“There is a limit to what customers can do because customers are entrusting organizations with data, with personal data, that they need to protect,” said cybersecurity expert Mourad Debbabi.
The recent personal information data breaches, such as the Capital One breach announced this week, show that companies are not taking cybersecurity seriously, expert Mourad Debbabi says.

The provider of Costco Wholesale and Hudson’s Bay credit cards announced on Monday there was a breach of security on July 19 affecting six million Canadians’ personal information. One million social insurance numbers were compromised.

It’s at least the second time this year that Canadians have been affected by a data breach. In June, 2.7 million Desjardins Group members were victims of a data breach caused by an employee who accessed and leaked internal data.

Data is being stolen directly from the companies or organizations that house it and not from the individuals themselves. This makes companies responsible for protecting the data, says Debbabi, who is a Concordia professor and the NSERC/Hydro-Québec Thales senior industrial research chair in smart grid security.

“Customers can do a lot of things to protect themselves,” Debbabi said. “For example, they can change their passwords often, they can use two factor authentication, they need to be alert to protect themselves from phishing attacks and they need to have appropriate security software on their machines like anti-viruses.”

However, all these measures are not enough, Debbabi said. “There is a limit to what customers can do because customers are entrusting organizations with data, with personal data, that they need to protect.”

“Very often, when we security experts talk to (companies) about the security of the data, we get the answer that ‘it’s taken care of,’ ‘it’s well done,’ or ‘don’t worry about it’ until these events happen.”

“We are experts in cybersecurity and we understand that there is no perfect security,” Debbabi said, adding that he doesn’t understand why companies would leave data “sitting unprotected somewhere accessible.”
“If you have something precious in your home, are you going to leave it on the table?” Debbabi asked. “No, you are going to put in a safe, you are going to make it difficult to access.” He said the same logic applies to protecting data.

According to Debbabi, these events demonstrate that companies need to have a proper security architecture and proper defence mechanisms to protect the data, including encrypting it. He added they also need to audit their security operations regularly to make sure there are no loopholes.

It is not clear whether the Capital One data was saved in the cloud. The company said in a statement: “this type of vulnerability is not specific to the cloud.”

Regardless, Debbabi said “cloud technology is wonderful,” but he asks, “is the security model as it is right now mature enough to host sensitive data?” He said the Capital One data breach might demonstrate that the model could be flawed.

Debbabi explained that he has seen companies use the cloud to store data to save money on building their own security bubble. “I call upon these institutions to tighten their security, to take it seriously and to not look at security as an expense that doesn’t generate any profit,” Debbabi said.

Twitter.com/mia_anhoury