In February of 2005, ChoicePoint, an Atlanta-based company that provides consumer data services to insurance companies, US government agencies, and other businesses, announced that unidentified individuals had accessed its database. Posing as legitimate businesspeople, the scammers gained access to tens of thousands of consumers' personal information, including social security numbers and credit reports.
This security incident, the latest in a long line of similar occurrences, got me thinking: sometimes asking the right questions is more important than getting the right answers. Of course, for those directly affected by this breach, that's really neither here nor there. (Roughly 750 individual cases of identity theft have emerged due to this incident.)
But for the rest of us, for whom a similar breach is all too possible, it's something to think about. Sometimes the mere exercise of questioning how someone might exploit a system -- no matter how dubious or obscure the method -- can help prevent it from actually happening. This type of brainstorming can expose weaknesses that the company needs to address.
Secure computing today depends on so many more factors than just taking care of your organisation's own security. That means companies can't just base their entire security strategy on depending on Windows Update and antivirus signatures to do their jobs.
Internet security is about more than installing a firewall, disabling cookies, running anti-spyware software, and not opening email attachments from people you don't know. It also means knowing when other people aren't doing these things -- and doing something about it. That requires becoming actively involved not only with keeping software secured and updated, but recognising and understanding Internet security trends as a whole.
It's become apparent to me that ChoicePoint wasn't asking the right questions about its Internet security -- particularly since confidential consumer information is this company's bread and butter. Large, centralised databases represent one of the biggest threats of Internet security. These online databases of personal information are excellent targets for predators because they provide the most access to information with the least amount of work.
As such a large information broker, ChoicePoint should have recognised -- and tried to prepare for -- this threat. Unfortunately, too many companies, lacking a real understanding of Internet security, depend too much on the claims and opinions of others without delving too much into researching security.
Readers should ask more questions about their own organisation's security. Companies are the best source of insight into their own security. In my opinion, it's vital that we continue to question any and all methods and devices designed to improve computer security because someone else is already out there questioning how to defeat it.
