Should We Assume We’ve Been Hacked?

What individuals and businesses can learn from recent cybersecurity breaches
Blog Post
Nov. 21, 2014

The State Department confirmed a security breach of its unclassified email system on Monday – the fourth infiltration of a federal government agency computer network in as many weeks. It appears that no sensitive information was extracted, and according to a State Department spokesperson, “no classified systems have been affected by this incident.” The successful detection of these breaches raises hopes that new advanced detection measures are actually working.

In light of an increasing number of cyber incidents, more and more businesses and government agencies are embracing the ‘presumption of breach’ doctrine, which is evidence of a larger shift in the way cybersecurity planners are thinking about network security. By operating under the assumption that intruders have infiltrated the network, cybersecurity strategies are beginning to reflect a more cautious approach to managing risk. It is time for consumers to think this way too.

Your network has been infiltrated – so now what? This is the starting point for the presumption of breach doctrine. Conventionally, network security involves hardening the perimeter of the network to keep intruders out, while doing little to enhance security of the interior of the network. Presumption of breach not only seeks to fortify the outer defenses, but also assumes that the network has been infiltrated. By starting with this assumption, and actively seeking out intruders who are evading detection, breaches are discovered more quickly and consistently. More importantly, presumption of breach is about making systems more resilient so they can withstand infiltrations and continue to operate securely even if they have been breached.

However, all of this enhanced security comes at a price. Presumption of breach is considerably more expensive in the short term than conventional security strategies, as more resources and attention are directed at remediation and at ensuring that the network will continue to function in the event of a breach. For example, JPMorgan Chase CEO Jamie Dimon expects the company’s $250 million annual computer-security budget to double over the next five years in the wake of a massive data breach revealed in September that compromised the financial information of at least 76 million households and 8 million businesses.

As security planners begin to realize that conventional cybersecurity strategies are insufficient to meet these new threats, and that continuing to rely on conventional security practices will cost them more in the long run, organizations are faced with an investment decision – either spend more now to mitigate the risk of uncertain, high-impact scenarios (such as a massive data breach), or roll the proverbial dice. Companies like JPMorgan Chase, which have seen firsthand the ramifications of underinvestment in cybersecurity, are making this investment. However, businesses and government agencies are not the only actors who need to employ better risk management practices. Consumers can learn from companies that have transitioned to presumption of breach, and adopt a more risk-averse attitude toward protecting their data.

Individuals are notoriously irrational when it comes to evaluating risks, consistently undervaluing low-probability scenarios. However, events like last month’s Snapchat photo leak and several well-publicized celebrity photo hacks have raised awareness amongst consumers of how commercial data breaches can impact their lives. Improving personal data protection also requires better risk management practices, but that means paying higher costs in both time and effort. This starts with practicing basic computer hygiene – keeping software up-to-date, downloading the latest security patches, and changing passwords frequently. However, there are a number of other precautions individuals should take that, while time-consuming and inconvenient, can greatly reduce the risk of losing control of their personal information.

The presumption of breach doctrine offers useful lessons for individuals.

Assuming that their information is vulnerable, consumers should take precautions as though they are being targeted by a malicious actor. First, they should build an outer wall of defense around their personal information by practicing due diligence before downloading new apps and programs or visiting new websites, ensuring that these do not pose a threat to their devices or their information. While this might seem like an onerous process, app markets for both smartphones and computers are not the walled gardens they are often assumed to be. Site advisors, which use heuristics to rate the security of websites, make this process easier, as do script blockers like NoScript, which prevent JavaScript from running on the user’s computer.

Consumers should also inform themselves of the security reputation of the companies with whom they have bank accounts, share credit card information, and provide personally significant data. Other security tools, like two-factor authentication for getting into email accounts and password encryption, are becoming increasingly accessible to consumers. While it is true that individuals cannot avoid entrusting their information to commercial networks and inevitably rely on the security practices of businesses, they are not helpless when it comes to ensuring the integrity of their data held by another party. Just as the presumption of breach doctrine focuses on the continued operation of a system while it is under attack, consumers can bolster the resiliency of their own data security by backing up their data, ensuring that important personal information is not erased. Enhancing personal data security may be inconvenient, but then again, a seatbelt is not particularly comfortable either.

Risk management practices by businesses, government agencies and consumers are still a long way from where they should be given the pervasiveness of these threats. Network security is, and always will be, an arms race between intruders and security experts, and it is evident that security planners are playing catch-up. Consumers can learn from the strategies that organizations are implementing to close the gap, strategies that reflect a more risk-averse security doctrine.

The tradeoff between convenience and security is nothing new, nor is it specific to the management of personal data online. However, the rapid evolution of threats to cybersecurity has outpaced the perception of these risks and the behavior of individuals to reduce them. Consumers can learn from the strategies being implemented by organizations to pull their behavior in line with the risks they face. There is no denying that better security comes at a price, but this could be a bargain compared to the cost of failing to defend against cyber risks.