Wake up! What are you doing to battle breach fatigue?
Ian Trump, security consultant, LogicNow
In 1984, Wes Craven made sure movie-goers understood that bad things happen when you fall asleep. In that respect, Craven's horror film hit “A Nightmare on Elm Street” was actually an eye-opener: Even on the silver screen, you can only stay awake – and therefore alert – for so long.
Freddy Krueger and his razor-blade glove are the stuff of fiction, of course. But here's a reality: Routine reminders about a constant threat typically have a shelf life of effectiveness. Eventually, those well-intentioned warnings become white noise.
Have users reached that point with data security breaches? The fact that a term exists for it – “breach fatigue” – certainly suggests that's the case.
“It's been more than three years since I first used the term breach fatigue …” consumer security expert Neal O'Farrell wrote on the Credit Sesame blog. “Since that (time), I've watched the term [breach fatigue] used with increasing frequency. And despondency. So much so that it now looks like it's actually a thing, a phenomenon, and a real worry about the future of data security and privacy.”
That's a rather frightening assessment, no?
Your answer should be obvious. (It's “yes” – and with good reason.) How you respond to this next question may be more difficult to answer: What can you do to ensure users don't become an apathetic audience?
That's a tough one to resolve – especially if you understand the fight you are facing.
2014 alone was a non-stop nightmare of data hacks on corporations, small businesses and seemingly every kind of company in between. The Ponemon Institute reports that 43 percent of companies experienced a data breach last year, as compared to 33 percent in 2013.
Retail was rocked, with consumer credit card data compromised. Health care was hit hard, with confidential medical records exposed. Sending and receiving breach notifications became commonplace, to say nothing of the speed at which state-sponsored cyber attacks grew.
Avivah Litan, a Gartner security analyst, says we're functioning in a “trough of disillusionment.”
On the surface, there is a silver lining to the fatigue phenomenon: Since the public has been hammered with nonstop news about breaches, an individual breach isn't necessarily perceived to be as severe. This can translate to a quicker recovery for a business whose reputation takes a breach-related hit.
Ultimately, however, this silver lining acts as a false sense of security. A cyber threat that isn't considered severe is unlikely to be treated as a priority issue.
So we're back where we started. What can you do?
Apply the three Es:
Creating rules and best practices for the workforce is a solid start. But they do no good if not carried out. In other words, don't just create policies. Apply them.
Remember: You are your customers' IT expert. Continue treating security breach awareness as a priority by keeping it top of mind in face-to-face conversations and internal emails. Schedule periodic meetings with users and take the opportunity to present your version of an IT security “State of the Union.”
What solutions do you have in place to protect the machines and devices under your management? A cloud-based platform that automates anti-virus, patch management and web protection complements the education and enforcement you can provide.
It's time to wake up. And you – for your customers' sake – best beware: Breach fatigue isn't just an issue of consumer complacency. Yawning in the face of this fight can have nightmarish consequences.