Data protection is a complex challenge, and it demands attention at every level of an organization. PKWARE's in-house experts are here to help you stay up to date on best practices, emerging trends, and new resources for enterprise data security.
We've seen plenty of massive data breaches in recent years: thefts that involve the personal info of hundreds of millions of people and cost the affected companies hundreds of millions of dollars. So far, however, we seem not to have learned our lesson. Cybersecurity continues to take a back seat to dozens of other issues in corporate boardrooms, in legislative chambers, and in the media.
It's time to ask the obvious question: how much worse do things need to get before our attitudes change?
The rising epidemic of data breaches, the evolution of internal and external cyber threats, and increasingly demanding privacy regulations have put pressure on companies around the world to become more proactive about protecting sensitive information against loss, theft, and misuse.
For many organizations, a proactive approach to information security means establishing data governance policies and creating an operational framework for encryption. Strong data encryption is the best way to secure data while allowing the right people to access it, and has become a must-have component of information security in the eyes of consumers, government regulators, and corporate boards. But encryption alone is rarely a complete solution.
It's easy to say that our society needs better cybersecurity. The daily barrage of cyber attacks against companies, government agencies, and individuals has made that clear enough.
The hard part is finding a path forward: developing a strategy that involves the right stakeholders, addresses the right threats, and strikes the right balance between privacy and security. It seems that for every step we take toward better security, we take a step back as politicians, law enforcement officials, and corporate leaders continue to pursue conflicting agendas.
What happens when someone sees a USB drive lying on the sidewalk? About half of the time, as multiple experiments have demonstrated, the person will pick up the drive, take it home, and plug it into his or her computer.
What happens next depends on what’s on the drive. If it contains identifying information, the finder might return it to its rightful owner. If it contains malware, it might kick off a widespread cybersecurity crisis. If it contains a few gigabytes of classified airport security information, including patrol timetables and maps of the security facilities used by foreign dignitaries, it becomes one of the most embarrassing security breaches of the year.
Two months after it first disclosed the theft of 145 million consumers' personal information, Equifax is still finding ways to make the story worse.
In the latest round of congressional hearings, Richard Smith, Equifax's former CEO, confirmed that the lack of encryption on the stolen data was not caused by an error or oversight, but by a conscious decision not to encrypt. That decision seems questionable, to say the least, given that the people whose data Equifax lost had essentially no say in whether their information was part of the database to begin with.
As perplexing as Richard Smith's testimony may have been, it was the company's new interim CEO, Paulino do Rego Barros Jr., who provided the day's most difficult-to-believe sound bite.
The world got a glimpse of the future in December 2015, when hackers—presumably Russian—shut down a Ukrainian power station, leaving hundreds of thousands of people without electricity.
Although numerous reports had documented the vulnerability of power grids to cyber threats, the Ukraine breach was the first large-scale demonstration of the havoc a hostile organization can create with an attack on public infrastructure. In this case, power was restored after a few hours with relatively little lasting damage. The next time, things may be much worse.
We’ve seen it in countless horror movies. The good guys, on the run from a homicidal maniac, barricade themselves inside a house. They booby-trap the yard, seal off the doors, and board up the windows, only to discover that the killer is already INSIDE THE HOUSE.
As familiar as the plotline might be in slasher films, it’s even more common in the world of cybersecurity. Organizations spend millions on firewalls, intrusion detection systems, and other perimeter defenses, only to find that their sensitive data is being compromised by their own employees and business partners.
Consider a typical AES encryption key: 256 binary digits, arranged into one of an unthinkably large number of possible combinations. You feel safe using that key, because you know that it would take every computer in the world, working nonstop for longer than the age of the universe, to produce that exact same combination of digits. Assuming you keep it protected, the only people who will ever know the key are the ones who are supposed to have it.
But have you ever stopped to wonder where exactly that combination of digits came from? The people trying to steal your data may be wondering the same thing.