Developing A Culture of Information Security

In 2018, security should be everyone’s concern. Recent massive data breaches from companies that are too well-funded, too experienced and too well-equipped blame it on understaffing, under-resourcing or ignorance point to an ongoing failure of security awareness in many organisations.

These breaches affect millions of people, often revealing private and economically valuable information which can then be used or sold by hostile actors for the purposes of identity fraud. With the trend towards storing more and more sensitive data online, the need for a revolutionary change in how companies approach consumer data security is needed. In this blog, we’ll examine how the current measures taken by many companies to secure customer data fall short and speculate on how these companies can build a way forward that better protects against potential hacks.

Equifax – a preventable tragedy

In May of 2017, consumer credit reporting agency Equifax suffered a breach that led to hackers accessing the private data of millions of people around the globe. Thought to impact more than 145 million US residents and as many as 44 million British residents and 8,000 Canadian residents before its discovery on July 29, the breach was particularly devastating due to the nature of the data accessed. In addition to first and last names, information such as residential addresses, Social Security numbers, birth dates and driver’s licence numbers were found to be accessible by the hackers, with around 200,000 US consumers having credit card numbers and dispute documents with personal identifying information accessed.

While not the biggest breach of all time – Yahoo, who in 2013 had more than 3 billion accounts compromised across the Yahoo network, including the site itself, as well as Flickr, Tumblr and other Yahoo properties – was arguably the most damaging event due to the sensitive nature of the data accessed. It’s important to put the scale of this breach into perspective – more than 44 per cent of the total US population, or more than half of all US adults with a credit history were affected – giving hostile actors a nearly priceless well of highly sensitive data.

While in isolation many of the data points leaked are relatively innocuous, the potential for identity fraud is very real as the leak contains the most common proofs of identity requested by businesses. Savvy hackers could potentially link Social Security or drivers licence numbers to names, allowing them to impersonate individuals, giving them access to financial accounts and more.

After the announcement of the breach on September 7, Equifax blamed the breach on a vulnerability in the Apache Struts 2 web application framework. However, this does not absolve the company of blame. The vulnerability was originally documented in March and a patch was released in the same month, but as reported in manyz technology publications, Equifax had failed to install the provided patch before their customer data was compromised in May.

Writing for Ars Technica, Dan Goodin made the argument that this failure to patch a key security vulnerability – along with several other high-profile gaffes in the immediate aftermath of the breach being revealed – speaks to a pattern of technological incompetence at Equifax that is completely unbecoming of one of the three largest credit agencies in the United States. He highlighted some of the key technological and strategic errors made in a recent article.

“For one thing, it took the Atlanta-based company more than five weeks to disclose the data loss,” he wrote.

“Even worse, according to Bloomberg News, three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the July 29 discovery of the breach.”

The company continued to display a pattern of carelessness in its dealings with victims of the breach, committing several errors that Goodin said added up to an ‘amateur response’ from the company in light of the severity of the matter.

“The website, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number,” he wrote.

“Another indication of sloppiness: a username for administering the site has been left in a page that was hosted here.  (. . .) That by itself wouldn’t allow for unauthorized access, but it’s still something that should never have happened.

In addition to the above, the domain was initially not registered to Equifax in the initial few days after launch, leading to Cisco-owned Open DNS blocking access to the site as a suspected phishing threat. The whois records were updated on September 10 and Open DNS restored access to users.

“Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data,” Goodin wrote.

Many commentators pointed out that Equifax’s responses in the wake of the breach only served to heighten anxiety amongst affected individuals. Taken together, their efforts to contact and work with affected consumers painted a picture of a company that was rushing to provide a solution without taking the adequate time to ensure that they weren’t exposing their customers to additional risk and their brand to further damage.

Referring to the display of debug codes on the main Equifax website, Goodin criticised the company and highlighted the severe damage the entire episode had done to efforts to assuage consumer concerns.

“A mistake this serious does little to instil confidence company engineers have hardened the site against future devastating attacks. (. . .) [Failing to secure a large volume of highly sensitive data] was enough to make this among the worst data breaches ever. The haphazard response all but guarantees it.”

Clumsy, amateurish mistakes like those made by Equifax would be more excusable from a younger or smaller company. However, Equifax has existed in the credit market since the late 19th century, and according to their company profile have more than 10,000 employees worldwide. The company’s size, age and prestige gives it a level of respectability that it has not lived up to in this instance, and its reputation as a global leader means that its staff should be thoroughly aware of all security threats to corporate infrastructure. That a company with as stringent security requirements as a consumer credit reporting agency failed to notice a worst-case-scenario breach into their most sensitive servers speaks to a lack of security awareness at all levels of the organisation.

Additionally, not only does Equifax operate in a highly regulated industry, the 2017 breach was not the first time the company had faced official scrutiny for mishandling of consumer data. In July 2013, a federal jury in Oregon awarded more than $18 million dollars to Julie Miller for hardship brought about as a result of Equifax erroneously merging her credit reports with someone with a different Social Security number, date of birth, and address, as a result of which she was denied credit and her personal information disseminated to unaffiliated businesses. This occurred despite numerous notifications by Miller in writing and via phone, after which Equifax continued to refuse to delete the false collection accounts attached to her credit report. The September breach indicates that in the intervening years, Equifax failed to learn from their previous mistakes and as a result continued to employ the same lax standard of information management in 2017 as they had in 2013.

The changing nature of security

One possible lesson to learn from the Equifax breach is that for large organisations, it’s no longer enough to rely solely on a small group of IT professionals to protect their data. The increasing complexity of the average worker’s role is requiring them to have access to more sensitive data and more data in general. Where in the past, an entry-level employee’s role could be compartmentalised away from sensitive data; nowadays workers are exposed to or are required to handle highly valuable information as part of their day-to-day workflow.

This shift reflects the changing nature of work in the developed world away from secondary sector roles such as manufacturing towards tertiary and quaternary sector roles in the service and knowledge economy. In order to thrive, bosses can’t put blinkers on their workforce – each member of your team needs an enormous amount of data on a daily basis in order to perform in a fast-paced and dynamic market.

This is best shown in the shift towards agile methods of product delivery, which have seen a surge in popularity as the traditional 12 to 24-month development cycle for a product or software package is considered too long. Businesses are putting a premium on an ability to pivot rapidly and suddenly to better track the shifting needs of the market.

To do this effectively, decision-making needs to become decentralised, with power to determine the strategic direction of a product or service devolved to a much lower level than previously considered. Businesses that embrace this fully are sometimes in the situation where individual team leaders may be responsible for determining the viability or suitability of whole features for a piece of software – and to their benefit when done right. This obviously requires a great deal of data – not just about the individual’s particular area of work, but about the product entire, competitor’s operations and the needs of the market. This is highly sensitive information that could be extremely value to another company were they to acquire it, and it’s likely it is in the possession of a lot of – through no fault of their own – unskilled or unqualified personnel in your organisation.

A universal responsibility

The end result is a Gordian knot of enterprise security – too much information passing through too many hands to control effectively. Fortunately, the problem contains its own solution: If you’re decentralising your company’s data, decentralise your security processes too.

This also ties into another argument for building a security culture. Existing concurrently with the fact that the role of a system administrator in a company has expanded past the ability of any one individual or department to handle is the idea that employees should be expected to perform basic ‘cyber hygiene’ as part of their role. While normally defined fairly broadly to refer to all of an individual’s online activities, the same principles that underpin the concept – keeping your security measures up to date, being aware of the risks of a given situation, being careful with whom you share data – can be specifically applied to organisational information security.

Writing for Data Center Knowledge, CTO of The Bunker Phil Bindley recognised the importance of building a culture of information security – or a culture in which cyber or information hygiene was regularly and widely practiced – in any organisation.

“Many businesses view information security as a function of information technology, rather than a function of business. This mindset needs to change,” he said.

“Organizations need to start thinking about information security as an element that enables businesses, facilitating increased competitive advantage that allows them to manage risk and protect all of the dollars that have been spent on creating a brand.”

This culture is driven from the top-down but must be cultivated at all levels within the company. Executive personnel are no longer the only target for hostile actors – now even your most junior employee either handles sensitive information or has a machine connected to a device storing sensitive information.

The solution is in setting clear, easily to follow rules and guidelines that all staff of all levels of computer literacy can understand.

“The next element is for businesses to introduce sound security procedures within their business by ensuring that all staff look at everything through a lens of data security,” Bindley wrote.

“Everyone within the business needs to think about what they do day-to-day to make sure they behave in a way that is beneficial to the company as a whole and does not put security or compliance in jeopardy.”

Building towards success

So, how do you achieve it? Each business is different, meaning your security culture and your journey towards it will look different. However, there are a few core similarities between all good, effective security cultures – these are the tent poles around which you make your choices.

Writing for TechBeacon, Security Journey CEO Chris Romeo highlighted four defining features of a sustainable security culture:

  1. It is deliberate and disruptive to the organisation, aiming to foster a change in how security is seen and enacted.
  2. It is engaging and fun, creating its own drive for personnel to participate.
  3. It is clearly rewarding, providing an extrinsic motivation for participation.
  4. It provides a return on investment for the business, improving your offering and lowering vulnerabilities

All of these features require a deliberate effort on the part of the company, and an understanding of precisely what it is they’re trying to achieve. Culture will happen with or without you – lifestyle and wellness writer Tim Ferriss famously noted that culture is “what happens when people are left to their own devices.” Building any culture – but especially something as artificial and in places seemingly arbitrary as a positive security culture – deeply enough into a business that it becomes sustainable takes effort.

Both new and existing employees require constant reinforcement of what is required of them, and the best way to achieve it is regular official training and constant reminders. Consider implementing short, unobtrusive and construction weekly or monthly updates for your staff on current security best practices to ensure everyone stays sharp. Instil in everyone the idea that security is everyone’s responsibility, and drive home the importance of situational awareness and of understanding the likely consequences of actions they take with company information. Furthermore, it’s not enough to threaten the stick – you need carrots too. Find ways to reward those who help to build the security culture – provide gifts for people who volunteer for additional training, or offer incentives and career advancement into a more dedicated security role within the company.

Make the right choice for your organisation today and start building the security culture that your organisation will need tomorrow. CrossPoint can provide consultation and guidance for businesses looking to enhance their security, speak to one of our representatives to learn more.

Leave a Reply