Author Archives: Adam Levin

Rated P for Private? It’s Time to Re-think Privacy

You probably know privacy is a thing of the past, that is unless you spend a lot of time digging for freshwater clams in marshlands of Loon Lake. Mark Zuckerberg said it years ago, but he thought it was a good thing. In the wake of the Equifax breach and Cambridge Analytica, the end of privacy is no longer scary. It’s neutral. We’ve reached a “Now What?” moment.

Is It the Algorithm or the Microphone?

We can all agree paranoia is bad for business, and there’s plenty to go around these days whether you’re on the marketing side of things, the breach side, or the consumer side.

With no expectation of privacy, we’ve become a little numb to the parade of stories–both reported by the media and anecdotal–of connected devices eavesdropping on us–serving ads for things mentioned in casual conversation. But we’re all online every day, and in the process leave a trail of cookie crumbs for marketers to find us. There’s no need for a hidden mic.

While many enjoy the convenience that facial recognition provides in retail micro-targeting products and services, others hate it. We’ve heard the cringe-worthy news about health apps sharing some of the more intimate details of our sex lives with Facebook, Google, and other third parties.

Some of us shrug it off. The convenience made possible by the forfeiture of privacy is worth it to them. For others, it is an unacceptable situation. This is unfortunate, because it’s not a situation. It’s new norm, and none of it inspires a feeling of security.

A worried customer or client is a hesitant customer or client. So, how do you ease that tension? I would argue that, ironically, you can do this by creating a high information environment, where everyone can make informed decisions about how they want to interact with businesses and services.

Moving Right Along…

The need to protect privacy no longer needs an introduction. There’s plenty of legislation. New privacy laws in New York and Nevada law will go into effect October, with California’s CCPA in January 2020. Maine and Vermont already have enacted stronger laws to that effect, and many states are expected to follow.

There’s a big “but” here. Without the right solutions provider navigating privacy law can be prohibitively expensive for small to medium-sized companies. Add to that the possibility of compliance costs in a marketplace with many different laws, and we have a potential company killer on our hands. Google may be able to weather a $170 million fine for non-compliance without flinching; most of us can’t.

A Modest Proposal

Once upon a time, Hollywood was faced with a similar situation. In the beginning, there was no ratings system and it was a problem. There were many family-friendly films and then there were those that would make Mae West blush, but there was no way for the audience to know which was which. The result was an opportunity cost. Some people avoided the movies because they were perceived as scandalous.

Enter the Motion Picture Producers and Distributors of America (MPPDA and later MPAA), which set guidelines later formalized as the movie rating system still used today. It’s not a perfect system, but the benefits outweigh its flaws. First of all, it’s voluntary. The MPAA created an opt-in industry standard, avoiding the need for legislation. The gaming industry also rates product.

Most importantly, it was end-user friendly. You don’t need to know anything about Rambo: Last Blood or Abominable to decide which is better for kids; one is Rated R and one is Rated G. A similar system might work for websites and apps.

Here’s a sketch of what that might look like:

P–Protected User: Data is either not collected or it is protected and in compliance with online standards such as the GDPR, CCPA, SHIELD, HIPAA, COPA or PIPEDA.

ND–Not Distributed: Personally identifying information is collected to personalize an experience (location, ad preferences, etc.) but it is not shared with third parties.

A–Anonymized: Non-identifying usage data is collected and shared with third parties. (Forget for the moment that there’s no such thing as anonymized data that can’t potentially be re-identified in today’s deep data environment).

S–Shared: User data is collected, shared, and/or sold to third parties. (Think: Naked in a glass house.)

If a collection of privacy and data use experts could get together on the creation of this rating system, privacy policies would no longer be so perilous.

Would it work? Online privacy is getting more complex with every new whizbang, regulation, law, court case, breach, compromise, and scandal. Any workable solution needs to counter that with a general approach that can be applied globally.

If this isn’t it, it’s time to figure out what is.

The post Rated P for Private? It’s Time to Re-think Privacy appeared first on Adam Levin.

This Common Mistake You May Be Making Right Now Exposed an Entire Nation to Identity Theft

A routine data project revealed that the personally identifying information of the entire nation of Ecuador might be online for all to see–just like, potentially, your data.

The information included records belonging to deceased citizens and more than 7 million minors. It was discovered by researchers from the security firm vpnMentor while conducting “a wide-scale Web mapping project.”

