My tastes in entertainment are pretty broad. While I really enjoy attending sporting events, and when Bruce Springsteen is in town I lay aside nearly everything else to attend his concert (as I did in Boston on March 26), I’m also one who enjoys catching a Broadway or Off-Broadway show now and then. In fact, over the next six weeks I will attend two Red Sox games and two shows at the New World Stages theatre in Midtown.
For a simple night out, though, give me a small club featuring one of the area’s top Blues performers. It doesn’t matter to me if it’s a cover band playing the best of John Lee Hooker, Stevie Ray Vaughan, B.B. King or Robert Johnson, or local artists like Diane Blue, Racky Thomas, Rick “King” Russell or my personal favorite, Boston Baked Blues, with front man and internationally acclaimed harmonica player Vinny Serino. Give me the Blues and I’ll be happy.
But while I love the Blues, the “woe-is-me” kind of blues is not something financial companies much appreciate…although you’d never know it by how often they have sung those tunes following the data breaches of the past 18 months. It seems we’ve reached, or even gone beyond, the point where “Here we go again” just doesn’t cut it anymore.
For what seems like the umpteenth time in the last year and a half, a major credit card processor has announced a breach of its customer database, meaning confidential information belonging to those customers has potentially been exposed to individuals who may (or may not) choose to use it to their financial gain.
This time around, MasterCard and Visa found themselves having to alert banks across the U.S. that one of their payment processors had discovered a breach of its systems and that as many as 10 million customers could have been affected. The breach, discovered in March, is believed to have occurred sometime between the beginning of the year and mid-February.
In acknowledging the breach, the payments processor attempted to put a positive spin on the story, saying that it was “reassuring that our security processes detected an intrusion.” The problem is that by the time the intrusion was detected, the data had already been exposed. Detection that arrives after the data is gone is not prevention, and I’m not quite sure how that qualifies as “reassuring.”
The statement was also a bit on the cagey side when it came to the root cause, merely noting that the company had called in law enforcement and “external experts in information technology forensics” to investigate.
External experts in information technology forensics? That sounds an awful lot like people who come in after the fact to reconstruct how the intruders got in, which means finding the holes – i.e., the structural quality issues – in the applications that were breached. It also sounds like they will be looking into the very same structural quality issues that the breached company could have and should have addressed before deploying those applications or, at the very least, during the periodic assessments of its IT systems that are meant to confirm the integrity of those applications is still intact.
It’s time for companies in the financial industry to realize that the “enemy within” – structural quality defects in the applications that host their data – is where the true first line of defense is won or lost, to apply analysis and measurement that can detect those defects before an attacker does, and then to fix what they find.
Until then, I’m afraid we will continue to see more financial companies singing B.B. King’s “It’s My Own Fault” than we will see singing Muddy Waters’ “I’m Ready.”