Before 2014 was more than a few hours old, we got news of yet another massive data breach. This case involves 4.6 million user names and phone numbers of Snapchat users — including mine. Passwords weren’t compromised but phone numbers associated with the account were posted online (minus the last two digits) by a group whose stated intention was to embarrass Snapchat for not having fixed a known security risk. On the same day, the official Skype account on Twitter was hacked, reportedly by the group calling itself the Syrian Electronic Army. Only weeks earlier, 40 million Target accounts were compromised.
In both the Snapchat and Target cases, there was really nothing users could have done to prevent their accounts from being compromised other than not using a credit or debit card at Target or not following Snapchat’s suggestion of providing your phone number to enable it to help you find friends.
I think about security risks a bit like I think about transportation. If you’re driving your own car, there is a lot you can do to increase your safety. You don’t have complete control — another driver could slam into you — but there are plenty of things you can do. But if you’re on a plane, you’re pretty much at the mercy of the airline and the various government agencies that regulate air travel. Sure, it’s up to you to put on your seat belt and stow your objects during takeoff and landing, but other than that, there’s not much you can do.
Airline safety is regulated by the Federal Aviation Administration, but Web and app security is pretty much up to the individual company you’re doing business with. While I’m reluctant to propose federal regulation, I do think government should play some role in protecting consumers, given the risk and consequences of these breaches.
One issue with regulation, said National Cyber Security Alliance CEO Michael Kaiser, is that “technology is complicated and forever changing.” Unlike the airline or food industries, the underlying technology used by some of these online sites is constantly evolving. But government, said Kaiser, can help encourage “a culture of security from day one.”
I agree. Sometimes it feels like companies think about safety, security and privacy as something they can put off rather than bake in from the start. It’s almost like an automaker with a new model waiting until it had shipped a few thousand units before getting around to installing brakes, seat belts and air bags.
One thing government has done is this: The National Institute of Standards and Technology has issued a Preliminary Cybersecurity Framework that lays out a series of steps that various sectors of the economy can use to implement best practices in cybersecurity. The executive order, signed by President Obama last February, called upon the institute to establish a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk.
The trick is to avoid government micromanagement of how companies protect their infrastructure while encouraging companies to improve their security. It’s a tough balance because there will always be forces trying to get government to put the hammer down on companies with lax security, and there always will be forces arguing that the government should keep its hands off industry for fear that it can stifle innovation. The answer lies somewhere in between, where government holds industry accountable while at the same time allowing industry to use its own talents and resources to find solutions.
There is also the trade-off between security and convenience.
We can make sites and services more secure by requiring things like dual factor authentication or perhaps biometric devices like fingerprint readers or iris scanners. But these would come at a cost to convenience. As any airline traveler will tell you, post-911 regulations to make the skies safer have also resulted in longer lines and more invasive security procedures that many of us grumble about every time we go to the airport.
In the meantime, it’s up to each of us to do what we can. We can’t police the servers that companies use to store our data but we can make sure we have strong passwords and good PC and network security.
Having a secure password wouldn’t have protected Snapchat users in this breach, but it’s still a very good idea. Of course you also want passwords you can remember. My strategy is to think of a phrase and then use the first letter of each word in that phrase with at least one uppercase character plus a symbol and a couple of numbers. For example, the phrase I met Susan Jones in 1992 could be ImSJi#1992. To avoid using the same password on every site, I add a letter or two at the beginning or end that I associate with the site. I also use a password manager like Roboform or Lastpass so I don’t have to type in the password each time.