Data breaches are much more expensive than data security

May 31, 2019 Derrick Harris

Nearly two years after hackers breached Equifax and accessed personal information on nearly every U.S. adult, the company’s cascade of financial hits continues. Last week, the investment analysts at Moody’s downgraded its rating of Equifax from “Stable” to “Negative,” a result of the company’s massive past, present, and future expenditures to defend against lawsuits and to bolster its cybersecurity posture. It’s a good reminder that proactive data security is a much better idea than improving security practices after the damage has already been done.

And if Equifax alone isn’t a scary enough story, consider the case of home-insurance and title company First American. It’s presently facing a lawsuit as a result of it leaving 885 million files containing sensitive client information on a wide open web server. The company claims there’s no evidence of “large-scale unauthorized access,” but even if that turns out to be true, the situation is a PR black eye and will likely cost a not-insignificant amount of money in legal fees. If it turns out data was stolen, First American could be in for serious financial impact.

On a related note, one could also look at what’s happening in Europe with the enactment of the General Data Protection Regulation (GDPR) last year. While a lot of GDPR discussion is focused around the idea of not abusing citizens’ personal data, the GDPR also imposes potentially stiff fines for data breaches where companies (or their service providers) have been negligent in securing personal data. It'll be interesting to see if GDPR cases establish any sort of baseline for data security practices, and how far any such standards might reach both legally and geographically.

Even if we accept that getting hacked is inevitable, there are still big differences between  companies leaving the door wide open to bad actors, and others, like Google, doing everything they can to secure their operations. The question is what a clearly defined standard for minimally acceptable security practices would look like.

Security starts from the ground up

So what’s an organization to do if it wants to keep data—especially personal data—safe? One option would be to consider it a “toxic asset” and store as little of it as possible, as security expert Bruce Schneier suggests and as the GDPR lays out as a best practice. But, as Schneier acknowledges, that’s not likely to happen with many companies, because they still see too much potential value in having it around—if not for analysis, then at least for easier billing, subscriber management, and other administrative reasons.

Given that, organizations need to get proactive about keeping all their sensitive data secure. And that means implementing best practices at every level of the organization—from infrastructure to applications, and from employee count to email hygiene. Some obvious solutions include:

  • Making data more secure via encryption, differential privacy, or some other anonymization technique.

  • Buying more software to detect threats or intrusions.

  • Hiring more security personnel.

  • Teaching (and perhaps forcing) employees to avoid phishing and other social-engineering attacks.

They’re all smart things to do, but none of them are foolproof on their own. What’s more, demand for security talent is so high (or, perhaps, companies’ requirements for security roles are so high) that a recent survey found cybersecurity second only to artificial intelligence in terms of hiring difficulty. In this case, throwing more people at the problem is not a scalable solution.

Some less-obvious (because they might not come from “security” vendors) solutions include automatically upgrading and patching application components, and, like Wells Fargo, regularly repaving application infrastructure in order to expunge any system-level malware or advanced persistent threats. Another practice gaining momentum at the application level is using tools that automatically scan code for vulnerabilities and offer guidance on how to remedy them.

Whatever is holding you back from getting your data security house in order, don’t let it be money. Especially for large enterprises storing huge amounts of personal data, all of this might very well cost less over the course of its lifetime than the fallout from a single major security incident.

What you need to know this week

The cloud subsumes all

Cray CEO on HPE deal: 'Massive cloud vendors' threatened our long-term survival in supercomputing (GeekWire): This is not the first time we’ve heard this type of complaint, and it won’t be the last. If your main business can be commoditized by a mega-scale provider, you should assume it will be. 

Top 3 cloud migration mistakes: summer 2019 edition (InfoWorld): They are not having a broader vision beyond “moving to the cloud”; not doing DevOps; and not transferring knowledge across the organization.  

Even Uber digitally transforms

Stack history: A timeline of Uber’s tech stack evolution (StackShare): This is an interesting look into how even “digital-first” companies like Uber are continuously evolving in order to meet new challenges and opportunities. 

Athena: Our automated build health management system (Dropbox): What’s good for Uber is good for Dropbox, too. Also, this is a good reminder that testing is a key to quality software. 

Automakers faced with a choice: Become data companies or become irrelevant (TechCrunch): This is probably an overstatement, but there’s no denying that automakers and everyone else needs to reckon with how data can improve their products. 

Walmart hires former Google, Microsoft and Amazon exec Suresh Kumar as new CTO and CDO (TechCrunch): Walmart is kind of the canary in the coalmine for the practice of hiring high-tech execs to lead its digital transformation. We’ll see how well those skills transfer from one type of company to another. 

The era of exponential improvement in healthcare? (McKinsey): An assessment of just how much technology might change the nature of healthcare in the years to come. The potential is there for huge advances, but execution will be critical. 

AI is about ideas

What boards need to know about AI (Harvard Business Review): The first and most important takeaway here is that AI “is math, not magic.” Also, it’s a long-term operational expense, not something that can be solved with a one-time investment. 

Applications of data science and machine learning in financial services (O’Reilly): Exactly what it sounds like, and a good starting point for folks in the space who haven’t yet begun applying them in earnest. 

Ford brings in startup to test walking robot deliveries (Wall Street Journal): This is Ford trying to beat Amazon and Uber at their own game. Because you can’t win the game if you don’t play. 

When quantum computing meets smarter digital assistants and more (Wall Street Journal): We’re probably at least several years away from truly commercially viable quantum computing, but most signs point to its emergence. Solving problems too complex the pattern-recognition capabilities of deep learning look like its killer app. 

HSBC to open 50-person artificial intelligence lab in Toronto (The Globe and Mail): AI labs and partnerships with universities (or existing labs) are a good idea for companies of the right size, with the right technical chops and in the right industries. Like banking. 

Chick-Fil-A can spot signs of foodborne illness from social media posts with 78 percent accuracy (VentureBeat): This is not exactly an earth-shattering application—words like “vomit” and “food poisoning” are pretty explicit, even accounting for the casual nature of social media posts—but it’s a fast way for a company to get ahead of potential problems. 

Other resources worth checking out

Top Emerging Trends in Cloud-Native Infrastructure (Gartner; subscription required)

The Three Magical Ingredients of Transformations (Gartner; subscription required)

Are You Ready for Multicloud and Intercloud Data Management? (Gartner; subscription required)

The CIO’s Role in Creating a Culture That Performs (Gartner; subscription required)

How to Organize AI Talent (Gartner; subscription required)

Cut the Digital Transformation Fluff: Creating Metrics That Matter (Pivotal webinar)

About the Author

Derrick Harris

Derrick Harris is a product marketing manager at VMware.

More Content by Derrick Harris
Build a Better Upgrade Practice with Pivotal Platform Automation
Build a Better Upgrade Practice with Pivotal Platform Automation

Reap the Benefits of Small, Constant Cloud Platform Upgrades

Microservices are still where software is heading
Microservices are still where software is heading

If you’re struggling to keep up with what seems like a software ecosystem moving at warp speed—microservice...