Wake Up! User Data Security Is a Nightmare
Data privacy is an ongoing challenge.
With the frequency of data breaches hitting the Internet, it’s no surprise that an increasing number of companies are starting to look at their systems and asking “Are we secure?” Very few are getting an answer they want to hear. Keeping data secure is a complex challenge, and few people are well-versed in its many facets and constantly changing risks. Some companies just throw up their hands and say “See? You can’t stop cyber breaches.” Fortunately, that’s a load of crap.
There is a lot you can do to stop cyber breaches and protect your user data. Read this brief overview of what we're up against, and then check out the Guide to User Data Security for deep details, scripts, and strategies to keep your data safe.
Data Security Is Complex
Data security is difficult because threats come from a wide range of sources. Some industry professionals use a metaphor comparing system security to putting a strong lock on the front door of your house. But that doesn’t even come close to encompassing the complexity of the situation. If we wanted to make the house metaphor accurate, we’d have to include doors, windows, family, guests, friends of guests, furniture and appliances, contractors, and service professionals — basically everything, everyone, and anything that gets close to your house. Plus, we’d have to plan for thousands of people trying to find a way to break in every moment of every day.
Security professionals need to defend against:
- Hardware attacks that take advantage of vulnerabilities in routers, processors, equipment, and connection pathways
- Firmware attacks that exploit the core functional code of our computers and devices
- Software attacks that invade the sites, tools, and applications that allow us to communicate and interact
- Social engineering attacks that focus on the most easily targeted access point of all: the people using the system
And it gets worse. What if you had to worry about the locks on your neighbor’s doors? With the explosion of cloud-based and multi-tenant services, security teams need to think about how their systems can be compromised by sharing multi-tenant resources. (Read here for more information on single- and multi-tenant identity systems.) This is just the beginning of the challenges security teams face. Hackers are leveraging advances in processing power and computer AI technology to build an ever-evolving set of exploits and attacks.
Data Security Is a Full-Time Job
Even if it is your primary job, it’s not easy to stay ahead of the range and scope of possible hacks. I work with a team building a CIAM solution and we are constantly refining our codebase to handle increasingly sophisticated challenges. We are continually working with the security-developer community to stay on top of the most recent exploits. We even do our own research — in 2016, we hosted a hack challenge for the community to take their best shot at a development server we set up. We were not disappointed. The talented team at Polynome successfully breached the security on our dev server, illustrating how creative and detailed an attack can be. Lucky for us, we were just doing research.
The point of all this is that system security and data privacy are a full-time job and SHOULD be a high priority for every organization. Large companies struggle to defend against cyber threats, and it is even more difficult for startups and small- to medium-sized companies with more restricted time and money. Every company must apply its resources to protect against the most probable threats, and be ready to address any issues that arise. Some companies never have any problems. Others aren't so lucky and have failures at the worst possible time, impacting users, punishing the company’s reputation, and costing millions of dollars. (According to IBM, attacks specifically focused on locking critical data and collecting ransoms cost firms more than $8 billion last year.) Additionally, the GDPR introduces substantial risks of legal violations and monetary fines.
Make Data Security a Priority
There is no question that data security and privacy will continue to be a prominent issue, and companies need to address it now. Security has moved from a “we’ll get to that eventually” feature to a “we need to do this from the beginning” priority, and must be skillfully factored into designs, projects, and timelines. Make sure your team understands the complexity of security needs and plans to continue revising the system to keep up with evolving exploits. If you decide to leverage third-party providers and partners, ask them how they address security issues and stay current. If their system fails, you can lose your business and reputation.
Where Do We Start?
A question we hear frequently is “With all the possible issues, where do we start?” The current best answer is to balance your available resources against the most common threats and get the most secure system you can afford, maybe even a little more. Then make sure you include security considerations in your decision-making process, and evaluate the short- and long-term risks. Security doesn’t happen by neglect, but data breaches do.
Opinions expressed by DZone contributors are their own.