To stop data theft, pull the plug
Back in the 1980s, when I was the networking editor at InfoWorld, one of my jobs was to write profiles of corporate networks. One of those profiles was of the Adolph Coors Brewing Company of Golden, Colorado, now known as Molson Coors Brewing. I visited the company’s one brewery at the time, interviewed the head of IT and the top network guy, then asked for a copy of the very impressive network map they had on the wall.
"Sorry, we can’t give you that," they said. "It’s private."
"But we always print a map of the company network," I explained.
"Fine, then make one up."
And so I invented my own map for the Coors network.
There’s a lesson here, trust me.
Back then there was no commercial Internet. The Coors network, like every other corporate computer network, was built from leased data lines connecting the brewery with sales offices and distribution centers in every state except, at the time, Indiana. Such networks were expensive to build, and the people who ran them were quite proud.
Today we just find a local Internet Service Provider (ISP) and connect to the Internet, a much simpler thing. If we want secure communications we build Virtual Private Networks (VPNs) that encrypt the data before sending it across the public Internet and decrypt it at the other end. We do this because it is easy and because it is cheap.
IT used to cost a lot more than it does today, and cheap Internet service is a big part of what makes today’s lower cost possible.
Cheap Internet service also made possible every major corporate security breach, including the big retail hacks and data theft at Target and Home Depot, as well as the big JP Morgan Chase hack revealed just last week, which compromised the banking information of at least 89 million customers.
How cheap is IT, really, if it compromises customer data? Not cheap at all.
Last year’s Target hack alone cost the company more than $1 billion, estimated Forrester Research. The comparably sized Home Depot hack will probably cost about the same. JP Morgan Chase is likely to face even higher costs.
Here’s the simple truth: it makes no sense, none, nada, for a bank to send financial transactions over the public Internet. It makes no sense for a bank or any other company to build gateways between their private networks and the public Internet. If a company PC connects to both the corporate network and the Internet, then the corporate network is vulnerable.
At Target and Home Depot the point-of-sale (cash register) systems were compromised; customer data was gathered and sent back to the bad guys via the Internet. Had there been no Internet connection, the bad guys could never have received their stolen data.
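As an added illustration of the point above (example code, not the author’s): a check a defender can run over egress firewall logs to catch point-of-sale hosts that reach anything beyond their own store segment and the payment processor’s private link. The log format, the 10.20.30.0/24 POS subnet and the allowed prefixes are constructed assumptions.

```python
import ipaddress
import re

# Constructed firewall log lines (not from the article): one flow per line.
SAMPLE_LOG = """\
2014-10-05T12:00:01 src=10.20.30.5 dst=10.20.30.1 dport=53 proto=udp
2014-10-05T12:00:02 src=10.20.30.5 dst=172.16.8.10 dport=443 proto=tcp
2014-10-05T12:00:03 src=10.20.30.7 dst=203.0.113.9 dport=443 proto=tcp
2014-10-05T12:00:04 src=10.20.31.2 dst=203.0.113.9 dport=443 proto=tcp
2014-10-05T12:00:05 src=10.20.30.9 dst=198.51.100.4 dport=21 proto=tcp
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def flag_pos_egress(log_text, pos_cidr, allowed_cidrs):
    """Return (src, dst, dport) for every flow that leaves the POS segment
    for a destination outside the allowlist. With the article's rule
    (no Internet path at all), the allowlist is only the store LAN and the
    private payment-processor prefix, so any hit is a policy violation."""
    pos_net = ipaddress.ip_network(pos_cidr)
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        src = ipaddress.ip_address(m[1])
        dst = ipaddress.ip_address(m[2])
        dport = int(m[3])
        if src not in pos_net:
            continue  # not a register; other segments have their own policy
        if any(dst in net for net in allowed):
            continue  # store LAN or the processor link: expected traffic
        flagged.append((str(src), str(dst), dport))
    return flagged


if __name__ == "__main__":
    # Assumed policy: registers may talk only to their own /24 and 172.16.8.0/24.
    hits = flag_pos_egress(SAMPLE_LOG, "10.20.30.0/24",
                           ["10.20.30.0/24", "172.16.8.0/24"])
    for src, dst, dport in hits:
        print(f"POS host {src} reached {dst}:{dport} outside the allowed segments")
```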
Taking a bank or retail network back to circa 1989 would go a long way toward ending the current rash of data breaches. It would be expensive, sure, but not as expensive as losing all the money that Target and others have recently lost.
This is the simple answer, yet few companies seem to be doing it. The reason for that, I believe, is that professional IT management in the old sense no longer exists at most companies. And public companies especially are so trained to cut IT costs that they’ll continue to do so even as their outfits lose billions to hackers. Besides, those losses tend to be charged to other divisions, not IT.
Back at Coors they loved that I designed my own incorrect network map because it would be that much harder for an outsider to gain access to their network and steal data. IT people thought about such things even then. Until we re-learn this lesson there will always be network hacks.
Some corporate and government data simply doesn’t belong on the Internet. Why is that so hard to understand?