E is for Everyone
There are lots of relevant information security words that start with “E”, but I’m going with “Everyone”.
Three primary reasons:
- Information security (good or bad) affects everyone.
- Everyone has a role in information security.
- If everyone has a role, then everyone must have responsibilities.
There’s a saying I often use:
Information security isn’t about information or security as much as it is about people.
Two important points from this statement:
- People suffer when things go bad. If nobody suffered, nobody would care.
- People are riskier than technology. Technology only does what we tell it to (for now).
Let’s apply these points to our reasons why “E” is for everyone.
When bad things happen, people suffer. Doesn’t matter if we call the “bad thing” a data breach, a ransomware attack, a phish, business email compromise, or whatever. All bad things related to information security affect real human beings, either directly or indirectly.
Some quick examples:
- Ransomware attack (poorly prepared) – A ransomware attack hits an organization. The organization isn’t well prepared for it, meaning they didn’t adequately back up their data or adequately protect their backups. The organization has no hope of recovery without negotiating with the attackers and paying the ransom. “No worries, it’s covered by insurance” is a common reply. People suffer:
- The organization suffered an outage; even if minimal, it’s still an outage. Outages mean lost services to customers and lost revenue for the organization. Customers suffer and so do the organization’s stakeholders (owners, investors, employees, etc.).
- The insurance company suffered the claim loss. This might seem insignificant, but insurance companies are not in the business of losing money. They will raise premiums across the board if necessary to recoup losses. “In the first half of 2020 alone, we observed a 260% increase in the frequency of ransomware attacks amongst our policyholders, with the average ransom demand increasing 47%,” Coalition (one of the largest providers of cyber insurance services in North America). Insurance company stakeholders suffer (even if temporarily), and we all suffer through higher insurance premiums.
- Paying an attacker a ransom funds their reinvestment in better and more frequent attacks. We all suffer. Everyone suffers, and worse, the cycle continues.
- Business email compromise – An organization suffers a business email compromise that leads to an $800K loss: money stolen through unauthorized ACH transfers. This resulted in a loss for the organization, its customers, and its stakeholders. They all suffered. This attack consumed $800K that could no longer be spent on good things, like expansion, employee benefits, employee salaries, etc.
- Data breach – A hospital gets hit with ransomware, but this variant also exfiltrated protected health information (PHI). The hospital didn’t properly protect itself, and certainly didn’t protect the patients well. The hospital suffered a significant outage, affecting services for patients when they’re needed most. To make matters worse, all patients who were affected by the lost information are now dealing with significant anxiety and safety issues.
- Anxiety from knowing their private information is in the hands of someone they don’t trust. Contributing to the anxiety is not knowing when/if their information has been used by criminals or how to fix the problem if it did.
- When a criminal uses stolen PHI to get treatment, their health information becomes mixed with/added to the victim’s. If the criminal gets treatment for a condition using a victim’s medical record/insurance, the criminal’s treatment is now on the victim’s medical record. The next time the victim gets treatment (legitimately), he/she will be treated as though he/she has the criminal’s condition, leading to potentially faulty life-or-death decisions by doctors.
- Victims are also faced with medical bills that aren’t theirs. If you’ve dealt with medical bills before, you know how this feels.
The list could go on, but you get the point. These scenarios are based on real stories. Reality, NOT fantasy.
Information security (good or bad) affects EVERYONE.
At home the problem is more direct, but less understood. Attackers have always gone after people at home. Since the first home PCs were connected to the Internet, they’ve been under attack. If we think attackers have relented, we’re foolish.
The problems at home are less understood for a couple of reasons:
- The consumer market has been grossly underserved. This market is underserved because consumer information security is more difficult to monetize. This market is very easy to monetize for cool blinky lights, personal assistants, “smart” homes, etc. It’s a pain in the ass to monetize for information security.
- Personal attacks, or attacks at home, don’t grab the headlines like organizational attacks do. People aren’t paying attention (as much); however, this might be changing with the explosion in remote working or “work from home”.
At home, your information security and safety are your responsibility. Not mine. Not the government’s. Yours. Sadly, an attack aimed at you or your children is yours to bear, sometimes alone.
People Are Riskier
Riskier how? In terms of being riskier than the technology or in terms of being riskier than they were before?
Technology only does what we tell it to do. Tell it to do bad things (on purpose or by accident), and the technology does bad things. Tell it to do good things, and, you guessed it, technology will do good things. It’s not technology that’s bad as much as it’s the behavior of technology makers and consumers that can make it bad. Technology makers are incented to get the product (hardware and/or software) into consumers’ hands as quickly and cost-efficiently as possible, NOT as securely as possible. Information security is up to you then. If you don’t know how to secure the product or technology, then you will suffer the consequences.
Technology makers need to be incented to make things more secure, not punished for making things insecure.
Consumers need to learn better information security habits to reduce their risk within their area of influence; in communities, at work, and especially at home.
