A Recap of 2014’s Poor Performance in Cyber Security

The second half of 2014 has begun and while many people are reluctant to get closer towards the end of another year, I for one am glad it’s getting closer.

Why?

Let’s take a trip down memory lane and look at a few of the events that have happened so far in 2014:

  • 400,000 users affected in a cyber attack on Avast
  • eBay users’ passwords leaked
  • two organisations forced out of business

My monthly list of data breaches and cyber attacks is getting longer each time it’s created; you can view each list here:

List of January Data Breaches and Cyber Attacks

List of February Data Breaches and Cyber Attacks

List of Data Breaches and Cyber Attacks in March

List of Cyber Attacks and Data Breaches in April

List of Cyber Attacks and Data Breaches in May

List of Data Breaches and Cyber Attacks in June

Frustrating, isn’t it? We as a public keep these organisations in business by purchasing their products and services but they can’t provide us the simple courtesy of looking after our personal data.

Personally identifiable information doesn’t need to be leaked for a breach to cause victims a great deal of bother. In the case of the eBay breach where passwords were stolen, users had to change their eBay password as well as any other accounts that used the same login credentials — a tedious and long process for some.

Changes are needed in part two of 2014

The shortest way I can explain the current state of most organisations’ information security is by displaying the picture below.

[Image: Handsome Business Man in Suit with Surprised Expression]

The expression says it all. A large majority of organisations are getting information security completely wrong. They’re too focused on getting their hands on as much data as they can, having fast websites and not ‘wasting time’ encrypting things.

In the last couple of weeks I’ve spoken to a handful of IT professionals, all of whom have a keen interest in information security. However, their employers don’t support their suggestions for better security. One response I received was:

I’ve heard leadership tell customers that their data security is of the utmost importance. Then I’ve been asked to send that same data in plain text to vendors. I’ve been derided for suggesting encryption at the database and hard drive levels. Companies don’t see the point until they get their data stolen, and many probably NEVER know that their data has been stolen.

Should somebody be ridiculed for suggesting such a basic security measure? No, they shouldn’t, but, ladies and gentlemen, that’s the current state of information security in most organisations.