According to vpnMentor’s report, the ongoing project made the discovery possible by scanning ports “to find known IP blocks.” It then searches for “vulnerabilities in the system that would indicate an open database.” When a compromise is discovered, the company then traces the data back to its source and delivers the bad news.

While the full extent of the damage done here is not clear, it’s sure sounds like a potentially Titanic-meets-iceberg level event.

What We (and the Bad Guys May) Know

The extremely granular personal information of more than 20 million people was exposed. Ecuador’s population is 16.5 million, which means nearly 4 million of the individuals affected may be deceased.

The data included personal and corporate tax ID numbers and bank account information–including current balance in the account, amounts financed, credit types, and the location of a bank branch used by an individual. The same information about family members was also available, as well as how people in the data set were related to each other.

All the essential information needed for account authentication and/or takeover were there, too. A short list of the available data included full name (first, middle, last); gender; date and place of birth; home and work addresses; email addresses; home, work, and cell phone numbers; marital status; date of marriage (where applicable); date of death (where applicable); and the highest level of education achieved.

WikiLeaks founder Julian Assange was even in there, Ecuador’s most famous asylum seeker.

Describing itself as an organization of ethical hackers, vpnMentor said in its statement about the discovery that it never sells, stores, or exposes compromised information, but rather uses the existence of a compromise or leak as a teachable moment.

Teachable Moments Are Expensive

Sponsored by IBM Security and independently conducted by the Ponemon Institute, the 13th-annual Cost of Data Breach Study found that the average per-record cost of a breach was $148 last year. That would put the cost of this compromise at nearly $3 billion.

So, what can we learn from this data debacle? The compromise was caused by–wait for it–a third-party vendor. According to CNN, the breach was found on an unsecured server in Miami, which appeared to be owned by an Ecuadorian consulting and analytics company called Novaestrat. While it remains unclear as to how Novaestrat gained access to the government database, it is presumed that someone currently, or formerly, in the Ecuadorian government handed over the data–no matter the reason–and in the process potentially exposed it to criminals around the world.

The first takeaway should be that you are only as secure as your least secure vendor and/or collaborator. In the realm of cyber-liability, that and three bucks will get you a cup of coffee to sip while you wait for the submarine to the unemployment line at the bottom of Loon Lake.

This sort of mistake keeps happening because people continue to doubt the persistent and pervasive threats we face in the business community and beyond.

It matters because the information exposed in this incident was sufficient for a competent identity thief to commit every imaginable identity-related crime. There’s gold and endless liability in them thar hills of data.

What You Can Do

Practice the 3Ms.

Minimize your exposure: Vet your vendors! Foster a culture where everyone from the mailroom to the boardroom is invested in privacy and data security. Train your employees from their first day and have an ongoing discussion about best security practices. Create a map of information access, and make sure your most sensitive data is only available to those who need to have access and practice proper cybersecurity protocols to keep the data safe. Have a sensible BYOD (Bring Your Own Device) policy, and remind employees about the importance of installing updates on connected devices. Hire a chief information security officer–never leave your security solely to the IT department.

Monitor your networks and your assets: Make sure regular assessments are conducted on the security of all your data assets–and don’t wait for a call from a “white hat” hacker.

Manage the damage: How an organization responds to a breach or compromise is a defining moment. It is crucial that you act urgently, transparently, and empathetically. In order to avoid an extinction-level event, have a robust incident response plan. Have a media plan, and consider putting a crisis management firm on retainer. Game various scenarios and have a team in place to help your clients, as well as both in-house and third-party experts who understand the timing and notification requirements in each state for various regulators, law enforcement officials, insurance companies, employees, and customers. Can your company really afford to roll the dice on cybersecurity?

The post This Common Mistake You May Be Making Right Now Exposed an Entire Nation to Identity Theft appeared first on Adam Levin.

Companies Can Have Their Identities Stolen, Too. Here’s What to Do About It.

When Twitter CEO Jack Dorsey’s account was hacked for roughly 20 minutes, we all got a glimpse of corporate identity theft, and why it matters. While the takeover was by no means a major cyberevent (and the account was quickly recovered), the fact remained that the CEO of a major company lost control of his account on a service that he literally controls.

