Three Things We Should Have Learned from Recent Security Threats

Wednesday, June 17, 2015

In a thousand different ways, over the long arc of time, it has been said by our wisest sages, “If we don’t learn from history, we are destined to repeat it.” With said warning firmly in place, and embedded in our very psyche, one would think that recent security threats would have taught us valuable lessons, and changed our behavior. One would be wrong.

It takes humans a long time to learn from negative experiences. Knowing the best behavior is not enough to make us alter ours to fit it. We continue to do things we know are self-destructive: much of the world still smokes; asbestos is still being used as building material. No potential drug user in the U.S. takes their first hit of illicit drugs without knowing the risks.

We see the warning signs, step over the remains of those who went before, and forge ahead thinking, this time, for me, it will be different. This is true for every walk of life, including Internet and computer-based security threats. We read the stories, ignore the lessons, and proceed to go about business as usual as if nothing had changed. It is as if the threat is not real unless it happens to us.

As individuals, we can take as many unwise risks as we like. As a small business owner, you have compliance laws with which to contend. You face liability of up to $50,000. That should be motivation enough for you to pay close attention to threats and breaches.

Here are three of those threats from privacyrights.org, and the lessons we should have learned from them:

Identity Theft

Uber notified 50,000 drivers of unauthorized access to its database, which resulted in driver data being compromised. The hacking took place in May of 2014. According to the company, only names and driver’s license numbers were compromised.

The company is offering identity protection services for affected drivers.

Identity theft is older than the Internet. We know what it is. And for the most part, we know how to combat it. Today’s Internet security software should do at least the following:

  • Block Dangerous Websites
  • Guard against Identity Theft
  • Protect Kids Online

From company to company, the words, implementation, and pricing may be different. But the idea is the same. Uber is just now learning that identity theft protection is a good idea for employees whose job has a prominent online component. It might also be a good idea for the rest of us.

Unauthorized Access

Lime Crime, an online cosmetics company, notified customers of unauthorized access to its website server, which resulted in malware being installed. This malware allowed customer data to be captured, including credit card payment information.

Once a hacker has physical access to your computer or device, you’re done. That is why, in major office buildings, the server room is locked, often with biometric access. Company computers can be infected by keychain-sized flash drives and CDs. This is why IT departments have taken to locking USB ports and removing optical drives. The lesson is to do everything feasible to limit physical access to your devices from unauthorized parties.

Unencrypted Files

Lone Star Circle of Care notified individuals of a data breach after discovering that a back-up file containing names, addresses, phone numbers, and birth dates had been accidentally posted on its website, where it could be viewed.

This last example sounds a lot like human error. But this disaster could have been averted if the company had taken the simple expedient of encrypting sensitive files and backups in the first place. Sony made this same mistake. They placed user names and passwords in an unencrypted folder helpfully marked, “Passwords”. Really, the black hats don’t need that much help. Never leave sensitive information in an unencrypted file.

The big security exploits filling the headlines are rarely interesting from a technical standpoint. They take advantage of the fact that humans don’t learn lessons from the past. We make it easy by using weak passwords, surfing the web without basic protections, allowing physical access to our computers and devices, and leaving sensitive information in unprotected files and folders. These are things we can control. Let us learn from the mistakes of those who went before us so that our children don’t have to learn from ours.
