Think for a moment about how you would react if you suddenly discovered your wallet or purse was missing. You frantically check your pockets, under the seat of the car, and you mentally retrace your steps. Where did you go today? Where might you have left it? Your panicked mind alternates between the desire for action, “let me go back out there and look for it,” to reaction, “I have to call my bank and cancel my credit cards,” and maybe some regret, “why didn’t I make a list of all the cards in my wallet?”
Think about how many different personal and valuable items that wallet/purse contained: your credit cards, your driver’s license with home address and birthdate, your medical or health card, your social insurance number, your insurance details…pretty much everything in there has lasting personal value to you in terms of your data and your existence on this planet.
A lost wallet results in a flurry of panic. But strangely, this does not happen when we hear about a data breach.
Data breaches continue to happen. They have become an almost daily occurrence. According to Breach Level Index, an organization that collects breach statistics, nearly 13.5 billion data records have been lost or stolen between 2013 and January 2019. That averages out to six million every day, or 4,278 every minute.
The 2014-2016 Yahoo breach saw three billion accounts compromised, one of the largest known to date.
The 2017 Equifax breach alone means that every North American has a 1 in 2 chance of having had their data compromised. Anthony Vance, associate professor and director of the Center for Cybersecurity at the Fox School of Business at Temple University, is quoted in the New York Times as saying the Equifax breach was a “game changer since the information gleaned could be used to fraudulently open new credit accounts.” [1]
Data breaches do not only affect peoples’ personal data. They also put at risk vital information dealing with military records, utilities, and logistics and supply chain, to name just a few. Even personal medical devices such as insulin pumps can be hot-wired and vandalized through access to the right types of data.
Yet still no panic.
What Allows These Breaches to Occur?
There is always more than one way for determined people to get where they want to go, but according to Lysa Myers, a senior security researcher at ESET, between 60 and 80 percent of data breaches can be attributed to the loss of login credentials: either the account was hacked or the user was phished, allowing the username and password to be stolen.
Login credentials are a simple place to get in, and people tend to forget that logging in does not simply mean having access to the account of the person whose credentials were stolen. It goes much further than that. Myers uses the recent Target breach as an example:
“In the case of Target, an HVAC vendor got access to the Target database. The way the networks were set up allowed access to the point-of-sale devices,” Myers recalls. “People have this expectation that it’s hard to get from one point to another within a network, but the way many organizations set their networks up, it really isn’t that hard for them to go from point A, being a password, to point Z being the place where everyone stores their credit cards.”
Much like a virus invading a living person, once it gets under the skin, it can travel virtually anywhere.
The People Problem
People (the unwitting victims) continue to do their thing with minimal progress in their approaches to improving their password habits. The same humans who would never knowingly get up from a restaurant table and leave their wallet, purse, or phone behind, have seemingly adopted a fatalistic, shoulder-shrugging approach to personal data security. Their home WiFi router has the same password it came with, and they still use “your mother’s maiden name” as a challenge question.
Some experts call this breach fatigue. This is typified by numbness and complacency toward data security, with no marked increase in the use of password managers. It is also worth mentioning that younger generations of consumers and employees have grown up in an age where universal internet-enabled access to data has always existed, and as such, they have never known real security of personal information.
The Company Problem
Companies have a great deal of complicity in the data breach problem. Most organizations still lack any sort of cohesive cybersecurity policy. It is left to IT managers to track and prevent breaches. Very few companies have responded by establishing adequate and permanent employee cybersecurity training programs. The dots between IT and other people have still not fully connected in the minds of senior decision makers.
There is, however, a more sinister reason for corporate inaction on cyber-threat: it’s not worth it. It’s just the cost of doing business. The most recent Ponemon/IBM Cost of a Data Breach study pegs “average costs per data breach globally at $3.86 million, including IT expenses, insurance, notification, and lost customers and business. In the US, the average is $7.91 million.” [2]
Although that might sound like a lot of money to the average person, it is a very small number to companies that have between 1,000 and 100,000 employees and see annual revenues of between $100 million and over $25 billion. Larry Ponemon, chairman of the Ponemon research firm, explained to Motherboard in a phone interview, “the company spends more money buying coffee for its office workers…To these companies, the cost of a breach is a rounding error.” [3] From this perspective, breach and protection costs are so small that they get little attention.
