Companies focus on growth, lagging behind threat
'Devil-may-care attitude' toward data coincides with little consequence over security breaches, some say
By Taylor Armerding
June 15, 2012 — CSO — In the world of cybersecurity, the equivalent of a deadbolt lock on the factory door and keeping the lights on became obsolete years ago.
But too many companies are still stuck in the mentality that some security is enough, and a culture that values growth over security, says Shellye Archambeau, CEO of MetricStream, a provider of governance, risk, compliance and management services.
In the wake of recent data breaches of the popular professional networking site LinkedIn, the dating site eHarmony and the music site Last.fm, Archambeau said those companies are simply not keeping up with evolving threats.
"They aren't leaving their door wide open. But they're not counting on somebody having glass cutters either. Now you need to have wire mesh on your windows, because the people focused on hacking have more and more tools," she said.
Combined with the fact that data "doesn't stay put," the need for more sophisticated and layered security ought to be obvious, Archambeau said. "Data is moving all over the place on many devices," she said. "So securing it is a lot harder."
LinkedIn, a mature, profitable company with an estimated 160 million members, is only one of the more recent examples of what experts say is a stunning lack of basic security among some data companies. Since the breach last week of about 6.5 million passwords, it has been widely reported that the company wasn't even following "Security 101" protocols.
As CSO reported last week, LinkedIn was protecting passwords with only the most basic encryption. The process, known as "hashing," scrambles a password with a mathematical algorithm and stores only the encoded, or "hashed," version.
But that is not nearly enough to stop today's hackers, who use automated tools that can test up to a million passwords a second. The current standard for security of stored passwords is to add a series of random digits to the end of each hashed password, known as "salting." It is relatively simple and can be done at no cost.
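To make the hashing-versus-salting point concrete, here is an added example (not code from the article or from LinkedIn) that stores constructed sample credentials two ways: a bare hash of the password, and a hash where a random per-user salt is mixed into the password before hashing and stored beside the result. The salted variant uses PBKDF2 from Python's standard library, which also slows each guess; the sample user names and passwords are invented for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample credentials for the demonstration (not real accounts).
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}

def unsalted_hash(password: str) -> str:
    """Weak scheme: hash the bare password. Identical passwords produce
    identical hashes, so one precomputed table matches every such account at once."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, str]:
    """Salted scheme: a random per-user salt is mixed into the password before
    hashing and stored next to the hash. PBKDF2 also makes each guess slow."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()

def verify_salted(password: str, salt: bytes, stored_hex: str,
                  iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)

def count_duplicate_hashes(table: Dict[str, str]) -> int:
    """Number of accounts whose hash is shared with at least one other account.
    Each duplicate is an account recovered for free once one of them is cracked."""
    seen: Dict[str, int] = {}
    for h in table.values():
        seen[h] = seen.get(h, 0) + 1
    return sum(n for n in seen.values() if n > 1)

def build_tables():
    """Return (unsalted table, salted table) for the sample users."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("duplicate unsalted hashes:", count_duplicate_hashes(unsalted))  # 2
    print("duplicate salted hashes:", count_duplicate_hashes({u: h for u, (_, h) in salted.items()}))  # 0
    salt, stored = salted["alice"]
    print("alice verifies:", verify_salted("correct horse", salt, stored))  # True
```

The unsalted table exposes that alice and bob share a password before a single guess is made; the salted table hides that relationship and forces every account to be attacked separately.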
Not only was LinkedIn failing to do that, it does not have a chief information officer (CIO) or a chief information security officer (CISO) either.
Archambeau and others say one of the reasons for the continuing spike in successful data breaches is that "while companies get a bit of a black eye, there are no major consequences for it."
Nicole Perlroth reported in The New York Times that "part of the problem may be that there are few consequences for companies with a devil-may-care attitude toward data. There are no legal penalties. Customers rarely defect. And in LinkedIn's case, its stock price actually rose in the days after the breach."