In the programming phase of a software project, every security control is relaxed: blank SQL administrator passwords, full access privileges assigned to the programmers' group, and so on. These are the signs of poor security management. Now you may be thinking that I have only had experience with small Italian projects. You are wrong…
Some months ago, to change the password of a Sony PSN account (the Internet service designed for playing online games on the PlayStation), you only needed the nickname and the birthday of the owner. To change an account's password on Apple's cloud service, iCloud, you needed only the e-mail address of the owner and the right answers to a couple of predefined personal questions. Yes, the risk seems low: only a tiny group of people knows the name of MY first dog. But the name of Jennifer Lawrence's first dog is probably a public-domain 'secret'.
An unsecured password-changing procedure is definitive proof of poor security design, and it happened to world-class services. What did it cost Sony and Apple?
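As an added illustration (this is not code from the original post, nor from Sony or Apple), here is the weak recovery flow described above beside a hardened one: the first accepts the owner's nickname and birthday, the second issues an unguessable, single-use token that expires. The user record, the token lifetime and the helper names are constructed for the example.

```python
"""Added example: a knowledge-based password reset beside a token-based one.
Users, passwords and dates are constructed; helper names are this example's own."""
import hmac
import secrets
import time
from hashlib import sha256

# Constructed user directory (nickname -> record); never store passwords like this for real.
USERS = {
    "jlaw": {"birthday": "1990-08-15", "password": "original-password"},
}

# --- Weak design: the "secret" is a fact anyone can look up. -----------------
def weak_reset(nick, birthday, new_password):
    """Resets the password if nickname and birthday match. The birthday of a
    public figure is public, and even for a private person the search space is
    only a few tens of thousands of dates."""
    user = USERS.get(nick)
    if user is None or user["birthday"] != birthday:
        return False
    user["password"] = new_password
    return True

# --- Hardened design: a random token, delivered out of band, bound to one
# account, expiring, single-use, compared in constant time. -------------------
TOKEN_TTL_SECONDS = 15 * 60
_pending = {}  # nickname -> (sha256(token), expiry time)

def request_reset(nick, now=None):
    """Creates a reset token for the account's registered address.
    Returns the token only so this example can exercise it; a real service
    sends it to the address and answers the caller identically whether or
    not the account exists, to avoid account enumeration."""
    now = time.time() if now is None else now
    if nick not in USERS:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits of entropy
    _pending[nick] = (sha256(token.encode()).digest(), now + TOKEN_TTL_SECONDS)
    return token

def strong_reset(nick, token, new_password, now=None):
    """Accepts the reset only with a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    entry = _pending.get(nick)
    if entry is None:
        return False
    token_hash, expires_at = entry
    if now > expires_at:
        del _pending[nick]                      # stale token is useless, drop it
        return False
    if not hmac.compare_digest(token_hash, sha256(token.encode()).digest()):
        return False                            # wrong token; nothing consumed
    del _pending[nick]                          # single use
    USERS[nick]["password"] = new_password
    return True
```

The pending table stores only the hash of the token, so reading that table does not hand out live tokens. A deployment would also rate-limit `strong_reset`, notify the old address when the password changes, and of course run the whole exchange over TLS; none of that is shown here.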
That said, service designers, programmers and CISOs (Chief Information Security Officers) must consider the behavior of users. They often mistake ease of use for ergonomics and security for bureaucracy, ignoring the impact of their choices. As long as Internet service designers treat cyber resilience as something to patch on at the end of the development phase of their product, or as dead wood that slows the spread of their service, these will be everyday stories.
Since we were talking about an actress's privacy… who cares? But if we were talking about your savings, you would care a lot. What if the attack targets the online engine-monitoring service of the airplane we are flying in (see that), or a virus infects the life-saving medical instrument in a major surgery? Shall we talk about the PLCs on your shop floor? The electronic control of your boiler? The control system of the power plant near your town? The connected infotainment system of your car? The fire alarm system of your office?
In a recent report, "Risk and responsibility in a hyperconnected world: Implications for enterprises", McKinsey and the World Economic Forum forecast a loss of about US$3 trillion over the next 5-7 years if public and private companies and institutions do not develop proper cyber resilience (you can find it here). In one scenario of the report, if companies do not trust cloud security, they will not adopt it. But the authors do not limit the loss to cloud technology, saying that "Backlash (will) Decelerate Digitization.… Government cyber resilience regulations become more directive, disturbing adoption of innovative technologies. As much as US$ 3 trillion in potential value creation from these technologies remains unrealized."
Start a new era! Think about cyber resilience in your work, and adopt ISO 27001 or another standard while DEVELOPING your product, not after.
Added 23 February, 2015
As explained in the post above, our everyday lives can be affected by the weak cyber resilience of companies with a worldwide reputation for security. The car industry is a good example: you put your life in the hands of their products daily, and you consider those products 'secure'. See here a significant example of a vulnerability in the BMW ConnectedDrive option. As usual, the vulnerability is not in the hardware option itself, but in the unprotected way the software communicates between the end-point (your car) and the BMW servers. Hard to foresee?
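As an added example (not BMW's code, and not part of the original post), here is a minimal car-side command handler in two versions: the first executes whatever arrives on the channel, the second accepts only messages that carry a MAC under a per-vehicle key, are bound to the vehicle identifier, and advance a counter so that a captured message cannot be replayed. The key, the VIN and the message layout are constructed; in practice this per-message authentication would sit on top of an encrypted transport such as TLS, not replace it.

```python
"""Added example: an unauthenticated telematics command channel beside one
whose messages are authenticated and replay-protected. Key, VIN and
message layout are constructed for this example."""
import hashlib
import hmac
import json

VEHICLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)  # constructed per-vehicle secret
VIN = "WBATEST0000000001"                                              # constructed identifier

class Car:
    def __init__(self, key, vin):
        self.key = key
        self.vin = vin
        self.doors_locked = True
        self.last_counter = 0

    def handle_plain(self, wire):
        """Unprotected design: whoever reaches the car on the radio link
        (for instance through a rogue base station) is treated as the server."""
        cmd = json.loads(wire)
        if cmd.get("action") == "unlock":
            self.doors_locked = False
            return True
        return False

    def handle_signed(self, wire):
        """Hardened design: verify the MAC before acting on the command, check
        the message is for this vehicle, and refuse counters that do not advance."""
        msg = json.loads(wire)
        body = msg.get("body", "")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(msg.get("mac", ""))):
            return False                      # forged or tampered
        cmd = json.loads(body)
        if cmd.get("vin") != self.vin:
            return False                      # valid for another car, not this one
        if cmd.get("counter", 0) <= self.last_counter:
            return False                      # replayed (or reordered) message
        self.last_counter = cmd["counter"]
        if cmd.get("action") == "unlock":
            self.doors_locked = False
            return True
        return False

def server_sign(key, vin, counter, action):
    """What the back end sends: the command body plus HMAC-SHA256 over it."""
    body = json.dumps({"vin": vin, "counter": counter, "action": action}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac})
```

The MAC is checked before the body is parsed, so an attacker without the key cannot even reach the command logic; the VIN check stops a message signed for one car from being accepted by another; the strictly increasing counter is what makes a recorded "unlock" useless the second time.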
Enrico Aramini has been a consultant to food & beverage companies since 1988; he developed the SOFIT (Strategic Organization From IT) methodology. He is the founder of HTC High Tech Consultant, which has operated in Italy and the USA since 1993. You can reach him at firstname.lastname@example.org.
Every logo, mark or image that appears in this post belongs to its owner.