Rookie mistakes. Everyone makes them. Even crafty old veterans fumble the ball every once in a while. In the field of data security, however, small mistakes can result in really big problems. This morning, university student Dan Farrall reported that the job application website which GCHQ, one of Britain’s intelligence agencies, uses sends plain text passwords to applicants via email.
Now, there are plenty of reasons why this is a ridiculously bad practice and can expose very sensitive information to the wrong people. I won’t go into them here, and hopefully some of the pitfalls are obvious. If you want to see how widespread this anti-pattern is, check out the site PlainTextOffenders.com.
It’s not just password security that’s susceptible to oversights, or laziness, or miscommunication, or whatever it is that exposes vulnerabilities. Often times we’re just an angle bracket away from SQL injection, or a right-click away from global access.
The lesson here is that we cannot take security for granted. Even the organisations you would assume are most equipped to secure your data may not have visibility into everything they manage.
It’s certainly not the case that password encryption is beyond the grasp of the partner of an intelligence agency like GCHQ. In fact, in the majority of cases, there is a known solution for the security challenges we face. But the volume of data we manage, the interconnectedness of our systems, organisational bureaucracy, and frankly, people, make security much harder than it seems. This case in particular highlights the need to do a thorough check of your third party providers and their business practices, especially in the area of security.
We have to focus on the basic “blocking and tackling” if we stand a chance at becoming a culture of data security and privacy.
Here is a Top 5 list that can help both individuals and organisations begin to practice defensive driving in today’s world.
1. Without the ability to access and share information securely, almost every business process will be impaired. For individuals it’s not much different—imagine losing control of your Gmail account.
2. Once we learn to recognise the value of our information, we need to understand where it’s stored and how it’s shared. Information can easily be copied and replicated to many systems and formats.
3. Wherever we have assets that need to be protected, we need basic controls around them - such as authentication, authorisation, auditing and alerting. These controls won’t stop all attacks, but they’ll certainly stop most of them.
4. Once you’ve got the right controls in place for secure collaboration, people need to stick to them. Unsanctioned public cloud services or plain text password resets by third party providers are examples of what not to do. Unfortunately, services that the organisation doesn’t know about or approve of are entirely outside of organisational control, and so is the information stored in them.
5. When information can’t be shared it has little to no value. When it’s available to too many people, or the wrong people, it’s a liability. Information is most valuable when it’s available to the right people, and only the right people