As Alexander Pope famously wrote, “To err is human; to forgive, divine.” The estimable Pope could afford to coin such highbrow quips because he was a poet, not a chief information security officer.
The JPMorgan Chase breach is the latest high-profile example of the risk that is inherent to all companies today. It is an especially pertinent example, given JPMorgan Chase’s position as the largest bank in the United States. But it is only the latest in a long list of organizations that have suffered a data breach. Thousands of organizations suffer data breaches each year, affecting millions of individuals. The consequences of these breaches range from inconvenient to catastrophic.
In June, a company called Code Spaces fell prey to a hacker who had gained administrative access to its network, and to its customers’ intellectual property. Ironically, Code Spaces offered technology companies a purportedly secure cloud-based code-hosting service that it could not protect. JPMorgan Chase will survive its mistake, although shareholders and consumers are becoming antsy. Code Spaces was not so lucky. Its systems and reputation mortally wounded, the company was forced to shutter within days of the attack.
Both JPMorgan Chase and Code Spaces were victims of human error and a common hacking technique known as phishing, which lures us into clicking on malicious links designed to pique our interest. Behind these links may be forms intended to usurp our credentials, or malicious code designed to clandestinely give the attacker control of our device. The hacker can use our stolen credentials or compromised device to search for data that can either be sold or used as collateral for extortion. In a corporate environment, if the compromised person happens to be someone with administrative privileges, the risk becomes exponential.
Phishing isn’t a new technique. It’s a “social engineering” ploy (preying on human trust and natural curiosity) that is nearly 20 years old. But while hackers once used phishing primarily to target individuals in hopes of plundering a single bank or credit card account, they now use it to compromise entire companies.
How is it that large, sophisticated organizations (including big names in the data security business) manage to be fooled by such simple, unsophisticated tricks? Behind all the millions of dollars’ worth of technology engineered to protect data, and the networks on which they are stored, are human beings – a species known to make silly mistakes.
The 2011 hack of RSA – a name synonymous with information security – should be regarded as the canary in the digital coal mine. RSA did everything according to the playbook and it still got hacked because someone who should have known better was fooled by a simple trick.
Whether motivated by genuine concern for the less fortunate, driven by curiosity, or merely caught in a moment of weakness, we’ve all clicked on something we otherwise wouldn’t (or shouldn’t) have. Maybe it was something sent by a friend, or a grim email from our bank informing us that we must verify our account. Either way, we did it impulsively.
Imagine that you clicked on that link while at work, and that you were one of a few dozen – maybe a few hundred – people granted administrative authority for your organization’s file repository. We already know that when we share folders, we don’t always remember to revoke access, so it is not so far-fetched to think that we wouldn’t know if we accidentally handed over access to our corporate file-sharing system.
Many companies are slow to adapt to these evolving threats. They continue to believe that if they invest a little bit more, the protections and firewalls that have failed them time and again will succeed as a shield against attacks that are virtually impossible to detect.
This brings us back to JPMorgan Chase and Alexander Pope. In addition to reminding us of our foibles, Pope also wrote, “The greatest magnifying glasses in the world are a man’s own eyes when they look upon his own person.” This is good advice as we design defenses that take account of human gullibility, which affects even the world’s most senior military officials. Because no matter how clever we may be, there is no solution for the human condition.