Coming to terms with our new reality.
As the owner of multiple companies that store, process, and host critical data for regulated industries, there isn’t a day that goes by that I’m not asked about cyber security. I’m asked “What are you doing to address today’s emerging threats?” “How are you protecting your customers’ data?” is another frequent question. There is no doubt cyber security is a concern that must be taken seriously.
The most recent cyber security headline is the data breach over at Equifax, one of the nation’s “Big Three” credit reporting agencies. The breach is so severe that it has impacted nearly a third of all Americans by exposing their credit card data, Social Security numbers, addresses, and other information that places almost anyone using a credit card at direct risk of identity theft. The Federal Trade Commission writes more here.
Equifax is in good company, because they are not the only ones to have had consumer data stolen from them. In July 2014, JP Morgan Chase, the largest bank in the United States, was the victim of a hack that compromised the data of more than half of U.S. households. The data included names, addresses, contact information, and user IDs and passwords, according to information filed with the Securities and Exchange Commission.
Anthem Health, the nation’s second largest health insurer, suffered a data breach in February 2015 in which the hack exposed the names, addresses, Social Security numbers, dates of birth, and employment histories of over 78.8 million current and former customers.
Of course, the list goes on and on: Target, Home Depot, the U.S. Office of Personnel Management, Yahoo, and eBay, to name a few more.
Now let’s be honest with ourselves: these are BIG brands with BIG budgets and TOP talent. Can you spend your way to safety and security? No. Can you ever be 100% secure? No. So what can you do? You can set your expectations in alignment with reality.
ASKING FOR THE BLUEPRINTS WHEN CONDUCTING DUE DILIGENCE
Let’s take a step back to the beginning of this article. I am the owner of multiple technology companies that store, process, and host valuable data for regulated industries. At times I’m asked to provide some very interesting things: “I need a copy of your firewall rules, your network diagrams, your internal infrastructure layout, and your internal procedures.” I’m being asked, in short, to provide a written manual that could be used to usurp my security. My answer to this is a resounding NO.
Let’s put it another way. What would happen if you walked into your bank and demanded of the branch manager, “I need to see the diagrams of your bank vault. I need to know what it’s made of. I want to see the plans for your air conditioning ducts, and I need to know the name of your alarm company.” They would probably think that you’re planning to rob the bank. Oh, and a bank would NEVER provide you with any of that information; ever.
To summarize, as someone who is in the business of securing networks: don’t ask me for diagrams of my network or paperwork about its inner workings. It won’t happen.
MANAGING PAPER VS MANAGING RISK
Another place good decision making can go off the rails is an over-obsession with paperwork. Paperwork does not keep you secure. All it does is create jobs for the paperwork people, and then make another set of paperwork people go away when you “show them the paperwork”.
You’d best believe that companies such as JP Morgan Chase, Equifax, and all of the other high profile companies had every SOC 1, SOC 2, SSAE, ISO 27001, and PCI DSS audit and attestation paper.
Ask yourself, what good did it do them? Exactly.
MANAGING RISK WHEN CHOOSING VENDORS
When was the last time you opened a credit card and demanded that the credit card company complete a “vendor survey” before opening the account? Did you check that the credit card company reports only to credit bureaus that cannot be hacked? Of course not, because there was no way to know. Your decision was made based on the knowledge that you were dealing with a known, reputable company, and that is how you should continue to make decisions.
KNOWLEDGE IS POWER
Data breaches are only the tip of the iceberg. There’s wire fraud, malware, viruses, phishing, and more. Yet it seems that the large majority of title agents really don’t know what they don’t know. Why?
Benjamin Franklin said “Tell me and I forget, teach me and I may remember, involve me and I learn.”
Just how much involvement is there in educating the land title community? Underwriters take an agency representative whose job is supposed to be understanding title insurance, declare them a cyber security expert, then send them out into the field to teach with some hot tips. Land title associations hold the same boring seminars, droning on about wire fraud horror stories and then peppering in some lectures about clean desk policy. Zzzzzzzzz.
Where’s the teach and involve? If I show you how to use Russian software to write a phishing email, maybe you’ll learn something.
COMING TO TERMS
Our reality is here to stay. Understanding how to work within our reality is what makes us successful. Wishing our reality were not so is ignorance. The golden takeaway is that there is no true security, only varying degrees of risk. Education and conversation are the best way to truly understand the risk landscape we face while preparing ourselves to be ever vigilant.