By Javvad Malik
Businesses rely on technology more today than they ever have in the past. In fact, many business models are built entirely around a technology which, if disrupted, could spell ruin.
A traditional business with a brick-and-mortar presence is probably better able to withstand an extensive online disruption or outage. For example, if a bank’s online system or mobile app is unavailable, it has other options to fall back on – even if it does involve customers physically having to walk into branches to deposit cheques.
But those examples are rare, and even the most traditional of businesses are embracing the digital revolution at a rapid pace, vaporizing physical assets in the process. One only has to look at their smartphone to see how many physical items it has replaced, from maps to flashlights to cameras.
So, it’s important that the digital infrastructure that underpins the modern world be resilient; the ‘A’ in the CIA triad (‘Confidentiality, Integrity and Availability’) helps professionals focus on business continuity planning and disaster recovery.
But have we been focusing on the wrong things?
Recently, a building surveyor was explaining to me the concept of earthquake-resilient buildings. He highlighted an important point: in most countries, building code objectives are mapped to collapse resilience, not to damage. The analogy is akin to a car that has designated crumple zones to absorb the brunt of the force during an accident.
In other words, resilience in buildings and vehicles is all about saving lives — not the building or the vehicle. Which makes me wonder whether businesses have focused on building resilience into the wrong parts. Is the industry focused more on saving the building or the vehicle at the expense of lives?
Broadly speaking, while lives are not literally at risk (although with IoT making its way into every facet of life, including medical devices, the risk does increase), there is a lot of personal information in companies' possession that slips under the radar of most planning sessions. The response is often summed up as: “Let’s offer free credit monitoring for a year for our affected customers.” In the building analogy, it’s the equivalent of, “Sorry your building collapsed and everyone died during the earthquake. Here’s a year’s coupon to stay in a local hotel.”
Companies are pretty good at protecting their own crown jewels. But they’re often limited in what they do for their customers.
One of the reasons is that the emphasis is put on the wrong type of information. PCI DSS (Payment Card Industry Data Security Standard) is a well-meaning standard, but has forced companies to focus on protecting payment card data. The problem with this approach is that card data is pretty much a commodity. It naturally ages, and new cards need to be issued as a matter of course. A breach simply accelerates the process. The point being that payment cards have natural resilience built into them.
That’s not to say that when cards are breached there isn’t a cost associated. It’s to avoid bearing the burden of these costs that card issuers rallied to have PCI DSS implemented, with the threat of big penalties for any company that has been breached. This in turn forced companies to disproportionately invest in protecting card numbers over actual customer information — like protecting buildings at the expense of their inhabitants.
Regulations like GDPR are a step in the right direction with their focus on protecting the privacy of individuals. However, GDPR too wields a big stick with the threat of massive fines. So, companies will do what they can to protect their businesses.
The evolution of many companies means that protection is often retrofitted under the guise of compliance. But there is a significant difference between retrofitting to prevent business damage and retrofitting to prevent the entire business from collapsing.
We need to shift the way we think of information and the controls we put in place so that we can not only withstand the metaphoric cyber earthquake, but also protect the customers.
The first part of this is for businesses to understand which aspects of their digital infrastructure are commodities or standard offerings that can be swapped or replaced relatively easily, versus custom-designed and individual data that is irreplaceable.
For this, the best place to start is at the beginning. Design decisions need to be better thought out and not rely on decisions made from years gone by, when the digital landscape was a different place. Haroon Meer probably said it best when he described customer data as being toxic: it has its benefits, but companies should be prepared to wear hazmat suits when dealing with it.
This includes not using personal information for trivial functions. For example, does every online registration require a user’s personal information such as date of birth? If not, then why capture it? Similarly, should the user’s email ID be used as their user ID? As email has become more important for users, so has the risk of it being targeted.
Similar to how many companies choose to tokenize card data, personal data can still be captured, but protected by alternative methods. Maybe your favorite pizza shop doesn’t need to store your address in all its databases, and a tokenized version can suffice. So if it does get breached, not only are the customer details protected, but business can continue with minimal disruption — allowing true resilience against such events.
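To make the pizza-shop idea concrete, here is an added example (my own illustration, not code from the article) of the tokenization pattern applied to customer email and address: the order table holds only random tokens, and the raw values live in a separate vault that only named purposes may read. The `TokenVault` class, the `delivery_label` purpose and the sample customer data are all assumptions made for the example.

```python
import secrets


class TokenVault:
    """Stand-in for a separately secured token vault (hypothetical, not a real product).

    Tokens are random rather than derived from the value, so a leaked token table
    cannot be reversed by hashing guessed addresses and comparing."""

    def __init__(self):
        self._by_token = {}   # token -> raw personal data
        self._by_value = {}   # raw personal data -> token (for consistent tokens)

    def tokenize(self, value: str) -> str:
        # Same input -> same token, so the business can still recognise repeat customers
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str, purpose: str) -> str:
        # Only the narrow set of jobs that truly need the raw value may read it back
        if purpose not in {"delivery_label"}:
            raise PermissionError(f"purpose {purpose!r} may not detokenize")
        return self._by_token[token]


def place_order(vault: TokenVault, orders: list, email: str, address: str, item: str) -> dict:
    """Write an order row that carries only tokens, never the raw personal data."""
    row = {"customer": vault.tokenize(email), "ship_to": vault.tokenize(address), "item": item}
    orders.append(row)
    return row


def leaked_pii(orders: list, raw_values: list) -> list:
    """Simulate a dump of the orders table: which raw values appear in it verbatim?"""
    dump = repr(orders)
    return [v for v in raw_values if v in dump]


if __name__ == "__main__":
    vault, orders = TokenVault(), []
    # Constructed sample customer data
    place_order(vault, orders, "alice@example.com", "1 High St, London", "margherita")
    place_order(vault, orders, "alice@example.com", "1 High St, London", "pepperoni")
    print(leaked_pii(orders, ["alice@example.com", "1 High St, London"]))   # []
    print(vault.detokenize(orders[0]["ship_to"], "delivery_label"))         # the address
```

A dump of `orders` exposes nothing a customer would recognise, while the delivery job can still print a label; the vault becomes the one place that has to be defended like a building full of people.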
After all, what’s the point in protecting all your buildings if there’s no one left to inhabit them?
About Javvad Malik
Javvad Malik is an award-winning information security consultant, author, researcher, analyst, advocate, blogger and YouTuber. He currently serves as a security advocate at AlienVault.