For casual observers and security experts alike, the past year or so has seen big-time data breaches become fairly common news. This raises the question: Is it possible for companies and individuals to get jaded about cyber security?
When you think about all the recent, high-profile breaches—against companies such as Target, Home Depot, Sony Pictures Entertainment and Anthem to name a few—these incidents really have become regular, and somewhat mind-numbing, news events.
Whenever something happens on a frequent basis we can become less and less tuned in to what’s actually happening. Or we can give in to an attitude of indifference: “Oh yeah, I heard there was another big hacker attack the other day. But who won that game last night?”
Furthermore, the frequency of the larger hacker attacks has served to push smaller but still significant attacks off the radar screen. Perhaps we’re suffering from a sort of “number fatigue” when it comes to the records breached in these incidents.
The danger with this type of disengagement, whether it’s at the individual user or enterprise-wide level, is that it has the potential to increase vulnerabilities even more: people might be less inclined to use strong passwords or follow other policies for secure logins. They might be tempted to think there’s no real point in being overly cautious because hackers are smarter anyway and will figure out how to beat the system.
For those people closest to the issue of protecting data and systems within organizations, including CISOs, CSOs, IT executives, risk managers, etc., there is probably very little likelihood of succumbing to indifference toward hacker attacks and other intrusions—no matter how often these incidents occur.
But for the average worker or consumer, hearing again and again about attacks might give these incidents a sense of inevitability. Unless individuals have personally had their records exposed in a data breach, such attacks might seem like things that happen to other people and are therefore of no concern.
I’m sure many people shopped at a Home Depot or a Target store shortly after the data breaches against those companies and didn’t even think about the incidents as they were pulling out their credit cards to pay for goods.
And of course that’s not a bad thing. No one wants the economy to grind to a halt because of fears of having consumer information stolen. But we all have to be aware of our surroundings and take necessary steps to protect our personal data.
You have to wonder if the people who work at the companies that have been victimized by attacks are doing anything differently to be more security conscious. Or has it been a matter of “back to business as usual” once the attention on the attack has faded?
It’s up to security and IT executives—perhaps with help from their channel partners—to make sure users and business partners do not become disengaged from security concerns, or assume that attacks are inevitable and that nothing can really be done to stop them.
Of course, a big part of this is education. Teaching—or reminding—people of the importance of good security practices should be a never-ending process at organizations. Employees need to understand what is at stake for their organization and its customers if security practices are shoddy.
This is especially true at a time when mobile technology has become so prevalent in the business world. Countless people travel on business or for personal reasons and bring their devices along, the same devices that they use to access the corporate network or store passwords, customer data and even trade secrets. What if this information is not encrypted and the devices are stolen?
Users also need to be reminded that the security landscape is constantly changing. Organizations today are vulnerable to threats that might not have existed six months ago, and six months from now will be vulnerable to threats that don’t yet exist today.
Someone needs to be responsible for keeping tabs on the latest security threats and vulnerabilities, and for either posting warning signs where employees can see them or taking other preventive measures against those threats.
For value-added resellers and managed security services providers, this new information security environment, where data breaches seem to have become a way of life, represents an opportunity to share expertise with customers. And these clients should be eager for help, not just with selecting security tools, but with ensuring that no one in the organization ever takes security for granted.