There were a number of big newsworthy IT events in 2017. As we discussed on this week's Gestalt IT Rundown, the WannaCry ransomware had major impacts across the world. But perhaps even more than widening concerns over ransomware, 2017 was defined by data breaches. Any leak of personal information is scary, but in many ways, 2017 changed the way we imagine the scale of such breaches. Data breaches occurred at such a rate and scale that it's tempting to become inured to their occurrence.
Whenever these breaches occur, the natural response is to want to ascribe blame. It's often easier to simply assign responsibility to a single cause or person than to try to understand exactly how they were put in a position to fail so spectacularly. There's generally some token outrage in the tech and security communities about companies using outdated encryption, or incomplete security not designed to fail gracefully.
But while there often are valid technical failings behind these breaches, very often the human element plays a much larger role. In her recent ebook, 10 Ways We Can Steal Your Data, Karen Lopez outlines the many ways that mere communication and organizational deficiencies can result in data breaches.
The book does a good job of illustrating how simple efforts to save time, and the assumptions that come with them, can lead to gaping security holes. The really crazy one was using production data in a test/dev environment. Karen does a great job outlining how organizations get to that point. The book shines because it doesn't just yell at the reader and tell you that a certain practice is bad. Rather, it uses examples to show how organizations end up there. In the end, it doesn't sugarcoat that these are bad practices, but it shows the journey it takes to make that leap.
The other really interesting way data leaks is the most human example. It comes from an all too common occurrence. Many IT admins are not shy about dishing on process and how they work. Karen rightly points out that all you have to do is get a group of IT pros talking about password best practices, and they'll often literally tell you their own personal password algorithm. I know I've done something similar!
Overall, the book shows that it isn't enough to have technical knowledge of data security. To truly avoid data breaches, you need to eliminate the communication silos that lead to harmful assumptions, and maybe not tell people what your passwords are.