Around the same time, an Instagram phishing scheme was circulating where users were prompted via a spoofed Instagram email to enter their logins and passwords after they were sent a 2-Factor authentication code. Instead of logging into their actual Facebook-hosted accounts, they found themselves on a replica of a legit Instagram page hosted in the Central African Republic. It was exactly the kind of attack that makes hacks like the one perpetrated against Jack Dorsey possible, and, more to the point, it’s why they happen literally every day. 

Need more evidence? How about the unnamed CEO who was recently scammed to the tune of a couple hundred thousand dollars thanks to an audio deepfake that convincingly mimicked the voice of his boss–the CEO of a parent company–including the most subtle nuances of his German accent. The money was wired to Hungary, quickly transferred to Mexico and then dispersed amongst an untraceable number of other accounts. 

Getting hacked is a fact of life, right up there with death and taxes. If you think you’re somehow above this third certainty in life, you’re all the more imperilled.  

I could provide countless other examples, but they all boil down to a lesson that businesses are learning the hard way and what their customers already know: it’s easier to fall prey to identity theft than it is to prevent it. 

The Goals of Business Identity Theft

If stealing an individual’s identity is lucrative, stealing a company’s identity can be the motherlode. Even a midsized company often have in their possession the data of thousands of customers, contacts, and contractors; a single official-looking email can open the door to innumerable types of fraud, both internally and externally. 

The attack doesn’t need to focus directly on monetary prizes: the hijacking of Twitter’s CEO’s account garnered a lot of the wrong kind of publicity–and there is such a thing as bad publicity. In the hacking world, the prestige of making Jack Dorsey look foolish for twenty minutes most likely exceeds an anonymous hack of 100,000 accounts. Reputation is a powerful currency, and compromising the leadership of any company with an online presence represents a potent boost. 

Consider what would happen were someone to hire that hacker to compromise a more important account–for saying’s sake, President Trump’s account. That control could actually affect world markets. The same could be said for hacks of any major leader in the public or private sectors. There is a huge financial upside to such hacking. It is crucial to bear this in mind at every moment of the day, and behave accordingly. 

That said, data leaks, account takeovers and breaches start to look positively quaint in light of the potential sabotage represented by deepfakes. 

People wire money on the basis of a phone call all the time. The harm caused by a phony corporate communication to shareholders or the general public could represent a catastrophic loss of money and confidence. Erratic behavior in the C-Suite can tank stock prices (just ask Elon Musk), and even crudely faked videos have gone viral (just ask Nancy Pelosi or Mark Zuckerberg). 

We’ll be seeing deliberate attempts to damage the reputations of businesses and their leadership as deepfake technology becomes more ubiquitous, and with that in mind it’s time to level up. 

What Businesses Can Do:

My advice for businesses faced with having their identities hijacked is similar to my advice for individuals–practice The Three Ms.

Minimize Your Risk of Exposure: Put resources into training your staff to recognize phishing scams and to practice good cyber hygiene. Vet contractors and vendors based on their security practices to minimize supply chain risk. Consider requiring employees to log in to a VPN (virtual private network), especially if they’re connecting to the company network remotely. It’s often the sloppiest of mistakes that give hackers access to your business. Training and sound cybersecurity policies can fill in the gaps where technology often fails. 

Monitor Everything: Establish a policy at your business about transferring funds; in the era of deepfakes, it’s important to know who is likely to request access to money, and how it should be handled. Always double check by getting confirmation on the phone. All systems can introduce vulnerabilities, especially the introduction of new technology. Create a culture where employees know that if they see something, they will be rewarded for saying something. Cybersecurity is a team sport. 

Manage the Damage: When it comes to a compromise of your company’s identity, honesty is the best policy. Own up to a data breach as quickly as possible (especially if you are subject to the GDPR’s 72 hour requirement), be transparent about lapses in security, and review any policies that allowed the compromise to occur in the first place. Jack Dorsey’s Twitter hack may have been embarrassing, but the company moved quickly to close the security loophole that allowed it to happen. Perhaps most important, have some empathy. Cyber-fails are scary. Remember, your news might be more traumatic for your customers or clients than it is for you, and act accordingly.

 

The post Companies Can Have Their Identities Stolen, Too. Here’s What to Do About It. appeared first on Adam Levin.

Prediction: 2020 election is set to be hacked, if we don’t act fast

Since 1993, hackers have traveled to Las Vegas from around the world to demonstrate their skills at DefCon’s annual convention, and every year new horrors of cyber-insecurity are revealed as they wield their craft. Last year, for example, an eleven-year-old boy changed the election results on a replica of the Florida state election website in under ten minutes.

