Route1 Comments: Continued Data Breaches Demonstrate Need to Dispel Dangerous Myths
Toronto, November 19, 2015 – Despite increasing reports of the loss or theft of vital and confidential data, governments and private enterprises continue to avoid taking meaningful and cost-effective action to prevent it, according to Tony Busseri, Chief Executive Officer of Route1 Inc. (TSXV: ROI), a leading provider of secure access technologies for the mobile workspace to protect businesses and government agencies.
“The problem of data breaches, especially through mobile devices, is pervasive and challenging but it can be significantly reduced by eliminating some myths that have been used as excuses for inaction,” Mr. Busseri said. “These myths are the most dangerous and most strongly entrenched in the boardroom, among C-suite managers, and at the top of government departments and agencies. Few senior executives have IT network security backgrounds but they must recognize their ultimate responsibility to protect one of the most valuable assets of an organization – data.”
Employers and employees alike recognize the benefits provided by access to their organization’s network and data through smartphones, laptops and USB drives. The challenge is what to do when those devices, or the data on them, are lost or stolen due to compromised access credentials, such as passwords; or when malware or crimeware is planted within the organization’s network through mobile devices.
Recent examples of major data breaches, and their consequences:
- U.S. Court allows U.S. Federal Trade Commission (FTC) to continue $6.5 million lawsuit against hotel chain Wyndham Worldwide: August 2015
The regulator found that Wyndham had not taken adequate measures to protect against loss of customer data that was sold to hackers.
- U.S. Office of Personnel Management claims records – including fingerprints – of more than 22 million federal employees or contractors were “hacked”: June 2015.
Other reports find that internal security weaknesses were likely contributing factors. These include failure to use at least two forms of identity authentication to access the network, massive amounts of inbound connections from mobile and remote devices using virtual private networks (VPNs), and allowing users to copy files and records to mobile or remote devices.
- Target CEO resigns after security breach: May 2014
After a lapse by a supplier with secure access in 2013, about 40 million debit and credit card numbers were stolen along with the personal information of 70 million customers. The net cost was at least US$162 million and the company’s market capitalization fell by US$6.2 billion to US$55.8 billion.
- Condon v Canada: 2014, appeal by the Crown in 2015 denied and the case continues.
A lost USB key and hard drive leaked private data affecting 583,000 Canadians, including their names, Social Insurance Numbers, dates of birth, addresses and student loan balances. This resulted in a class action claim for breaches of contract, warranty, confidence and intrusion upon seclusion, negligence, and breach of Quebec privacy rights.
“These are only a small sample of recent incidents that have compromised the private information of millions of people, resulted in direct financial losses that could easily be in the billions of dollars, led to litigation and regulatory intervention, significant intangible damage to brands and reputation and, of course, the end of careers,” noted Mr. Busseri.
Route1 has examined the supposed barriers preventing organizations from mitigating this damage and has found that most are based on perception, not technology. Quite simply, they are myths.
Myth 1: “Hacking will happen: Nothing can be done to prevent data loss.”
Hacking may indeed happen but that is not the real problem. In most cases, “hacking” from the outside of an enterprise is an effect – not a cause – of data breaches. According to a Verizon survey of data breaches issued earlier this year, almost 90% of incidents can be traced to security mistakes made by the people within the organization. That includes the theft or loss of devices and unintended failure to follow security protocols.
“Many technological approaches that are in use today depend on everyone using them being perfect – to know and follow the protocols exactly, every time. But people aren’t perfect, and that is how and why breaches happen,” Mr. Busseri said.
When looking at a reported data breach, it is important to identify how it really happened. Even those reported as hacking probably started as something as simple as a USB dropped on the bus, Mr. Busseri noted. A November 2015 survey conducted by Imation found that almost half of senior executives had lost a device or had it stolen, and 93% of those devices carried work-related information, mostly confidential emails. The lost and stolen rate was only slightly better for less senior managers.
Myth 2: “Meeting regulatory standards is enough. We don’t need to do anything else.”
