As more of the world continues to digitize, security is always a factor. Few would disagree that the future of society’s ability to conduct e-commerce is intimately tied to its ability to secure that commerce. Fresh on the tail-end of the holiday season revelation of a massive data breach for US retailer Target Corporation, a new, widespread weakness dubbed “Heartbleed” has surfaced. The details are complex, but the end result is that a bug in the encryption software OpenSSL “attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.” OpenSSL is used in around half a million websites and services.
OpenSSL is open source and its contributors are volunteers. However their unfortunate surprise underscores the persistent arms race that exists between entities interested in strong encryption and others who would seek to find ways around that encryption. For a strategy relying on strong information security, the uncertainty around how much risk an organization is exposed to can be complex. There is always a risk that encryption will be broken, either by user-error in the Target case, or by a flaw in the system itself with the OpenSSL case. The question then becomes what is the value of the potential risk? Losing customer data can be costly, depending on the scale of the loss. The same goes for proprietary secrets lost to a breach.
It would seem that the way forward is to accept the uncertainty as fact. The problem is not if a breach will occur, but when. With endlessly increasing connectedness across many industries and the technologies used to interact with them, this much seems clear. Kaspersky Labs, a respected leader in the industry suggests a series of best practices that minimize exposure to risk, build multiple layers of protection and perhaps most importantly, remove human impediments to technology where possible. If the stories in the news are any indication, there is still work to be done. In closing, how much effort should be made in crafting an organization’s strategy to adequately address security risks? How should consumers react to their own risks resulting from company’s online strategies?