Biggest Security Risk – “Data Breach Fatigue”

Posted Date: November 5, 2014

A seemingly endless series of headlines about data breaches has drawn greater attention to all the deficiencies and problems surrounding digital security.

Earlier this year, OpenSSL, the protocol that protects much of the Internet, was hit by the Heartbleed bug and exposed most of the online community. Then there was news that Russian hackers got 1 billion sign-in credentials this summer. The iCloud hack and the leak of sensitive personal photos sent a shiver down the spine of many celebrities. Hackers broke into the world’s biggest bank, JPMorgan Chase. And not even Home Depot may be safe: holes in the hardware giant’s data security may have exposed millions of American credit card numbers.

Hammered by frequent new vulnerabilities, many organizations are becoming desensitized to data loss, and it takes increasingly larger breaches to capture their attention. A staggering percentage of data breaches are never discovered, and when discovered, are kept out of the news.

Just to highlight the possible negative outcomes of the reported data breaches, we’d like to share the findings of YouGov, a research company in the UK that measures a “buzz score” as a brand evaluation tactic. It asks online respondents if they have heard positive or negative things about a brand. Then it subtracts bad responses from the good ones, so a negative score means that overall consumer sentiment is in the red (the best and worst scores would be 100 and -100, respectively). Target saw its consumer perception plummet the most after 40 million shoppers had their data stolen late last year, according to YouGov. Target dropped from a “buzz score” of 20 to -29 in eight days. Home Depot’s 56 million-card breach caused its buzz score to drop from 22 to 6 in the 10 days following its statement in September.

There have been reports of 579 data breaches this year, a 27.5 percent increase over the same period last year, and breaches are only expected to become more common as consumers become more dependent on Internet-connected devices.

The breaches at major retailers and banks remind us of the hacks Microsoft’s operating system suffered 10 years ago. Microsoft was getting hacked every day, and it created a combination of fatigue and anger among all of Microsoft’s stakeholders. Consumers were becoming numb to the numerous anti-virus alerts popping up on their computers, but they were also annoyed. Ultimately, over the course of years, Microsoft had to figure out how to fix security, not just patch it or issue updates. It got better, but only after Microsoft spent years approaching security differently as a company. It was not about doing a little bit better and hoping for different results; it was about taking an entirely new approach.

Similarly, banks, retailers and all organizations need to redress the way they handle security, and that isn’t going to happen overnight, which means we’ll likely see more and possibly bigger attacks in the coming months. But if they focus on changing security protocols rather than making quick fixes, they can mitigate the damage to consumers and their brands.

Measures to be taken against Data Breach

  • Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.
  • Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.
  • Ensure strong standard algorithms and strong keys are used, and proper key management is in place.
  • Ensure passwords are stored with an algorithm specifically designed for password protection.
  • Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
  • Consult Information Security Experts for detailed and thorough checks of all sensitive web applications.
  • Consider investing in DLP solutions or, for Web Applications, a WAF with custom rules (mask credit card numbers, SIN numbers) and targeted policies to prevent sensitive data exposure to clients.


Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.
