Ever had a bank, vendor or other company urge you to open an online account?
Of course you have.
“Your information is totally secure with us,” they say.
Of course it isn’t.
The problem is, you can’t do business today without conducting much of it online.
Researchers from the universities of Virginia and North Texas recently reported that most businesses are not as protected from cybercrime as they could be — no matter what they’re telling the public and their partners in commerce.
“While they may be saying the right things in public to satisfy investors, underwriters and customers, there is an apparent lack of urgency in promoting a truly resilient and secure organization,” they wrote in a paper published by the Association for Computing Machinery.
“Our research did not have to dig very deep to find surprising gaps in organizational security practices,” they wrote.
We’ve already discussed in this space the recent explosion of malware ransom cases, such as this year’s shutdown of the Colonial Gas pipeline. Here we’ll focus mainly on hacks that exposed customers’ personal information, such as Social Security numbers (although personal information can be involved in other types of hacks as well, such as when hijackers threaten to release customer information if companies don’t pay the ransom).
One of the most recent cases was T-Mobile. Last month, nearly 50 million customers had their personal information exposed, including SSNs and driver’s license numbers. The man who claimed credit for the attack said he didn’t try to ransom the information back to the company because he already had buyers lined up to pay him for it.
Other companies from which customer information has been stolen or exposed include Amazon, Facebook, Yahoo (twice), Marriott Starwood, LinkedIn (twice), Adobe, Toyota, CVS, Target and Costco. Even UVa’s Health System was hit just a few years ago.
And you’ll notice that some of the companies listed here are even big names in the high-tech world — so you’d think they’d know better and do better.
Chris Maurer, a professor in UVa’s McIntire School of Commerce, said he and his colleagues asked companies about best practices for computer security, including such things as evaluating themselves on cybersecurity practices, conducting regular cybersecurity training for employees, and having a member of the leadership team dedicated to cybersecurity.
The research showed that even among the biggest companies, those earning more than $1 billion in revenue a year, about a third did not have a dedicated computer security officer.
One of the reasons companies don’t invest more in cybersecurity, suggested Maurer, is that its value is hard to quantify.
If security measures are working, nothing happens: there is no breach. But how do you measure nothing?
It may not be precisely quantifiable, but one rough measure is how frequently data breaches occur and how much damage they do. Surely, the constant drumbeat of news about hacks and their costs to companies and customers alike would push businesses to strengthen their security.
Not necessarily, said Maurer. Psychologically, the news can have just the opposite effect: Companies may assume breaches are inevitable and there’s no way to stop them.
There’s no way to put a once-and-final end to burglary, either, but that doesn’t mean businesses shouldn’t invest in strong walls and sturdy locks.
Studies such as Maurer’s and his colleagues’ might help push more businesses into implementing these best practices. We hope so.
Companies would save themselves — and us — a lot of trouble if they beefed up their cyber defenses. They might not prevent every attack — but they could prevent them more often.