Sunday, March 22, 2015

What a CROCK! Negligence should have consequences to those that are negligent!

It has become a common thing anymore to get yet another notice via email or snail mail that some company you do business with has been compromised.  I received yet another one this week from my health insurance provider.  They point blank say that our personal information, health records, social security numbers, etc. have likely been compromised.  This is Anthem Insurance.  Now any company that has access to information like this must have proper control types over their network.  They need to have management, technical, and operational controls.  They need to have a serious focus on security no different than a bank or anyone else who has access to information of this nature that could ruin their customers if "bad people" get their hands on their financial or personal information.  There need to be consequences for these companies when this sort of thing happens.

For anything of this nature there should be a criminal investigation.  The company should be found liable if they failed to take all of the appropriate precautions, steps, and processes to ensure systems are hardened, monitored, and a continuous review process is in place.  Sadly we don't hear anything of the sort.  Well, I should say "rarely"; once in a blue moon a company gets raked over the coals, but it isn't very common.  Why is that?  You know what we hear?  In my letter, like the others I have gotten in the past... "We will provide 2 years of service with AllClear ID at no cost to you!"  Well HOWDY DO!  Why thank you so much... It appears you allow criminals into your systems, they have access to sensitive customer information that could impact them in a financial way and possible identity theft, and your answer is to pay for a couple of years of service with some company that does what?  Once your personal information and social security number are out there in the wild you're pretty much SCREWED!  Just what they think providing 2 years of coverage with this company will do is a complete joke.  As far as I am concerned they should be required to provide that service for LIFE for the person that was impacted due to their possible negligence.

Now, yes, I should stop and take a breath and say... Maybe Anthem did everything they could and the "bad people" still found a way in... Yes, it is possible that Anthem did everything they were supposed to and this still happened.  I say PROVE IT!

Frankly, having spent so much time over the last few weeks crawling through CompTIA Security+ and thinking about the controls and policies that I have been responsible for and have implemented, there are a lot of ways things can go wrong.  Today as we move everything online, into cloud, social apps, and mobile everything, security has to move forward (higher) on the priority of things within any business.  If your customers' personal data, drivers' licenses, dates of birth, addresses, social security numbers, and financial information are on your systems then that priority has now moved to the top of the list of things to do.  For a medium to large company this means full-time dedicated staff focusing on security.  Giving companies a "pass" by allowing them to screw up and then offer a couple of years of coverage with yet another company because they let your PII out in the wild has to be some sort of joke.  I have done a fair amount of work on systems around PCI compliance and I can say that for systems that process payment cards the security reviews and steps we have taken have been pretty thorough; however, there is still room for improvement.  It is a step in the right direction, and this level of interest needs to be spent on systems that process Personally Identifiable Information (PII) as well.

Again, is it possible that Anthem did it all correctly?  Sure, BUT given the controls, processes, policies, and tools at our disposal today, and a company as large as Anthem, they should have that staff, those controls, and the ability to keep customer information secure.  Maybe what it will take is serious fines and penalties for negligence that allows this sort of thing to happen before companies will take it seriously?  I don't know what the answers are, to be honest.  What I do know is that it has become commonplace now for yet another company to get "hacked" and their stance is "OOPS", here is a couple of years of "coverage" with a company that is supposed to keep you from being screwed...  That isn't going to fly... It should be proven that these companies did it right, or pay up... Then maybe it will be taken seriously?  I can only hope something changes.

Be vigilant, harden those systems, use patch management, and perform those design reviews...  Bad people are looking for a way in...  Don't let it be your business or your employer that is facing the consequences of poor security policy, and worse yet, don't let your customers pay for lax security or poorly implemented security.  Treat this like it is your money on the line and let's see if that doesn't put a whole new light on security...  :-)
