Kempner: Why cyber muggers keep winning (and we keep losing)

It’s not uplifting to chat with cybersecurity experts these days, because our most sensitive data is not safe.

Sure, the businesses, government agencies and others that have our private information try to protect our valuables. They smack away lots of attempts by bad guys to grab our data.

But, ultimately, many of the defenders end up buckling, just like credit reporting agency Equifax recently did with Social Security numbers and other data on 143 million people. Why haven’t they done better?

I’ve heard a variety of answers.

“Right now, we have no way to measure the insecurity of our networks,” said Georgia Tech professor Manos Antonakakis.

We’re 20 years into cybersecurity efforts and we can’t do that? (As you might guess, he said he’s doing research to come up with such a measure.)

Security products “are not doing what they claim they can do,” Antonakakis told me.

Others told me the same thing when I stopped by a cybersecurity conference at Georgia Tech.

My visit was after Equifax disclosed its massive data breach.

“This is not going to be the last,” Sal Stolfo, a Columbia University professor, told me.

He said it twice, just to be sure I heard.

He offered only a bit of hope: “Over time, things will get better. But they are not good now.”

People make mistakes. Employees click on links in emails that they shouldn’t, letting malware into the system. Software makers create “buggy” products.

And troublemakers with a financial or political incentive are mega motivated to find security holes.

“They are dedicated. They will look at every vulnerability immediately,” said Kang Li, a computer science professor who directs the University of Georgia’s Institute for Cybersecurity and Privacy.

Compare that with many big companies that store sensitive data. The bulk of their profit focus is usually on something else, like lending money, selling sweaters and hammers or providing medical care.

Li said many corporate boards don’t dedicate enough attention to protecting data or demand sufficient resources for it.

Some cybersecurity researchers are frustrated with Equifax.

The company’s breach involved a vulnerability for which a patch apparently was already available. Installing some security patches in a complex corporate network takes testing and a lot more work than it does on a home computer.

Still, Li told me, “there is no excuse.”

“I don’t think Equifax treated it seriously enough,” he said. “I think people should be mad.”

Alfonso Valdes, a research scientist from the University of Illinois, told me he wrote his congressman over the incident.

“I feel outraged as a consumer,” he said.

He put credit freezes in place, but he told me he still feels exposed by what he suspects will turn out to be “poor digital hygiene” on Equifax’s part.

“If you run a big digital warehouse, you have to be on top of this.”

Yet cybersecurity experts also told me that while you can take steps to limit attacks, there’s no guarantee of success.

“A strongly motivated individual can get into any environment and any company, given enough resources,” Tech’s Antonakakis said. “Why is that? Because they need to find one hole to get in.”

And there’s always a hole.

So here’s how companies try to prevent problems. First, of course, limit holes. They also monitor for suspicious network activity.

Equifax said the breach apparently began in May, but it was only discovered in late July.

“That sounds like a major detection problem,” Antonakakis told me.

It’s also not unusual. It now takes an average of 191 days to discover a breach, according to recent research by the Ponemon Institute.

Companies have other options to fend off electronic attackers. Stolfo at Columbia University suggests broader use of deception, like creating lots of copies of fake information so thieves don’t know if they are stealing the real thing.

Or more companies could avoid storing super sensitive data on consumers.

That’s the premise of Atlanta-based startup Evident ID. Under its system, individuals can keep their personal information locked up on their smartphones, then give companies permission to determine that the encrypted data has been verified, using Evident’s system as a go-between.

“We are trying to help businesses avoid these large-scale attacks,” said David Thomas, Evident’s CEO and co-founder.

Rather than hackers getting access to millions of records in one swipe, they’d have to break into millions of individually encrypted records held in different places, he said. “It changes the economics so it isn’t worth the effort.”

Jessica Rich, a former head of consumer protection at the Federal Trade Commission (and now a vice president at Consumer Reports), told me one reason big breaches keep happening is because companies don’t pay enough attention to protecting consumer information.

Congress needs to pass a tougher law that cracks down on such organizations, she said.

We consumers have to shape up, too. Create better passwords. Don’t give away personal information on social media that can be exploited by scammers. Update software promptly. Put in place tougher security programs.

None of that is enough, though, if organizations that hold our data don’t do better.
