Exhibit A: Wrong Turn at Albuquerque
We use the following example fairly often to demonstrate the folly of placing all (or most) of our faith in technological solutions. Imagine yourself stuck in an airport lounge, a few hours into your latest delay. What to do? Well, you may as well catch up on some work, because finding your bed before 3am isn’t happening today. Out comes your trusty laptop, and off you go…and time for us to show you how technology designed to protect your information easily falls apart with one or two missteps courtesy of Homo sapiens. Let’s take this example to a bit of an extreme to over-emphasize the point. Imagine you take extraordinary steps, above and beyond the average user. Your laptop has logon brute-force protection. Good move! In everyday speak, input the wrong password x number of times and the device begins to encrypt or wipe itself. You also keep no significant data on your computer and instead opt to use an external encrypted storage device (a fancy USB key) that uses an approved and tested algorithm. Another good move, especially if you are ready to enter the realm of quasi-paranoia and walk around with FIPS 140-2 Level 3 USB keys. (Sorry folks, Level 4 storage devices are usually reserved for government workers – normally because they are incredibly expensive – and may be mounted to concrete.)

Here comes the critical part: what value do all these fancy and flashy yet robust and really, really good protective technologies have when you connect to a public Wi-Fi connection? Nada. Zilch. Donut (minus the great flavor). That super-secure $200 USB key has about as much value as the $2 one you were given “for free” at your latest conference. (Note to reader: throw away “free” USB keys.) You see, unless you have done a deep dive into the cybersecurity world, you do not normally think about the fact that the Wi-Fi router in an airport lounge – or anywhere, really – may be misconfigured (information leaks) or, worse, compromised (information theft).
But if you have done that deep dive, you will know that an airport lounge is an adversary’s dream. If we were to take on the role of the bad guys and wanted to do some wholesale theft of intellectual property or corporate information, we’d be hard-pressed to find a better place than an airport lounge, a place usually populated with tired and stressed-out business travelers who may be three glasses into their favorite libation. Heaven help you if you are logging on to a corporate network – or anything you want to keep private – over public Wi-Fi. Here is the result of plugging into a public Wi-Fi network: all that cryptography and fancy tech on your device designed to protect you goes “poof.” It’s all gone, into the ether, just like that. No amount of AI in the galaxy is going to prevent the data theft if the public Wi-Fi router is compromised. Why? Because that “road” (the network connection) you are using is, by design, vulnerable and hazardous for the sake of convenience. Convenience is all fine and dandy, except that nobody tells you that while “on the information superhighway” (haven’t heard that one for a while, have you?) one wrong turn could leave you feeling like an anvil fell on your head. It’s kind of like just-in-time supply chain management: it works great until there is a break in the supply chain, except that in our example you may not be able to rebuild the supply chain. Ever! That is why, when you use technology, you should ask basic questions. Why is it public? Why is it free? Why am I plugging into a network that countless others have plugged into? We teach children not to take candy from strangers, so why are we taking Wi-Fi from…strangers?! We say (justify?) that it is for convenience, except that convenience comes at a cost, and everyday users have never been told what the full costs are. For Pete’s sake, even the executives and leaders of organizations may not be aware of what the potential costs are.
And here’s the real kicker: we normally do not know what the real costs are. And why is it that we do not know what the real costs are? It’s because the “value” of data – or more specifically, information – is in many cases intangible, and with intangibility comes non-linearity. Or, put another way: if you can’t reasonably calculate the cost of the SNAFU prior to the boom, there is a greater-than-zero possibility that the SNAFU could cost you a world of hurt, specifically because you just don’t know what will happen after the collapse. Too many variables are playing a role, many of which are out of your control. So before anybody gets all uppity about the benefits of convenience and how much more “efficient” it has made us, understand that there are costs you may not always see or feel. As recently as 10 years ago, maybe even five, the worry of a leaked e-mail or corporate document, or of getting doxed, didn’t really keep you up at night. Now it does. One text message can change the nature of something in galactic proportions. That’s asymmetry, and the costs are rising. You see, the cost of network downtime, or even the theft of something tangible, is usually calculable. But the cost of a damaging email or an unsavory picture or video, especially if mismanaged during the aftermath, is incalculable. Depending on which way the news cycle is going that day, the wrath of the Twitterverse could range from a few embarrassing memes to forced apologies, demands for resignation, changes in corporate policies, federal investigations and even closing shop. Again, you just don’t know, because of all the variables at play, which is why it’s best, where possible, that you don’t find yourself in that situation in the first place.
All in all, our increasing reliance on technology (and our somewhat misguided dependence on technological solutions that we hope will bail us out of the mess we walk into) builds fragility into the system, whether it is from an IoT perspective – as we outlined in our safe, secure and intelligent (S2I) article – or from our ever-growing inability to accurately gauge how to respond to a PR crisis. The difference between “phoning it in” and overshooting is not as clear as it used to be. Stakeholder expectations are increasingly dynamic. It’s for these reasons that cybersecurity is absolutely not a niche issue, as some still cling to believing. Cybersecurity is at the core of virtually every single business operation today, and just as there is money to be saved, there is money to be lost by some players, hence the pearl clutching. And who stands to lose the most if this “focus on the person” paradigm shift occurs? Those who seek to sell you stuff, like vendors and software consultants, because they are still pushing the “focus on the tech” paradigm. It is in their interest to do so. But is it in yours? Again, we’re absolutely not anti-tech here. One of us is a gizmo geek, and the other drools at anything AI. We just understand the limitations of tech. So just as you are limited to the “pick two” mantra of “cheap, fast, and good,” there is an additional “pick two” mantra you need to consider, courtesy of cybersecurity guru Dan Geer, CISO of In-Q-Tel and famous non-user of a cell phone: pick two of “freedom, security, and convenience.” In the past, that decision didn’t seem as important as it does today, but then again, in the past we didn’t feel like we had a hole in our data buckets like we do today. Stay tuned for part 2 of this two-part series.

About the Authors: Paul Ferrillo
