We spend so much time working toward a goal, delivering on an expectation, that it becomes business as usual. People trust me to do my job, I trust others to do theirs. Together we make great teams, great divisions, and a great company for our customers.
In the last two weeks, two major companies have lost my trust. One, Anthem, an insurance company, that had 80M customer medical records stolen and the other Lenovo, a computer manufacture, that installed software on their consumer laptops and desktops that intercepted TLS/SSL encrypted traffic using a self signed encryption certificate and embedded it into the operating system.
I trusted these companies like I know my company’s customers trust us. How can we prevent becoming the next untrustworthy company?
For Anthem, the problem was not following the basics of data security. Encrypt your data at rest, in flight, and protect your keys at all cost. Restrict data access to only those who need it – and ONLY the data they need. What a logistics nightmare to coordinate that among the entire company’s applications – but not as bad as the nightmare they’re living with now.
Regardless if you store your data in a colocation with insane physical and electronic boarder security or your own onsite datacenter with James Bond proof security – thieves don’t have to get out of their underwear to make off with a billion dollars with of data.
Lenovo had a simple task of maintaining their tradition of building computers that people want. Someone made the decision to install some extra software (presumably for profit) on their consumer computers that gathers “We thought [Superfish] would enhance the shopping experience…“. I call bullshit – the software was harvesting their customers data by decrypting encrypted browser traffic using a “Man in the Middle” attack. Lenovo decided to make an extra dollar and deceive their customers into thinking the lock on their browser actually meant they were secure. It took five months for the word to get out on the Lenovo malware, but in the week it hit the media – I’ve read about it everywhere. I’m watching LNVGY to see what happens when the stock holders finally figure out what this means.
It means companies large and small that buy one or thousands of their products in bulk may begin to question the integrity of Lenovo. If they installed privacy busting malware into their consumer goods – what kind of nefarious tricks were in the latest ThinkPad or X laptop in my business? Is my CIO’s bank account going to be hacked, company secrets leaked to a Lenovo partner in China, or my laptop used as a portal for Chinese hackers to run rampant in my network? A secret decryption chip and hook into the network hardware to leak secrets back to home base? Sure, it’s far fetched… or is it? Stranger things have been dreamed up.
Anyone can prevent these – stand up and say something. Call out bad ideas for what they are. Identify security risks when you see them. These are what makes great people, great. They take on the challenge instead of letting the big sleeping dragons sleep. Eventually they’ll wake up, on their own or with the help of someone, and lay waste to your kingdom.