Salt Lake City—It seems like every week a new hacking or data breach dominates the news. Unfortunately, that’s the new normal, said industry experts at a panel on the subject at Pluralsight LIVE Thursday.
Speaking as part of the tech company’s annual conference, panelists took audience questions about data security. The recent breach of data check giant Equifax, which potentially exposed private information of up to 143 million people, was the topic on almost everyone’s minds.
The Equifax breach was likely caused by an unchanged default password that became a weakness for hackers to exploit. Dale Meredith, cyber security trainer and consultant, said that kind of weakness is all too common in companies, in part because people concerned with one part or another of a company’s system often won’t think to tell other departments about things they’re changing or updating in the system. It’s a problem that stems from an overall lack of a sense of urgency or engagement.
“My biggest concern is complacency, because when you get complacent, that’s when things go awry,” he said.
Troy Hunt, Microsoft Regional Director and cybersecurity expert, said sometimes back-end developers won’t understand how their role fits into the greater whole, or how their work might affect ease of use for someone down the line.
“You’ve really got to take [developers] on a journey through the way things actually work,” he said. “Making them invested in it is going to be the best bang for your buck.”
Although the Equifax breach is one of the biggest to date in the U.S., and its effects will be felt for years to come, there has been an overall subdued response to it from the population in general, Meredith said. When asked if large-scale breaches were the “new normal,” Meredith said, “Maybe what’s ‘normal’ is that we’re all becoming desensitized. … I don’t know that any of us are very shocked when something like Equifax pops up.”
That laid-back reaction is particularly noticeable—and worrisome—from government entities, said John Elliot, a security, privacy, payments and regulatory specialist.
“At some stage, something will be big enough to force governments to regulate,” he said. “Is Equifax big enough, or is someone going to have to die? It will be regulated, and that will make all our jobs slightly more difficult.”
But Meredith said he thinks the scale and severity of the Equifax breach are significant enough to at least start a dialogue about how to make sure data stays secure, if for no other reason than it shows that any store of information is like a treasure trove for would-be hackers. While the Equifax data was largely financial-based, Meredith said he worries about the security of different kinds of data.
“I start thinking about what the next treasure box is going to be, and I think it’s going to be medical records,” he said. “I think that’s where we’ll start to see regulation coming in. I think that will be the big one.”
A relatively easy way to increase data security is by requiring administrators and consumers alike to take more steps to access it, but that isn’t likely to happen; more steps mean more time required for administrators to access information, which can get expensive, and consumers tend to dislike the hassle of that added security.
“[Multi-step verification] is a really good security control, but as soon as it causes frictions, [participation] drops off,” he said.
Even updates to computer systems or programs, like the regular updates Microsoft gives for Windows 10, are often considered too much of a hassle by many consumers. Add to that the occasional loss of compatibility with other programs or apps, and those necessary patches and updates stop being a valuable line of defense in the ever-shifting field of data security and turn into a bother for consumers, Hunt said.
The cliché for passwords is a person’s mother’s maiden name, or perhaps their dog’s name, or their birthdate. That information used to be a legitimate means of securing data, Hunt said—before, that is, the advent of social media, and the ensuing plethora of platforms allowing people to display all of their once-private information.
“We’ve got to change our attitude on that,” he said.
Even social security numbers, once information that people weren’t supposed to divulge except in certain circumstances, are now commonly used as identity verification at financial and medical institutions, said Meredith. And there’s so much sharing of information across different platforms, programs and apps that people don’t think about, he said.
“Mobile apps—what do they do in the back end? Education, I think, is the answer,” he said. “The education of the end-user is the only thing that’s going to help. That’s not even going to stop it, but it’ll at least put a dent in it.”
Hunt recommended anyone affected by Equifax—or worried about data breaches in general—enlist the help of a credit monitoring service. Some audience members expressed concern about how much personal information was on the internet and being seen or used by whoever stumbled across it. While people can use a credit monitoring service to protect themselves against fraudulent loans, credit cards, or other damaging things being taken out in their name, Hunt said, the loss of privacy brought by the internet is just the nature of the beast.
“Trying to take anything off after it’s been on the internet is like trying to take piss out of a swimming pool,” he said.
Added Meredith, “That’s the new normal.”