Data security for mechanical contractors

March 4, 2014

Recently the public read the “big news” that a mechanical contractor may have been connected to a large data breach. As someone who has been involved in data privacy for more than 10 years, I say poppycock!

First of all, none of this is big news. Large data breaches have been occurring for some time now. Secondly, several experts doubt that the contractor was responsible for the breach at all.

But my biggest problem with this news is that it trivializes this important issue. Everyone, and I mean everyone, from the individual consumer to the mechanical contractor to the merchant to the bank itself, needs to be more proactive in protecting their link in the economic chain.

My own identity was stolen in 2003. I never found out who did it, and I don’t really care if I ever do. My experience motivated me to urge everyone to do everything possible to make sure it doesn’t happen to them.

According to the Identity Theft Resource Center, an organization that both helped me and then trained me, there have been 4,327 data breaches since 2005, putting more than 600 million records at risk.

What these numbers don’t tell is that many databases that are breached don’t even know how many records were taken. So theoretically we could easily be talking about over a billion records. I think the late Senator Dirksen from Illinois would have agreed that these numbers no longer have meaning, except to point out that this is a real problem and has been for a long time.

The number of records stolen in a given breach isn’t relevant. Whether it’s 10 records or 10 million, it doesn’t change the way we need to look at this problem. We need to start looking at this as everyone’s problem rather than just pointing fingers at who may have caused it.

So who is at fault?

Just about everyone is at fault. Perhaps you think this is an evasion. Let’s look at this closely. Today our economy thrives on easy transfer of funds. If you clamp down on the system it becomes harder to transfer funds from buyers to sellers and it slows down the economy.

How many people think anyone is going to be in favor of that solution? So you end up with a system that has weakness at each point of transfer. That means in any given financial transaction the merchant, the buyer, and each bank in between is a point of weakness that can be exploited.

Each person in that transaction is part of the problem and part of the solution. I actually covered “protective actions” in a previous article for CONTRACTOR. In reality, however, the biggest prey is the merchant. The criminal will usually have to do some work to get the data they want.

If they go after a person they get one or two accounts. Banks are theoretically much more secure. If they go after a merchant they are going to have thousands or even millions of records to take at once. Here is where we come around to needing almost everyone to solve this problem, since anyone who has a password on the merchant’s system is a possible point to go after.

So now we are back to whether or not the contractor was at fault. The truth is that we don’t really know right now. However, many security experts will tell you that when a breach is discovered it is often something that actually happened years before. Other experts go further, stating that breaches like this happen due to multiple points of attack from multiple criminal organizations.

In this recent attack a couple of experts have even said that this might have been an inside job. Inside not necessarily meaning an employee of the merchant, but some other entity with direct access to this information (the contractor did not appear to have direct access to credit card info).

To go any further into this gets pretty scary. If you recall the movie, “Men in Black,” there is a line about how people are better off not knowing about all the bad stuff happening out there. This is the case with data security.

If you really knew all of the risks and threats out there you’d get rid of your computer, smart phone and credit cards and hide out in a safe room protected by a Faraday cage. Most of us will not choose to live that way. Taking this out on the merchant or the contractor is just as ludicrous. Truth be told, those two entities are the biggest victims of the whole event, and hopefully people will be smart about this and not punish them further. But where does this leave us?

You never know when you are going to learn something profound. In this instance it happened in the early 1980s while I was kitchen manager for my fraternity at 33rd and State in Chicago. I was talking to the exterminator and he said something that has stuck with me. You can’t plug all of the holes that the bugs are getting in through. And you can’t kill all the bugs. Even if you do, it will just attract bigger bugs. So what you do is drive them off.

What he was really saying is you want to be the hardest victim. I actually find it to be a bit unethical to push your problem to someone else (and also a short-term solution at best), so I say let’s raise the bar. Again.

I remember well the early days of the Internet and e-mail, when there were no viruses and no spam. It was really magical. Things changed, and after a while we all had virus protection and spam filters.

Well, it’s time to change again. I am not a security expert, but I don’t think you have to be one to realize this.

Of course this is not something an individual or even a company can do. So, while we wait for the change to happen we need to set up systems and standards to protect our passwords and our data. We need to separate our sensitive data from our non-sensitive data and then encrypt it, whether it’s on a server, in an email or even during backup.

And we need to scrutinize our own vendors on the same terms. So let’s react without overreacting and make our businesses more secure.

Dan Bulley, senior vice president, Mechanical Contractors Association Chicago, is an expert on safety, green building and construction technologies, such as BIM and mobile apps. Bulley serves as a resource to MCA Chicago member contractor companies on technical and code matters. As a former officer and board member for the Illinois Chapter of the U.S. Green Building Council and former president of Illinois ASHRAE, he continues to work with those and other related organizations.
