This weekend, Coke announced it detected a potential breach affecting 74,000 people, due to stolen laptops [Link to the AJC story].
It's almost like no one noticed. In fact, I only read about it because I was invited to discuss it (and other stories) on the Down the Security Rabbithole Podcast [episode link - go listen to my return behind the mic] with Rafal Los and James Jardine. That caused me to take a second look.
As reported, it almost read like the story of other breaches outlined in Into the Breach (link): stolen laptops, personal information on the drives, no misuse detected.
Until I read to the end of the short story. I found an interesting element that anyone responsible for security needs to consider.
When writing about the Target breach, I cautioned on speculation. Speculation is more harmful than productive - especially when done on a broad, public scale.
However, examining disclosed information is useful and productive -- especially when moving past shame and blame and using it for constructive improvement.
While the story of the Coke data breach was short, it managed to include some interesting details. What captured my attention is the admission that the potential breach was discovered when recovering laptops from a former employee. Oh, and that employee was responsible for the management and destruction of the laptops.
As noted recently (read: Where’s the harm? The real conversation we need to have about Target and other breaches), it is time to think about breaches differently. To that end, my own perspective is shifting to a place where breaches are likely to be part of our fabric going forward.
Except there is no excuse for this breach.
Three questions to ask, one consideration to improve
In the case of Coke, three questions come to mind:
- Why was this information on these laptops in the first place?
- Was it protected in any way? I know a lot of people automatically cite encryption as the answer, but that only works if it's implemented properly, the keys are managed, and it's actually used. It's why I prefer to ask the broader question about protection. Was any here?
- How was the process of disposal verified?
Setting aside the first two questions, the big lesson in this breach is process accountability.
Coke is a big company. They had a person (or team) responsible for management and proper disposal of equipment.
It didn't work. That means the process wasn't validated. The system didn't enforce accountability.
The reality, though, is that Coke is not alone. Organizations of all sizes have a myriad of documented processes and informal ways of doing things. These are often at odds, and largely invisible and overlooked, so this sort of breach is going to happen again.
The driving need for process visualization
In order to enforce process accountability, we need process visibility. When I work with clients to get a handle on new or existing (often out of control) projects, the first step is to bring visibility to the process.
In most cases, the process (system, solution, etc.) is not documented. More, it's often not fully known or understood. It takes several people from different teams to come together and literally diagram the process.
The result, always, is a bit of surprise. Often, the organic nature in which processes spring up is a bit messy. It not only introduces friction, but weaknesses and other inefficiencies.
Once visualized, people are often surprised at what it actually LOOKS like. That gives us the ability to come together and discuss the SAME process, consider improvements, and learn where to apply the right protections.
Proliferation of data, key questions
Over the years, I've learned that regardless of the organization (size, location, industry, etc.), data proliferates. Most of it is unnecessary, not helpful, and acts as noise.
Until we get a handle on our data (and information) and provide better ways to focus on what people really need, here are a few questions to guide discussions that lead to better protection:
- What sort of access to the data do people need, and in what format?
- How can least privilege work here?
- What happens when people are done with the information?
- Where do we need to make sure we have protections in place?
- How will we know when the process works?
The last question could have saved Coke. From available information, they needed a check on the disposal process; a way to know it worked as expected.
The opportunity of breaches to increase transparency
For the last six years, the parade of breaches has steadily increased. The uproar over Target (and others) isn't helpful, and neither is getting angry over the Coke data breach.
Each breach provides us an opportunity to call for and provide transparency. To encourage people to share details in a way that allows us each to improve our own practices, and incrementally improve how we protect information.
While it may not prevent the next breach, it'll improve how we detect, respond, and recover. That's a step in the right direction.