Don't Get Mad, Get Furious: BIO-key Offers Insight on Recent Equifax Data Breach
Like you, I have been inundated with the media's frenzy on the latest data breach from Equifax. What I find interesting and somewhat surreal is that this was just another lost battle in a long-standing war between enterprises that house consumer data and the hackers that want access to it.
It has been nearly fifteen years since I joined the ranks of the security industry, including serving as a BOD member and Treasurer of the International Biometrics and Identification Association (IBIA), and at the end of the day NOTHING has changed; in fact, it has gotten worse. I have been privileged to have participated in tens of millions of dollars in security opportunities and transactions during those years and have amassed a history and a perspective on why we will continue to see this behavior proliferate in our lives as enterprise users and consumers.
The so-called experts (it seems everyone these days is one, or at least believes they are) will tell you that the hackers are a step ahead of their victims and that technology cannot keep pace with their intellect and expeditious attempts to break the bank! Although there is some truth to that, and to the news they spread to garner visibility, I have an entirely different perspective, not as an expert but rather as an experienced industry participant.
As you might imagine, cyber security is reviewed and discussed frequently at all levels, top to bottom, within Fortune 1000 companies. Competent Chief Technology Officers, Chief Security Officers and Chief Information Security Officers around the globe know how to thwart, or at least harden, their infrastructures to reduce or eliminate the threat to their organization and the impact to their customers. Most have insurance policies in place to minimize the financial implications and liability should an event occur. So, it seems that large corporations that store your personal information are doing everything possible to protect you, right?
Wrong! As an industry insider who has participated in thousands of RFPs, meetings, discussions and sales presentations, it is clear to me that two issues are plaguing our cyber security efficacy. The first and foremost is the allocation of dollars that CTOs, CSOs and CISOs are competing for at the executive and BOD level. Keep in mind that cyber security is an expense that, generally speaking, will not return a dime of revenue to a company. Put yourself in the middle of a typical executive team meeting where business leaders from each group are vying for investment dollars to grow and expand their businesses. Imagine the pressure to return short-term results and build sustainable long-term revenue. Better yet, think about the personal compensation associated with delivering those results. Are you starting to get the picture?
Second, given the evolving nature of cyber security threats past, present and future, and the technologies that are available today to reduce or stop the breaches, it will take a shift in process and a fundamental change of behavior from every employee within an organization to actually implement them. Change is hard, change is risky, and dramatic change is not what we are getting from the top levels within companies. Even if they do fund an initiative, if it is disruptive to the business, as it will be at the start or if not properly implemented, heads will roll. Given the compensation levels tied to those senior executives, it just isn't worth taking a chance and assuming the risk to both job and career. Some companies will appear to be moving the needle, but we know better, don't we? We continue to see the can kicked down the road and businesses wait as long as they can to implement major technology changes that can impact consumer security.
Please understand this is not to say every organization is misbehaving or ignoring the problem. In fact, many are pushing quickly ahead to implement new and innovative techniques so that the issue of compromised credentials is no longer a threat to access information stored in databases around the globe. Using old-style Knowledge-Based Authentication (KBA) that asks you a question only you should be able to answer is not enough and, quite frankly, once compromised is useless unless "something you have" is tied to that authentication so the evildoers cannot become you in cyberspace.
Incorporating something you have, such as a biometric, vs. something you know, like a Password, PIN or a token, into the authentication stack can reduce the threat of compromised credentials. Multi-factor authentication is becoming a reality for consumers with Microsoft Windows Hello and Google Authenticator; enterprises must internally implement technologies to protect their assets and our customer information. This problem is not insurmountable; in fact, I have witnessed many scenarios where companies have done just that!
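The point in the two preceding paragraphs, that a leaked password or KBA answer is useless to an attacker once a possession factor is tied to the login, is easiest to see in code. The following is an added example written for this page, not BIO-key's product code nor anything from the original post. It implements the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that Google Authenticator uses, alongside a salted password check, and shows a login that only succeeds when both factors are present and the one-time code has not been replayed. The user record, password and salt are constructed for the example; the TOTP seed is the RFC 6238 reference secret so the codes can be checked against the RFC's published vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# --- Second factor: HOTP (RFC 4226) and TOTP (RFC 6238) ----------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the Unix time / step."""
    return hotp(secret, int(at_time) // step, digits)


# --- First factor: salted password hash --------------------------------------

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count kept moderate so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str, totp_seed: bytes) -> dict:
    """Constructed user record (hypothetical, not real account data)."""
    salt = b"constructed-salt-value"
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_seed": totp_seed,
        "last_counter": -1,   # highest TOTP counter already accepted (replay guard)
    }


def login(user: dict, password: str, code: Optional[str], now: int,
          step: int = 30, window: int = 1) -> Tuple[bool, str]:
    """Return (accepted, reason). Both factors must pass and a code is single-use.

    A leaked password alone ("something you know") cannot get past this check:
    the caller must also present the current code from the device that holds
    the seed ("something you have")."""
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "bad password"
    if code is None:
        return False, "second factor required"
    counter = now // step
    # Accept codes from +/- `window` time steps to tolerate clock drift.
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(user["totp_seed"], c), code):
            if c <= user["last_counter"]:
                return False, "code already used"   # replayed or older code
            user["last_counter"] = c
            return True, "ok"
    return False, "bad code"


if __name__ == "__main__":
    # RFC 6238 reference seed; at time 59 the 6-digit SHA1 code is 287082.
    user = make_user("correct horse battery staple", b"12345678901234567890")
    now = 59
    print(login(user, "correct horse battery staple", None, now))      # second factor required
    print(login(user, "correct horse battery staple", "000000", now))  # bad code
    print(login(user, "correct horse battery staple", totp(user["totp_seed"], now), now))  # ok
    print(login(user, "correct horse battery staple", "287082", now))  # code already used
```

Two design details matter in practice: `hmac.compare_digest` is used for both the password hash and the code so the comparison does not leak timing information, and `last_counter` makes each code single-use, which closes the obvious gap where a phished or shoulder-surfed code is replayed within the same thirty-second step.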
As industry participants, we must ask the tough questions of our prospects and customers; we must serve them with accurate and practical solutions that are both proven and scalable; those solutions must be interoperable and work for the masses; and most of all they must come from credible companies that have references. Examples are easier to understand, and of course, no one wants to be first.
As consumers, we must ask the companies that house our private information whether they are doing everything they can to protect us, including investing not just in "window dressing" but in real, tangible solutions that will ensure a higher level of security.
I could write pages on the technology solutions that are currently in use and why some work and most won't, or on the life cycle of technology acquisitions in medium and large companies, but that is not at issue here. Simply put, I had to speak out on this latest breach because it has likely impacted both you and me, so please "Don't get Mad, get Furious!"
Chairman & CEO