We’ve recently closed the book on 2014, the latest in a run of years (2011, 2012, 2013 and 2014) each named the Year of the Breach. Last year saw more, and more severe, breaches reported in the news than ever before—huge names like Target, Home Depot, JP Morgan, and Sony were among the victims. However, the increased media interest in the attacks and the constant revelations of new threats have spawned one unintended consequence: breach fatigue.
What is breach fatigue? According to Neal O’Farrell at HuffPost, it’s the idea that “[t]he more breaches consumers go through without experiencing any direct and tangible financial consequences, the less likely they are to care or worry about the next breach[…].”
Tom Hash, director of security engineering at OpenDNS, acknowledged that the phenomenon was real. “It’s true that people think it won’t happen to them, and they’re surprised when it does. Most people don’t realize how sophisticated attack tools have become—tools that make it easy to exploit security vulnerabilities.”
A study from Software Advice, surveying over 4,000 US adults on their awareness of recent breaches, had similarly disheartening results. Only two of 2014’s major breaches managed to crack 25% awareness among respondents, and of those, Target—the first large breach announced last year—was the leader by far, overshadowing the more recent Home Depot attack.
It’s not just a consumer problem, either. Those same consumers take this apathetic attitude with them when they log onto corporate networks and devices, valuable assets security practitioners are already struggling to protect. Enterprise security strategies (or any security strategy for that matter) are only as strong as their weakest link, which usually ends up being the users—and when they just don’t care about security, they can easily make avoidable mistakes.
Businesses themselves also suffer from the occasional laissez-faire approach. Dima Kumets, senior product manager at OpenDNS, adds, “there’s an issue of businesses thinking breaches won’t happen to them because only the biggest consumer-facing companies make the news. This media focus on huge retailers reinforces the myth that attackers only go after the biggest companies when the reality is that attackers are increasingly focusing on SMBs and mid-market organizations.”
So what can you do to fight back as a practitioner when faced with this situation? Bankinfosecurity.com offers three steps to fight breach fatigue, the first one being to recognize apathy as a potential security threat. Other tips include being careful with notice volume, and looking to close vulnerabilities in industry systems.
Hash also commented, “showing your employees how simple it can be to fall victim to a breach is essential—you can do this by using tools like PhishMe. Consumers, employees…everyone needs to know that when their data is stolen, criminals don’t stop at one site. They will use the information over and over again, as many times as they can, and try to break into other accounts, too. It is literally only a matter of time before it happens to them—not if, but when.”