I am so tired of seeing stable doors bolted. It seems that anyone who has stewardship of sensitive data largely ignores that responsibility until they’ve been compromised, then rushes to spend fortunes proving how much better they’re going to do it in future. I’m looking at you, TalkTalk, but I’m also thinking of Equifax. After all, they just lost the names, social security numbers, birth dates, addresses and sometimes other sensitive data on 143 million US citizens, and similar info on an unknown number of non-US individuals. Oh, and a mere 209,000 payment card numbers.
And get this – one of their services is identity theft protection. You have to laugh. Or turn to drink.
So, look, this is news, but not really. I’ve largely given up posting a reflexive blog every time there’s a newsworthy breach. Partly because I’d have no time to do anything else, and partly because most of the breaches are now making the regular news, so you know about them already. That’s my point here – there are major breaches almost every day, the reputation damage is now happening in the mainstream media, and yet most organisations still refuse to take cyber security seriously or spend proper money on it until they’ve had their own breach.
Really? If there’d been a rash of burglaries in your neighbourhood, would you wait to reinforce your door locks, check your windows are closed and update your burglar alarm until after you’d been burgled?
So why don’t you pretend you’ve been breached? That’ll force you at least to work out what your crisis communications plan looks like, and you might also invest in some vulnerability identification so you can work out how the imaginary breach might have happened. Possibly you’d find some of the weaknesses in your policies and processes and fix them, too. It’ll be significantly cheaper than picking up the pieces after a real breach.
If you can’t convince your board to spend the money on a test exercise, why not lie? Tell them that you have been breached and need to plug the gap before the mainstream media find out. That should wake them up, and frankly by this stage of head-in-the-sand behaviour I think the end justifies the means for once.