In Defense of Honest Security Reporting

I have to say as I settled in to have lunch and read my friend and associate Alan Shimel’s column, “Security Desensitization: Another Data Breach, Blah, Blah, Blah,” I just about choked on my ham-and-cheese-on-pretzel-bread sandwich.

In the post, Alan makes the very valid point that the staggering number of data breaches, numbering in the thousands of incidents and billions of records, is numbing. The numbers most certainly are overwhelming. There are so many breaches, big and small, occurring in nearly every aspect of our lives: financial information, employment information, health and medical information and even stories about state secrets being spilled. This all becomes background noise.

But Alan got a few things wrong. Some who are sloppy in how they use terms such as Fear, Uncertainty and Doubt (FUD) may disagree, but the media isn’t committing FUD when it accurately reports the data breaches in the public and private sectors.

Does the media hype things up? Sure. But the media isn’t fueling FUD and certainly isn’t crying wolf. That is to say, accurately reporting what happens isn’t FUD (FUD is, after all, a disinformation strategy). And there wasn’t, at first, a wolf in the “Boy Who Cried Wolf” fable—the boy tricked villagers into thinking a wolf was attacking his flock. Then, when the real wolf attack came, no one believed him. Newsflash: the data breaches that reporters are reporting are actually happening. The wolves are here.

So when Alan says that maybe the “media should take the pedal off the metal of constant breach bombardment,” my answer is maybe the organizations being breached should put their own feet on the pedal of their information security and risk management programs.

Managing risk brings me to another point on which I’d like to take issue. This reporting is important, especially to organizational leadership and security teams. It helps to inform, and it helps force companies to at least attempt to improve the security of their software and their organizations. And while these incidents rarely have a lasting impact on the companies breached (and in many cases they shouldn’t have a long-term impact), they often do have a real impact on the breached organization.

Talk to security folks at major retailers, healthcare organizations or any other vertical after they’ve been breached and embarrassed publicly about what their security program looked like before and after the breach. In many cases, the security will have been vastly improved post-breach. In fact, many CISOs I have interviewed over the years have explicitly said they look for opportunities at companies that have been breached for this very reason: They will be heard.

This reporting also helps to show and inform others about the structural problems, organizational problems, technological challenges and oversights that make these breaches all too possible. While Alan may not give a “rat’s ass” about whether the Equifax breach was made possible by poor patching hygiene or Apache Struts software—many of the application and security teams I speak with almost daily do. They want this information to help persuade team members and business leadership why they need a better handle on securing their software supply chain and keeping patches up to date, and why emergency patches are warranted. It shows development teams how important it is that even their non-production environments be kept tight.

This brings us to the importance of these stories for consumers. While there is less that consumers need to do to protect themselves, they need to be aware when the organizations with which they do business have been breached. They need this to determine whether they are at any greater risk and what they may be able to do about it. This isn’t about credit card numbers, which are generally the least-risky asset thieves are likely to steal (most cards carry zero or very low financial liability for the cardholder), but about medical, personal history and financial data. This type of information can place you at real risk.

Which brings us to another point Alan made in his column, regarding steps consumers can make to protect themselves. As he said, “It was hard to resist telling them nothing they could do would help in the long term. So I gave them assignments so they had a sense they were doing something. Freezing your credit, if only temporarily, couldn’t hurt, but navigating all three major credit agencies’ requirements to do so is a chore. And really, if a determined cybercriminal has your info, other than being vigilant, what can most people do?”

That’s both incorrect and dangerous thinking. First, credit freezes are a long-term defense. In most states a credit freeze is permanent; in some states credit freezes are lifted after seven years. If you live in such a state and want a continuous freeze, just submit a new request after the seven-year expiration. This is one of the best ways to protect yourself, especially following the Equifax breach, and will help provide protection from identity theft for years. It’s a proactive step that is much, much more than having a “sense that you are doing something” or something that “couldn’t hurt.”

I helped more than a dozen people freeze their credit, secure their PINs and put fraud alerts in place. It takes, on average, about 15 minutes per person. If it’s indeed a “chore,” this is a 15-minute chore with a big return on the effort.

Staying vigilant is good advice, of course, and part of that is putting the credit freeze in place. You should also consider a credit fraud alert, which forces creditors and others to take steps to verify your identity. But attackers will try to steal your identity or conduct transaction fraud on your accounts in other ways as well, so keep an eye on your tax records, medical records and other personal information.

The FTC has a good FAQ on credit freezes here, as well as information on how to contact the major credit reporting agencies.

Staying vigilant also requires keeping an eye on the news in case a data breach affects you personally or a loved one. Staying vigilant demands fast, accurate and honest coverage of data breaches—and that’s what we will continue to strive to deliver to you every day here at Security Boulevard.

While the data breach numbers are admittedly staggering, asking the media to stop reporting on breaches is just asking society to stick its head in the sand. Whenever I have watched that plan put into action, it has not worked out very well. It certainly will not make anything better. We certainly need new and better approaches to enterprise security; burying the messenger certainly isn’t the plan we need.

  • George, George, George. When you are a hammer everything looks like a nail. It is not just the security media who is desensitizing everyone, it is the entire security industry. Too much of our entire industry keeps the lights on by selling FUD about how you can be the next headline. Yes we need better security response options. I don’t think everyone freezing their credit is a great solution. Otherwise the heck with it, why shouldn’t we all do it, as sooner or later we are all going to be victims. There has got to be a better solution here.