By Dennis F. Galletta, Director, Katz Graduate School of Business Doctoral Program at the University of Pittsburgh
It is practically indisputable that we are in the midst of a perfect storm for customer data to be stolen, sold, and exploited as evidenced by the outrageous number of breaches in 2017 (Cameron, 2017), a low amount of concern about data security among millennials (Fleming and Adkins, 2016), and widespread security blunders in many companies (Seals, 2017). In the short run, there does not seem to be any improvement on the horizon.
I remain, however, optimistic, fueled by some patches of blue sky trying to show through, promising a brighter future. You can call me a dreamer, but I am optimistic breaches will slow significantly in the future. However, there is some bad news: Breaches will continue to increase for the next few years until three improvement areas are addressed.
On the firm’s side there is a spread of best practices in the industry; on the customer’s side there needs to be greater willingness to compromise convenience by a small measure. And on both sides, there is the need for increasing situational awareness by computer users at the firms and on the customer side.
On the firm’s side, best IT practices continue to rise to the surface as lessons of breaches are revealed and analyzed. Firms are continuing to increase spending on security, even though the spending is not yet addressing the most important vulnerabilities due to a lack of skill and understanding of the threats (Palmer, 2017). Fortunately, new curricula and courses on information security are appearing on many college campuses and in online sources.
US News (2017) reports the second best technology job is in IT security and analysts in that area average $92,600 in salary. Even at those rates, jobs in cybersecurity remain unfilled — with zero unemployment — because of 3.5 million unfilled global cybersecurity positions needing to be filled by 2021 (350,000 unfilled positions in the U.S. alone [Morgan, 2017]). With more education options, high pay, and bright employment prospects, more and more graduates will have the requisite skills. The horizon here is 5 to 10 years for supply to begin to approach demand.
Best practices also have made Internet of Things (IoT) developers much more aware of security issues than their counterparts who just learned how to design e-commerce websites in the mid-1990s. The stakes are indeed quite high here with items such as door locks, self-driving cars, and pacemakers needing to transmit information over the Internet, and vulnerabilities could be fatal. Yet, the most recent IoT hacking contest revealed twice as many vulnerabilities than the devices that were examined (Constantin, 2016). We are likely at the low point in IoT security, but the publicity surrounding the needs here are providing guidance that will likely lead to dramatic improvement. The horizon here is likely also 5 to 10 years.
On the customer side, there is currently an unhealthy emphasis on maximum convenience. Recent moves by Visa to remove signature requirements for chipped credit cards (Surane, 2018) could easily be perceived to raise the specter of damage from data breaches, rather than lower them. In 2006, Apple’s “Cancel or Allow” commercial ridiculed Windows Vista computers for requiring permission to access sensitive data on the users’ computers. As an early adopter of Vista at the time, I was thankful to finally have the chance to block that data, but the desire for maximum convenience was overwhelming in the general public’s eye.
One technology providing markedly higher security is multi-factor authentication. When customers, employees, or students log into a site, it requires answers to additional questions, an additional numerical “PIN number” provided via text message, or an additional click on a Smartphone app to approve the login. My experience with the technology is it requires additional time and effort to be logged in than before, and I have seen some users complain loudly about the new steps.
These are bad signs for security, but the publicity provided by recent breaches is going to be helpful. Bellis (2017) reports wooden locks and keys were first used in Nineveh, Assyria (now Mosul, Iraq) about 2,000 BC, following perhaps millennia or centuries of widespread use of ropes and knots for protecting possessions. One could imagine people locking up their possessions confidently with a wooden lock and returning home to find their plans foiled by an impact with a rock or scorching by a fire. The surprising thing is that it took almost 3,000 more years for a switch to all-metal locks (Quinn, 2017). Of course, some people can pick locks, so our security is not guaranteed.
There are three lessons here: First, it takes more time than anyone could reasonably expect to develop relatively good security tools. Second, and more important, over time people became willing to suffer some decrease in convenience to attain that security. Third, and even more important: we cannot be guaranteed safety.
It would be much more convenient to leave our home doors unlocked. However, people everywhere struggle with keys on a daily basis. We lose them in the house, we drop them in the snow or mud, and we stand in line to make copies of them — why do we expend so much energy to protect ourselves?
One explanation is offered by Protection Motivation Theory (PMT), which asserts before a person takes protective action, he/she must feel there is reasonably high severity and probability of a threat and they have the ability to cope in the first place (Boss, et al. 2015).
Once people discover there is indeed high severity and probability of a threat, they will undertake the additional effort without even questioning it. The horizon here is likely to be 3 to 5 years.
From the third perspective, that of both firms and customers, situational awareness is becoming more important all the time. Studies examining phishing messages found an alarming number of people click on phishing messages. One of our own studies (Moody et al., 2017) revealed over 41 percent of students clicked on a phishing message we sent to them. Many people do not know someone can disguise their “from” address and make it look legitimate. Links and/or attachments can be quite computationally dangerous, and only one click could install a virus or software to reveal all of the keystrokes when typing a password.
