In recent weeks we've been inundated with news about data breaches involving the loss of hundreds of millions of very private, very personal records. The US Securities and Exchange Commission (SEC) itself admitted to a hack of its EDGAR filing system, a hack that actually occurred last year but only recently came into the public eye.
An SEC public statement by Chairman Jay Clayton notes that
"even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important. Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself. Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery."
Cyber criminals are to be admired for their constantly evolving art and ingenuity; we must be prepared to respond in kind.
However, recent statements that security breaches occurred because of an unforgivable failure to change a default password, or because a system administrator did not communicate the need to apply a patch, may be efforts to invoke the “Chewbacca Defense”: an argument that distracts from the real question with an irrelevant detail.
The term “cyber” derives from “cybernetics”, coined over half a century ago in reference to “the control of complex systems … in mechanical networks”. Although our definitions have changed, the security functions of a modern business are still complex systems.
A system that can be compromised by a single human failing says more about a failure to implement checks and balances, “four eyes” principles and systemic controls than it does about the individual who slipped. A single point of (human) failure is a design defect, not an excuse.
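The “four eyes” principle can be made a property of the system rather than a hope placed on a person. The following is an added illustration, not code from the original article: a dual-control gate that refuses to run a privileged change (say, replacing a default password or applying a patch) until someone other than the requester has signed off, and that records every attempt. The class names, the change request and the approver identities are hypothetical, constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List


class FourEyesError(Exception):
    """Raised when a privileged change is attempted without enough independent approval."""


@dataclass
class ChangeRequest:
    """A constructed privileged change awaiting dual control (hypothetical type)."""
    change_id: str
    requester: str
    description: str
    approvers: List[str] = field(default_factory=list)  # distinct people who approved, in order


class FourEyesGate:
    """Dual-control gate: a change runs only after `required_approvals` people
    other than the requester have approved it. The default (1) is the classic
    four-eyes rule; 2 gives six eyes, and so on. Every decision is logged."""

    def __init__(self, required_approvals: int = 1):
        if required_approvals < 1:
            raise ValueError("at least one independent approver is required")
        self.required_approvals = required_approvals
        self.audit_log: List[str] = []

    def approve(self, req: ChangeRequest, approver: str) -> int:
        """Record an approval; returns the number of approvals so far."""
        if approver == req.requester:
            self.audit_log.append(f"{req.change_id}: REJECTED self-approval by {approver}")
            raise FourEyesError(f"{approver} cannot approve their own change {req.change_id}")
        if approver in req.approvers:
            self.audit_log.append(f"{req.change_id}: REJECTED duplicate approval by {approver}")
            raise FourEyesError(f"{approver} has already approved {req.change_id}")
        req.approvers.append(approver)
        self.audit_log.append(
            f"{req.change_id}: approved by {approver} "
            f"({len(req.approvers)}/{self.required_approvals})"
        )
        return len(req.approvers)

    def execute(self, req: ChangeRequest, action: Callable[[], str]) -> str:
        """Run `action` only if the approval threshold has been met."""
        if len(req.approvers) < self.required_approvals:
            self.audit_log.append(
                f"{req.change_id}: BLOCKED with {len(req.approvers)} of "
                f"{self.required_approvals} required approvals"
            )
            raise FourEyesError(f"{req.change_id} lacks independent approval")
        result = action()
        self.audit_log.append(
            f"{req.change_id}: executed for {req.requester}; approvers={req.approvers}"
        )
        return result


def demo() -> List[str]:
    """Walk one constructed change through the gate and return the audit log."""
    gate = FourEyesGate()
    req = ChangeRequest("CR-0001", "alice", "replace default admin password on gateway")

    def apply_change() -> str:
        return "password rotated"  # stands in for the real privileged action

    # Two things a single person might try: running the change unapproved,
    # and approving their own request. Both are refused and logged.
    for attempt in (lambda: gate.execute(req, apply_change),
                    lambda: gate.approve(req, "alice")):
        try:
            attempt()
        except FourEyesError:
            pass

    gate.approve(req, "bob")          # a second pair of eyes
    gate.execute(req, apply_change)   # now permitted
    return gate.audit_log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the gate is that the control does not depend on anyone remembering to ask a colleague: the same person cannot both request and approve, approving twice does not count twice, and the refusal itself leaves a record that a reviewer can later find.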
The cyber security of a modern business is a complex ecosystem and we all play a part.
“One last security question: can you tell me the email address you used for this online purchase?” said the woman on the phone. “The email address?” I asked. “Yes please,” she replied perkily. “You mean the email address you just emailed me on, telling me to call you for a security check?” I asked, apparently with insufficient irony. “Yes, that’s right,” she replied.