Still relevant lessons in security economics
I started working in the information security and privacy space in 1988 at a large multi-national financial and healthcare organization. Imagine trying to get security and privacy controls implemented at a time when there were no regulations requiring organizations to do so. Yes, I faced some challenges. And many since. Some examples:
- Desktop personal computers (PCs) were quickly replacing dumb terminals as the work machine of choice in the early 1990s. Of course people were already using PCs in their homes, and viruses had been around and spreading for almost a decade. I recommended we install anti-virus software on all the PCs. The CFO and COO pooh-poohed the idea, saying it wasn’t worth the investment. Scant months later an employee brought in a floppy disk carrying a virus, which propagated from his PC to around 800 others attached to the network. There was significant loss of work time, files, and related resources. I soon had funding for anti-virus software.
Lesson: Seeing risks and being proactive to mitigate them would have been a lot less expensive than the cost of the security incident that could have been prevented.
- In the mid-1990s many employees, agents and brokers in my organization were starting to use the Internet on their home PCs. Most of them also had remote access to the company network. I recommended to all the business unit VPs that staff, agents and brokers who connected to the network be required to install personal firewalls and to configure their PCs so that the connection to our network was kept separate from their connections to the Internet. The business units with the agents and brokers refused, saying it would slow them down too much, stifle their creativity and motivation to work for us, was too expensive, and was completely unnecessary anyway. One high-producing broker on the east coast loved using the Internet, and he was often surfing the net while connected to our network. Through his computer a Denial of Service (DoS) attack brought down the network, and we lost around a week’s worth of employees’ work hours, in addition to many corrupted files and lost customers, because the downtime cost us their confidence and trust. During the recovery process the VPs approved a new policy requiring firewalls and other security controls on personal PCs that were also used for business purposes.
Lesson: Seeing risks and being proactive to mitigate them would have been a lot less expensive than the cost of the security incident that could have been prevented.
- In 2006 the CISO at one of my multi-national technology clients was worried about the risks involved with the large amount of clear-text customer data the traveling sales staff had on their laptops. She was also worried when considering the growing number of U.S. breach notice laws. She recommended to the CEO that the laptops be encrypted because of the risks, and also pointed out that the breach laws treated encryption as a safe harbor that removed the notification requirement in the event an unauthorized person accessed the computer. The Corporate Legal Counsel advised the CEO against the investment, since there was no law that required it. The lawyer determined it was an expensive, unnecessary investment that would only slow down the people using the laptops. Encryption was not implemented. Two months to the day after this decision was made, a salesperson had his laptop stolen from an airport restaurant while he went to the bar to get another beer. The time it took to respond to and mitigate this breach, in addition to the significant associated costs, cost close to 10 times more than the subsequent implementation of encryption on the laptops.
Lesson: Seeing risks and being proactive to mitigate them would have been a lot less expensive than the cost of the privacy breach that could have been prevented.
FTC is Forward-Facing with Privacy Guidance
Last month I wrote about the need to build security and privacy protections into the smart gadgets that are being used within the Internet of Things (IoT) and described five actions companies need to take to protect privacy. The concern is growing. The U.S. Federal Trade Commission (FTC) recently published its forward-thinking report on this topic, “Internet of Things: Privacy & Security in a Connected World.” This 55-page report signals the FTC’s plans to step up activities to make sure organizations of all sizes that create smart devices are building in effective security and privacy protections. Such preemptive action is smart and valuable, given the potential for large security incidents and privacy breaches that could cause harm on a scale we have not seen to date.
I applaud the FTC Commissioners who wrote this report for being pro-active, and having the vision and wisdom to recognize the great need for issuing this security and privacy guidance now, and not later, to protect individuals using the smart devices in the IoT. The Commissioners included:
It is especially significant considering the dissent of FTC Commissioner Joshua Wright, whose entire argument against proposing security and privacy safeguards for IoT devices was based upon two tired and completely false premises that the misinformed and the privacy-problem deniers have been repeating for decades:
1) There’s no need to ask manufacturers to build in protections until after a significant number of bad things have already happened to people. Bad thinking! So, instead of wanting to prevent the bad things we know can happen based upon looking at the associated risks, he wants people to suffer privacy breaches and security incidents first, just so the protections can be proven necessary to him and the other privacy-pooh-poohing skeptics. History and thousands of incidents show this is an old and unwise position to take.
2) Too many have a habit of saying it is not worth the cost of implementing protections until they actually see that bad things really will happen. It’s not a matter of if, but when! As my three examples show, leaders should not be penny wise and privacy foolish. I could fill a book with more examples. And I know my information security and privacy practitioner colleagues could add hundreds of thousands of their own. History and thousands of privacy breaches show this is an old and unwise position to take, one that completely disregards the damage that could occur to millions of individuals’ lives.
The costs of implementing security safeguards and privacy controls are significantly less than the costs, and the damage to individuals’ lives, of cleaning up after security incidents and privacy breaches and paying all the associated money and time.
We already know that widely used smart devices record the conversations and images of those in their vicinity. We already know that smart cars can be hacked. I know from my work with medical devices that if they are not secured they present security, privacy, and also safety risks to those using them. The risks have been demonstrated. There is no legitimate reason not to take action now to secure all these IoT devices. History shows this guidance will prevent many incidents and breaches for those companies smart enough to implement these smart recommendations in their smart devices.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One (http://techpageone.dell.com/). Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
Tags: cybersecurity, Dell, Edith Ramirez, Federal Trade Commission, FTC, Information Security, Internet of Things, IoT, Joshua Wright, Julie Brill, Maureen Ohlhausen, privacy, privacy professor, privacyprof, Rebecca Herold, smart device, TechPage, Terrell McSweeny