As part of my Enterprise Analytics class at Arizona State University this fall, I cover security. While I know a fair amount on the subject, I sure wouldn't consider myself an expert. People like my friend, noted security guru Mike Schrenk, have forgotten more about the topic than I'll ever know. (At least I know my limitations.) Schrenk was kind enough to host a 20-minute guest lecture for my class in October via Skype and his insights fascinated me and my students.
We all know that security matters – or at least we should. More specifically, leaked quarterly earnings can spell disaster for investors out of the loop. Job postings on ostensibly "secret" projects can shed light into a company's future products and services. And then there are the routine, high-profile and increasingly dangerous hacks. Many, many hacks. But did you know that even boring metadata such as check sequence numbers might reveal a heck of a lot more than you would think?
Schrenk described how one of his retail side businesses received monthly payments from a vendor. (Call it XYZ here.) Those check numbers seemed to be sequential. Here's a simple example of what he described with dummy data:
As shown above, Mike received an average monthly check of $28.10 from XYZ. However, the sequence of check numbers gave him an incredibly valuable and unexpected insight into XYZ's financial situation: The company only appeared to cut 20 check checks per month. Let's say that Mike's side business accurately represented XYZ's other customers. Equipped with this information, Mike deduced that the company was generating roughly $562/month in commissions. At a 10-percent commission rate, that meant XYZ sold about $60,000/year in total annual sales.
Is this model foolproof? Of course not, and the only way to truly verify this information is to look at XYZ's books. As Mike freely admitted, for all he knew, XYZ paid different rates to larger or smaller vendors. Still, it's safe to say that XYZ management probably did not know that it potentially tipped its hand on the health of its finances via something as prosaic as check numbers.
Returning to the central question of this post, what does security mean in an era of big data?
The short answer is: Much more than you think. Schrenk's example struck a nerve with me. We know that employees shouldn't indiscriminately share confidential data with competitors and the public at large, but what are companies inadvertently letting web sleuths know?
Simon says: With security, there are more questions than answers.
I suspect that XYZ management is hardly alone in ignoring digital breadcrumbs and metadata. I certainly can't compile a list of everything that an organization ought to lock down, but it's evident that even seemingly useless information can be useful under the right circumstances.
What say you?