EVERYONE has a role in information security. What’s yours?
In simple terms, there are information owners, custodians, and users. In reality, this is where the breakdown starts. Most people have no clue what their role is. If you don’t know your role, you don’t stand a chance of understanding your responsibilities.
Information Owners
These are people who are directly affected by the loss of confidentiality, accuracy (or integrity), and/or availability of their information. They “own” the information, and it’s theirs.
- My health record is mine.
- My financial account information is mine.
- My Social Security Number is mine.
- My private conversations are mine.
- My private emails are mine.
- My credentials for accessing accounts are mine.
I am the information owner. At times, I’m the information owner for people I’m responsible for too, like members of my family.
Information Custodians
These are organizations and people who have been delegated, by the information owner, the responsibility of protecting that information.
- The hospital is a custodian of my health record.
- The bank is a custodian of my financial account information.
- The school, employer, bank, credit agency, etc. are custodians of my Social Security Number.
- The phone carrier (or whoever else I might be using for private conversations) is the custodian of my private conversation.
- The email provider (personal and work) is the custodian of my private emails.
- The password manager program (please tell me you use one), and every service I authenticate to, are custodians of my credentials for accessing accounts.
Information Users
These are people who use the information in a manner approved by the information owner through the information custodian.
Organizations Are Not Data Owners
Organizations do not “own” our information. Organizations are custodians and users of our information.
Organizations do NOT “own” any information except what they’ve created.
Organizations act like “owners” of our information, but they’re not. If they want to be, then they’ll need to accept the consequences of misuse instead of pushing the consequences onto the real owners (you and me). Organizations act like owners of our information when they make risk decisions on our behalf without our approval. Truly, if more people knew how some (maybe most) organizations protected our information, I’m pretty sure some of us would stop doing business with them.
Each role has specific responsibilities, but this is where things get even messier.
Information owners must inform/declare to information custodians what’s acceptable and what’s not with respect to protecting their information. Once this has been defined, it’s also the owner’s responsibility to hold the custodian accountable.
Most people have no idea that they are an information owner or what it means to be an owner. For those who do understand the role, many feel powerless to do anything with it. We have a long way to go in empowering information owners; to delegate information security responsibilities effectively and simply to data custodians. We’ve tried going down this route, sort of, with compliance mandates, but our compliance initiatives are far behind the times and largely ineffective. Much work to be done here.
Information custodians protect information according to what’s been delegated by the information owner. If nothing has been delegated (explicitly), custodians are left to their own devices. Some custodians treat our information with extreme care while others couldn’t care less. If we’re frustrated by how organizations are protecting our information, maybe we need to back up and look at our responsibilities (as information owners) and create solutions that will allow us to become empowered.
Information users have it easy. Just follow the rules, as defined by the owner and delegated through the custodian. If the user doesn’t understand the rules, it might be due to breakdowns in information ownership and/or custodianship. If the user doesn’t follow the rules because they don’t want to, there are other problems, of course.
If everyone has a role, then EVERYONE must have responsibilities.
This is not only fundamental information security, this is fundamental logic. We’ve got a lot of work ahead of us.
Honorable Mention for “E”
I received many great suggestions for the letter “E” including:
- Evolution – information security is certainly evolving, but not fast enough. Complexity is the worst enemy of information security, and we’re going too fast to secure things. Technology is evolving much faster than our ability to secure it.
- Elephants – the “elephant in the room” is often information security, or the lack thereof. If only we could make the elephant a little smaller and a little less intimidating.
- Efficiency – a great word, but could be a can of worms. If we can make things more secure (less risk) and be more efficient, we have the potential recipe for success!
- Endpoint – endpoint protection is certainly part of the equation, but I didn’t choose it because of the overemphasis our industry puts on its importance. It’s important for sure, but some people (vendors mostly) will claim it’s the silver bullet/easy button. I know the person who suggested “endpoint” is NOT insinuating such a thing (I know him), but others might. Just FYI: silver bullets and easy buttons don’t exist and never will.
- Encryption – a great suggestion and safe choice. Encryption is wonderful and a critical protection against unauthorized disclosure of data and, when authenticated encryption (or a separate integrity check) is used, against undetected alteration of it.
- Evolve – closely related to “evolution” See above.
- Exfiltration – another great suggestion. Exfiltration is the extraction or removal of information from an environment, and the word is often used in relation to data breaches. It often results in a compromise of confidentiality if the data wasn’t adequately protected with encryption and the attacker didn’t also take the keys (another vote for “encryption” above).
One last word that I was considering was “education”. Education is VERY important and we all must continue learning. There are so many good free and paid education opportunities available everywhere, there’s really no excuse for not investing in yourself.
Next up is “F”. Ooh, a bad word I use too much starts with “F”! You know the word, but it’s not going to make it into the Security ABCs, sorry.