Regulators are challenged to keep pace with change and innovation, no matter what their areas of responsibility may be. For better or for worse, industry participants can move faster than authorities. This is certainly true in information technology and data security where advances are especially rapid.
“A regulator that believes it is sufficient to maintain data security standards that are even five years old is really not acting in its stakeholders’ best interests,” said Mr. Busseri. “Any organization that is satisfied to just meet those standards is setting itself up for failure.”
The FTC, for example, has asked Congress for specific laws to protect consumers from data loss but, in the Wyndham Worldwide case, used a general principle from the original regulations of 1914 – created more than 100 years ago. Unsurprisingly, businesses want to know the specific standards they must meet to avoid prosecution, but the FTC cannot adequately provide that guidance.
Myth 3: “We need mobile access to our data and that naturally means some leakage. It’s the price you pay.”
It is recognized that the days of employees working only at their desktops and then going home are over, whether they work in government agencies or private enterprises. They want to be able to access data remotely even if they “bring your own device” (BYOD). Mobile access allows them to work from wherever they are, which most see as a benefit, and their employers find it boosts both productivity and morale.
From their own experiences and reports of others, many organizations have come to assume that mobile access inevitably leads to some data loss. That is largely because most have relied on virtual private networks (VPNs) for mobile device management.
But VPNs can’t deliver some of the key attributes of secure mobile access. Authentication allowing the access to the network is driven by the software on the mobile or remote device, not by the user. There may be only one factor authorizing use when there should be at least two. User name and password are one factor, based on “what you know.” A second would be “what you have,” such as a smart card.
VPNs do not protect against serious data loss if a device is lost or stolen, and the technology cannot recover the data or determine who has gained access to it. They also allow data to move out from behind the organization’s firewalls, and can additionally introduce malware and viruses into the organization’s network.
Although they have become common in the industry, VPNs are not what many assume they are.
It stands to reason that if you allow an asset (data) to move outside of the most secure place for it (the enterprise network), and that the movement of the asset weakens the underlying security of the “safe place,” then the approach you are taking is flawed.
“Whether the data is intellectual property, employee files, client information, bid records, legal information, or anything else, an organization has a responsibility and strong business reason to be able to account for the data at all times,” said Mr. Busseri.
There are progressive technologies such as Route1’s MobiKEY that address all of the weaknesses of VPNs.
Myth 4: “Data security is just an operating issue. Our IT people can handle it if they use the same equipment as our peers”.
Increasingly, but probably too slowly, the secure management of data and mobile access is being recognized as a fundamental, enterprise-wide strategic issue. It is entering the portfolio of internal and external risks that can pose an existential threat to the organization.
In the Target example, proxy advisor Institutional Shareholders Services advised that seven directors be removed for failure to protect the company’s data, after the resignation of the CEO.
“Those directors were re-elected in this instance, but would they be in the near future? It is a good example of where blame is being increasingly focused – to the Board and the CEO, not just the head of information technology,” Mr. Busseri said.
Data can be an organization’s most important asset and, in the corporate world, directors have a responsibility to protect that asset and to manage the risks it may face. There are clear parallels: the Board of a trucking company needs to have systems and controls in place so it knows how many trucks it has, where they are, who is driving them, what they are carrying and for whom, whether they are safe, and when they may need to be replaced. However, there are also fundamental differences. The directors may have spent decades in the trucking business and know it well. The business may change but, essentially, a truck is still a truck.
But that is not true in IT, data management and security. In that world, change is rapid and new threats to protecting data emerge daily, particularly through mobile devices. Senior management and directors cannot be expected to keep pace with a continuing revolution in IT. They should be able to hold their IT departments accountable, but need to know at least what questions to ask since now they can be called to account as well, Mr. Busseri noted.
It is not simply good enough to have the same mobile access technology as the nearest peer. The technology has to actually work and, as incident after incident has shown, too many technologies used today are ineffective. They allow data to move outside secure firewalls and create vulnerabilities for the organization’s network.
