Back-to-School: Aus dem Klassenzimmer des CAS Information Security & Risk Management. Basis für diesen Lehrgang ist das BSI-Grundschutzhandbuch, und die Teilnehmenden bereiten sich begleitend auf die CISSP-Prüfung vor. Somit ist es ein Teil des 15-tägigen Lehrgangs, ein CISSP- oder BSI-Fachthema als Blogpost aufzubereiten:

Information Security: Why do we protect our money better than our data?

Back in the fifties, Willie Sutton gave his reason for robbing banks as: “That’s where the money is”. Has that changed over the last few decades? And what’s up with the statement that data is the new money? What certainly has changed is that in times of digitalization it is no longer necessary to go personally to the bank if you want to steal some money. Rather, bank robbers of today have the opportunity to steal money from virtually any place in the world because of the world wide web. Only, modern bank robbers nowadays are called hackers and bank robbery is referred to as online fraud. Over the last two decades, in order to prevent hackers from stealing money, financial institutions around the globe have invested a lot of time and money into defending themselves against such attacks. We, the customers, are also aware of the risks and demand that the highest security standards are used by these companies or we will simply refuse to use their online platforms. No one wants to lose money, neither the companies nor the customers. However, is it true that at a time when companies such as Alphabet, formerly known as Google, or Facebook are among the companies with the highest market capitalization in the world, even ahead of financial institutions such as JPMorgan or Wells Fargo, banks are really the only place where the money is? If you look at the profits that Google makes every year, you have to conclude that dealing with data must be more lucrative than dealing with money. It really looks like data is the new money. That brings me back to the question “Why do we protect our money better than our data?”. Although we should know that the value or income from dealing with data seems to be much higher than dealing with money. And let us not forget that both, money and data that flow through the cables are nothing but a chain of ones and zeros. So shouldn’t they both be equally protected? I think the answer is quite simple: Unlike data, we can easily estimate the value of money. We see the value directly on the banknotes and are trained daily by displaying all goods in monetary amounts. We know what 100 Swiss francs are worth. But we are simply unable to estimate or define the value of our personal data. If we deal with money in the same way we treat our personal data at the moment, we would have to throw a few banknotes or coins out the window every few days. Which we would never do, because we would see the value we were throwing out. But our personal data is more than just our posts, search queries and tweets. Rather, sensitive information about us is stored by countless companies and authorities. And, in the name of user-friendliness, today almost everything is, of course, accessible via the web. However, in most cases we do not require the same security standards as we do, for example, for financial institutions. As far as theft is concerned, we see things differently between money and data. If someone is trying to steal money online, «they’re gonna have to pull it off», or in other words they have to move it. The data, in this case money, is deleted at one location and kind of newly created at another. This means that a bank account owner would surely notice if money were suddenly missing on his of her account and he or she would immediately inform the bank about the fraud. If, on the other hand, personal data were stolen, no customer would notice this, because, unlike money, the data only has to be copied and remains unchanged in its original place. What I am trying to say is that data theft will in many cases never be noticed, but money theft will always be detected. Or to put it another way, banks know exactly when they were attacked, the rest of the industry not necessarily. I think there has to be a rethinking on this subject. If we want to secure our belongings, we must learn to estimate the value of our data and treat data and money equally in terms of protection and security. And this applies to both the private and the business world.

---

Blogpost wurde erstellt von Andreas Altwegg im Rahmen vom CAS Information Security & Risk Management. Dozenten in diesem sehr praxisorientierten Lehrgang sind: Lukas Fässler (FSDZ Rechtsanwälte & Notariat AG) Rainer Kessler (Governance Concept GmbH), Andreas Wisler (goSecurity GmbH) Beim nächsten CAS live dabei sein? Hier der Link zur Ausschreibung CAS Information Security & Risk Management Persönliche Beratung für den Lehrgang gewünscht? Einfach Prof. Martina Dalla Vecchia ein E-Mail schreiben und einen Termin vorschlagen.