Password Theft Crisis: A Wake-up Call for ERM

Steven Minsky | Aug. 11, 2014

A Russian crime ring has committed the largest data breach ever. According to a report in The New York Times, the ring allegedly stole 1.2 billion username and password combinations, and more than 500 million email addresses from some 420,000 websites.

From an enterprise risk management perspective, this is not the full story. A major theft on this scale is not unprecedented (remember Target?), nor did it surprise security specialists at this week’s Black Hat event.

The passwords were stolen not due to poor infrastructure, but rather poor risk assessments on customer and vendor behavior and poor risk mitigation tracking and follow-up.

Who’s to Blame?

While the initial blame is typically aimed at IT, the real story here is that many corporations have not done risk assessments on the security vulnerabilities of their products, customers, or vendors. Even though the expertise and knowledge are out there, without risk assessments there is no avenue to act on technology threats. Products, customers, and vendors are a new source of vulnerability, and organizations must expand the scope of their IT risk assessment process to include the business people responsible for these relationships.

Today, and increasingly in the future, almost every object in our offices and homes can be vulnerable to theft. Hackers have the technology to monitor your routines inside and outside the office via your wired thermostats and through your employees’ trendy fitness trackers. Additionally, employees are storing corporate information on personal devices and unknowingly broadcasting this information everywhere. Hackers are then circumventing corporate controls through these new uncontrolled devices, and every corporation becomes either part of the problem or collateral damage. Lawsuits and class actions are in the not-too-distant future.

ERM for IT Professionals

Traditional corporate infrastructure is not the weakest link, and IT departments are inexperienced in the basics of the ERM process. As a result, they struggle to conduct risk assessments from the corporate level down to the business areas where day-to-day decisions are made, and then face roadblocks in aggregating these results up to the senior leadership team and board to allocate resources.

Get Cyber Compliant

Download our annotated guide to SEC cybersecurity guidelines here!