A silver bullet will never slay Canadian security problems
After reading the title of my latest post, you can probably guess that I’m going to be writing about the latest security breach to impact millions of Canadians – LifeLabs. In the past day I’ve read many articles talking about the hack itself, why LifeLabs chose to pay a ransom, and the level of risk this hack represents to Canadian consumers. And to be sure, in the next few days we’ll see many more articles looking at what consumers can do to protect their data after an incident like this. But that’s only part of what’s troubling about this hack.
In a few reports about the LifeLabs hack, it has been suggested that had the company encrypted its data, perhaps the hackers wouldn't have bothered to attack. Encryption is certainly a valuable and effective security control, but it is worth being precise about what it does: encrypting data at rest protects against stolen disks and backups, not against an attacker who has compromised an application or account that must decrypt the data to do its job. The discussion is indicative of a broader problem: the suggestion that one solution can effectively prevent a hack or breach.
This isn't a new mindset among enterprises. It was only a month ago that Guy Cormier, president and CEO of Desjardins, the largest federation of credit unions in Canada and a company also at the center of a massive data breach, suggested to lawmakers that they needed to pave the way for modern security measures to meet an increasingly challenging threat landscape. That's true: we do need lawmakers in every country to look at what can be done to encourage the adoption of better and more sophisticated security measures. But Mr. Cormier also championed one particular technology, digital ID procedures, as a more effective, long-term security solution. Again, while this technology is worthwhile and effective, it will not end the tide of hacks and breaches in and of itself.
The reliance on one solution to solve all security woes is where traditional enterprise security thinking breaks down. As I've mentioned in the past, enterprise security, and data security in particular, requires new thinking and a strategy that layers several different controls. This is the reason why data privacy legislation such as GDPR and CCPA doesn't prescribe a particular product or technology for compliance: GDPR asks for "appropriate technical and organisational measures" and names encryption and pseudonymisation only as examples, and CCPA speaks of "reasonable security procedures and practices." Put quite simply, no single control can meet that standard on its own.
Consumers deserve more
Even if we put aside the fact that the 'one solution strategy' is inherently flawed, consumers deserve better than post-breach treatises on what they can do to better protect their data. The fact is, many consumers do everything they can to protect their data, but without knowing how their data is protected once it is handed to an enterprise, they're still vulnerable. Consumer data is not unlike gold in an armored car. While the gold is in the car, everyone is confident the gold is well protected, but what happens when the gold reaches its destination? How is it protected once it leaves the car?
Like all consumers, LifeLabs users entrusted some of their most personal information, their 'gold,' if you will, to an organization that still cannot articulate exactly how it was protected or how it is improving its protections after this hack. Though LifeLabs is now offering post-hack consumer protections to lower the risk of identity theft for its users, that will never be enough.
Consumers deserve to have their sensitive data well protected by enterprises like LifeLabs, which means a robust, end-to-end security strategy rather than a silver-bullet ideology that is doomed to fail.