How to tackle corporate cluelessness about data security

During World War II, the U.S. Office of War Information launched a “Loose Lips Sink Ships” campaign to reduce the chance that someone might inadvertently give useful information to enemy spies. Today we can give Vladimir Putin credit for reminding everyone to tighten their lips—or, in modern parlance, their grips on Internet security.

When Russian-backed hackers published a trove of confidential emails stolen from the Democratic National Committee, the compromise sent a warning to every security practitioner: If experienced professionals can be so dumb when they’re connected to the Internet, imagine how badly the rest of us can screw up.

And we clearly are screwing up.

People “have been conditioned to trust their environment, believing that any prompt, window, or link put in front of them must be safe. There’s no suspicion,” said Scott Petry, CEO of Authentic8, which develops secure browsers for cloud-computing uses. They “either have a false reverence for things technical, thus believing anything they see on their screen, or they don’t even think about the ramifications of their actions.”

People are also too trusting of tech they encounter on the streets. Consider what happened when researchers from trade association CompTIA left USB drives in different public locations in Chicago, Cleveland, San Francisco, and Washington, D.C. Some 20 percent of the people who picked up the devices plugged them into their computers at their offices. This spoke volumes about the depth of our disregard for basic cybersecurity hygiene.

“It shows how best security practices are not well known by the general public, even if those practices have been around for a while,” said Seth Robinson, the organization’s senior director of technology analysis.

To be sure, new generations of employees have grown up in a culture where it’s common to indiscriminately share personal data such as locations, preferences, and vacation schedules. Carried into the workplace, that kind of behavior invites digital disaster. But while it’s tempting to fault rank-and-file employees for a record number of corporate data breaches, the folks higher up the food chain shoulder a lot of the blame.

“Many corporations are not that different from individuals,” Robinson said. “They may understand the importance of security, but are not necessarily taking every possible step to improve their posture.”

For too long, boardroom big shots have treated cybersecurity as anything but a top priority. Many organizations are only getting serious about locking down sensitive data now, after a rash of damaging breaches over the last couple years demonstrated the magnitude of cybercrime threats to their companies—and jobs.

Cybercriminals are getting more sophisticated all the time. They also have easy access to advanced hacking tools that they can buy or rent on Dark Web markets. Faced with the realistic threat of more and more breaches, companies of all breeds and sizes need to better mix and match their data security technology, processes, and education.

Rinse, wash, repeat

The technology piece of the puzzle is probably the easiest to fix. Just as automakers now build technology into vehicles that can override driver errors to prevent crashes, connected companies can build layers of security technology into their systems to mitigate attacks and quickly confine breaches.

Organizations also shouldn’t believe that they are more secure because they have instituted “rules” governing cybersecurity. Much security “best practices” development and enforcement is little more than corporate theater. And some of it is downright baffling.

What’s the point, for example, of making employees change passwords every 90 days, or of force-feeding convoluted password requirements that make it nearly impossible to remember log-ins?

Many people respond by jotting down new passwords on easily pilfered pieces of paper. Federal Trade Commission Chief Technologist Lorrie Cranor noted last year that policies requiring frequent password updates often result in people choosing weaker passwords and then changing them “in predictable ways” attackers can easily guess.

“Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases,” wrote Cranor, a former professor of computer science at Carnegie Mellon University.
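The “predictable ways” Cranor describes are mechanical enough to catch at password-change time. The following is an added example, not code from the article or from any of the organizations it quotes: a server-side check that compares the new password to the old one (available in plaintext at that moment, because the user has just supplied it to authenticate the change) and rejects the usual rotation tricks: bumping a trailing counter, swapping the year, changing case, leetspeak substitution, reversal, or embedding the old password in a longer one. It generalizes beyond the single case in the text by also applying an edit-distance threshold. The old/new pairs in SAMPLE_CHANGES are constructed for illustration, and the threshold of 4 edits is an assumption to tune for your user base, not a standard.

```python
"""Detect predictable password changes (added example, not from the article).

A server-side check run when a user picks a new password: it rejects the
transforms people reach for under forced rotation (bump a counter, append the
year, swap case or leetspeak, reverse the string) that attackers try first.
The sample old/new pairs in SAMPLE_CHANGES are constructed for illustration.
"""
import re
from typing import Optional

# Common leetspeak/symbol substitutions, folded back to letters so that
# "P@ssw0rd" and "Password" compare equal.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _core(pw: str) -> str:
    """Lower-case and strip digits/symbols from both ends: 'Winter2017!' -> 'winter'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())


def _normalize(pw: str) -> str:
    """Lower-case, undo leetspeak, drop everything non-alphanumeric."""
    return re.sub(r"[^a-z0-9]", "", pw.lower().translate(_LEET))


def _levenshtein(a: str, b: str) -> int:
    """Edit distance via the usual two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def predictable_change(old: str, new: str, min_distance: int = 4) -> Optional[str]:
    """Return why the change is predictable, or None if it looks independent.

    min_distance is the edit distance (after normalisation) below which the
    new password still counts as a tweak of the old one; 4 is an assumed value.
    """
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case change only"
    if new == old[::-1]:
        return "reversed"
    oc, nc = _core(old), _core(new)
    if oc and oc == nc:
        return "only the digits/symbols at the ends changed"
    on, nn = _normalize(old), _normalize(new)
    if on == nn:
        return "leetspeak or symbol substitution only"
    shorter, longer = sorted((on, nn), key=len)
    if len(shorter) >= 4 and shorter in longer:
        return "one password is embedded in the other"
    if _levenshtein(on, nn) < min_distance:
        return "too few edits from the old password"
    return None


# Constructed sample changes (not real accounts): old password -> new password.
SAMPLE_CHANGES = [
    ("Winter2016!", "Winter2017!"),
    ("Password1", "Password2"),
    ("Password1", "P@ssw0rd1"),
    ("Password1", "1drowssaP"),
    ("Spot", "ILoveSpot2017"),
    ("MyDogRex", "MyDogRox"),
    ("Tr0ub4dor&3", "correct horse battery staple"),
]


def audit(changes=SAMPLE_CHANGES) -> dict:
    """Map each (old, new) pair to the detected reason, or None if acceptable."""
    return {pair: predictable_change(*pair) for pair in changes}


if __name__ == "__main__":
    for (old, new), reason in audit().items():
        print(f"{old!r} -> {new!r}: {reason or 'accepted'}")
```

Of the seven constructed pairs only the last one passes. A check like this is a complement to, not a substitute for, screening new passwords against known-breached lists; and it only works at the moment of change, since afterwards the server should hold nothing but a salted hash of the old password.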

Senior executives need to lead and make it clear that cybersecurity is now a make-or-break proposition. In the aftermath of major data breaches at companies such as Anthem, Sony, Home Depot, eBay, JPMorgan Chase, and Target, cybersecurity has become a boardroom concern.

Addressing those concerns requires action.

In a 2014 report, McKinsey researchers found a clear link between the level of engagement by the top brass and an organization’s success managing cybersecurity risks. Because, as they put it, “making the decisions necessary can only be achieved with active engagement from the CEO and other members of the senior-management team,” they concluded that top managers need to push for changes and tie responsible cybersecurity practices to the well-being of the organization.

Starting with the CEO, organizational leaders need to back up intensive security training programs with visible enforcement such as fines, terminations, or both for violators, including their fellow executives. Because human nature is slow to change, they need to urgently—and repeatedly—hammer home the message.

This year, security researchers expect to see new phishing attacks launched every 30 seconds. Companies no longer have the luxury of remaining clueless or indifferent about cybersecurity.