“We have a confirmed data breach.” Those are the words that no security or technology professional wants to hear.
Almost everything we do in our enterprise security programs as leaders, or consultants, or programmers, or analysts, or ethical hackers, or trainers or company business executives or (fill in the blank with another role including end users) is intended to prevent the moment when those words are said.
If you’ve ever been the person accountable for security and heard those words spoken, you know that terrible sinking feeling.
For others, think of how you would feel if you heard a doctor tell you that your tests came back positive and you do, indeed, have cancer.
But here's a reality check to remember: Data breaches happen more often than most people realize. John Chambers, the CEO at Cisco, reportedly said, “There are only two kinds of companies. Those that were hacked and those that don’t yet know they were hacked.”
Nevertheless, despite the bad news, not all data breaches have equal impact and ramifications.
All Data Breaches Are Not Created Equal
Back when I was the Michigan Chief Security Officer a few years ago, I got a call from another state technology leader who wanted a listening ear and some advice for the future. He’d just been interviewed by a local news reporter who asked him several questions on cybersecurity.
The reporter was friendly and helpful, but he was seeking reassurance that the state’s citizen data was being safely and adequately protected. He was looking for a feel-good story with the basic message “everything is fine here.” Since this was shortly after South Carolina’s data breach of more than 3.6 million records, my friend was especially concerned with his answer to one simple question: “Has our state experienced a data breach?”
Feeling caught off guard on this question, he said, “I am not at liberty to discuss this topic.” The truth is that his government had experienced a (very small) security breach in one department several months earlier, but he certainly didn’t want to talk about it to the press. No one wants to be in the headlines for an accidental news story that reflects badly on his/her public- or private-sector organization.
Since most states have breach notification laws, the reporter was clearly expecting a transparent yes or no answer — followed by a discussion of any relevant “yes” details. Since this reporter was trying to write a supportive story, he was surprised by the answer. Needless to say, the reporter’s reaction spooked my friend, leading to the phone call to me.
There Are Many “Minor” Data Breach Stories
In reality, I think this situation is a fairly common dilemma that security and technology professionals face. Of course, no one, including my friend, wants to lie. Furthermore, very few can say an unequivocal “no breaches,” without adding some caveat, such as “that I am aware of” or more likely “we’ve had no major breaches.” Still, who wants to explain the difference between major and minor breaches?
Digging even deeper, answering the breach question often gets somewhat complicated. Explaining a “minor breach” is a bit like telling your spouse you have easily treatable cancer. No one likes hearing the word “cancer” — even if the odds are good for a full recovery. Allow me to explain with a “very minor breach” story from Michigan government.
Once upon a time, Michigan government had a vendor who won a small contract award. The award announcement was supposed to be placed on a purchasing Web page in a secured area where only authorized vendors can gain access. However, the award announcement was mistakenly placed on a public-facing website. Since this contract was awarded to a sole proprietor, the company identification number listed was also that person’s Social Security number. Bottom line: This sensitive data was temporarily available to the public for more than 24 hours until the error was discovered and fixed.
In simple terms, we experienced a (very minor) data breach of one person’s sensitive information. In keeping with Michigan notification laws and internal government processes, the person was notified and the appropriate follow-up actions, such as issuing free identity theft protection, were taken.
While this type of internal error leading to a breach is rare, I believe that very small data breaches do occur in business offices more often than people realize. In the vast majority of cases, appropriate actions are taken to safeguard consumers and lessons are learned by staff regarding how to prevent future mistakes.
Are Breaches Inevitable?
So are some data breaches inevitable? Probably. But we can certainly reduce the risk of breaches through effective training of end users and technical staff, better coordination and information sharing and improving our overall cyberdefenses.
Of course, minor breaches regarding a few sensitive records are very different than major data breaches involving thousands or even millions of records. The recent federal government data breach at the U.S. Office of Personnel Management (OPM) has again raised this issue to the forefront.
In the black-and-white world of the reporter’s simple question, I would acknowledge that Michigan did experience a minor data breach of sensitive data for one individual. So what did I tell my friend? How would I answer that reporter’s question?
“Yes, we have had a very minor data breach in Michigan that was the result of internal administrative errors. Nevertheless, we’ve never experienced anything close to the scale of Utah or South Carolina or Sony so far.”
I would explain our organization’s cybersecurity plans, our data encryption, our actions to date and how seriously we take cybersecurity. And, hopefully, my words don’t make the headlines.
The Time Has Come for a New Data Breach Scale
Which brings me back to the original topic — and next steps. I posted an earlier version of this blog on LinkedIn, and Venturebeat also ran the story. Many comments and other stories flowed from this topic, such as this piece in April 2015 from Meghan Carter at Everbridge and an article by Troy Hunt called “Security Sense: Hacking ain’t hacking,” published by Windows IT Pro.
And the verdict is in. Almost everyone agrees: we need a new data breach scale. I have heard from dozens of colleagues all over the nation, cyberinsurance companies, law enforcement organizations, government entities, nonprofit entities, standards bodies, institutes, university faculty and others. No one thinks this is a bad idea. Sure, there are many opinions on what should or shouldn’t be included, on the timeliness of the data available and on the challenges this will face in gaining public acceptance, and opinions differ on who should lead the effort.
At this point, I am convinced that the time has come for a data breach scale. Communication to internal staff, partners and the public is always the hardest part of incident response, so this new tool will certainly help deliver articulate information more clearly to data owners and stakeholders.
Questions abound. Who decides if a breach is minor or major? There are many “what, when, where and how” questions to be answered.
The scale could be like the Richter scale for earthquakes, the measurements for the various stages of cancer, or perhaps the different levels that weather forecasters use to describe tornadoes. The purpose is to describe more clearly the different types and scale of data breaches (or perhaps even other types of cyber incidents, such as denial of service attacks or destruction).
(It must be noted that even one person whose data was accessed for unauthorized purposes has a right to know what happened, and doesn't think that breach is 'minor' if it involves their records — no matter how many others are involved.)
What I know for sure is that not all data breaches are created equal. The breadth and depth of the recent OPM hack just underline the need for the breach scale. I have even heard that several organizations have begun working on this effort.
Stay tuned for more details in the coming months. Meanwhile, what is your view? Do you agree that we need a new data breach scale?