This year was no exception. Participants revealed all sorts of clever attacks and pathetic vulnerabilities. One hack allowed a convention attendee to commandeer control of an iPhone with a non-Apple-issue charging cord, one that is identical to the Apple version. Another group figured out how to use a Netflix account to steal banking information. But for our purposes, let’s focus on election security because without it democracy is imperiled. And if you think about it, what are the odds of something like DefCon being permitted in the People’s Republic of China?

Speaking of China (or Russia or North Korea or Iran or…) will the 2020 election be hacked?

In a word: Yes.

In 2016 Russia targeted elections systems in all 50 states.

A CNN article about DefCon’s now annual Voting Village, described the overall problem: Many election officials and key players in the election business are not sufficiently worried to anticipate, recognize and meet the challenges ahead.

While many organizations welcome the hijinks of DefCon participants — including the Pentagon — the voting machine manufacturers don’t generally seem eager to have hackers of any stripe show them where they are vulnerable… and that should worry you.

DefCon participants are instructed to break things, and they do just that. This year, Senator Ron Wyden (D-Ore.) toured DefCon’s Voting Village and he left with these words: “We need paper ballots, guys.”

Was the Senator right? It’s the easiest solution, but not the only one. Because elections machines are thus far preeminently breakable, we still need audited paper trails.

Paper trails are mission critical

After railing against previous findings of DefCon participants, Election Systems and Software (ES&S) CEO Tom Burt reversed his position in a Roll Call op-ed that called for paper records and mandatory machine testing in order to secure e-voting systems. It’s a welcome move as far as cybersecurity experts are concerned.

After a midterm election featuring irregularities in GeorgiaNorth Carolina and other smaller hacks, and warnings from the likes of Special Prosecutor Robert Mueller, there has been no meaningful action nationwide when it comes to election security, while the specter of serious interference remains. Senate Majority Leader Mitch McConnell (R-Ky.) has steadfastly refused to allow even bi-partisan election security legislation to come to the floor for a vote, much less a debate, and for that reason he and the Republican party are blameworthy for placing politics above protecting our most cherished democratic right.

While the news is on overheated cycles covering every tweet, or sound bite, uttered by President Trump, critical issues like cybersecurity are not being addressed, and this matters — given recent DefCon news of election machines connected to the internet when they shouldn’t be, and the persistent threat of state-sponsored attacks on our democracy.

Think DARPA’s $10 million un-hackable election machine proves all is well? Not quite. Bugs during the set up of the DARPA wonder machine meant that DefCon’s participants didn’t have enough time to properly break the thing. In the absence of definitive proof to the contrary, we have to assume it can be hacked.

What Now?

Instead of discussing the nation’s Voter ID laws, we need to focus on securing the vote.

It is well-established fact that Russia attempted to interfere in the 2016 election in all 50 states, and Israel — an ally of the president — recently disclosed that the Russian government identified President Trump as the candidate most likely to benefit Russia, and used cyberbots to help him win. The fact that President Trump won the election on the strength of just 80,000 votes spread across three key swing states shows how important it is to address the issue. We’re not talking about a blunderbuss approach to hacking the election here. Plausible outcomes can be constructed. It’s been known to happen before.

Some experts think it may soon be too late to secure 2020 against the threat of state-sponsored hacks. I do not. But I think the time to delay to score political points has passed, and now is the time for action.

The post Prediction: 2020 election is set to be hacked, if we don’t act fast appeared first on Adam Levin.

How I Learned to Stop Worrying and Love Vendor Risk

Insider risk, supply chain vulnerability and vendor risk all boil down to the same thing: the more people have access to your data, the more vulnerable it is to being leaked or breached.

This summer brought an interesting twist to that straight-forward situation: Can data leaked by an employee or a contractor be a good thing?

In July, a Belgian contractor who had been hired to transcribe Google Home recordings shared several of them with news outlet VRT. The leak revealed that customers were being recorded without their consent, often times after unintentionally triggering their devices. Google’s response was immediate. They went after the contractor. (Never mind that they were doing something that they had denied. The leaked recordings were for research!!!)

“Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again,” the company said in a press release.

Translation: We’re not sorry we got caught doing whatever we want, but we are sorry we hired the wrong vendor and will try not to do that again.

