Saturday, March 10, 2018

Are we paranoid about cyber security?

The government is worried about cyber security. They consider it a big risk. They want to put a lot of resources into combating this risk. They want to train a lot of cyber experts.

They want to strengthen cyber security for the government agencies and the business community.

I think they may be over-reacting to the risk and may be putting in a lot of resources that will be costly, and will also make life difficult for the ordinary users.

To deal with the risk or hype of cyber security, we need to apply our common sense and identify the risks that are real and those that are not critical.

You hear about hackers who intrude into databases and download customer data and, worse, publish the data on websites.

If the information concerns names, telephone numbers and email addresses, it does not really matter. In the old days, when telephone directories were published, the names, addresses and telephone numbers were available. They were not kept private, unless the subscriber requested the data to be unlisted.

It may be more harmful if the password is disclosed. The concern is that the hacker can use the password to access other websites of that person using the same password.

Really? There must be a million records that are published. The risk that someone is going to hack into a specific person's account is one in a million (less than the risk of dying in an accident). Who wants to take the trouble, unless he or she is targeting a specific person? And that would be a crime, right?

Even the publication of personal data on a website is a crime. It is easy to ask the owner to take down the website. If the culprit can be caught, he can be sent to jail.

There is the risk that the hacker can alter the data. This risk can be better protected against by having an audit trail to highlight unauthorised alteration to the data. Once detected, there are backups to establish the correct data.

Actually, it is not easy to hack into a database and alter the data. It requires a professional hacker. Still, it is a risk that requires some protection, but one need not be paranoid about it. It is similar to the risk that someone will fire a rocket into my home, and that can be more harmful.

We must not overlook the real risk that our own employees could be the people responsible for altering the data. There are more employees than professional hackers.

Knowing this risk from internal people, I prefer to rely on an effective audit system to highlight unauthorised alteration of data (whether from internal people or external hackers) rather than to over-invest in sophisticated cyber security measures.

I write this article to generate a discussion about the real risk of cyber security. I may have overlooked some of the real risks, and I welcome someone pointing them out.

I assure these experts that I am aware of the things that professional hackers can do, but I look at the practical outcome. Is it so serious? I also live each day knowing that someone can shoot me with a gun or break into my home and office to steal my assets.

As my friends know, I do not have a paranoid fear of things that I do not really understand. I apply my common sense to them.

Tan Kin Lian
