Bad at Cybersecurity

If you’re like most people, you feel confident and well-informed about online security, and if you’re like most people you have absolutely no reason to feel that way.

That was the conclusion of a new survey from Harris Poll and Google, which found that 55% of Americans above the age of 16 graded themselves as an A or B when it comes to online safety, but only 23% could identify a link with “https” as being more secure than “http,” 70% misidentified a secure URL, and a whopping 97% got at least one answer wrong on a basic six-question security test.

But don’t let it get you down: many major companies aren’t very good at online security, either.

First American Financial and Google’s Years-Long Blunder

Take, for example, First American Financial Corp. The company stored customer documents and records pertaining to mortgage deals going back 16 years in a way that was openly accessible to anyone with a web browser: zero authentication or encryption required. All one needed was a guessable URL to view documents related to mortgage deals, including bank account numbers, tax records, Social Security numbers, and scans of driver’s licenses. There were scads of records involved: almost 900 million of them.
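The failure described above is a document endpoint keyed by a guessable identifier with no check on who is asking. The following is an added illustration, not First American’s code: a constructed in-memory document store served two ways, first the leaky pattern (any caller who can produce a sequential id gets the record), then a hardened handler that requires an authenticated user, checks ownership, and hands out share links as random, expiring tokens instead of exposing the record id. The store contents, user names and the `Forbidden`-style `None` results are all assumptions made for the example.

```python
"""Leaky vs. hardened document access, as an added example (constructed data)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: bytes


# Constructed sample store. Sequential ids are what make links guessable:
# if 1001 works, a reader can simply try 1002.
DOCS: Dict[int, Document] = {
    1001: Document(1001, "alice", b"mortgage packet: alice"),
    1002: Document(1002, "bob", b"mortgage packet: bob"),
}


# --- Leaky pattern: no identity, no authorization, guessable key ---------------
def fetch_document_leaky(doc_id: int) -> Optional[bytes]:
    """Serves the record to anyone who supplies an id. This is the defect."""
    doc = DOCS.get(doc_id)
    return doc.body if doc else None


# --- Hardened pattern ---------------------------------------------------------
def fetch_document(user: Optional[str], doc_id: int) -> Optional[bytes]:
    """Require an authenticated principal and check ownership before serving.

    Missing and not-owned both return None so the endpoint does not confirm
    which ids exist.
    """
    if user is None:  # unauthenticated request
        return None
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != user:
        return None
    return doc.body


# Share links: a random 256-bit token with an expiry, so an emailed link is
# neither guessable nor valid forever. token -> (doc_id, expires_at)
SHARE_LINKS: Dict[str, Tuple[int, int]] = {}


def create_share_link(user: Optional[str], doc_id: int, now: int,
                      ttl_seconds: int = 3600) -> Optional[str]:
    """Only a user who can already read the document may mint a link for it."""
    if fetch_document(user, doc_id) is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SHARE_LINKS[token] = (doc_id, now + ttl_seconds)
    return token


def fetch_shared(token: str, now: int) -> Optional[bytes]:
    """Resolve a share link; expired or unknown tokens yield nothing."""
    entry = SHARE_LINKS.get(token)
    if entry is None:
        return None
    doc_id, expires_at = entry
    if now >= expires_at:
        SHARE_LINKS.pop(token, None)  # one-time cleanup of the stale link
        return None
    return DOCS[doc_id].body


if __name__ == "__main__":
    # Leaky: bob's packet is readable by guessing the next id.
    print(fetch_document_leaky(1002))
    # Hardened: alice cannot read bob's packet, and an expired link is dead.
    print(fetch_document("alice", 1002))
    link = create_share_link("bob", 1002, now=1000, ttl_seconds=60)
    print(fetch_shared(link, now=1030), fetch_shared(link, now=1061))
```

The point the hardened version makes is the one the article's later question, “Is that data encrypted?”, gestures at: the missing control was not a sophisticated one, just identity and ownership checks on every read, plus links that cannot be enumerated.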

As Brian Krebs noted, the number of people with access “would potentially include anyone who’s ever been sent a document link via email by First American.” By extension, it would also include anyone with access to an email fitting that description.

While First American is a Fortune 500 company, it has never demonstrated any interest in being a cybersecurity-forward company. That said, even companies that take cybersecurity seriously often get it wrong.

Take Google, for instance. The search giant came clean about a similar gaffe earlier this month, revealing that passwords associated with the accounts of an unspecified number of G Suite users had been stored in an unencrypted format on their servers for 14 years.

“To be clear, these passwords remained in our secure encrypted infrastructure,” the company announced in a blog post. Considering that the passwords were supposed to be stored in an encrypted format, reassurances about infrastructure seem a bit hollow.

And Many, Many Others

Google and First American are hardly alone. Facebook’s seemingly unending parade of major privacy accidents, mistakes, and gaffes is mind-boggling and too long to list here.

This month alone, 49 million Instagram users learned their personal information had been leaked, and 5 million customers of Canada’s fourth-largest cellular provider were also potentially exposed. The FEMA leak of 2.3 million disaster victims’ data, as well as Meditab’s accidental exposure of six million medical records in the form of digitized faxes, are two other recent indications from the news feeds that we are all living in a state of cyber insecurity.

These news items are noteworthy not only because of the danger they pose to the people whose personal information is now almost certainly in the wrong hands. What matters here is that none of them are data breaches. They are all data leaks.

It’s easy to confuse the two, but while a data breach is a failure to keep a hacker or cyber-attacker out of your data, a data leak is a failure to protect it in the first place. It’s the difference between someone breaking into a bank vault and an employee not bothering to shut and bolt the vault door. And much like data breaches, leaks only seem to be getting more common.

This is where corporate culture comes into play.

If a majority of people have an unrealistically high opinion of their own security savviness, companies need to take that into account. Lax attitudes and faulty assumptions are rife in the workplace. That Google traversed 14 years as a going concern without checking a basic security feature in one of its flagship services is resounding proof of this troubling fact.

What can companies do?

As the old Peter Drucker saying goes, “Culture eats strategy for breakfast.” While it’s extremely difficult, especially for cybersecurity teams, to change pervasive attitudes in a company, that’s the job at hand.

A few basic practices can help get companies headed in the right direction, and cut down on some of the more easily preventable data leaks:

  • Ask simple questions and encourage others to do the same: Reliance on sophisticated tools for determining cyber risk is an easy (and bad) habit to fall into. Tools should never trump basic questions like, “Is that data encrypted?”
  • Map and inventory your data: Data is an important commodity to businesses and hackers alike. Losing track of customer data or information only opens the door for it to be left accidentally unprotected on a server or a network drive. Any time data is collected, have a policy for documenting where it is, how it’s stored, and who has access to it.
  • Review your practices: Most IT departments are overworked and spread thin. Running from one crisis to the next means less time to check and double-check for any security holes or basic errors in how security is handled.

A sloppy attitude toward data security is ultimately a safety issue. While people affected by a data leak may not be in immediate physical danger, there is potential for lasting harm to customers and a company’s reputation. Much like any other workplace safety issue, a set of rigorous safeguards and workplace training are vital to avoid carelessness.