“The best way to protect data and to secure the network is to ensure there is no movement of the data outside of the enterprise network, period,” Mr. Busseri said. “Accessing data using a mobile device does not mean the data needs to be transferred to the device. It can be kept safe within the network with a different approach and unique technology like Route1’s MobiKEY.”
Mr. Busseri advises senior decision-makers to ensure that whatever technology they adopt requires at least two types of authentication to allow access to the network. He also reminds them that the most expensive or complex technology is not necessarily the best.
“You can’t use cash to plug holes in an IT network. Security should save money, not increase expenses,” he said.
“Many enterprises use virtual private networks for mobile access to data and they have demonstrated weaknesses. Why would an organization adopt a system they have seen fail elsewhere?” he said. “Doing the same thing over and over, but expecting a different result is one definition of insanity.”
Myth 5: “The cost of good data security is too high for the difference it may make.”
Poor security can cost millions. A 2015 IBM study finds that the average cost of a lost or stolen record is US$154. Add them up and the total is $3.8 million for an average data breach, a 23% increase in two years. That does not include the cost of insurance or reputational damage.
Good security is available for far less. Technology such as MobiKEY can be delivered for little or no capital cost, and in most cases these solutions reduce operating costs compared to other technologies widely used today.
“Organizations need to consider newer approaches that require less investment, lower ongoing expense and provide major savings from improved data security,” Mr. Busseri said.
ABOUT ROUTE1 INC. Route1 enables the mobile workspace without compromising on security. Its flagship technology MobiKEY uniquely combines secure mobile access, with high assurance identity validation and plug-and-play usability. Remote and mobile workers are able to securely and cost effectively access their workspace from any device without exposing the organization to the risk of data loss or malware propagation. MobiKEY customers include enterprises as well as the U.S. Department of Defense, the Department of Homeland Security, the Department of Commerce and the Government of Canada. Headquartered in Toronto, Canada, Route1 is listed on the TSX Venture Exchange.
For more information, visit our website at: www.route1.com.
For More Information Contact:
Tony Busseri, CEO
+1 416 814-2635
tony.busseri@route1.com
This news release, required by applicable Canadian laws, does not constitute an offer to sell or a solicitation of an offer to buy any of the securities in the United States. The securities have not been and will not be registered under the United States Securities Act of 1933, as amended (the “U.S. Securities Act”) or any state securities laws and may not be offered or sold within the United States or to U.S. Persons unless registered under the U.S. Securities Act and applicable state securities laws or an exemption from such registration is available.
Neither the TSX Venture Exchange nor its Regulation Services Provider (as that term is defined in the policies of the TSX Venture Exchange) accepts responsibility for the adequacy or accuracy of this release.
© Route1 Inc., 2015. All rights reserved. Route1, Route 1, the Route1 and shield design Logo, MobiDESK, Mobi, Route1 MobiVDI, Route1 MobiDESK, Route1 MobiBOOK, Route1 MobiKEY, Route1 MobiNET, IBAD, MobiVDI, MobiNET, DEFIMNET, Powered by MobiNET, Route1 Mobi, Route1 MobiLINK, TruOFFICE, MobiLINK, EnterpriseLIVE, PurLINK, TruCOMMAND, MobiMICRO and MobiKEY are either registered trademarks or trademarks of Route1 Inc. in the United States and/or Canada. All other trademarks and trade names are the property of their respective owners.
The DEFIMNET and MobiNET platforms, the MobiKEY, MobiKEY Classic, MobiKEY Classic 2, MobiKEY Classic 3, MobiKEY Fusion, MobiKEY Fusion2, and MobiKEY Fusion3 devices, and MobiLINK are protected by U.S. Patents 7,814,216, 7,739,726, 9,059,962 and 9,059,997, Canadian Patent 2,578,053, and other patents pending. The MobiKEY Classic 2 and MobiKEY Classic 3 devices are also protected by U.S. Patents 6,748,541 and 6,763,399, and European Patent 1001329 of Aladdin Knowledge Systems Ltd. and used under license. Other patents are registered or pending in various countries around the world.
Other product and company names mentioned herein may be trademarks of their respective companies.