There also must be rules that punish companies that leak user data (law)…
I think I found your problem here.
Upon reflection, I think your understanding of how insurance works is spot-on. Right now we’re treating this problem as a Black Swan, but soon it will be common enough to compile statistics, and Zurich AG will offer data security insurance. And you’re right, they will demand best practices in areas where the US Congress can’t, due to corruption.
Sometimes, the free market actually works.
I suspect, though, that “best practices” are going to be something like “You must change your password every two weeks, and passwords must be 35+ characters long and include numbers, upper and lower case letters, symbols, and at least three each of Egyptian hieratic, Easter Island script, and stick figures from Doyle’s ‘The Adventure of the Dancing Men’.”
This will transfer the liability for breaches from the holder to the user, when wallets stuffed full of written down passwords get lost or stolen.
But brute-forced accounts are only one part of the problem - insecure server setups are probably the source of mass data breaches.
No, the illusion of security is plenty for IT professionals, but it’s different when there’s actual money on the line.
I’ve never seen that distinction. The illusion of security is what “IT Professionals” fight against. We try for real, substantive security - but once management & government get done with it it’s typically little more than theater.
Just look at the TSA as a shining example. IT Professionals would look to Israel for their methods of securing their airports - management looks to McDonald’s on how they prepare lunch.
Which do you think we end up with? Every. Freaking. Time.
BTW, “Best Practices” are often anything but. I’ve seen more companies that follow best practices and have worse security than a company that just tries to have good data security. Complying with best practices & standards (HIPAA, PCI, ISO, etc.) can even reduce operational security by allowing management to curtail InfoSec’s activities through the restriction of budgetary allowances, since the current state is “good enough” due to it “meeting X standard”. The ultimate result is that it changes a challenging, dynamic discipline, which is unique in each case it is applied, into a one-size-fits-all checklist. A checklist composed of the lowest common denominator in most cases, at that.
If you want bad security, just follow industry standards & best practices - and nothing more.
I’m sure various legislators are working on fixing this as we speak.
There’s a limit to what they can do to limit that liability before the system breaks down. If people have their personal information exposed by companies that can evade liability through legislative deals, it can potentially erode user confidence to the point that it threatens the livelihood of a great many businesses.
“Insurers aren’t experts in infosec, but they’re also not experts in fire-safety”
I’m sure of part one but disagree strongly with part two. Perhaps “experts” is too strong, but insurers in general are very, very good at dealing with fire safety. And they have local Fire Marshals to help, and codes that have been developed over decades (centuries in some cases) of experience.
But infosec is new. They don’t have a “grip” on the level of risk (so they’ll overestimate, typically). The engineering community has been through this experience before, and this time will be similar (ugh). Back then it was boilers and steam engines and - dang - some of them blew up and people were killed. Over time, codes of practice were developed and inspection became standard and, guess what, we hardly ever have a boiler explosion anywhere in the country these days.
And so it will be with infosec. We are now seeing the effect of less-than-optimal software and no-thought security. These are phases that will pass and, as with the engineering debacles of two centuries ago, the peddlers of such trash need to personally spend some time in jail/gaol.
On the issue of insurance - there are few companies today that do not carry it. The only exceptions are the very largest companies that self-insure, and even these often will do so anyhow. The downside exposure is just too big. But many companies, and their stupid Boards, neglect the exposure to cyber attack and don’t carry insurance. Of course, everyone is “insured” because, if you don’t buy it (i.e. lay off the risk), then you’re just insuring yourself.