Serious security: Three changes that could turn the tide on hackers
We might not be able to win the war against hackers, but we can prepare better for the battles ahead.
It's all gone. All the passwords, all the user names, all the credit card numbers, the selfies, the fingerprints, the emails.
The state of tech security is currently so dire that it feels like anything you have ever stored on a computer, or a company or government has ever stored about you, has already been hacked into by somebody.
It's become so bad that it's already generated a mirthless cliché -- that there are only two types of companies: the ones that have been hacked and the ones that don't yet know they've been hacked.
That's a pretty poor return on the $75 billion spent on tech security last year.
So where did it all go wrong? Building secure systems is hard, especially when the security is being bolted on afterwards, as is often the case. And security is expensive and hard to justify as it doesn't come with a visible return on investment, making it easier to skimp on when times are hard.
On the other side are the attackers: lone hackers with enough time and interest to probe every potential weakness in a website, or the organised crime groups with the contacts to be able to turn a flaw in a company's security setup into a lucrative payday. Add to that the state-backed groups with the experience and the patience to lurk inside a network and then strike when the time is right for maximum impact.
The defenders have to get it right every time, whereas the attackers only need to find one weakness to bring the whole thing crashing down.
Even worse, the constant stream of breaches make it harder for us to care, and we become numbed and apathetic: it's not hard to wonder about the point of attempting to protect our personal data when the largest companies and government agencies are busy leaking it.
It's a problem that's not going to be fixed anytime soon either: the FBI's former cybercrime chief said that this is a battle that won't be won in our lifetime. But it's a battle that's important and increasingly close to home, especially as we start filling our homes with smart devices equipped with cameras and microphones.The data leaks and hacks until now will be insignificant compared to the potential security risks that will arise as the digital and physical worlds become more connected -- consider the threat of hacking Internet of Things (IoT) innovations like self-driving cars.
So what can we do? I'd suggest three decent starting points.
- First, as consumers we need to stop shrugging and accepting data leaks as business as usual. Security should influence our buying decisions: the organisations we deal with won't take security seriously unless customers and the public do, too. Our behaviour should signal to companies that good security can be a competitive differentiator. At the moment our apathy too often lets them off the hook. We as consumers need to understand the value of our data and then hold those that store it to account.
- Second, companies should design security as a fundamental part of the services we use, not a nice-to-have addition. Few hackers will give a new service time to implement security before attacking it, yet too many innovations (the IoT, I'm looking at you) seem to think security is a secondary consideration until they make it big. Until that changes, security will always be an afterthought.
- Third, the use of strong encryption should be the standard, not the exception. The digital services we use are now too intimate, too important, to be left unencrypted. The revelations of the last few years have shown us that no stream of data on the internet will go untapped by crooks or government.
These might seem like small steps, but we have struggled to take them until now. The security challenge is only going to get worse unless we act soon.
Agree? Disagree? Let us know in the reader comments.
ZDNet Monday Morning Opener
The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and the US.
Previously on Monday Morning Opener:
- Innovation and automation fail to excite Joe Average
- The one thing Google and the rest of us can learn from Apple about hype
- Why a bit of fast talking could save the PC from disaster
- Dell Technologies vs. HPE: A tale of two business model strategies
- Why identity protection is the next phase in security
- 3 things you can learn from the NFL about digital transformation
- Census 2016: A case study in the confluence of failure
- The dirtiest little secret about big data: Jobs
- Windows 10, Android, iOS, and the billion user question