The new year appears to be continuing a trend begun in 2008 — ever increasing hype concerning the level of data security threats faced by public and private entities. This hype is not just about increasing public breach disclosures (which have primarily been driven by the increase in breach notification laws); it also manifests in the perceived threat of involuntary corporate transparency brought into public view by the “Wikileaks Effect”, in the fact that papers such as the LA Times are able to report as fact that the powerful Stuxnet worm trimmed years off the Iranian nuclear program, and in the fact that the Organisation for Economic Co-operation and Development (OECD), in a recent report, paints a picture of a world where “[p]reventative and detective security technologies will not provide protection against all the threats [so] considerable effort will be needed to mitigate and recover from losses.” OECD Report (dated 14 January 2011) at 82.
For example, in the LA Times article, the Stuxnet worm was removed from its unique Iranian context and given broad scare appeal: “Now that Stuxnet is in the public domain, experts are deeply concerned that hackers, criminals or terrorist groups could use some of the vulnerabilities it reveals to attack systems that control power grids, chemical plants and air traffic control.”
Third-party threats have indeed shifted, but that shift took place over five years ago – when organized crime realized that stealing data could be more lucrative — and much safer — than traditional criminal activity. The ego-driven hackers of yesterday may still exist in the form of the hacktivists of today, but they remain a minor threat compared to the threats driven by organized crime. That is not something new.
On the other hand, the hype that has filled the data security landscape has only risen to a fever pitch these past several years. It is not exactly clear why this is happening. It may be the fact that more big business has entered the data security consulting/technology space – well equipped with PR firms in tow. It may be because news organizations have found a new bogeyman that can help drive sales. It may simply be that reporters and pundits truly feel the hype is justified.
No matter what the cause, one thing is certain: this hype does not help companies or governments better protect themselves. Employees faced with this barrage of hype may become a bit more lax, thinking there is little they can really do to prevent a theft. This would be a grave mistake, given that a significant share of data loss incidents is directly tied to employee negligence. Likewise, if hype causes a CFO to think that state-sponsored incidents such as Stuxnet may be an imminent threat, he or she may suggest diverting resources from more important initiatives like employee training.
There are obviously ongoing data security threats faced by companies that are very real and not going away any time soon. Marching into 2011, focused companies will weed the hype and address these many challenges utilizing a cost-effective risk management approach. And, should they need legal or consultative advice, they will choose seasoned partners with the lowest volume setting. Smart companies realize that succumbing to the hype is a zero-sum endeavor that will only benefit those who feed off the hype.