Like many folks, I have been guilty of taking work with me on vacation and constantly checking email and attending to tasks back at the office when I should be using the time more wisely to rest, recover and refocus my mind. For the most part these last few weeks, I have managed to accomplish that difficult goal and unplug, something I highly recommend to anyone. However, the condo where I was staying dropped a copy of the USA Today at my door every morning, and on one particular morning, work was staring at me right on the front page.
The headline touted that 500 million records were stolen in the last 12 months of this year. Of course, this is something I already knew, but personal experience and curiosity convinced me to read the article and think professionally even though I was away on vacation. In particular, that same morning I awoke to an email from American Express to my personal email account alerting me to a security issue with my credit card.
After calling American Express, there was of course an unauthorized online charge, and the end result was a reissue of my credit card with a different number; something too many of us experience and certainly not an exercise in convenience. I was not surprised, as in the previous 72 hours I had been in Singapore, Hong Kong, Vancouver, New York, Los Angeles and finally Hawaii. Somewhere in that marathon of flying over 30,000 miles in just a few days I must have used my card somewhere that someone managed to steal the number and details. To the credit of American Express, they did agree to overnight a replacement to my vacation property, which helped minimize the inconvenience, and even sent me a list of regular charges so that I could easily contact every business where I had recurring payments set up.
Reading the USA Today, the most striking statistic mentioned was that 80% of businesses who were victims of hacking did not realize they were hacked; customers or the authorities had to alert them to the hack. While I’ve written before about the detection gap between breach and discovery, it had not occurred to me that the situation was so severe. This metric is very sobering, as it means that 8 out of every 10 businesses we do business with have such ineffective security that they are unable to detect a breach on their own, and that is a risk to each of us as small business owners or consumers.
In many ways, the digital age we live in is not unlike the filth our ancestors lived in during the Middle Ages. Think about it for a minute, as the comparisons are obvious. Back then, the plague ran rampant and many died before anyone ever figured out it was passed by fleas on rats. Many cities had no indoor plumbing, and chamber pots were simply dumped each morning out the window and onto the streets. There was little, if any, sanitation, and foodborne illness was a daily reality. Even a simple cut or scrape could become seriously infected, as little was known about microbiology and pathogens. So it seems sanitation in our digital world has many parallels to sanitation in the Middle Ages.
Sanitation in the physical world is not unlike sanitation in our digital world. Frequent washing of hands helps stop the spread of pathogens. Proper sanitation and vermin control have stemmed the plague. Indoor plumbing and sanitary sewage systems now prevent diseases spread by human waste. All of those things seem to be common sense and obvious to us because we can see and experience the physical world. But what about the digital world? It seems that what is unseen is far too easy to neglect.
Think about someone living in the Middle Ages. If such a person practiced reasonable sanitation methods, washed hands, took care with food, and avoided those who were ill, then they would have a reasonable chance at staying healthy. Can we create a similar practice and achieve sanitation in our digital age? Yes we can.
Passwords are always the place to start. I have blogged about strong passwords here before, and it is worth mentioning again that use of a passphrase of at least 15 characters eliminates the low-hanging fruit, as these are difficult and time consuming to crack with today’s computing power. Cybercriminals will simply spend their efforts elsewhere, since there are too many ridiculously easy passwords to crack. In addition to using passphrases, it is also important to use a different passphrase for each site. It is much the same as in the physical world, and the example of disposable gloves is a good one. Would a doctor use the same set of physical gloves on each patient? Of course not! Using the same password on all sites is like using the same pair of disposable gloves. Think sanitation.
Vigilance is another area where we should focus on sanitation in our digital world. We need to pay attention and recognize when things are not right, just as our Middle Age ancestor would have been able to pay attention to sickness around him. Many things are interrelated and can provide clues to bad things around us. For example, someone drawing a correlation between the rat population and the number of people falling ill with the plague would have made the connection. But what about our digital world?
Getting back to my own example and experience with American Express, there are often events which correlate to each other. After dealing with the security alert and contacting American Express, the next day I had another email, purportedly from American Express, alerting me to a delivery failure. For a brief moment, I almost opened the email thinking something was wrong as I was expecting the replacement card, but something inside me said to stop and think for a minute, and upon observing the email, some things were simply not adding up.
For one thing, although the sender was “American Express”, the email address of the sender certainly was not. It was from a domain in Eastern Europe. Secondly, the delivery failure was not to the address of the vacation condo where I was expecting a replacement to be sent; it was to my home address. Finally, the email was not sent to the same personal email address as the original American Express alert, but to a different personal address which I sometimes use for online retailers.
By now, while not 100% sure, I am reasonably certain that my account was compromised by an online business; perhaps one of the 80% who are not yet aware that they have been hacked? The cyber thief, after trying to use my card for an online purchase, was trying to get extra mileage by attempting to fool me with a spear phishing email attack.
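The clues that gave the second email away can be checked mechanically before anyone clicks. As an added example (not code from the original post), the Python below triages the two header clues, a brand name in the display name whose address domain is not the brand's, and a recipient address that is not the one the brand has on file, against constructed sample messages; the brand domain list is an assumption and should come from the brand's own published sending domains.

```python
import email
from email.utils import parseaddr

# Assumed sending domains for a brand (not from the post; check the brand's own
# published list before relying on this).
BRAND_DOMAINS = {"american express": {"americanexpress.com"}}

# Constructed sample messages. The suspect one mirrors the post's clues: a brand
# display name, a sender domain elsewhere, and delivery to a different personal address.
SUSPECT_MSG = """\
From: "American Express" <alerts@card-notice.example-eu.test>
To: shopping@example.test
Subject: Delivery failure - replacement card

Your replacement card could not be delivered to 12 Home Street. Click to reschedule.
"""

LEGIT_MSG = """\
From: "American Express" <alerts@mail.americanexpress.com>
To: me@example.test
Subject: Security alert on your card

We noticed a charge we want you to confirm. Log in to your account to review it.
"""


def _in_domains(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def phishing_indicators(raw_msg, expected_recipient, brand_domains=BRAND_DOMAINS):
    """Return the header mismatches a reader should notice before acting on the mail."""
    msg = email.message_from_string(raw_msg)
    name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    _, recipient = parseaddr(msg.get("To", ""))
    indicators = []
    # Clue 1: the display name claims a brand, but the address domain is not the brand's.
    for brand, allowed in brand_domains.items():
        if brand in name.lower() and not _in_domains(sender_domain, allowed):
            indicators.append(f"display name '{name}' but sender domain '{sender_domain}'")
    # Clue 2: the mail went to an address the brand does not have on file for you.
    if recipient.lower() != expected_recipient.lower():
        indicators.append(f"sent to '{recipient}', not the address on file ({expected_recipient})")
    return indicators


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MSG), ("legit", LEGIT_MSG)):
        print(label, phishing_indicators(raw, "me@example.test") or "no indicators")
```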
We all look forward to a time when the digital world will be safer and more secure, but the hard reality is that it is about as dirty and unsanitary as the physical world of our ancestors. Protecting ourselves from digital pestilence requires similar sanitation measures as our Middle Age ancestors would have needed in their world. With careful attention and reasonable protective practices, we can achieve sanitation in our digital world.
– Ted Lloyd, CISM