A cyber “cold war” has been raging across the digital world for over a decade where the goals of intelligence and disruption have been driven by individual, corporate, and state agendas. The recent spate of attacks on Australian companies is not new, however three key things have become more transparent to the public.
The first is that trusting an organisation, its people, its processes, and ultimately its software to look after the safe use and protection of your data is a fundamentally risky proposition. Before we throw too many stones, though, everyone needs to understand that every piece of software has potential vulnerabilities, ranging from deep technical flaws through to human failure. Add to this the quick-share mentality of the hacker community, which allows newly discovered exploits to spread globally in hours, and the corporate world generally ends up playing catch-up after the data breach has already happened.
The second is that a movement towards greater accountability has arisen, in which the corporate collectors and users of digital information and transactions can no longer disassociate themselves from the responsibility of safeguarding this data. Legislative changes requiring organisations to notify when they are breached, together with ever-increasing penalties, have turned the once-boring data breach into a front-page media item, because the average person is now interested.
Thirdly, there’s money to be made in cyber attacks – selling the data, ransoming the organisation to delete the stolen data, selling access to the compromised systems, the list is long.
Questions are now being asked by the average citizen. Can’t companies protect their systems? Why do they need to keep my personal data?
Keep in mind that many of the systems under attack weren’t built yesterday, and when they were built, their creators simply digitised the analogue processes that had been in place for decades. Think back to opening a bank account in 1980, when you were required to bring 100 points of identity into a branch. Paper forms were filled in, photocopies of the documents were taken and then stuffed into a filing cabinet for future reference. When this process was digitised, the filing cabinet became a database, and the idea that someone on the other side of the planet might be interested in it wasn’t even on the horizon, because the internet didn’t exist: someone would need to be sitting inside the organisation to access the system. Fast forward to 2022 and the ethos of ring-fencing systems to protect them has been undermined by mobility, globalisation, and cloud. Compounding the problem, the methods associated with user identity and account protection have lagged behind, with band-aids such as two-factor, multi-factor, biometrics, and AI being completely misrepresented as fit-for-purpose solutions to this very human-centric problem.
Governments need to accept a large share of accountability for this lag, as the regulatory and legislative rules have been compiled in conjunction with advisory and industry stalwarts who reinforce the need for their own technologies and processes. The key reason we are seeing exponential growth in data breaches is not that the hackers have become smarter, but simply the fundamental flaws in existing identity and authorisation technologies and processes that continue to be touted as the gold standard. Simple social engineering, multi-factor fatigue, and the fact that humans are involved lead to accounts being compromised and data being leaked. If the government truly wants to solve this problem, then it needs to lead with the adoption of new technologies that solve the underlying issues once and for all, and set hard timelines for organisations to clean up their systems and processes.
Technologies such as Cipherise exist that completely eradicate transferable identity and control the use of systems with mutually assured threads unique to every use. This ensures people cannot be tricked into giving away access to a system and furthermore, Cipherise provides a decentralised, secure data wallet which ensures large-scale data breaches are a thing of the past.
In closing, companies cannot continue to simply add more locks to the door in hope that it deters someone from trying to see what’s behind it. Whilst hackers can get a large return from a small investment, we will continue to see breach after breach after breach, and this will only change when we flip the economics such that a large investment generates little to no return.