Three hundred twenty-seven million Marriott user accounts compromised. 100 million at Quora. 148 million from Equifax. Those all pale in comparison to the 3 billion user accounts compromised from Yahoo in 2013.
Ask yourself this: do you find yourself becoming outraged or saying “ho-hum” every time you hear about the latest record data breach? Society seems to be agreeing with the latter answer.
I was recently sitting in a room with some of the world’s brightest minds at a Secure Technology Alliance consortium meeting in Washington, DC, trying to figure out how to better authenticate and secure our digital world. It was easily the most-brains-and-experience-per-square-foot meeting I’ve ever been in focusing on better and more pervasive authentication.
Many of the presenters talked about how bad things are today, with continued phishing and unpatched software making Swiss cheese of most organizations’ security defenses. This is despite myriad competing great authentication solutions, which are undermined by seemingly indifferent users.
“Why don’t users care more about security?” was a common question asked during breaks. Other presenters pointed out that many of the problems we were describing were the same problems we had 30 years ago. It was a room full of people dedicated to figuring out the remaining hard problems and trying to get the right authentication solutions developed and standardized.
I caused a bit of hubbub by stating, “Maybe we already have the security that we deserve?” Someone countered saying, “How can you say that with all the big breaches happening every day?”
“Exactly!” I responded.
It’s hard to sell better, more secure solutions when society is saying the status quo is fine. All the security experts in the room would not say everything is fine, but that’s to be expected. We’re security experts. We care about making computing significantly more secure.
State of security not impacting lives of most people
If you ask the average person about the current state of computer security, they would probably agree that it’s bad, but it’s really not impacting their life all that badly. If it were, they wouldn’t use computers. In the face of tremendous online crime, consumers appear to be adopting more and more technology, and trusting even more of their lives to digital things. More and more online purchases are being made. People are adding apps to their phones, not deleting them. People are using less cash and more credit and debit cards.
I know it flies in the face of what we computer security experts believe, but perhaps as bad as things are, what we have today is the best we’re going to get…at least without a digital equivalent of a 9/11 event. As bad as things are, society and its digital self are humming along just fine. Sure, there are billions of records compromised each year. Sure, your credit cards get compromised and reissued once or twice every year or two. Even when that happens, it really doesn’t inconvenience you that much.
Fraud is now less inconvenient and is the cost of doing business
Years ago, if someone stole your online identity or credit card, it could really mess up your life. You might even be personally responsible for the fraudulent charges. It might have taken you a year to clean up your credit record, if ever.
Today, the bank is probably proactively notifying you that it spotted some fraudulent charges on your card, and that your new card is in the mail to be delivered to you tomorrow. You aren’t responsible for any of the fraudulent credit card charges, and your credit history record is not impacted.
Some people are still being significantly impacted and sometimes incur significant problems and financial losses, but they aren’t the norm. As long as the average person isn’t getting bothered too much by poor security, companies and processes aren’t likely to change.
These days when a big data breach occurs, most people aren’t impacted, beyond having to change their password. The business itself might be momentarily financially impacted. One or more people might be fired. A year later, the company’s revenues and stock price are usually up.
That last outcome explains why people and companies aren’t taking computer security more seriously. I’m not saying it’s right, but as long as the pain isn’t too bad, they are unlikely to change their behavior, especially if it means inconveniencing the customer and missing easy sales.
As one bank executive told me, “Fraud is still [a] rounding error in our company.”
Security investment a hard sell
We do need better computer security, especially as things become more critical and more connected between our real and digital lives, but it’s hard to tell people to spend more money on something that may never happen.
Airline security experts knew people could sneak bombs in their shoes, clothes and water bottles before 9/11 happened, but imagine how airline customers would have reacted if told to take off their shoes, dump out their water bottles, and undergo full body scans, while going through airline security before 9/11. It would have pissed off many customers to the point that they would have stopped flying. Once 9/11 happened, we’re all in line taking off our shoes, dumping water, and getting scanned, as if it were as normal as breathing. A few people still complain, but airline travel is up, not down.
In general, humans are great at reacting correctly once the pain has happened. It’s easy to sell batteries during a hurricane. It’s easy to sell hurricane shutters after a hurricane. It’s not so easy if it’s been 50 years since the last hurricane hit a particular area.
What I’m saying is, as bad as computer security is today, perhaps it’s the “right” amount of computer security for the times. Otherwise customers would complain more and computer security would truly get better. There’s a reason why computer security is still so bad for most organizations. There’s a reason why billions of records are still being stolen each year, year-after-year. The pain isn’t that bad. Not for the customer and not for the company.
Easier customer recovery vs. better security
Instead of making computer security significantly better, vendors responded by making the customer recovery process easier and faster. That strategy, at this time, appears to be cheaper and easier than actually significantly improving computer security…at least until it isn’t. I’m still staying at Marriott. I love Marriott and the points I earn. Equifax still has my credit history, and I still use my Yahoo account. I expect to have my credit card unexpectedly replaced by my bank in the next year or two. I’m not thrilled about it. No one is, but society overall seems to have made its choice…at least until a 9/11 event happens on the internet.
Right now, society is OK with OK security, flaws and all, as long as it doesn’t inconvenience them too much when the breaches happen. It might not be the security we deserve, but it’s the security we apparently can accept.