The Internet Society (ISOC) is the latest organisation saying, in essence, “security is rubbish – fix it”.
Years of big data breaches are having their impact, it seems: ISOC's report, released last week, cites a survey of 24,000 respondents across 54 countries (conducted by Ipsos on behalf of the Centre for International Governance Innovation) that shows a long-term trend of end users becoming more fearful of using the Internet.
Report author, economist and ISOC fellow Michael Kende, reckons companies aren't doing enough to control breaches.
“According to the Online Trust Alliance, 93 per cent of breaches are preventable,” he said, but “steps to mitigate the cost of breaches that do occur are not taken – attackers cannot steal data that is not stored, and cannot use data that is encrypted.”
ISOC reckons the 'net's too interconnected for any single stakeholder to carry the can, saying organisations “share a collective responsibility with other stakeholders to secure the data ecosystem as a whole. This includes vendors, employees, governments, and others. Should one of these links not function, the entire trust chain could be broken.”
“Protecting users should be a goal in its own right”, ISOC says, as well as being a “business necessity”.
One reason organisations don't pay enough attention to breaches is that breaches don't cost them enough, partly because much of the cost a breach imposes on users is not borne by the organisation that was breached.
That leads to ISOC's first recommendation, which puts users at the centre of security solutions: organisations should “include the costs to both users and organisations when assessing the costs of data breaches.”
As the report notes, “organisations are spending more on prevention, but this has not yet noticeably lowered the number of breaches, or the impact and cost of breaches when they do occur. In turn, the cost of breaches, when calculated, typically focuses on the cost to the organisation, and not the full cost for the users who were the ultimate victims of the breaches.”
The second recommendation is obvious – except that so few countries bother with it: “Increase transparency through data breach notifications and disclosure”. That feeds into the third recommendation, because disclosure would help hold organisations to “best practice” data security.
Fourth – if this recommendation gets traction, the backlash from businesses will be huge – “General rules regarding the assignment of liability and the remediation of data breaches must be established up front”.
All of this, ISOC hopes, would create a market for systems and security measures that are trusted, because they're independently assessed.
Special mention: IoT is a security 'black hole'
If Internet of Things vendors aren't already feeling “beleaguered”, they must be close – and ISOC singles them out many times in the report.
The ultimate reach of the Internet of Things means the default position of software companies – “you clicked on the licence, which limits our liability” – isn't good enough.
“This lack of liability could lead to significant externalities imposed by a broader range of devices including health devices, baby monitors, and a wide variety of sensors,” the report says.
“Likewise, someone shopping for a baby monitor, WiFi router, or connected car, has no way to learn how well it has been protected from attackers.”
When the Thing in question is a connected car or a healthcare device, ISOC says disclaimers aren't good enough, because “the hack can also extend to personal safety, potentially at the cost of life and limb.” ®