An Apple contractor shared a similar story with the Guardian a short time later. Recordings taken from the company’s audio assistant Siri were also being transcribed by third-party contractors. This time the news was worse. The company’s watch was consistently recording users without any explicit prompting. Weeks later, a contractor for Microsoft went to Vice with what at this point had become a familiar story, this time in connection with both Skype and Cortana.

Whistleblower or Data Leak?

The typical narrative is that someone with inside knowledge of a company or its technology is able to exploit it to some sort of ill purpose. The accused hacker behind the recent Capital One data breach had previously worked for Amazon Web Services and was able to exploit her knowledge of a common firewall misconfiguration to steal customer data: more than 100 million records. Anthem and Boeing similarly suffered large-scale breaches perpetrated by insiders.

What makes the rash of recent data leaks noteworthy is that external contractors had access to data that they didn’t think they should have, and they did something about it. With the exception the leaked data in question was passed along to press outlets for the express purpose of preserving customer data. And it worked, at least in the short term. Apple and Google suspended their use of human transcribers, and Microsoft has made their privacy policy more explicit.

HR or IT?

What’s interesting here (other than the revelation that just about every major IoT speech-recognition product on the market has been spying on us without telling us) is what it reveals about insider risk.

It seems increasingly apparent that risk has as much to do with a company’s HR department as it does its cybersecurity policy. A single disgruntled employee with an axe to grind is a familiar scenario, and one that can be mitigated through careful data management, but widespread unhappiness with a company’s ethical practices is significantly more difficult to manage. It brings to mind that semi-old adage, now-defunct company motto at Google: Don’t be evil. Or rather, be nicer to make yourself less of a target.

Google has had to contend with internal protests ranging from its involvement with Chinese censorship to its work with U.S. border and immigration agencies. Both Amazon and Microsoft experienced similar unrest among employees for their contracts with ICE. While none of these have led to large-scale data breaches yet, knowing that there are potentially thousands of employees and contractors with access to sensitive information and a motive to leak, it is a matter of serious concern.

The new law of the cyber jungle: Widespread disapproval exponentially increases one’s attackable surface.

While employee whistleblowers are nothing new (just ask Enron or Big Tobacco), it’s semi-terra incognita in our era of massive data breaches. We’re used to thinking of any kind of data breach and any kind of data leak as being a bad thing, and it usually is. But there is a grey area when companies are not playing by the rules in an environment where people are highly motivated to call them out for bad behavior.

What’s the Takeaway?

From a strictly technical perspective, even a well-intentioned data leak has the unfortunate side effect of showing where in the supply chain companies are most vulnerable. If hackers weren’t aware that organizations were entrusting intimate customer data to external contractors, they most certainly know it now.

The post How I Learned to Stop Worrying and Love Vendor Risk appeared first on Adam Levin.

Expect More Spam Calls and SIM-Card Scams: 400 Million Phone Numbers Exposed

As much as I love this one friend of mine, nothing is private when we’re together. You probably have a friend like this. The relationship is really great so you stay friends despite all, but this particular friend simply cannot know something about you without sharing it with others no matter how hard you try to get them to understand it’s totally uncool. 

Facebook Is an Open Book

They did it again this week with news that 419 million records, including phone numbers and user IDs, were scraped from Facebook and stored in a database that was just sitting online accessible to anyone who might like to peruse it. More than 130 million of those compromised by the discovery were American users. Another 18 million were UK users. A whopping 50 million hailed from Vietnam. 

Facebook later claimed about half that number were affected, or 220 million records. 

The information is at least a year old, which was when Facebook stopped allowing developers to have user phone numbers. So, we can call this a Facebook privacy facepalm legacy attack. It’s a sad state of Facebook privacy news fatigue that the urge is so strong to create privacy fail sub-categories—but there you have it. Introducing the legacy fail. 

Why It Matters

Some of the information out there was granular enough to allow a variety of scams, but the most serious is SIM-card swapping scams, where a criminal, armed with enough information about you, and most crucially your phone number, arranges to have your number moved to a phone in the criminal’s possession. 

Once the number has been transferred, the criminal has control of any accounts that are identified by caller ID (including many financial institutions) as well as any accounts protected by two-factor authentication. It is believed this was the method used to recently hack Jack Dempsey’s Twitter account. 

What You Can Do

Assume that you are a target, and tighten your protections. Your phone provider will have tips on the best practices to avoid SIM-card attacks, and common sense can be your guide regarding any unexpected phone calls, and practice the Three Ms:

Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.

