In late 2014, the Municipal Bond Insurance Association experienced a breach in security when a large amount of customer data was found through a Google search. The UCLA Health System had a similar issue which involved patient communication records. The Pentagon Defense Information Systems Agency had a database with contractor data that was exposed. The Texas State Department had the personal information of children in Family and Protective Services exposed. The State Court system of Kansas had a data leak which included Social Security numbers and driver’s license information of employees, plaintiffs, and defendants.
See the pattern yet? Let’s add one more piece to the puzzle: they all use a database system made by Oracle. Oracle, in 2012, found a security flaw in their database software and released a patch that fixed this issue relatively quickly. Now guess how many of the above-named entities actually installed that patch. If you said none, you are correct. All of the entities experienced the same issue, with the same symptoms, from the same cause. The cause: poor security plans which were either not executed or not maintained. Meaning, two years later, anyone with an internet connection and Google can find your sensitive data.
How did this happen? Oracle notified their customers of this issue (as they are supposed to) and gave them the solution. You would think it would be a relatively straightforward thing to fix. For the most part, yes it's simple to apply the patch and go along your merry way. However, it is possible for things to go awry when patches are installed. They may be minor glitches or they may be complete shutdowns of an application. It has happened before, but in recent years it has become far less common.
But IT professionals remember these situations. They remember the 20 hours of unpaid overtime they put in to repair a server that ceased to operate because of a software update. They remember the hundreds of calls they or their counterparts fielded when the critical system went down because of a bug. They remember being called into the CEO’s office and being grilled as to why things aren’t working the way they should be working.
Could you blame them for being hesitant to install updates that might create extra work for them? You could, but these people have a hard job, and not one that is truly understood. Does this excuse their actions? Absolutely not. In fact, it is very likely some of those responsible for these IT system breaches were fired, reprimanded, and/or sued. Not wanting to deal with the issue, cost them way more than the ten minutes it would have taken to install the patch.
What’s the moral? Hackers are an issue; there is no doubt about it. But to prevent hackers, you have to stop focusing on external issues and focus on internal. Reacting to a digital threat is not always a bad route to go and sometimes this is the best course of action. Being proactive could have prevented all those entities from losing data and trust from those they serve. While it is expensive, having an external auditing service come in and evaluate your company can save you millions in the event of a breach.
