Where is my privacy?

In this article we consider privacy and security (P&S), IT system vulnerabilities and their possible outcomes.

Here is a fictitious scenario.

Some years ago a company developed a custom-made CRM (Customer Relationship Management) system that holds confidential personal information in its database. It was built in a hurry and cost more than expected. “We used the technology that our IT service provider suggested,” comments the person responsible for the system. “I know the service provider very well; the CEO is a good friend of mine.” On closer inspection, not all non-functional best practices are in place: application logging, password handling and data encryption practices, access control policies, processes for patching servers and databases, and processes for operations and further development. The CRM business owner is not a technology expert. The company has a privacy officer and a person responsible for managing the customer register. The privacy officer and the company's lawyer do their best to ensure that the GDPR (General Data Protection Regulation, the EU regulation on data protection) is followed as it should be. The GDPR defines the responsibilities and obligations of data controllers and processors, and these should be covered, for example, in all contracts. However, even when the contracts are well made, the project team members often do not know what those responsibilities and obligations mean in practice. Many people have access to the system and its data, and there is no single view of the P&S practices.

Does this sound familiar?

There are at least the following scenarios for how a company treats its IT and its P&S.

In the first case, the company has very few or no IT people of its own and fully trusts the IT service provider and its knowledge to deliver secure IT services. Alternatively, the company has its own IT people, but because of a lack of technical competence or through negligence, IT matters are not handled professionally. In the third scenario the company has competent IT professionals who know the IT systems well and consider causes and consequences. In all three cases it varies whether P&S processes are in place and whether they are followed. In addition, there are companies with excellent internal P&S practices that nevertheless use personal information for advertising or other purposes in a way the end user would really not accept. For example, how many of you read the privacy statement before starting to use a new mobile or web application? A user may accept terms and conditions that allow the application to read the contents of his phone, track his movements and much more. If you want to protect your privacy, read the privacy statement before you start using a new service.

Coming back to system vulnerabilities. Let's assume the IT responsible raises a concern that P&S is compromised in the system or in its development. For example: the system uses a technology with known vulnerabilities; it was cheap to build and now we have to live with it. The company has no systematic lifecycle process for internal and external employees; how do we make sure that all unused accesses are terminated? Or, is there a conflict with the GDPR if the IT service provider uses Git for development (for instance, if customer data or database extracts are committed to a repository, whose history is difficult to purge afterwards)? A business unit ordered a customer-facing mobile application directly from an IT vendor; what is the possible problem, and what happens next?
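The access-lifecycle question above ("how do we make sure that all unused accesses are terminated?") has a concrete, scriptable answer: periodically reconcile the accounts that exist on a system against the HR roster of people who should still have them. The following is an added example, not code from the original article or from any real company; the roster, account list, system names and the 90-day idle threshold are all constructed for illustration.

```python
"""Stale-access reconciliation (added example with constructed data).

Compare the accounts present on a system with the HR roster of people who
should still have access, and flag every access that ought to be removed:
  - orphaned: the account owner is not on the roster at all (ex-employee
    whose record is gone, or a service account nobody has justified),
  - left:     the owner's employment or contract end date has passed,
  - idle:     the account has not logged in for more than MAX_IDLE_DAYS
              (or never), so the access is unused and should be revoked.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    user_id: str
    kind: str                 # "employee" or "contractor"
    end_date: Optional[date]  # employment/contract end, None if open-ended


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    last_login: Optional[date]  # None if the account has never logged in


MAX_IDLE_DAYS = 90  # assumed policy threshold for this example


def stale_accounts(roster: List[Person], accounts: List[Account],
                   today: date,
                   max_idle_days: int = MAX_IDLE_DAYS) -> Dict[Tuple[str, str], str]:
    """Return {(user_id, system): reason} for every access to terminate."""
    people = {p.user_id: p for p in roster}
    findings: Dict[Tuple[str, str], str] = {}
    for acct in accounts:
        key = (acct.user_id, acct.system)
        person = people.get(acct.user_id)
        if person is None:
            # Not in HR at all: either a leaver or an unjustified service
            # account. Both need an owner, so flag rather than ignore.
            findings[key] = "orphaned: no matching person in roster"
        elif person.end_date is not None and person.end_date < today:
            # Contract or employment ended; access survived the off-boarding.
            findings[key] = f"left: {person.kind} ended {person.end_date}"
        elif acct.last_login is None:
            findings[key] = "idle: never logged in"
        elif (today - acct.last_login).days > max_idle_days:
            findings[key] = f"idle: last login {acct.last_login}"
    return findings


# Constructed sample data: an HR roster and the account list of a CRM
# database and its admin console, as of a fixed "today".
TODAY = date(2024, 6, 1)
ROSTER = [
    Person("anna", "employee", None),
    Person("bob", "contractor", date(2024, 3, 31)),  # contract ended in March
    Person("carl", "employee", None),
]
ACCOUNTS = [
    Account("anna", "crm-db", date(2024, 5, 28)),        # active, fine
    Account("bob", "crm-db", date(2024, 5, 20)),         # still used after contract end
    Account("carl", "crm-db", None),                     # granted but never used
    Account("svc_report", "crm-db", date(2023, 11, 2)),  # not in the HR roster
    Account("anna", "crm-admin", date(2024, 1, 15)),     # admin right unused > 90 days
]


if __name__ == "__main__":
    for (user, system), reason in sorted(stale_accounts(ROSTER, ACCOUNTS, TODAY).items()):
        print(f"REVOKE {user}@{system}: {reason}")
```

Two caveats a practitioner would add. A service account such as `svc_report` is deliberately reported as orphaned rather than silently skipped: the fix is an explicit allowlist with a named owner, not a blanket exemption. And the roster and account exports must come from the systems of record (HR and the target system's user store), because a hand-maintained spreadsheet is exactly the thing that drifts out of date.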

The changes cost money, they take time to implement, and the business person who should finance the P&S change does not necessarily understand the need or the urgency. P&S improvements have no direct business benefit. The security officer and the privacy officer are involved, but the outcome of the discussions can be a few non-technical action points that have nothing to do with application security or security processes. All parties look at the problem from their own perspective and there is no common understanding. As a result, the important changes are never made.

Then one day it turns out that the system was compromised and all the data was lost. The intrusion was not detected when it occurred; it was noticed by somebody outside the company.

Whose fault is this?

In the old days IT was simpler. A system consisted of a couple of servers, they were physically isolated, access was limited, and so on. You knew where your data was. Nowadays IT is big and fast: a system can consist of a group of servers spread across several hosting centers or clouds. Application development speed and productivity have increased; there are many sophisticated programming languages and ready-made libraries, and a single click can generate hundreds of lines of code. At the same time the IT lifecycle has shortened significantly: when new software or hardware reaches the market, a newer version is already waiting to be published. The hectic development cycle and the number of technical layers lead to more bugs and vulnerabilities.

Who has the control?

This is the unfortunate situation we face today: technology has become so complex that a deep technical understanding of the whole stack is not possible for a single person. What are the alternatives? One is a group of IT professionals who each take care of their own area of expertise. The problem here is the boundaries between their areas of knowledge; a boundary may be covered, or it may not. This is another type of “bug”: a gap in knowledge that leaves a vulnerability reachable by an external person, i.e. a hacker. Another alternative is a person who can understand how a request, a signal or a bit propagates through all the technical layers, and who can then identify the soft or problematic areas. We say that such a person has technical leadership. Such people are scarce. The third option is automation: intrusion detection and prevention systems, continuous integration and delivery tools, infrastructure-as-code methods, and so on. However, even if you have software that shields your system, the hacker may use more sophisticated methods than yours, such as machine learning algorithms, to find the security vulnerabilities.

It is very hard to achieve maximum security. Security is like an onion (defense in depth): when you peel one layer away, the next layer appears. If there are enough layers, the hacker gives up and chooses an easier target. How many layers are enough? Nobody knows, but there should be enough. A good working assumption is that you always have some vulnerabilities in your system, and the goal is to mitigate the threat.

Let’s be very pragmatic and consider concrete areas that can be improved.

  1. Leadership and company culture: As in many other areas, good practices start from leadership and attitude. P&S needs to be taken seriously at all levels, and especially by top management. Leaders should sponsor and prioritize P&S-related decisions. P&S thinking should be embedded in the company culture, from which it flows into all daily activities: documentation, application development practices, architectural principles, privacy and security by design, coding guidelines, audits, operations, controls, and so on.
  2. Infrastructure security and cloud: If technical knowledge, P&S resources or money are limited, a good practice is to use cloud-based applications instead of “cheaper” custom-made on-premise solutions. Many well-known cloud providers have addressed and solved some (or most) of the P&S problems: you can build the architecture in a loosely coupled way, use tested software packages and products, enable natively built-in services such as audit trails and logging, use robust access controls and tracking, and use the many ready-built data encryption features. Note that this is a shared responsibility: the provider secures the underlying platform, but configuring those controls correctly, managing identities and protecting the data itself remain the customer's job. In a custom approach you must pay particular attention to all of these P&S areas yourself and have the right skills to do the work.
  3. Continuous process: Some P&S measures are one-time implementations, but most are continuous processes. The key P&S processes should be identified, assigned to knowledgeable people, defined, continuously improved and followed up. This is part of the company culture.
  4. P&S tools: Use tools for P&S automation. Good P&S solutions are seldom free; if something is very cheap, usually something is not properly made. One can argue that in the public cloud the P&S tools are free. Yes, they are free as such, but you pay their price through the cloud's computing services.
  5. Technical competence: This is perhaps the most problematic area. There are not enough IT professionals with deep knowledge to meet the demand, and there is a war for talent. When companies outsource IT, it may be that not a single person internally has enough technical competence to keep things in order. Hiring managers should also understand what technical leadership means; it already takes quite a lot to understand what you need. The question is therefore: if I cannot get the skills necessary to complete my IT work, should I leave this business, or do I run the business with the risk? My guess is that many companies out there have taken the (uncalculated) risk. We now live in a world where new technologies emerge at an accelerating pace, system complexity increases and cybersecurity threats have become reality.

Are companies well prepared, and can people trust that their P&S information is properly treated?

My answer is no. In too many cases P&S has been assigned and outsourced to the privacy officer, the security officer, the lawyer and a handful of people who consider the matter important. The rest of the organization then assumes the problem has been taken care of and does not concern them. P&S is not seen as a shared objective, and the P&S culture is missing.

I quote academician Georg von Wright, who stated: “People have to suffer before they learn”. This seems to be true of cybersecurity as well as of big matters like climate change. We will have to experience a series of catastrophic events before P&S gets the status it should have. It is naive to believe that we have done enough and things are fine now.
