In 2017, the news media reported that every single Yahoo! account had been hacked. Instead of learning about this at the time of the hack, 3 billion people learned that their personal data, passwords, and other information had been accessible to the dark web since August 2013.
We’re used to seeing such stories, and as our livelihoods grow closer to our machines, we need to invert (perhaps surprisingly) our security models. Just as we do not die every time we get a cold, our systems shouldn’t falter because of a small breach. When I speak at security conferences, I often tell audiences that nothing is secure and that everything will be hacked (or it already has been). Instead of trying to harden security, we should assume that everything will be hacked. Our work culture might be 9 to 5, but hacker culture is 24/7.
Creating companies that move slowly and deliberately and are focused on long-term growth is a harder sell for investors, but the returns can be much larger, especially if we work on designing security models that are as elegant as the way a master sculptor might approach a piece of marble. We can create systems that are locally maintainable and store data in smaller and closer ways.
“In anything at all, perfection is finally attained not when there is no longer anything to add, but when there is no longer anything to take away.” – Antoine de Saint-Exupéry.
It is impossible for a small startup to focus on being a security expert and to provide its core service at the same time. Companies do well when they can maintain a core focus. Intel builds chips. Lenovo builds hardware.
An example: Grocery stores provide a core task, and security is just one concern. Grocery stores assume that some products will be stolen, and that amount is added to item cost. But grocery stores can’t be experts at security and groceries at the same time. Otherwise, the grocery stores would be too expensive, or the grocery store experience might suffer. They accept a certain level of security impact.
Early on in our use of IT, many people shared a single mainframe computer. Information was in the same room with the computer, and stored on punch cards or tape. When we got desktop computers, information was stored on floppy disks, hard drives, and CD-ROMs. Personal information was close to us, and now our photos, passwords, and credit card information are stored ‘in the cloud’ by a variety of companies.
When web apps emerged, it was the first time that the general public started storing personal information away from ourselves. And when that happened, hackers had a delicious target – data lakes. We need to experiment with new models in ways that function closer to us. If we go back to storing personal data close to us, and less-sensitive data far away from us, it could reduce the payoff for break-ins by hackers.
The model would work like this – and the example is personal healthcare. You would store your health information in your own database. This database would live on your phone or computers, but not the web. When you go to a doctor, you can share that information with them for a couple of hours in order to have them better understand you. When they perform any tests, they can share the results of those tests back to your data file, which you can then take home with you. When a hacker penetrates the system, they will only have access to what’s been shared in the last couple of hours. Another way is to blend this model with a closed approach, so that one hack only breaches a smaller set of user accounts.
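The time-boxed sharing described above, sketched as an added example that is not part of the original article: a hypothetical `PersonalVault` on the owner's device issues HMAC-signed grants limited to named fields and a two-hour window, and `breach_exposure` shows what an intruder holding a clinic's stored grants could still read. All class, function and field names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

TWO_HOURS = 2 * 60 * 60  # sharing window in seconds ("a couple of hours")

class PersonalVault:
    """Health records kept on the owner's device (hypothetical design)."""

    def __init__(self, records):
        self._records = dict(records)
        self._key = secrets.token_bytes(32)  # signing key never leaves the device

    def _sign(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def grant(self, fields, now, ttl=TWO_HOURS):
        """Issue a grant limited to the named fields and an expiry time."""
        body = json.dumps({"fields": sorted(fields), "exp": now + ttl}).encode()
        return {"body": body, "sig": self._sign(body)}

    def _check(self, grant, now):
        if not hmac.compare_digest(self._sign(grant["body"]), grant["sig"]):
            raise PermissionError("grant was altered or not issued by this vault")
        claims = json.loads(grant["body"])
        if now >= claims["exp"]:
            raise PermissionError("grant expired")
        return claims

    def read(self, grant, now):
        """Doctor's view: only the granted fields, only inside the window."""
        claims = self._check(grant, now)
        return {f: self._records[f] for f in claims["fields"] if f in self._records}

    def write_result(self, grant, now, name, value):
        """Doctor returns a test result to the owner's file while the grant is live."""
        self._check(grant, now)
        self._records["result:" + name] = value

def breach_exposure(vault, stolen_grants, now):
    """What an intruder holding the clinic's stored grants could read at `now`."""
    exposed = {}
    for g in stolen_grants:
        try:
            exposed.update(vault.read(g, now))
        except PermissionError:
            pass  # expired or forged grants yield nothing
    return exposed
```

The grant bounds what can be fetched and when; it does not stop a recipient from keeping a copy of what was read inside the window, so the recipient's own retention still has to match the window.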
As our connectivity moves from local to global, I believe that the answer to our security lies in a mix of the two. It is my hope that we’re still in the adolescent period of the web. Just like in the industrial revolution, we still need to innovate to see what works and what doesn’t.