Recent projects have drawn me into the esoteric, frequently scary world of information security. It’s probably just a coincidence; then again, sometimes a theme will capture the popular imagination and become a broader preoccupation. Certainly, high-profile data breaches at CareFirst, Anthem Inc., Target, Neiman Marcus, JPMorgan Chase, Experian, eBay, Home Depot and other household name enterprises have set certain industries on edge; 2015 is likely to see new data security regulations in the US and in Europe.
I’ve co-authored a study of CIO and CISO attitudes toward data security in Denmark (with client Trellis), where the prevailing business culture has viewed security as a distant concern and responded passively and reactively — at least up to now. New EU security regulations are likely to shake this culture out of its complacency this year as executives contemplate negative publicity, fines and sanctions in the event of a significant breach.
Complacency is one reason companies drag their feet in assessing and dealing with data vulnerabilities. Another, apparently, is the worry that it might be better not to know in advance about gaps in one’s security, because that advance knowledge itself could be discoverable and could be used against the enterprise in the event of a lawsuit. I recently ghost-wrote a blog post about a federal court ruling that could offer a way out of this dilemma, however: The retailer Genesco recently was able to avoid turning over data from its security consultants after its stores were hit with a cyberattack, because it had hired its consultants through its law firm, and therefore their work product was protected by attorney-client privilege. The ruling suggests a litigation defense strategy others could adopt.
The magazine SupportWorld has asked me for an article on security issues arising from Social Engineering — a pernicious breed of hacks that exploit weaknesses not in IT infrastructures but in the character of the humans who use them, especially our frail tendency to want to be helpful, cooperative and compliant. I’m working on the piece now, and I would like to invite your help.
Has your organization been hit by a social engineering exploit? Ever had the experience yourself? How did it happen, and what did you do about it? Your experiences could be very helpful to colleagues and peers in other enterprises, and I invite you to share them with me and my audience. Contact me here to share your story — experiences don’t have to be attributed to you or your company to have value. Thanks in advance.