Remember George W. Bush’s 2004 re-election campaign? Of course you do – Vice President Dick Vader was running the country from the White House basement while President Bush II was telling us how much safer we all were as a result of the government’s hard work. What was the self-evident evidence of our safety? We hadn’t had another September 11, so of course we were safer – what don’t you get?
Skeptics – and I promise you I wasn’t the only one – asked themselves how anyone could prove a negative, that is, how could anyone say with certainty that something didn’t happen as a result of their efforts and activities? It would have been just as valid for the government to claim that since September 11 the U.S. had introduced a rigorous program to halt total solar eclipses over North America. Is it working? The self-evident evidence: have you seen any total solar eclipses since then? The ipso facto conclusion you’d be forced to draw: our swell new total eclipse policy is alive, well and working as planned. And when would we know if the program were somehow flawed in some not-so-obvious way? To get that answer, you’d need to wait for the next total eclipse of the sun.
I can think of a parallel situation that faces every hotel company in business today. Is your rigorous program to halt the prospect of data compromise working? Provided your system is thus far unscathed, your self-evident evidence is that yes, your system safeguards are alive, well and working as planned. And when would you know if your safety steps were somehow flawed in some not-so-obvious way? To get that answer, you'll need to wait for your turn in the system-breach barrel.
The latest occupant of the barrel is Mandarin Oriental Hotel Group. It’s too early to know what actually happened – let alone how, when, where or why – so this is not a rush to judgment. It’s really quite the opposite: I’ve been long acquainted with key members of the MOHG technical staff, and if anything, they have been overly protective of their data, their guests’ data, their guests’ privacy and the integrity of their systems and network. I think the negative that MOHG is about to prove is the sad reality that good security works right up until it doesn’t. Given adherence to established guidelines and best practices, you’ll find that you’re reasonably if not fully protected until the nanosecond that someone finds an unanticipated way in. That is the tremendous negative with which we all are forced to cope.
In the world of system security, there is no silver bullet; if there were, we wouldn't be having huge, costly and embarrassing breaches… or even this conversation. Let me caveat that statement by noting that data can be more rigorously protected if you are willing to pay the price. With heightened security comes heightened complexity: the same controls that make your data worthless to steal also make it difficult (if not impossible) for your own systems to consume or share. But supposing that you were willing to throw disproportionate funds at the problem, you, too, could operate a system every bit as secure as the one at the NSA.
Oops, bad example. I stand by my contention that there is no silver bullet, no unassailable secret maneuver that keeps your data absolutely safe and you absolutely comfortable. The typical problem isn't some IT wonk asleep at the switch; you're up against a 24x7x365 barrage by bad guys who intend to erode, circumvent or destroy whatever your good practices have built. Sadder yet, a breach could just as easily come from one of your own good guys who might open the wrong email or inadvertently carry a file out on the wrong flash drive. In one fell swoop, a friend rather than a foe can usher chaos in through the gate that you've so meticulously built and guarded.
Odd truisms govern the world of system security. Do the wrong things and you’re likely to pay a heavy price; what you don’t know or don’t learn or don’t bother with could cost you the ranch. Do all the right things and… well, sometimes you end up in the same situation. That’s not an excuse for bypassing the time, effort and investment that good security demands – it’s just a reminder that sometimes bad things happen to good practices.
Best of luck to our friends at MOHG.