We’ve become completely desensitized to data breaches. When was the last time you read a breach report for longer than a few minutes? If you don’t work in security, did you even get past the headline? Be honest: if you read about the latest breach at all, it was only for a moment. You checked that it wasn’t a company you have an account with, and you moved on. I’ve done it, too.
Breaches are coming at a faster and faster pace, with larger record counts and greater impact each time. Yet the repercussions seem to be shrinking. The US government rarely hands out more than a slap on the wrist, and the public can barely remember who has been breached and who hasn’t. And these are only the breaches we know about.
I used to think that companies were simply irresponsible with data, but I’ve learned that isn’t universally true. Companies face greater and greater threats, which forces them to figure out how to do more with less every day. On top of that, government scrutiny of security in recent years has forced companies to spend precious time meeting regulations, and compliance doesn’t always translate into better security. For every company that takes security seriously, with a fully equipped, funded and talented staff actively working to secure its network, there are several more that barely consider security at all. Even some software companies are guilty of this.
For several large companies that have recently been breached, at least some of the blame goes to a vendor. Target was breached after attackers stole network credentials from its HVAC vendor and used them to get inside. Other companies have simply had their vendors phished, which gives attackers a way to abuse the inherent trust between business partners. The level of detail it takes to secure a large network grows every day, which would be a tall task even without increasingly motivated, sophisticated and well-funded attackers.
It has reached the point where one of the largest collections of breached data ever seen publicly, Collection #1, isn’t even the largest or newest database of breached data that the seller offering it has! And it was being sold for the tidy sum of $45. This data is literally worth more to us than it is to the hackers.
So if it’s worth more to us, why are we putting all our data into big buckets alongside everyone else’s? Cloud computing has companies rapidly moving their data onto the same servers as everyone else. And trust me, it’s incredibly efficient; for most organizations today, the cost of running your own infrastructure simply doesn’t make sense anymore. But my fear is that the second- and third-order consequences of this trend will work against us in some way.
These are thoughts I’ve been pondering for some time now. For me, it’s hard to see a way forward that is prosperous for lawful citizens and doesn’t include a massive shift toward decentralization. I say lawful because I believe that without strong protections on data going forward, our data will continue to be exploited. Not every company that has your data wishes to exploit you, but some of them do. One bad apple spoils the bunch, and in this case it’s far more than one apple.
As far as protections go, governments’ newest ideas about data protection may be good, but they also add a lot of overhead. Companies can only tolerate so much regulation before it becomes too burdensome, because budgets aren’t infinite. As much as we would like companies to spend every dollar it takes to come as close to perfect as possible at protecting your data, that amount of money may be too much for some companies, particularly small ones. Which is where decentralization comes in.
If companies can deploy apps that don’t require them to store their customers’ data, the time and cost savings are immense, and not just in security and compliance but in application development too. My hope is to see new, small companies release applications built for everyday users that are completely decentralized. This means your data stays with you. And if your data stays with you, we no longer have the giant, centralized databases that hackers love to go after. That is just one benefit; a decentralized internet would bring numerous others.
There’s no doubt there will still be people trying to attack decentralized applications, but the economies of scale change in a decentralized internet. If a hacker can only get data from one user at a time, they’ll have to work much harder to build up large databases of breached data. I suspect they’ll begin to lean heavily on social engineering, which they already use successfully every day on today’s internet via phishing, robocalls, fake Microsoft support calls and so on. However, I believe that if decentralized apps were the default for most people, security professionals could shift their focus to a much smaller attack surface, consisting of web application security, protocol security and social engineering controls. I believe this would result in a better security model for everyone. Companies could spend less and get better results. Consumers would get cheaper products that actively protect them.