Evangelizing on Pandora's Box
As a practitioner of Business Resiliency (Privacy, Security, Disaster Recovery, Business Continuity, Risk and GRC), I keep mulling over the factors learned in the trenches. As a society, we have indeed fallen over the precipice and have lost control over our personal and financial information. Indeed, Pandora’s Box has been opened.
Just recently, I received notice from the Data Breach Litigation Settlement Administrator about credit monitoring related to the Anthem breach, which exposed approximately 80 million records. What's ironic about the settlement is that Experian is providing the credit monitoring services: Experian itself was breached, exposing 15 million T-Mobile customer accounts.
Corporate Boards, ill-equipped with practical knowledge about privacy and security, are at wits' end trying to protect brand reputation and stock valuation. Sadly, the stock takes a hit, and after a while everyone goes about their business. The enterprise sees its security budget increase, the class action litigation firms make their money, the credit monitoring services make their money, the consultants investigating the breach make their money, the software publishers make their money, and AI technology takes center stage as the savior of all that's bad about living in an interconnected society. These vendors also make their money. So where is the impetus to do a better job and kill the goose that has laid the golden egg?
The outcry has been ignored, but the effects are looming larger and larger. Facebook, Google and anyone else who claims to honor unsubscribe requests go about their business, announcing platitudes and continuing their bad behavior while introducing new technology that poses even greater risks. Facebook's Portal, using Messenger, could become a pervasive intruder into the lives of people who choose to enhance their lives technologically but potentially give away their most intimate privacy, i.e., what goes on in their homes.
The tendency is to ignore the everyday revelations of unscrupulous spying until calls from a divorce attorney start coming in about potential representation because of a marital disagreement regarding 2% milk because Alexa was sitting on the counter.
So, why is this happening? For a number of reasons, chief among them the unwillingness to implement truly effective reform and begin to think critically.
Let's examine some major drivers. Security has become a big business, with thousands of vendors, billions in losses, hundreds of millions in sales, courses in technology, and easy access to tools and community groups. But what we are not emphasizing is ethics, values and consequences for poor decisions.
This morning I reviewed the statistics collected by our Microsoft email server and our additional front-end product that filters and stops spam. Of 17,263 inbound messages, 1,800 were allowed through for delivery, meaning 15,463 were filtered as spam: roughly 90% of the traffic was non-business related. How much cost was incurred in providing the bandwidth, CPU cycles, power and air conditioning, software expenditures, and salaries for administration and maintenance? And of the 1,800 emails not filtered, the majority were borderline spam and were deleted manually by the users. Let's add lost productivity to the cost formula as well.
Attempts have been made to place additional responsibility on internet service providers (ISPs) to enforce a set of rules intended to discourage bad behavior. Direct marketing associations have objected, arguing that restraint-of-trade issues would end up in litigation.
Educational institutions see this fledgling industry as a means of increasing enrollment by providing courses in ethical hacking, infrastructure design, use of advanced tools such as Kali Linux, but do not provide any ethical standards because there aren’t any and consequences don’t exist. Equipped with this knowledge, it takes only a small percentage of newly minted and degreed hackers to begin wreaking havoc.
Law enforcement is not trained, and those who are, like the FBI, only investigate the major thefts, while your credit card gets charged for an Apple MacBook. Someone pays for this theft, and it is usually the credit card holder, one way or another.
Virtual technology and unlimited access to multi-gigabit transmission facilities, centered on institutions of higher learning, provide a haven to learn and perfect a trade without ever having to report to an employer's work location. It is amazing to see how many spam emails originate at an educational institution. And what about the unofficial ISP who rents a virtual machine and unlimited bandwidth to a supposed developer as a means of defraying some of the infrastructure cost?
Nation-state hacking. It's real, and countries that show animosity towards our free speech and liberal society only have to wait. We will collapse because of our lack of action and, for lack of security, give away our livelihoods, our safety and our independence. The divisiveness, the lack of fortitude and a new party in power with every election wrack our society and stability. Come to America, do business with America, and siphon off the wealth and freedom. It's there for the taking.
Evangelizing on an issue is a two-edged sword. Sometimes I have to fall upon it, but sometimes I encounter a Board, a Chief Executive Officer or another professional who cares about what they do and how their enterprise performs. The problem is not solved by buying the next AI-you-won't-be-breached-ever technology that replaces critical thinking. What we have given up is critical thinking, strategic planning and a mindset appropriate to the environment, by overly depending upon empty promises, technology that doesn't work, and plain old experience.
How's that new IoT product shaping up? Planning on finally putting in security in version 2.0? You clean up if you're first to market. Don't worry about security; right now it's overhead and too expensive to include with release 1.0. You will be able to generate additional sales if you package everything right, get market acceptance, and increase the price for v2.0, while not getting sued in the interim.
Everyone enjoys a good story.
Available to speak to your group if you are serious about learning more and protecting your enterprise (440) 596-0916.