Everyone makes novice mistakes, and even crafty old veterans fumble the ball every once in a while. In the field of data security, however, small mistakes can result in really big problems.
Recently, university student Dan Farrall reported that the job application website used by GCHQ, one of the UK’s intelligence agencies, sends plain text passwords to applicants via email.
There are plenty of reasons why this is a ridiculously bad practice and can expose very sensitive information to the wrong people. It’s not just password security that’s susceptible to oversights or laziness or miscommunication, or whatever it is that exposes vulnerabilities. Often, we’re just an angle bracket away from SQL injection or a right-click away from global access.
The lesson here is that we cannot take security for granted. Even the organisations you would assume are most equipped to secure your data may not have visibility of everything they manage.
It’s certainly not the case that password encryption is beyond the grasp of the partner of an intelligence agency like GCHQ. In fact, in the majority of cases, there is a known solution for the security challenges we face. But the volume of data we manage, the interconnectedness of our systems, organisational bureaucracy and, frankly, people make security much harder than it seems. This case in particular highlights the need to do a thorough check of your third party providers and their business practices, especially in the area of security.
We have to focus on the basic “blocking and tackling” if we stand a chance of becoming a culture of data security and privacy.
Here is a list of the top 5 things that can help both individuals and organisations begin to practice defensive driving in today’s world.
1 Without the ability to access and share information securely, almost every business process will be impaired. For individuals it’s not much different—imagine losing control of your Gmail account.
2 Once we learn to recognise the value of our information, we need to understand where it’s stored and how it’s shared. Information can easily be copied and replicated on many systems and in many formats.
3 Wherever we have assets that need to be protected, we need basic controls around them such as authentication, authorisation, auditing and alerting. These controls won’t stop all attacks but they’ll certainly stop most of them.
4 Once you’ve got the right controls in place for secure collaboration, people need to stick to them. Unsanctioned public cloud services or plain text password resets by third party providers are examples of what not to do. Unfortunately, services that the organisation doesn’t know about or approve of are entirely outside of organisational control and so is the information stored in them.
5 When information can’t be shared it has little or no value. When it’s available to too many people or the wrong people, it’s a liability. Information is most valuable when it’s available to the right people and only the right people.
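The "known solution" referred to above, and the alternative to the plain text password resets criticised in point 4, looks roughly like the following. This is an added illustration, not code from the article or from the site in question; the in-memory store, the user names and the PBKDF2 work factor are constructed for the example. A site built this way cannot email anyone their password, because it never keeps one.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory credential store: username -> (salt, derived hash).
# Only the derived hash is kept, so there is no plaintext to read back or mail.
_STORE = {}
_RESET_TOKENS = {}  # username -> outstanding one-time reset token
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def _derive(password, salt):
    """Slow, salted key derivation; the output is what gets stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    salt = os.urandom(16)  # fresh random salt per user
    _STORE[username] = (salt, _derive(password, salt))


def verify(username, password):
    """Check a login attempt without ever recovering the stored password."""
    record = _STORE.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(stored, _derive(password, salt))


def request_reset(username):
    """Issue a one-time token to send out instead of a password."""
    token = secrets.token_urlsafe(32)
    _RESET_TOKENS[username] = token
    return token


def complete_reset(username, token, new_password):
    """Accept a new password only against an outstanding, matching token."""
    expected = _RESET_TOKENS.get(username)
    if expected is None or not hmac.compare_digest(expected, token):
        return False
    del _RESET_TOKENS[username]  # single use: consumed on success
    register(username, new_password)
    return True
```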