Wake up and avoid a ‘breach fatigue’ nightmare
Security professionals need to stay alert and make data protection a priority
By Rodika Tollefson, ThirdCertainty
With data breach incidents dominating headlines these days, many consumers have become numb to the news. But IT and security professionals are facing similar “breach fatigue” and tuning out reports about cyber attacks, according to a recent report by Lookout.
Lookout, a mobile-security company, found that knowledge of security incidents has declined over the past few years.
It also found that the majority of the 781 surveyed practitioners were aware of breaches of major brands such as Target or Sony, but a much smaller number were aware of other significant breaches if the entities weren’t household names. Only 56 percent, for example, were aware of the Office of Personnel Management incident, which impacted about 21.5 million individuals.
“Security professionals are human, so it’s understandable that they can get desensitized to hearing the same headlines over and over,” says Lookout Chief Product Officer Santosh Krishnan. “The danger is that by only paying attention to the breaches that have the most brand recognition, they’re potentially ignoring other breaches that may provide important cautionary tales.”
“At the end of the day, prioritizing security has to go beyond just the people who do it for a living,” Krishnan says. “The big-brand names are what make the most headlines and catch the attention of other key stakeholders and decision-makers at companies, who ultimately impact things like whether or not to prioritize increasing investment in security.”
Krishnan believes that the survey results would have been different for C-suite executives or board directors. He notes that the survey found that respondents with executive or vice president titles were more attuned to headlines than managers or IT/security directors.
“This means the day-to-day operations employees are not as engaged with the real-life attacks that could impact them,” he says. “It’s crucial for enterprises and their employees to know that everyone is at risk.”
Since employees are the biggest vulnerability, a top investment area for organizations is employee training. Krishnan says that even simple steps can go a long way in ensuring better security.
Fatigue is also present in another area: incident alerts. Security teams are so inundated by alerts from their various systems and appliances that they often ignore them. Target is a good example: the company acknowledged that the malicious activity that led to its breach was detected by its security technology but not acted upon.
Impact bigger on small companies
Perhaps somewhat surprisingly, Lookout found that smaller enterprises (those with 1,000 to 5,000 employees) are more likely to pay attention to the breaches in the news. They are also more likely to take action toward reviewing and improving security.
Krishnan, however, wasn’t surprised, noting that although data breaches are expensive, “prevention doesn’t have to be.” But given the high price tag of a data breach, a major incident could easily put a small company out of business.
“Small companies have a lot to lose from insufficient security,” he says.
Mobile a rising threat
One of the top areas where organizations invest money after a security review is mobile, according to the Lookout survey. But mobile is still new territory, Krishnan points out.
“Mobile is also a highly dynamic industry, and threats and use cases are evolving rapidly,” he says.
And, Krishnan notes, major mobile breaches already are happening without the public’s knowledge. In a separate survey, Lookout found that 5 percent of devices associated with the global networks of 25 U.S. and U.K. Fortune 500 companies had encountered serious threats such as Trojans, spyware and other types of malware.
“This year, we’ve seen everything from data exfiltrating Trojans and surveillanceware to aggressive adware that collects contact data to launch phishing attacks and root enablers that compromise OS integrity,” Krishnan says.
He offers the following basic tips for mobile security:
• Set a strong PIN or passcode. If an employee’s phone is stolen, a passcode is the first line of defense to protect the data on the device.
• Be smart on public Wi-Fi. Public Wi-Fi networks are unprotected, which makes it easy for hackers to snoop on internet activity. If your employee is working on public Wi-Fi, hackers have a straight view into the work being done at your company.
• Don’t download apps from third-party marketplaces, and always pay attention to app ratings and reviews before downloading. Employees should know to avoid downloading apps from third-party marketplaces or links online and should stick to official marketplaces such as the Apple App Store and Google Play.
• Don’t jailbreak or root a device. Because jailbroken devices are inherently less protected, they are more vulnerable to an attack when security protection measures aren’t properly enabled.