Kempner: Why cyber muggers keep winning (and we keep losing)

It’s not uplifting to chat with cybersecurity experts these days, because our most sensitive data is not safe.

Sure, the businesses, government agencies and others that have our private information try to protect our valuables. They smack away lots of attempts by bad guys to grab our data.

But, ultimately, many of the defenders end up buckling, just like credit reporting agency Equifax recently did with Social Security numbers and other data on 143 million people. Why haven’t they done better?

I’ve heard a variety of answers.

“Right now, we have no way to measure the insecurity of our networks,” said Georgia Tech professor Manos Antonakakis.

We’re 20 years into cybersecurity efforts and we can’t do that? (As you might guess, he said he’s doing research to come up with such a measure.)

Security products “are not doing what they claim they can do,” Antonakakis told me.

Others told me the same thing when I stopped by a cybersecurity conference at Georgia Tech.

My visit was after Equifax disclosed its massive data breach.

“This is not going to be the last,” Sal Stolfo, a Columbia University professor, told me.

He said it twice, just to be sure I heard.

He offered only a bit of hope: “Over time, things will get better. But they are not good now.”

People make mistakes. Employees click on links in emails that they shouldn’t, letting malware into the system. Software makers create “buggy” products.

And troublemakers with a financial or political incentive are mega motivated to find security holes.

“They are dedicated. They will look at every vulnerability immediately,” said Kang Li, a computer science professor who directs the University of Georgia’s Institute for Cybersecurity and Privacy.

Compare that with many big companies that store sensitive data. The bulk of their profit focus is usually on something else, like lending money, selling sweaters and hammers or providing medical care.

Li said many corporate boards don’t dedicate enough attention to protecting data or demand sufficient resources for it.

Some cybersecurity researchers are frustrated with Equifax.

The company’s breach involved a vulnerability for which a patch apparently was already available. Installing some security patches in a complex corporate network takes testing and a lot more work than it does on a home computer.

Still, Li told me, “there is no excuse.”

“I don’t think Equifax treated it seriously enough,” he said. “I think people should be mad.”

Alfonso Valdes, a research scientist from the University of Illinois, told me he wrote his congressman over the incident.

“I feel outraged as a consumer,” he said.

He put credit freezes in place, but he told me he still feels exposed by what he suspects will turn out to be “poor digital hygiene” on Equifax’s part.

“If you run a big digital warehouse, you have to be on top of this.”

Yet cybersecurity experts also told me that while you can take steps to limit attacks, there’s no guarantee of success.

“A strongly motivated individual can get into any environment and any company, given enough resources,” Tech’s Antonakakis said. “Why is that? Because they need to find one hole to get in.”

And there’s always a hole.

So here’s how companies try to prevent problems. First, of course, limit holes. They also monitor for suspicious network activity.

Equifax said the breach apparently began in May, but it was only discovered in late July.

“That sounds like a major detection problem,” Antonakakis told me.

It’s also not unusual. It now takes an average of 191 days to discover a breach, according to recent research by the Ponemon Institute.

Companies have other options to fend off electronic attackers. Stolfo at Columbia University suggests broader use of deception, like creating lots of copies of fake information so thieves don’t know if they are stealing the real thing.

Or more companies could avoid storing super sensitive data on consumers.

That’s the premise of Atlanta-based startup Evident ID. Under its system, individuals can keep their personal information locked up on their smartphones, then give companies permission to determine that the encrypted data has been verified, using Evident’s system as a go-between.

“We are trying to help businesses avoid these large-scale attacks,” said David Thomas, Evident’s CEO and co-founder.

Rather than hackers getting access to millions of records in one swipe, they’d have to break into millions of individually encrypted records held in different places, he said. “It changes the economics so it isn’t worth the effort.”

Jessica Rich, a former head of consumer protection at the Federal Trade Commission (and now a vice president at Consumer Reports), told me one reason big breaches keep happening is because companies don’t pay enough attention to protecting consumer information.

Congress needs to pass a tougher law that cracks down on such organizations, she said.

We consumers have to shape up, too. Create better passwords. Don’t give away personal information on social media that can be exploited by scammers. Update software promptly. Put in place tougher security programs.

None of that is enough, though, if organizations that hold our data don’t do better.
