Protecting the Wrong Things


Businesses rely on technology more today than they ever have in the past. In fact, many business models are built entirely around a technology which, if disrupted, could spell ruin.

A traditional business with a brick-and-mortar presence is probably better placed to withstand an extensive online disruption or outage. For example, if a bank's online system or mobile app is unavailable, it has other options to fall back on, even if that means customers physically walking into branches to deposit cheques.

But those examples are rare, and even the most traditional of businesses are embracing the digital revolution at a rapid pace, vaporizing physical assets in the process. One only has to look at their smartphone and see how many physical items it has replaced, from maps, to flashlights, to cameras.

So, it's important that the digital infrastructure underpinning the modern world is resilient. The 'A' in the CIA triad of 'Confidentiality, Integrity and Availability' has helped professionals focus on business continuity planning and disaster recovery.

But have we been focusing on the wrong things?

Earthquake Resilient Buildings

Recently a building surveyor was explaining to me the concept of earthquake-resilient buildings. He highlighted an important point: in most countries, building code objectives are about preventing collapse, not preventing damage. The building is expected to be damaged, perhaps beyond repair, as long as it stays standing long enough for the people inside to get out. The analogy is a car with designated crumple zones that absorb the brunt of the force during an accident.

In other words, resilience in buildings and vehicles is all about saving lives – not the building or the vehicle.

Which makes me wonder whether businesses have focused on building resilience into the wrong parts. Is the industry focused more on saving the building or the vehicle at the expense of lives?

Broadly speaking, lives are not literally at risk (although with IoT making its way into every facet of life, including medical devices, that risk is increasing). But companies hold a lot of personal information that slips under the radar of most planning sessions. The response is often summed up as, "let's offer free credit monitoring for a year to our affected customers." In the building analogy, that is the equivalent of, "Sorry your building collapsed and everyone died during the earthquake. Here's a year's coupon to stay in a local hotel."

Crown Jewels

Companies are pretty good at protecting their own crown jewels. But they’re often limited in what they do for their customers.

One of the reasons is that the emphasis is put on the wrong type of information. PCI DSS is a well-meaning standard, but it forced companies to focus on protecting payment card data. The problem with this approach is that card data is pretty much a commodity. It naturally ages: cards expire and new ones are issued as a matter of course, and a breach simply accelerates the process. Payment cards, in other words, have natural resilience built into them.

That's not to say there isn't a cost when cards are breached. It was to avoid bearing the burden of those costs that the card brands rallied to have PCI DSS implemented, with the threat of big penalties for any company that was breached. This in turn forced companies to invest disproportionately in protecting card numbers over actual customer information. Protecting the buildings at the expense of their inhabitants.

Regulations like GDPR are a step in the right direction, with their focus on protecting the privacy of individuals. However, GDPR too wields a big stick in the form of massive fines. So companies will, first and foremost, do what they can to protect their businesses.

Retrofitting protection

The way many companies have evolved means that protection is often retrofitted under the guise of compliance. But there is a significant difference between retrofitting to prevent business damage and retrofitting to prevent the entire business collapsing.

We need to shift the way we think about information and the controls we put in place, so that they not only withstand the metaphorical cyber earthquake but also protect the customers.

The first part of this is for businesses to understand which aspects of their digital infrastructure are commodities or standard offerings that can be swapped out or replaced relatively easily, versus custom-designed and individual data that is irreplaceable. A card number can be reissued; a person's home address, date of birth and medical history cannot.

For this, the best place to start is the beginning. Design decisions need to be thought out better and not rely on decisions made from years gone by, when the digital landscape was a different place. Haroon Meer probably said it best when he described customer data as being toxic. It has its benefits, but companies should be prepared to wear hazmat suits when dealing with it.

This includes not using personal information for trivial functions. For example, does every online registration require a user's date of birth? If not, then why capture it? Similarly, should the user's email address be used as their user ID? As email has become more important to users, it has also become a more attractive target, and an account whose login name is the email address is one that can be enumerated from any leaked mailing list and attacked with credentials stuffed from other breaches.

Maybe the data does need to be captured, but alternative methods can be used to protect it, similar to how many companies tokenize card data. Your favourite pizza shop doesn't need to store your address in all of its databases; a tokenized version can suffice in the ordering, analytics and reporting systems, with the real value held in a single, more tightly controlled store that only the delivery flow can query. So if the ordering system does get breached, not only are the customer details protected, but the business can continue with minimal disruption, which is what true resilience against such events looks like.
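To make the tokenization idea concrete, here is an added example (not code from the original article) of a minimal token vault for customer addresses. It uses an in-memory dictionary as a stand-in for the separately secured vault, and the order records, addresses and the `delivery_label` purpose are constructed for illustration. The important design choices are that tokens are random rather than derived from the data (an address is low-entropy, so a hash of it could be brute-forced from a dump), and that detokenization is gated by purpose so most of the business never touches the real value.

```python
"""Tokenizing customer PII so operational databases hold only opaque references.

Added illustrative example; the vault, purposes and sample data are assumptions.
"""
import secrets
from dataclasses import dataclass

# Only the flows that genuinely need the real address may detokenize.
# Everything else (analytics, reporting, support tooling) works on the token.
ALLOWED_PURPOSES = {"delivery_label"}


class TokenVault:
    """Maps opaque random tokens to the sensitive values they stand in for.

    In production this is a separately secured store with its own database,
    credentials and access logging. An in-memory dict stands in for it here
    so the example runs offline.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Random, not derived from the value: someone holding the token, or a
        # full dump of the operational database, cannot recover the address
        # without the vault. Two identical addresses get different tokens, so
        # a breached dump cannot even be used to correlate customers.
        token = "tok_" + secrets.token_urlsafe(16)
        while token in self._by_token:  # vanishingly unlikely, but be exact
            token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = value
        return token

    def detokenize(self, token: str, purpose: str) -> str:
        # Gate on purpose; a real vault would also authenticate the caller
        # and log every lookup.
        if purpose not in ALLOWED_PURPOSES:
            raise PermissionError(f"detokenize not allowed for purpose {purpose!r}")
        return self._by_token[token]


@dataclass
class Order:
    """Operational record: carries only the address token, never the address."""
    order_id: str
    address_token: str
    items: tuple


def place_order(vault: TokenVault, order_id: str, address: str, items: tuple) -> Order:
    """Accept an order; the address goes into the vault, the token into the record."""
    return Order(order_id, vault.tokenize(address), items)


def breach_exposes(records: list, pii_value: str) -> bool:
    """Simulate an attacker reading the operational tables: is the PII in there?"""
    return any(pii_value in repr(r) for r in records)


def delivery_label(vault: TokenVault, order: Order) -> str:
    """The one flow that legitimately needs the real address."""
    return f"{order.order_id}: {vault.detokenize(order.address_token, 'delivery_label')}"


if __name__ == "__main__":
    vault = TokenVault()
    addr = "1 Example Street, Sampletown"  # constructed sample value
    orders = [
        place_order(vault, "o-1001", addr, ("margherita",)),
        place_order(vault, "o-1002", addr, ("quattro formaggi",)),
    ]
    print("operational records:", orders)
    print("breach of order DB exposes address:", breach_exposes(orders, addr))
    print(delivery_label(vault, orders[0]))
    try:
        vault.detokenize(orders[0].address_token, "marketing")
    except PermissionError as e:
        print("blocked:", e)
```

If a downstream system needs to join on "same customer" without seeing the address, the usual answer is a second, deterministic token (for example an HMAC under a key that lives only in the vault), issued alongside the random one; that trades some unlinkability for the join, and should be a deliberate decision rather than the default.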

After all, what’s the point in protecting all your buildings if there’s no-one left to inhabit them?