Data protection is top of mind for many in the information security industry. Despite continued investments in technologies and increasing regulatory pressure, every year brings more stories of data thefts and security breaches. We are living in an era where private financial data is traded as a commodity in the underground market. The size of this data-trading economy now parallels that of the illegal drug trade.
Some argue that companies are not doing enough to protect data. In economics parlance, the cost associated with a data breach includes both private (internal to a firm), and external expenditures that other entities are forced to pay due to the breach. Traditional cost models rarely take into account any external costs. As such, the investment in protection technologies rarely matches the true cost of a data breach. It is time for us as a community to face up to these costs and look for alternative solutions, perhaps even ones that are traditionally deemed too cost-prohibitive.
One reason that fraudsters target data is that it carries value. What if we devalue the data, hence take away the incentive for data theft? One way to devalue data is to restrict what you can do with it. Take the case of credit cards. If we reduce general credit limits and make it difficult to obtain cards of high limits, we would significantly curb the appetite for stolen cards, and as a result reduce the volume of data theft incidents. Clearly, this approach goes against the modus operandi of those who are in the lending business. But if the recent credit market crash taught us anything, it is to exercise caution before extending credit. As data theft incidents become more common and the cost of protecting data rises further, financial institutions will, at some point, re-evaluate the true value behind data. Why not do it now?
One common pitfall of many security systems is the confusion of authentication with identification. Names, credit card numbers and birth dates are identifiers. The process of verifying identifiers is authentication, which should not equate to the simple possession of the identifiers. Imagine a payment card whose number is a one way hash of the spatial geometry of a person’s face and a PIN of some sort. A transaction is only authorized when a facial scan and the PIN verify the card number; the card is otherwise useless.
Also, compliance is a big driver in the adoption of security technologies today. However, compliance serves a penalty-centric role – if you are not compliant, there will be a price to pay. There is very little incentive structure set up to reward good behavior. The impact of reward structure on improving performance is well understood. It is perhaps time for the information security community to stop relying solely on compliance and start investigating how we can improve the overall data protection competency by rewarding good behavior. This should include rewards for good behavior internally within an organization, as well as across organizations at a society level.
In addition, just as “greenness” measures the company’s commitment to the environment, we need an analogous metric that measures the company’s maturity in its data handling operations. And just as greenness can help a company achieve social goodwill, a good data security reputation should result in customer loyalty and heightened trust. With such a metric and reputation framework in place, perhaps firms would be more inclined to internalize some of the external cost, if it will help them garner a more favorable reputation.
Clearly, implementing some of these ideas would require a thought shift and, in some cases, a complete overhaul of infrastructures, which can be an expensive undertaking. But if we do not change drastically the way we do things and the way we approach the problem, count on it, we have not seen the last of such cases as Hannaford Bros. and TJX.