Customer data security is our highest priori- ha ha ha whatever, suckers
Shadow IT casts its darkness over us all
Something for the Weekend, Sir?
I would like it to be known that mine is bigger than yours. And yours is bigger than everyone else's. Only losers waste their time with small. We do big.
The IT industry is notably keen on letting us know that everything they do is big, especially when it comes to data security breaches. Cyber-attacks on individuals are never reported and small-time identity theft isn't of much interest to anyone.
Oh no, we much prefer those events labelled as "unprecedented" and "biggest ever", even when initial estimates of the vast numbers of people affected and immense financial sums involved are invariably superseded by considerably more conservative figures.
And so it was with the great Tesco Bank's loss of billions of pounds from some 20,000 user accounts last week... a wild estimate subsequently revised to a relatively dull £2.5m and 9,000 users.
Each time NASA or some other American agency is hacked from abroad, as they seem to be on a monotonously frequent basis if they are to be believed, hints are dropped about organised crime in Russia or Chinese government-backed interference. Yes, after months of investigation by armies of spooks, it usually turns out each hack was conducted without malice by an acne-ridden bloke in his early 20s living with his mum in Barnsley.
Bigging-up is just human nature. Jack the Ripper, we're led to believe, was a toff wearing a top hat and carrying a Gladstone bag. He must have been posh and have had medical training to do what he did, you see. He may even have been a member of the royal family.
Yeah, right. Bollocks.
They say this about every serial killer – right up until the moment the police collar the offender, whereupon he turns out to be an ordinary labourer or lorry driver. The reason Jack the Ripper has never been unmasked is certainly because he was a humble cretin no one's heard of.
"There's no doubt that this was a hugely sophisticated, coordinated and advanced attack," says Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, in relation to the Tesco Bank attack. He may be right but in the light of experience, I would like to express that there is a doubt.
Once the commentators have bigged-up the crimes, the affected organisations feel compelled to big-up their public relations response. Usually this takes the form of a statement along the lines of: "The security of our customer accounts is our highest priority."
Yeah, right. Bollocks.
If customer security was their highest priority, this would mean making a whacking great profit from their customers would be secondary. Yet these companies continue to lose customer data with wild abandon while continuing to be obscenely profitable.
It's like when airline companies say: "The safety of everyone on board is our highest priority." If that was even remotely true, we'd be provided with a silk parachute, Scuba gear and a distress beacon under each seat, not some plastic waistcoat and a fucking whistle.
And don't get me started on how bosses in finance gang up on lowly customers whenever it suits them. One of my major clients suffered a data breach in its PAYE system a few years ago and blandly informed its affected employees that their entire digital identities had been pilfered by unknown persons and that they should cancel all their credit cards and change all their passwords.
There, obligation met in full. Now get back to work, underlings.
I was in the office when one of these employees received the email. He immediately phoned his bank, which told him that because he was aware of the data breach before they were, any loss from that moment onwards would be his own fault, not theirs.
Each time there is a major hack of this type – every couple of days, by my estimate – a great deal of hot air is expended by commenters about how crap conventional logins and passwords are, which is true.
More recently, a new explanation has risen to the top of proposed causes of insecurity within large organisations: "shadow IT".
Unfortunately, "shadow IT" sounds cool. That's because shadows are dark. It evokes the dark side of the Force, the Dark Side of the Moon or whatever. For me, "shadow" is forever reminiscent of SHADO, the ultra-funky protectors of the Earth from the UFO threat in the futuristic 1980s.
For those unaware of this latest jargon, "shadow IT" is when people bring their own unsupported gadgets to work and install their own dodgy software.
Yes, I know this used to be called "BYOD" and was supposed to be a good thing but apparently it is now bad again. It turns out that bosses have now decided that forcing their employees to buy their own kit and plug it straight into their steaming cesspit of IT insecurity might risk compromising their non-existent data protection safeguards. Who knew, eh?
But can you blame the employees? My experience of working on contract within large organisations is that even the most basic IT procurement is a black hole so deep and impenetrable that it makes "shadow IT" seem positively effulgent.
I remember an occasion when a team request was submitted to purchase five licences of a screen grabbing utility costing $10 per desk. Two months later, the team was still awaiting approval.
In the meantime, I purchased and installed my own copy of a much better and more expensive utility, and added the cost to the bottom of my invoice, which was settled as usual.
So there you go, I am a "shadow IT" culprit myself and, although I no longer live with my mum, my darkness obsession may yet be revealed as the cause of the next world's biggest data theft.
Is it my fault that dark is cool? I defy you to convince me otherwise. Ah well, it's just money.