by Mike Davis, alliantgroup Chief Information Security Officer, and Rick Lazio, alliantgroup Senior Vice President
January 4, 2019 | published in SIIA
No, it’s not a fait accompli; where one gives up due to the inevitability, but quite the contrary.
Are we tired of hearing about data breaches (DB) yet? Sure, this is a natural reaction as the number of DB disclosures continue to increase. Security professionals are keenly aware of the DB risks, yet there are conflicting theories about the effect of frequent DBs on consumers and their behaviors. We’ll explore a few views on what DB fatigue (DBF) is, how to move past it and the protections needed either way.
So, how much DB news is too much? When do people tune out the news and warnings of data breaches? During 2018 there were successful hacks against every sector. The ITRC is a great resource to find the DB facts as opposed to us getting into too much detail here.
The overall DB statistics from January 1, 2005 to November 5, 2018 (cumulative totals), provide a snapshot of the problem:
Number of Breaches = 9,557
Number of Records Exposed = 1,139,052,488
It’s no wonder there’s such a condition as DBF being talked about. The recent breaches involving major U.S. companies (Facebook, Amazon, Dell, USPS and now Marriot (500M accounts)) makes this even more evident. In addition, the most recent Ponemon data breach cost report found that DBs cost companies an average of $3.8M (globally) and $7M (for U.S.). Those with the most to lose have “inelastic” customer bases (limited clients, competitive industry, etc.) and struggle the most – around 60% of all small/medium businesses are out of business within 6-12 months of a breach.
The issue of cyber security has become so much of a problem for both U.S. businesses and political organizations, that Washington has decided to step in. President Trump recently signed a bill into law that made the Department of Homeland Security (DHS) the main agency to oversee civilian cyber security. The DHS branch, Cybersecurity and Infrastructure Security Agency, is now on the same level at the DHS as the Secret Service and Federal Emergency Management Agency, emphasizing how serious the federal government is taking the issue.
The Root of the Problem
Some argue that the more consumers are confronted with security incidents, the more “fatigued” they become. Thus, they are less likely to protect themselves or respond to the companies at fault for losing their personal data. This “I can’t be bothered” attitude is what hackers count on for their profits. If consumers believe there’s nothing they can do to prevent future breaches they tend to become apathetic. The sense of no control can be contagious, as there are so many breaches where one fades and another emerges. It can be like the “crying wolf” effect. After so many breaches without any real impact, folks stop paying attention. Then they get a false sense of security – thinking this happens all the time, so I don’t need to be diligent. Folks tend to get upset and then get angry. This is when we go back to what’s easy, convenient and what we’re used to.
Another causal factor from DB fatigue can be a lack of accountability following an incident. When a retailer is breached, consumers don’t stop shopping there. Since businesses don’t see any long-term damage, they don’t think it will hurt customer trust. Thus, companies don’t routinely feel the economic consequence of customer anger (adding to the sense of apathy). For example, when our credit card is compromised, we get sent new ones with no financial liability. Once this happens a few times, it goes from being a nuisance to more of a ritual. It’s just the cost of doing business. People are now judging companies less on whether they are a victim of an actual data breach, and more on how they deal with it.
We are well past the tipping point for breaches. With so many back-to-back breaches, it’s hard to see how we can collectively do anything to stem the tide. To avoid the potential loss of reputation, customer trust and business that can occur in the aftermath of a breach, companies must consider the needs and concerns that many of its customers may have, while ignoring publicized theory of data breach fatigue. Because consumers now generally view a data breach as a routine occurrence, it means companies must execute a near flawless incident response (IR) plan. Whereas the breach itself may not attract much attention, your response easily could. Even a few angry customers means a lot of damage control will be required.
So, what can you do to ensure your IR messages don’t stand out from the crowd for all the wrong reasons? The best way to stay under the radar is to make sure the focus stays on the breach, and not on your response. This starts with incorporating a detailed communications process into your IR plan. Companies can do this by establishing communication channels and processes during the pre-breach planning phase that prioritizes the customers’ need for information. The quickest way to snap someone out of DBF is to deviate from your DB script and draw attention to your mistakes. As we’ve seen countless times, once customer indifference is replaced with anger, it’s hard to right the ship.
There are steps companies can take to mitigate customer fall out after a major security incident
The best offense is still a proactive defense – ensure you security suite is up to par. This includes:
- Effective cyber hygiene (vulnerability management, patching, etc.)
- Cyber security training and awareness (anti-phishing courses and frequent exercises)
- An end-to-end email security capability along with URL/ IP/ web site blocking
- Tailored identity and access controls (for example, adopting “MFA everywhere”)
- Enterprise wide encryption complemented by data loss prevention (DLP)
- Ubiquitous security monitoring (e.g., a SIEM and/or a MSSP/MDR)
After ensuring an adequate cyber suite, the concerns and information needs of consumers following a DB should always remain a priority for companies to provide:
- Prioritized Authentic Communication: To avoid possible reputational damage and the loss of customers following a breach, companies must prioritize the concerns of their customers and have plans in place that ensure thoughtful communication and expected protection services.
- Guidance and Remedies: Though laws and industry regulations vary, affected consumers have the expectation that companies, especially those with a great deal of consumer data, will offer credit monitoring and identity theft protection services.
- Protection Services: At its worst, the DB fatigue perception sways businesses to do the minimum required by law versus what is required to maintain trust and credibility with customers. After all, it only takes a few vocal consumers to ignite a major reputational issue.
So what now?
Data insecurity threatens business viability outright. Effectively mitigating the risk requires an effective cyber security suite, periodically stress-testing DB responses that particularly require management-level oversight, and having an effective IR communications process in play. Data security is the Achilles heel for businesses, which also leads to lack of privacy protection. The rest of the corporate security armor is, at best, ineffective without proper data protection and a solid, well-practiced IR plan, especially the communications and immediate actions.
About the Authors
As Chief Information Security Officer (CISO) for alliantgroup, Mike Davis operationalizes Data Security, Privacy, & Risk Management while advising leadership on protecting critical information resources and managing an enterprise cyber security portfolio. As CISO, his mission includes executing a risk based security strategy that supports enabling the company’s success objectives by securing and protecting both sensitive company and client information.
Rick Lazio is a former U.S. Representative from New York, who served four terms in Congress from 1993-2001. As RGC & alliantgroup’s Senior Vice President, Lazio has continued his support of mid-market businesses, brokering his insight and experience in both the public and private sectors to provide strong incentives for job growth and leveraging his extensive knowledge on cybersecurity regulations.