S. Chamber of Commerce is calling on the Federal government to do more to fight hacking breaches. This is a cop-out. We don’t need the federal government, which itself has demonstrated incompetency in multiple instances, to tell private companies how to run their businesses. There is however a role for the federal government. In the financial services industry, there are rigid standards for using encryption and other software tools for securing servers. Regular audits occur and are followed with significant penalties for inadequate compliance. This approach should also be in place for any company or organization which stores consumer data or provides infrastructure services affecting millions of people. As an aside, the defense bill passed this week had a provision requiring critical infrastructure companies to report any cyber-attacks. Our brilliant Congress removed the provision in the final hours.
In the mid-1990s, when I was VP for Internet Technology at IBM, my team and I were quite concerned about security. Working with IBM Research, we formed a group which I called the “ethical hackers”. We attended a major technology conference to demonstrate some new tools our researchers had developed. The lead researcher took the podium and asked if any of the companies represented in the room believed their systems were secure. Several hands went up. The researcher asked if he could have permission to try to hack into the company’s systems, live from a laptop at the podium. The first company said yes. Within a couple of minutes, the researcher asked if the CEO’s daughter had just gotten her driver’s license. He had read this in an email on the company’s server. You could feel the uneasiness among the audience. A second volunteer confidently gave the OK for his company. Again, within a few minutes, the researcher said he was reviewing the company’s payroll data. There were no more volunteers. The “ethical hackers” group became a profitable business unit. After hacking into a company’s systems, for a consulting fee, the group would provide a report with the details on how they had broken in and a set of recommendations for how to prevent a future breach.
Gartner has forecast that the worldwide information security market will reach $170 billion in 2022. This is good news. It shows organizations are focusing on their defenses against cyber threats. According to Cybint, a global cyber education company, 95% of cybersecurity breaches are a result of human error. The ID Theft Resource Center reported that between 2005 and 2020 there were 11,762 data breaches. An estimated 300 billion passwords are used by humans and machines worldwide. Many, perhaps most, of them are like abc123. There is plenty of opportunity to improve.
Every significant organization has a chief information officer (CIO). It is a tough job with a lot of turnover. Many are paid $1 million or more. That is OK, but they have to be accountable. Likewise for the CEO. Paying millions of shareholder money to hackers because of their own incompetence is outrageous. In the digital economy of today, any leader of an organization needs to know quite a bit about IT. Not as much as the CIO, but enough to ask the right questions to ensure the organization’s servers and network are secure. If the CEO is not comfortable, he or she should have a technical assistant and bring in outside skills. Cybint says the key is to have a commitment to “reskilling the workforce and upskilling in cybersecurity”. Innovative education and training solutions are out there. It is possible to have a safe and secure digital world if top management can lead the way.