Companies focus on growth, lagging behind threat

'Devil-may-care attitude' toward data coincides with little consequence over security breaches, some say

In the world of cybersecurity, the equivalent of a deadbolt lock on the factory door and keeping the lights on became obsolete years ago.

But too many companies are still stuck in the mentality that some security is enough, and a culture that values growth over security, says Shellye Archambeau, CEO of MetricStream, a provider of governance, risk, compliance and management services.

In the wake of recent data breaches of the popular professional networking site LinkedIn, the dating site eHarmony and the music site Last.fm, Archambeau said those companies are simply not keeping up with evolving threats.

"They aren't leaving their door wide open. But they're not counting on somebody having glass cutters either. Now you need to have wire mesh on your windows, because the people focused on hacking have more and more tools," she said.

Combine that with the fact that data "doesn't stay put," and the need for more sophisticated and layered security ought to be obvious, Archambeau said. "Data is moving all over the place on many devices," she said. "So securing it is a lot harder."

LinkedIn, a mature, profitable company with an estimated 160 million members, is only one of the more recent examples of what experts say is a stunning lack of basic security among some data companies. Since the breach last week, in which about 6.5 million password hashes were posted publicly, it has been widely reported that the company wasn't even following "Security 101" protocols.

As CSO reported last week, LinkedIn was protecting passwords with only the most basic form of protection: a plain hash. Hashing runs a password through a one-way mathematical function and stores only the resulting digest, never the password itself. It is not encryption, because nothing is ever meant to be decrypted; in LinkedIn's case the function was SHA-1, applied to the bare password with nothing added.

But a bare hash is not nearly enough to stop today's attackers, whose automated tools can test millions of guesses a second. Worse, because the same password always produces the same hash, an attacker can hash a list of common passwords once and then look up every stolen hash in that table, cracking all the users who chose "password1" in a single pass. The current minimum standard for stored passwords is "salting": generating a random value for each user and combining it with the password before it is hashed, so that identical passwords yield different hashes and precomputed tables are worthless. Salting is relatively simple and costs nothing. The stronger practice, and the one most security practitioners now recommend, is to salt and also use a deliberately slow hash such as bcrypt, scrypt or PBKDF2, so that each guess costs the attacker real computing time.
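The contrast described above, as an added example that is not from the article or from LinkedIn's own systems: the first half stores unsalted SHA-1 (the scheme LinkedIn was reported to use) and shows how a one-time dictionary table cracks every user at once; the second half stores a per-user random salt with PBKDF2-HMAC-SHA256 from Python's standard library, so equal passwords no longer share a digest and each guess costs a full PBKDF2 run. The user names, passwords and dictionary are constructed for the demonstration; the iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os

# Constructed sample data, not from any real breach: three users (two of whom
# chose the same password) and a tiny "dictionary" of guesses an attacker
# would try first.
USERS = {"alice": "linkedin", "bob": "password1", "carol": "linkedin"}
DICTIONARY = ["123456", "password", "linkedin", "password1", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: SHA-1 of the bare password. Fast, and with no salt
    every user who picked the same password gets the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: dict, dictionary: list) -> dict:
    """Dictionary attack against unsalted hashes. Each guess is hashed once
    and reused against every stored digest, so the cost does not grow with
    the number of users. Returns {user: recovered_password}."""
    table = {unsalted_sha1(guess): guess for guess in dictionary}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


# --- hardened form: per-user random salt plus a deliberately slow hash ---

# Assumed iteration count; tune so one verification costs tens of
# milliseconds on the production hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh 16-byte salt per user means equal
    passwords produce different digests, and PBKDF2's iteration count makes
    every guess as expensive for the attacker as a legitimate login is for us."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Run both schemes over the sample users and report what an attacker
    holding the database could learn from each."""
    weak_db = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
    cracked = crack_unsalted(weak_db, DICTIONARY)

    strong_db = {user: hash_password(pw) for user, pw in USERS.items()}
    alice_salt, alice_digest = strong_db["alice"]
    carol_salt, carol_digest = strong_db["carol"]

    return {
        # unsalted: same password, same digest, and every user recovered
        "weak_collision": weak_db["alice"] == weak_db["carol"],
        "weak_cracked": cracked,
        # salted: same password, different digests; table lookup impossible
        "strong_collision": alice_digest == carol_digest,
        "alice_verifies": verify_password("linkedin", alice_salt, alice_digest),
        "alice_wrong_pw": verify_password("password1", alice_salt, alice_digest),
        "carol_verifies": verify_password("linkedin", carol_salt, carol_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not stop an attacker from guessing one user's password; it stops the one-table-cracks-everyone attack, and the slow hash then makes per-user guessing expensive. bcrypt, scrypt or Argon2 are preferable where a library is available; PBKDF2 is used here only because it ships with the standard library.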

Not only was LinkedIn failing to do that, it does not have a chief information officer (CIO) or a chief information security officer (CISO) either.

Archambeau and others say one of the reasons for the continuing spike in successful data breaches is that "while companies get a bit of a black eye, there are no major consequences for it."

Nicole Perlroth reported in The New York Times that "part of the problem may be that there are few consequences for companies with a devil-may-care attitude toward data. There are no legal penalties. Customers rarely defect. And in LinkedIn's case, its stock price actually rose in the days after the breach."

Archambeau believes enterprise leaders do care about securing their data, especially when they amount to the "crown jewels" of the operation, as is the case with LinkedIn. But she said she thinks part of the problem is a cultural attitude she calls the "startup mentality."

"Companies only exist when they are taking risks," Archambeau said. "The environment and culture around that - that's all good. But at the same time, as companies mature, they need to understand not only how to take risks, but how to manage it. They're not doing enough on that."

Why they aren't mystifies some experts. Security makes obvious financial sense. Jeremiah Grossman, founder and chief technology officer (CTO) of WhiteHat Security, told Nicole Perlroth at The Times that the cost of setting up proper password, web server and application security for a company like LinkedIn would be a one-time cost of "a couple hundred thousand dollars," while the average breach costs a company $5.5 million, or $194 per record.

If there are no severe consequences for lax security, however, what will force enterprises to take security more seriously? Some argue for legal or regulatory penalties for breaches. In California, a unique state law aimed at protecting health records, the Confidentiality of Medical Information Act of 1981, provides for damages of $1,000 per person, per violation. That law is currently being tested in court. 

Paul Kocher, president of Cryptography Research, in an interview with Perlroth, compared the decline in airplane fatalities -- thanks to the Federal Aviation Administration in 1958 and better security and maintenance regulations -- to computer security threats, which have increased 10,000-fold since 2002.

The reason for lax security in the face of those threats, he said, is a lack of liability.

Archambeau said she would prefer to see industry collaboration rather than government bringing a regulatory or legal hammer down. "I'm a big proponent of industries coming together and setting standards," she said. "Regulation is a fallback to when nothing else works."