Furthermore, in most cases, a high-profile data breach does little permanent damage to a company’s stock price. They suffer a temporary dip but recover soon afterward.
Insurers are Biting Back
But that is not sitting well with insurers. Insurance companies are discovering the massive costs involved in dealing with widespread damage caused by data breaches. The Target breach alone forced banks to replace millions of credit cards and accounts. The real and potential damage caused by breaches is becoming incalculable. This is forcing insurers to turn to smaller, seemingly lower-risk companies as well as placing the onus upon companies to prove that they are protecting themselves adequately.
What Does that Mean for Individuals?
Although corporations might be able to fold breaches into their cost of doing business, the same cannot be said for individuals. Even when a breach moves its way through the news cycle and disappears, the stolen data does not vanish. It remains permanently available either on the dark web or in a package openly for sale. The only way any stolen data can be made useless is if the end user takes steps to nullify it, such as canceling a credit card. Unfortunately, though, it is not as practical or even possible to cancel a social insurance or social security number, which means new credit cards, loans and even pharmaceuticals can easily be generated by bad actors with access to the data. Social security numbers and other lifelong identifiers are quickly becoming one of the most valued commodities in the data theft world.
What Can People Do?
Companies and their management must take steps to ensure that people remain aware that vigilance is a permanent requirement. Lysa Myers has a few suggestions:
On an IT level:
- The first – and arguably the easiest – solution is multi-factor authentication (MFA). MFA provides another level of protection especially against phishing and malware-related attacks on login credentials by sending a confirmation code through a separate channel like a phone or email.
- The IT department should perform permanent ongoing risk assessments and establish Acceptable Use Policies. Every time a new machine or database is added to a network or another change is made, a new risk assessment must be launched.
- Network segmentation is a must. Like the bulkheads on a ship or the compartments of a tanker trailer, a network should be divided into separate sections so that data cannot simply flow from one section into another. This could have prevented the Target breach.
Legislation can be the carrot and stick on a corporate level, as evidenced by the new GDPR rules in the European Union, which hands out substantial fines – up to 4% of a company’s annual revenue – to those who have allowed data to be stolen.
Blockchain, too, offers new opportunities for data protection through its complex interlacing of stored information. Blockchain makes fraud and hacking prohibitively expensive due to the energy required to un-weave and re-weave saved blocks. Although theoretically not impossible, blockchain technology makes it not worth the effort for even the wealthiest criminal enterprises.
On a personal level:
Myers says it is vital that people become more reactive:
- Requesting credit freezes if they suspect or see fraudulent charges on their cards
- Using different email addresses for shopping than they do for banking
- Checking medical reports, drug purchase reports, credit scores, and bank statements more frequently and more closely.
- Taking advantage of fraud alert messages available through your bank but being careful to distinguish these from phishing scams.
Cybersecurity will remain an ongoing battle, requiring vigilance and up-to-date awareness on the part of every person and company. In case you want to know more, ESET offers free cybersecurity awareness training for companies and individuals.
Steve Prentice specializes in the place where human and technology meet. With a background in organizational psychology and project management, he works with IT industry leaders like SAP, CA Technologies and Cisco, as well as with their customers. He consults, manages projects, delivers keynotes, and teaches at a Toronto-area university (UOIT).
- [1] Mele, Christopher. “Data Breaches Keep Happening. So Why Don’t You Do Something?” The New York Times (August 1, 2018). Retrieved from: https://www.nytimes.com/2018/08/01/technology/data-breaches.html
- [2] Ponemon Institute. Cost of a Data Breach Study, 2018. Summary retrieved from: https://www.ibm.com/security/data-breach
- [3] Sherman, Erik. “Massive Data Leaks Keep Happening Because Big Companies Can Afford to Lose Your Data.” Motherboard (November 15, 2018). Retrieved from: https://motherboard.vice.com/en_us/article/bje8na/massive-data-leaks-keep-happening-because-big-companies-can-afford-to-lose-your-data