Much to the chagrin of actual hackers, the term “hacking” has been co-opted in countless ways that bear little resemblance to actually breaking into computer systems. An intrepid homeowner might be a DIY hacker. Makers rarely object to the hacker moniker. Savvy homeschooling parents are hacking their children’s education and Silicon Valley entrepreneurs are hacking their brains with supplements and stimulants.
So it should come as no surprise that mainstream media throw around the term “hack” pretty loosely. The Houston Astros, according to the headlines, were “hacked” a couple weeks ago by front office employees of the St. Louis Cardinals. Not exactly a bunch of Johnny Mnemonic types, right? And, in fact, this can barely be called a hack. It turns out that former Cardinals employees who were now working with the Astros simply reused the same passwords with both organizations.
How many times are data breaches the result of employee error, lost devices, or internal leaks? There are plenty of bona fide hacks out there: Lengthy spear phishing campaigns that let hackers deeper and deeper into networks, unsecured wireless, cross-site scripting attacks...the list goes on. But when is a hack really a hack? And when is it just carelessness, mistakes, and poor security practices?
Hacking used to imply a concerted effort to covertly enter a secure system. Hackers exploit vulnerabilities, inject malware into systems, attempt to hide their actions and move about within a network. Trying someone’s old password on their new company’s database? Not so much.
But when it comes down to it, the definition that we give to hacking doesn’t really matter. The end result is the same. Data and information that should have been kept private ends up in the wrong hands. Whether that’s baseball playbooks, credit card numbers, or nuclear launch codes, we’re still talking about a security breach.
At its most fundamental level, security has two purposes:
If bad guys get in and/or your data gets out, no matter what the reason, security has failed. If my dog gets out and does his business in the neighbor’s yard, it doesn’t matter if she leapt the fence, broke her lead, or wandered out when the kids forgot to close the door. I still need to retrieve my dog and clean up my neighbor’s lawn. Cybersecurity isn’t all that different, except that cleaning up my mess is free, my neighbors are only a bit grumpy, and cleanup takes a plastic bag. Data breaches can cost millions, customers launch class action suits, and cleanup can take years.
So let’s not worry about the expanding definition of the word “hack”. Let’s know that what we’re really talking about is a security failure - a data breach if you’re feeling diplomatic. Let’s get users to take reasonable precautions, set up policies to enforce those precautions, and buy hardware and software to enforce those policies. What matters is the data, not how they got posted on the web or sold to cybercriminals.
Want to know more?
Why not become a CSO member and subscribe to CSO's mailing list.
Get newsletters, updates, events and more right here