Wake up and avoid a ‘breach fatigue’ nightmare

Security professionals need to stay alert and make data protection a priority


With data breach incidents dominating headlines these days, many consumers have become numb to the news. But IT and security professionals are facing similar “breach fatigue” and tuning out reports about cyber attacks, according to a recent report by Lookout.

Lookout, a mobile-security company, found that knowledge of security incidents has declined over the past few years.

It also found that the majority of the 781 surveyed practitioners were aware of breaches of major brands such as Target or Sony, but a much smaller number were aware of other significant breaches if the entities weren’t household names. Only 56 percent, for example, were aware of the Office of Personnel Management incident, which impacted about 21.5 million individuals.


“Security professionals are human, so it’s understandable that they can get desensitized to hearing the same headlines over and over,” says Lookout Chief Product Officer Santosh Krishnan. “The danger is that by only paying attention to the breaches that have the most brand recognition, they’re potentially ignoring other breaches that may provide important cautionary tales.”

“At the end of the day, prioritizing security has to go beyond just the people who do it for a living,” Krishnan says. “The big-brand names are what make the most headlines and catch the attention of other key stakeholders and decision-makers at companies, who ultimately impact things like whether or not to prioritize increasing investment in security.”

Krishnan believes that the survey results would have been different for C-suite executives or board directors. He notes that the survey found that respondents with executive or vice president titles were more attuned to headlines than managers or IT/security directors.

“This means the day-to-day operations employees are not as engaged with the real-life attacks that could impact them,” he says. “It’s crucial for enterprises and their employees to know that everyone is at risk.”

Since employees are the biggest vulnerability, a top investment area for organizations is employee training. Krishnan says that even simple steps can go a long way in ensuring better security.

Fatigue also is present in another area: incident alerts. Security teams are so inundated by alerts from their various systems and appliances that they often ignore them. Target was a good example, as it acknowledged that the malicious activity that led to the breach was detected by security technology but not acted upon.

Impact bigger on small companies

Perhaps somewhat surprisingly, Lookout found that smaller enterprises (with 1,000 to 5,000 employees) are more likely to pay attention to the breaches in the news. They’re also more likely to take action toward reviewing and improving security.

Krishnan, however, wasn’t surprised, noting that although data breaches are expensive, “prevention doesn’t have to be.” But given the high price tag of a data breach, a major incident could easily put a small company out of business.

“Small companies have a lot to lose from insufficient security,” he says.

Mobile a rising threat

One of the top areas where organizations invest money after a security review is mobile, according to the Lookout survey. But mobile is still new territory, Krishnan points out.

“Mobile is also a highly dynamic industry, and threats and use cases are evolving rapidly,” he says.

And, Krishnan notes, major mobile breaches already are happening without the public’s knowledge. In a separate survey, Lookout found that 5 percent of devices associated with the global networks of 25 U.S. and U.K. Fortune 500 companies had encountered serious threats such as Trojans, spyware and other types of malware.

“This year, we’ve seen everything from data exfiltrating Trojans and surveillanceware to aggressive adware that collects contact data to launch phishing attacks and root enablers that compromise OS integrity,” Krishnan says.

He offers the following basic tips for mobile security:

• Set a strong PIN or passcode. If an employee’s phone is stolen, a passcode is the first line of defense to protect the data on the device.

• Be smart on public Wi-Fi. Public Wi-Fi networks are unprotected, which makes it easy for hackers to snoop on internet activity. If your employee is working on public Wi-Fi, hackers have a straight view into the work being done at your company.

• Don’t download apps from third-party marketplaces, and always pay attention to app ratings and reviews before downloading. Employees should know to avoid downloading apps from third-party marketplaces or links online and should stick to official marketplaces such as the Apple App Store and Google Play.

• Don’t jailbreak or root a device. Because jailbroken devices are inherently less protected, they are more vulnerable to an attack when security protection measures aren’t properly enabled.
