By Lloyd Marino
The numbers really are mind blowing. From Target Corp’s massive 2013 data breach, which compromised 110 million customer records and cost the retail giant an estimated $67 million in payback to financial institutions (not to mention tens of millions more in lost sales and tarnished reputation), to Princeton, New Jersey-based Heartland Payment Systems’ 2009 ignominious announcement that it had been victimized by the largest data breach ever to affect an American company (130 million records and still counting), issues involving cyber security continue to dominate the news. These attacks are just two in an ongoing drama of super-sized data breaches that have taken place in the last decade. In 2015 alone, major breaches walloped the healthcare, financial, higher education and federal markets. Even the security industry itself fell prey.
While the Target and Heartland breaches made news for their sheer size, there are thousands of other breaches that didn’t garner popcorn headlines, haven’t gone public, or are still undiscovered. The 2015 Verizon Data Breach Investigations Report, compiled by the communication giant’s Research, Investigations, Solutions, and Knowledge (RISK) Team, one of the world’s leading data forensics groups, chronicled 80,000 security incidents and more than 2,000 data compromises from 61 countries. The public sector alone was hit with 50,000 security incidents and 300 confirmed breaches; the Information industry was affected with nearly 1,500 security incidents and about 100 confirmed data breaches. Meanwhile, financial services firms suffered about 650 security incidents and close to 300 compromises. By comparison, the 2013 version of the same report confirmed 621 data breaches and at least 44 million compromised records, bringing the RISK Team’s nine-year study total to more than 2,500 breaches and more than a billion records compromised. Bottom line: No industry is immune, and the numbers are insane enough to make anyone feel helpless.
What follows in the wake of such overwhelming numbers is a sort of future shock, with both industry and individuals quickly turning nihilistic. There are even whispers about “acceptable losses.” I don’t know about you, but in my book there’s never a case where hundreds of millions of records lost to largely preventable digital breaches is acceptable—ever.
Understanding something about ourselves
But all of this raises the question: Just why do data breaches happen so regularly and on such a grand scale? Theories abound, of course. Certainly, cyber pirates are a crafty, resourceful lot, adept at scaling even the highest firewalls and decoding the most cryptic passwords. But an even greater problem is that most folks don’t go out of their way to do anything about these relentless rogues. In fact, the biggest impediment to safeguarding our data has less to do with existing technology, and more to do with us, and how we’re programmed. As a rule, human beings are reactive, not proactive. Just look at how we treat our health and how difficult it is to preach the prevention message to the masses. We spring into action after the wheels fall off the wagon. We close barn doors after the horses escape. I’m sure you get the picture. This essential truth about human nature, which directly impacts our ability to properly assess and act on threats, may be the biggest obstacle to keeping our data safe and secure.
And once a breach takes place, months—if not longer—pass before someone detects the intrusion. So overwhelming are these breaches that the extent of the damage is never clearly understood. It’s similar to combing through the aftermath of a Sandy-scale hurricane. Even years after the event, we keep finding wreckage. According to one estimate, only 15% of reported data breaches provide a complete and accurate account of compromised records.
There is a solution, not perfect mind you, but it’s a start. Indeed, there is a range of things we can easily implement to dramatically reduce the risk of incidents.
The Fix Is In
Once again, however, the solution to outwitting cyber criminals can’t be found in technology. In fact, the solution rests with us, and starts first with acknowledging something fundamental about ourselves. We’re inherently flawed when it comes to evaluating threats. The subjective nature of the way our species perceives risk is hardwired into our DNA. It’s a part of our evolutionary biology spanning back millions of years. That’s not changing, at least not anytime soon. If we’ve learned anything from the field of behavioral economics, it’s that we seldom make rational choices, especially when it comes to important, real-life decisions. Risk assessment and management are two of those things. We’re always going to underestimate the clear and present danger. Just look at all of human history. It’s littered with examples. Truth is that we probably couldn’t survive otherwise. No society could function inhabited by a bunch of Chicken Littles perpetually declaring, “the sky is falling.”
Still, present circumstances can’t be sustained. Below are three solutions that just might help.
- Secure your passwords and follow procedure
Particularly at the consumer level, I’d suggest stricter password-security requirements. That may seem ridiculous, but it’s surprisingly easy to join a program or register for something with a less than secure password. Some companies will give an indication of “password strength” from weak to strong with every gradation in between, but these indicators aren’t always mandatory. Consider implementing systems that reject weak passwords outright and only accept sufficiently complicated ones. Though I should add that even a complicated password wouldn’t ensure safety.
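To make the “reject, don’t just score” advice concrete, here is an added example in Python; it is not code from the original post. It is a server-side policy check that refuses a password and says why, instead of merely labelling it “weak.” The thresholds (12 characters, three of four character classes), the waiver for long passphrases, the repeated-character rule and the tiny blocklist are all assumptions chosen for illustration; a real deployment would load a large blocklist of leaked passwords.

```python
"""Server-side password policy: reject weak passwords instead of only scoring them.
Added example, not from the original post. Thresholds and the blocklist are
constructed assumptions for illustration."""
import re
from dataclasses import dataclass, field

# Constructed sample of commonly chosen passwords. A real deployment would
# load a large list of passwords seen in actual breaches.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12          # assumed policy minimum
MIN_CLASSES = 3          # assumed: at least three of lower/upper/digit/symbol
PASSPHRASE_LENGTH = 20   # assumed: at or above this length, class mix is waived


@dataclass
class PolicyResult:
    """Outcome of a policy check: accepted only when no rule failed."""
    accepted: bool
    failures: list = field(default_factory=list)


def _character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password(password: str, username: str = "") -> PolicyResult:
    """Apply every rule and collect each failure so the user gets one complete answer."""
    failures = []

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # Long passphrases are allowed to be all lower-case words; shorter
    # passwords must mix character classes.
    if len(password) < PASSPHRASE_LENGTH and _character_classes(password) < MIN_CLASSES:
        failures.append(f"uses fewer than {MIN_CLASSES} character classes")

    normalized = password.lower()
    # Drop a trailing run of digits/symbols so "Password1!" still matches "password".
    stripped = re.sub(r"[\d\W_]+$", "", normalized)
    if normalized in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        failures.append("appears on the common-password blocklist")

    if len(username) >= 3 and username.lower() in normalized:
        failures.append("contains the account name")

    if re.search(r"(.)\1{3,}", password):
        failures.append("contains four or more identical characters in a row")

    return PolicyResult(accepted=not failures, failures=failures)


if __name__ == "__main__":
    for candidate, user in (("Password1!", "bob"),
                            ("correct-horse-battery-staple", "bob"),
                            ("alice2024!Welcome", "alice")):
        result = check_password(candidate, user)
        print(f"{candidate!r}: {'accepted' if result.accepted else 'rejected'} {result.failures}")
```

The point of returning every failure at once, rather than stopping at the first, is that the user can fix the password in one attempt instead of being bounced through several. Passing this check still says nothing about whether the same password is reused elsewhere or already exposed in a breach, which is why the post’s caveat stands: a complicated password is a floor, not a guarantee.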
Along these same lines, regular vulnerability scans should be run, and you should actually read what the reports tell you, which people seldom do. Most will highlight existing problems.
- Get better at spotting intruders, especially in your own home
Companies, in particular, should launch a major offensive and get better at looking at the goings-on in their own homes. Since cyber hoods themselves typically plan the crimes and manually plant the majority of malware, you should realize that by the time the malware is in place they’ve already made it to the secret garden where the data bounty is hidden. This could, and often does, signify an inside job. Thus, the problem is one of detection, not technology. The guy slipped into your home unnoticed and now he’s making off with all your worldly goods. Don’t wait for the alarm to go off before springing into action (chances are he tricked out the system anyway). “Prevention” is the key word here. Do everything possible to keep the house safe from intruders in the first place.
- Remember your nature
Remote threats just don’t register on the collective radar, sad to say. Seriously, how many of us get up in the morning and worry about a threat from ISIS? But you can be damn sure that we spring into action once that threat comes to fruition. Immediate, adrenaline-generating, cortisol-spiking dangers like racing to shore while being pursued by a man-eating shark register far more than the thought of a lone terrorist in some God-forsaken country plotting an attack that could devastate the world for years to come. Encouraging a new set of behaviors that limit vulnerability is perhaps the biggest hurdle to preventing future data security breaches.
Since human nature isn’t going to change anytime soon, we have to remain vigilant: make sure we check the fences, patrol the borders, and look for mines. I tell clients to expect outside intrusions, use the most secure technology available, and never let their guard down. It may seem like a hard way to live, but what’s the alternative? There really isn’t one.
Image from – PDPics.com – Public Domain Pictures