I tell my students not to trust an email containing an attachment or link from their mothers. First, it could have been sent by someone else posing as their mother. Second, it could have been sent by her, but without her knowing about the danger in the attachment or link. Third, it could have been sent by her computer without her knowledge. All of these could be lead to serious security problems, but many people are not aware of this. A recent Verizon study found 63 percent of breaches were caused by capturing a password, and one of the three sources is by the incidence of phishing messages.
People who find out about “man in the middle attacks” realize using a coffee shop Wi-Fi connection is quite risky. A person can take a device into a Starbucks coffee shop and make that device broadcast a Wi-Fi connection they call Starbucks. A trusting customer can log onto that device which does eventually link to the Internet, but in the meantime the device can snoop into many of the interactions made by customers. Demonstrations have revealed such attacks are not difficult.
Hotel business centers or Internet cafés are also risky. A device that looks like a thumb drive can be inserted into a computer tucked way below a desk or otherwise hidden from direct view. This device, called a “keylogger,” can send out via Wi-Fi or Bluetooth every key that is tapped by the unsuspecting user. This action will reveal everything typed, even if a website is shown as “secure” by the “https” at the beginning of the URL (Web address).
The need here is for people both inside and outside the firm to better understand how to opt for safer behavior. Only click on an attachment if you expected that particular attachment at that time outside of the email itself. Only use an encrypted connection when using coffee shop or hotel Wi-Fi. Inspect the computers in a business center or Internet café. Use complicated passwords that can be “rebuilt” by reciting a song or making use of a mnemonic. Here we have many challenges, needing to educate a large number of people, so I believe the solution horizon here is 10 to 15 years unless firms adopt multifactor authentication, which will shorten it to perhaps 3 to 5 years.
Therefore, my optimism is on a delayed fuse. Currently I am pessimistic and believe we’ll see more breaches. However, as we have more breaches, it should lead to better communication about some of these problems and solutions and perhaps firms will decide sooner rather than later to adopt required multifactor authentication.
For now, please work hard to hire your security personnel, adopt multifactor authentication, spread the word about why, and adopt other security best practices as they arise. These measures will hopefully reduce costs of doing business, liability due to identity theft, and headaches for consumers. But first, we need to get through the next few years before we can improve our prospects significantly.
Bellis, Mary (2017) “The History of Locks,” ThoughtCo, https://www.thoughtco.com/history-of-locks-4076693, April 13, 2017 (last retrieved January 19, 2018)
Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. Cameron, Dell (2017) “The Great Data Breach Disasters of 2017,” Gizmodo, December 27, 2017, https://gizmodo.com/the-great-data-breach-disasters-of-2017-1821582178 (last retrieved January 18, 2018).
Constantin, Lucian (2016) “Hackers found 47 new vulnerabilities in 23 IoT devices at DEF CON.” CSO, September 13, 2016. https://www.csoonline.com/article/3119765/security/hackers-found-47-new-vulnerabilities-in-23-iot-devices-at-def-con.html (last retrieved January 18, 2018).
Fleming, John and Adkins, Amy (2016) “Data Security: Not a Big Concern for Millennials.” Gallup News, June 9, 2016. http://news.gallup.com/businessjournal/192401/data-security-not-big-concern-millennials.aspx (last retrieved January 18, 2018).
Moody, G. D., Galletta, D. F., & Dunn, B. K. (2017). Which phish get caught? An exploratory study of individuals′ susceptibility to phishing. European Journal of Information Systems, 26(6), 564-584.
Morgan, Steve (2017) “Cybersecurity job market to suffer severe workforce shortage,” June 22, 2017. https://www.csoonline.com/article/3201974/it-careers/cybersecurity-job-market-statistics.html (last retrieved January 18, 2018).
Palmer, Danny (2017) “Businesses increasing their cybersecurity budgets, but spend it in the wrong places,” January 26, 2017. http://www.zdnet.com/article/businesses-increasing-their-cybersecurity-budgets-but-spend-it-in-the-wrong-places/ (last retrieved January 18, 2018).
Quinn, Brendan (2017) “The history of locks – from ancient Egypt to the present day,” The Telegraph, December 12, 2017. http://www.telegraph.co.uk/property/home-improvement-tips/history-of-locks/ (last retrieved January 19, 2018).
Seals, Tara (2017) “Poor Security Habits Plague Large Enterprises,” Infosecurity Magazine, Nov. 17, 2017, https://www.infosecurity-magazine.com/news/poor-security-habits-plague-large/ (last retrieved January 18, 2018).
Surane, Jenny (2018) “Visa won't require signatures, a move Walmart long sought,” Chicago Tribune, January 12, 2018, available at http://www.chicagotribune.com/business/ct-biz-visa-no-signature-20180112-story.html) (last retrieved January 18, 2018).
US News (2017) “Information Security Analyst Overview,” US News and World Report, available at https://money.usnews.com/careers/best-jobs/information-security-analyst (last retrieved January 18, 2018).
Verizon (2016) 2016 Data Breach Investigations Report (http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf).