How to Stop Breaches (A Special Holiday Roundup)
Having finished talking to Congress about data breaches, Troy Hunt has started a five-part series of articles on how to fix them.
- Part one is all about Education: the majority of breaches have involved a human element, even if it is just bad coding, and the sooner a human can recognize a possible security problem and fix it, the cheaper that fix is likely to be.
- Part two covers Reducing Breach Impact, looking at the vast swaths of data companies collect and their desire to hoard as much information as they can. What is initially thought of as an asset instead becomes a liability the moment that data is disclosed in a breach. For example, the Equifax breach was that much more horrible because it included credit card numbers and driver's license numbers. Troy argues for data minimization and expiration to protect users' data.
- Part three covers Ease of Disclosure, making it easy for people (whether security practitioners, a reporter, or a random individual) to contact you in order to disclose a security issue, with a reasonable expectation that you will be receptive rather than litigious.
- Part four covers Bug Bounties: not just making it easy for people to report vulnerabilities, but ACTIVELY ENCOURAGING THEM TO, and offering some remuneration as an incentive to disclose to you rather than sell to the black market.
- Part five covers Penalties, making the financial impact of a data breach matter to the bottom line, so that the ROI of investing in security becomes much more compelling.
Written on December 27, 2017