As originally published by David Sable on LinkedIn.
2017 was an epic year for cybersecurity disaster. It also marked a turning point in hacking. No longer were the targets individual corporations that fell victim to relentless attacks that ultimately breached even the most up-to-date security walls, or the sneak intrusions via holes in company software systems. Ransomware was small potatoes now. Sure, there were individual hackers and attackers more than happy to cause chaos for a big payday, but by 2017, the game had changed—as had the targets.
Damage, great damage, was the goal. Not just chaos but destruction. Mayhem. The individual hackers we have gotten to know and love via movies and TV were now whole countries bent on sowing discord, fear and paranoia in other governments. Still movie-like but more “evil empire” vs “kid on a skateboard with a hoody and PC in tow.”
The “elegance” of the 2017 big hack, as one cybersecurity expert (himself a reformed hacker) explained to me, was that it wasn’t a frontal assault. No one could have seen it coming or detected it, as it was embedded in the software and services that were routinely shared, server to server, across the world by a financial service provider. An outsourced resource. Initially, companies spun in circles for days thinking it was ransomware, but soon, its evil intent became clear, as fried servers and laptops were junked across the globe and as Ukraine, the clear target, ground to a halt.
Fast forward to today.
SolarWinds, a dominant provider of IT infrastructure technology, whose products monitor and manage network, system, desktop, application, storage and database and website infrastructures, told analysts in October, “There [is] not a database or an IT deployment model out there to whom [we don’t] provide some level of monitoring or management.” On December 19th, SolarWinds reported that it had been hacked. The company has yet to ascertain the true damage done to its clients (many of whom are U.S. government agencies) and their clients’ clients in chain after chain of potential breach.
In all fairness to SolarWinds, they are far from the only firm to be left completely vulnerable by difficult-to-detect hacks. FireEye, one of the leading global cybersecurity solution firms, is looking for a solution to the hack it sustained earlier this year, almost certainly by Russia, and is advocating for a strong U.S. government response to such attacks…I imagine because they are no longer as confident as they once were about providing ironclad security.
What really sets me off about the revelation of these hack attacks is the feigned surprise of the companies, of the media, of our government, as if they have never before seen a supply chain hack or entertained the idea that an evil empire might target our corporate and government infrastructure.
This has happened before and it will happen again.
As that reformed hacker taught me in 2017, there is nothing that is hack proof. Nothing at all. Yes, we need to protect ourselves the best we can, but we must also understand that anything can be hacked. His view? Recovery is the critical issue. What is our corporate/governmental plan to get back on track? To have your systems up and running? To limit the damage?
And yet, as I read about the responses to our latest data disasters, I am concerned that we are not focused in the right areas.
No doubt, some of you are asking why I’m writing about data breaches. I’m a marketing person, not a techie…so here goes: my view is that we are not asking the right questions, nor are we focused on serious game-changing moves that could mitigate the next breach, which will come. We are asking the wrong questions and have yet to adopt the “we will get hacked” ethos. As a result, we are unprepared for large-scale responses to data hacks when they come.
But now, let me go into full marketing mode and suggest a radical agenda that won’t prevent hacks but that will make their aftermath less severe.
From our marketing perch, we need to completely rethink the use of data in our industry and, most importantly, the types of data we keep and collect, especially as we know that even randomized data can be un-spun and made specific.
Do we really need your passport to provide a better check-in experience? Must I keep your credit card to eliminate friction? And how about your e-mail, land address and phone number?
Why do we let Facebook, Google and others vacuum hose our usage data and then sell it like it’s their own? Why do we give access to our systems and devices for more data sucking, for which, in return, we supposedly get better targeted advertising? Is that a legitimate value exchange, when they make billions and we get ads?
As marketers, our job is to help our clients use insightful user data to create, develop, refine and distribute the kind of products and services that make a difference, an impact on their clients’/users’/customers’/consumers’ lives. It’s not to fund giant media machines that grind us all to bits and bytes and then wring their hands when our identities are stolen, or our accounts viciously hacked.
I’m guessing that corporate boards, governments and others involved in the chain of serious governance will keep their eye on the big picture.
But, my readers, it is up to us to change the game where we can. To be bold. To be creative. To innovate not in how to get more data out of all, but how to do more with less. Make the stored data less valuable/less important and the impact of hacking will be greatly minimized.
One final thought. Brittany Kaiser was the former biz dev head of Cambridge Analytica. You can read all about her and take, like I do, her protestations with a grain of too little, too late salt. But given her pedigree, and what she has seen and done, her insight is invaluable and critical to study.
“If we want protection, we need to start thinking of our data as our property, because if no one has noticed, property is held up and protected legally.”
And that’s it. It’s your data, no one else’s. If you want my data, there is a price. Let’s start to demand accountability and legal protection.
What do you think?