Not long ago, I was ignoring the usual inflight safety message as I waited for takeoff. It's the rare airline that makes these interesting and this certainly wasn't one of them. The only phrase that ever sticks out for me relates to the oxygen masks: "If you are travelling with a child or someone who requires assistance, secure your mask on first, and then assist the other person."
Now, as a parent, this runs counter to every instinct I would have to make sure my kids could breathe. I get it - if I pass out, I'm not much use to them, but it always feels like it would be a far harder thing to do in a real emergency.
Earlier this week, Ashley Madison very kindly provided us with a lesson about the current state of privacy and security on the net. Just yesterday, Lifelock followed up with a lesson that sounds an awful lot like those airline safety messages: Secure your own enterprise before securing the data of others.
I'm going to pick on Lifelock here for a bit (no pun intended), but, as with Ashley Madison, this issue is hardly unique to the identity theft prevention company. You see, Lifelock was already dinged by the FTC back in 2010 for its lack of security infrastructure and policy relating to user data. As Wired reported,
"The FTC found in 2010 that the company had failed to provide 'reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network,' either in transit through its network, stored in a database, or transmitted over the internet."
The FTC followed up this week with a new complaint, alleging that Lifelock had failed to address these deficiencies. More than a few outlets have been happy to point out the irony of a company founded to protect identities failing to provide the necessary security to, well, protect identities.
What too many companies fail to realize (Lifelock included) is that security is everything. Yes, it's especially pointed for a company like Lifelock, but security is at the heart of almost every business-customer relationship in our digital age. Whether those customers are businesses or consumers, if you can't protect their data (or at least give it the old college try), you probably shouldn't have it in the first place.
Obviously there are long-term hacking campaigns that combine sophisticated spear phishing, watering-hole attacks, drive-by malware, and many other techniques to wear down the defenses of even the best-prepared organizations. Breaches are going to happen, in some cases despite the best efforts of crack security teams. More often than not, though, breaches happen because of a combination of careless users, poor policies, and inadequate (or poorly configured) hardware and software.
Lifelock didn't even encrypt user data. They were also cited for poor password management, bad patch management, and policies that didn't appropriately limit access to sensitive data.
Now let's stop for a minute. I put "Lifelock" at the beginning of that sentence, but could you replace it with the name of your organization? I hope your answer is no, but I have a sneaking suspicion that for too many of you, the answer is yes.
Some industries are more heavily regulated than others or come under more frequent scrutiny, but no matter what your line of business, it's critical that you have your security ducks in a row before other people's data hits your network. We used to refer to "other people's money" in a cavalier fashion, describing how we'd use money and resources that weren't actually our own. Now, though, we should be talking about other people's data. And we can't be the least bit cavalier.
If our systems are secured in really smart, multifaceted ways, then and only then can we feel comfortable about playing with other people's data. And, more pragmatically, worry less about the FTC looking our way.