Lessons from 2009: Functionality still trumps Security
Yes, you heard me correctly…
We still think about personal and corporate security only as an afterthought.
Despite all the regulatory and industry compliance that has been created and updated in the past 15 years, as we close out this decade, we are hardly any closer to proactively applying security guidelines in our personal or professional lives. Certainly, we don’t apply them ahead of convenience or functionality, in any event.
- We still leave our keys under our welcome mats, or inside our flower pots, or inside our garden gnomes.
- We still hate using passwords, still use feeble ones, and still write them down on sticky pads pasted to our monitor or the bottom of our keyboards.
- We still share the same password(s) across all our corporate accounts and our internet accounts.
- We still don’t lock our workstations when we leave our desks, or password protect our sensitive PDAs and smart phones.
- We still disclose sensitive information on websites that are not using SSL and are only “protected” by feeble passwords.
- We don’t pay for preventative information security solutions or apply best practices unless we think we *may* have been compromised.
- We prioritize new functionality over operational security, even though new features are a common source of security issues in the first place.
As consumers, we are willing to pay for products if they have the right features, but rarely will we inquire about how safe or secure they are – and even less commonly are we will willing to pay extra for safety or security. This gives the vendors no incentive to prioritize security until something bad has happened™. We’ve got to get past the acknowledgement that vulnerabilities are a given, and get to the place where we hold people accountable for issues that could have been foreseen and mitigated in advance.
We cannot expect to hold vendors accountable for security failures if we continue to value non-security features ourselves – not in a free market society, anyway. They’re only going to produce what we’re willing to pay for, and so far security is not what people clamor for.
What the Future Holds…
Having said all that, however, I predict that the next 15-24 months will bring more penalties for organizations small and large that fail to be proactive in their management of information security and privacy concerns. There will be embarrassing disclosures of personal data, and many more small-to-midsize firms will find themselves having to deal with the aftermath of data security breaches, given that 45 states currently have breach notification laws on the books, and a Federal breach notification law is on the horizon.
Expect the 2010 list of data breaches to be even larger than the 2009 list. It’s definitely going to get worse, before it gets better, and the consumer response to such negligence will be debilitating for the offending companies. There are lots of vulnerabilities floating around in the wild, in addition to targeted attacks by an increasingly sophisticated malware underground.
Now is the time for prudent business owners to make true information security a priority, recognizing that a secure enterprise is actually a business driver, and lowers the costs associated with attaining regulatory and industry compliance. Those who continue to approach security in a reactive way will spend more money, and use more resources, and generate less revenue than those who make information security an underlying part of their business operations. Security is a way of life, not a periodic event, and it’s about time we started behaving this way.
No matter how expensive we think security is, the costs are always less when paid upfront rather than after an incident. The question we should be asking ourselves isn’t “can I afford this security?” but rather “can I afford not to have this security?”
Collectively, we can hold organizations accountable for inadequate security and privacy practices and functionality – but we have to start with our own personal security. Don’t just pay lip service to security issues, or you could find yourself paying real dollars to rectify a huge mess in your personal or professional life.
Let’s start this new decade on the right foot, and not perpetuate the information security sins of the past.