A Good Security Response
Security will become more and more important in the future, at least in my mind. As we become more interconnected and dependent on digital services, if the level of fraud and security failures do not fall, many people will hesitate to use these services. I think certificates will be the future of digital security, but until we get better support for managing them built into all our OSes, I’m not sure we’ll move beyond passwords. I do think we need to move past passwords, but we’re stuck with them for now.
Recently Evernote had a security breach and they forced all users to reset their passwords. It was slightly annoying, but it was a comforting response for me. Two week after the incident I had to change the password on my iPad, which I rarely use. It was ironic since I was working on this particular piece when I reset my password.
I wasn’t the only one that thought this was a good response. In this article from Enterprise Security, a number of security professionals praised the way Evernote handled this incident. They note that Evernote had implemented good security practices (from what we know) and notified people immediately. I certainly appreciate Evernote moving quickly on this and am glad I had to deal with the annoying password change. I don’t use the same password on other sites, and this was a good reminder to me that I shouldn’t. It also served as a reminder to tell my family to do the same thing.
I’m not sure any company I’ve worked for would handle things this way. I haven’t had many security incidents at my previous employers, but I know in one case we were told not to disclose anything and fix issues. I’d like to think that most companies would disclose this, and I do think they should, but most wouldn’t. These things happen, just like break-ins happen in physical buildings. Companies should accept that, diagnose the issues, repair them, and move on. Customers will understand the problem and remediation steps. What customers don’t understand, or accept, is a company failing to inform them. Or failing to improve security when they know there are issues.
The Voice of the DBA Podcasts
We publish three versions of the podcast each day for you to enjoy.