Monitor your accounts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible. (You can check two of your credit scores for free every month on Credit.com.) If you prefer a more laid back approach, see No. 5 above.

Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises–oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.

The post Expect More Spam Calls and SIM-Card Scams: 400 Million Phone Numbers Exposed appeared first on Adam Levin.

If You Have to Ask How Much a Data Breach Costs, You Can’t Afford One

According to IBM Security’s 2019 Cost of a Data Breach Report, the average time to identify and contain a breach was a whopping 279 days, and it took even longer to discover and deal with a malicious attack. The average cost of an incident was $3.9 million, and the average cost per record, $150.

A malicious hacker can do serious damage to an organization. Breaches are not a cheap date. Capital One estimated the first-year cost of its recent breach would be $100-150 million. Add to that figure the aggregate cost of as many as 30 other companies suspected hacker Paige Thompson may have hit, and it should be abundantly clear that the damage that can be racked up by just one sociopath is astounding. Equifax was recently ordered to pay $700 million in damages for its megabreach, a figure many derided as a wrist slap.

By now, it shouldn’t be news that the probability of a breach or data compromise hitting your company, or one you do business with, is right up there with two more familiar likelihoods; namely, death and taxes. Likewise, the particular cause of a data breach or compromise is about as predictable as our individual approaches to death and taxes.

You need look no further than very recent news to illustrate the point.

U.K.-based Suprema sells a security tool used by organizations worldwide, including law enforcement. It allows users to control access in high security environments. It’s called Biostar 2, and it failed, leaking fingerprints, photographs, facial recognition data, names, addresses, passwords, and employment history records. Reports say 23 gigabytes of data containing 30 million records were in the wind, including data used by London’s Metropolitan Police, Power World Gyms, Global Village and Adecco Staffing. The cause, human error. The cost here is twofold. Fingerprints in the wind stay in the wind. They can’t be changed. There is no way to put a price on that, but at $150 per record, we might spitball and put it around $4.5 billion.

In other news, an FDNY employee flouted department data security policy by downloading data on a personal, unencrypted hard drive that subsequently went missing. The drive contained sensitive personal information and protected health information associated with more than 10,000 people treated or taken to the hospital by the department’s EMS. It was reported there were also nearly 3,000 Social Security numbers possibly exposed. This leak “only” comes in at a potential cost of around $1.5 million using the $150 a record estimate in the 2019 Cost of a Data Breach Report published by IBM Security. The cost of this unnecessary diversion is of course unknowable.

Another all too familiar way companies get got is by proxy. Choice Hotels recently reported the compromise of 700,000 guest records, which were exposed when a vendor copied their data. The mismanaged data was subsequently discovered by a hacker and held for a ransom, a request the hotel reportedly ignored. Ironically, the data had been on the server to test a “security offering” so there was nothing to ransom since the data was only copied from a server that was still controlled by the company. (That said, ransomware continues to be a very real threat, and it relies for the most part on employee error.)

Honda had a comprised database with more than 134 million records, and the Electronic Entertainment Expo, or E3 as it is popularly known, leaked press badge information that included names, phone numbers and home addresses of attendees, and do you know what these entities as well as all of the aforementioned organizations did not do? They didn’t do cyber right.

We all need to listen to the wisdom of The Office’s Dwight Schrute who said, “Whenever I’m about to do something, I think, ‘Would an idiot do that?’ And if they would, I do not do that thing.” True that’s easier said than done, and Schrute is a fictionalized proof of that. Human error is not the only threat to a company, but it is the most persistent one. Many of the hit parade of hacks were avoidable, but without an organizational culture predicated on staying safe, it’s hard to make must progress in the war against stupid mistakes.

Data breaches and compromises are expensive, result in an enormous amount of collateral everyday life damage and are more common than inter-relationship bickering. As with love spats and their aftermaths, there is always room for improvement. While it is folly to believe that any company can be made 100% hack or leak proof, they can become harder-to-hit targets. Security can be baked into all processes–from onboarding to new product launches to the storing of key data. They are more avoidable than one might be led to believe, but it requires a sea change in attitude and more importantly a complete change in the way everything digital is done with security always foremost in any given process.

The post If You Have to Ask How Much a Data Breach Costs, You Can’t Afford One appeared first on Adam Levin.