The greatest danger from massive cyberattacks like the Equifax hack is “data breach fatigue.”
Data breach fatigue occurs when people simply stop paying attention to news about cyberattacks. This occurs for several reasons including boredom, bad news reporting, over-reporting of cyberattacks, lack of knowledge, and media hype that distorts or overstates the scope of such attacks.
There was strong evidence that the public was becoming desensitized to reports about data breaches two years ago in 2015. The Invincea Endpoint Security blog noted that the public was becoming “Anesthetized by Data Breaches” as early as 26 June 2015.
The situation has gotten far worse with all the news about massive cyberattacks such as the latest one on Equifax, the giant American credit-reporting firm. Consumers “tune out” news reports about such attacks because they are often inaccurate or sensational.
They also learn to ignore constant news reports about such attacks, especially when the reports do not pertain directly to them. Many Britons will ignore news about the Equifax breach because it occurred in America, for example.
Data breach fatigue helping cybercriminals
A greater problem is that cybercrimes utilizing stolen data rarely occur immediately. Crooks may wait for weeks, months, or even longer to use the data.
Cybercriminals understand that many people and organizations will let down their guard as breaches fade from the news cycle. Some predators might even try to encourage data breach fatigue by deliberately waiting to use their stolen information.
These circumstances make data breach fatigue a major risk that insurers will have to take into account when writing policies dealing with identity theft or data. Data breach fatigue is particularly destructive because it can undermine many security measures, such as employee education and password protocols.
People most at risk
An early step will be to identify those individuals and organizations most at risk from data breach fatigue.
Smaller firms and organizations, where data management and IT are not a core activity, will have a greater level of risk. A danger at smaller firms can be the lack of dedicated security personnel and regular training.
Manufacturers, shippers, retailers, and other companies that make extensive use of information technology but have no specialty in it have a greater risk. Particularly prone to data breach fatigue will be employees who need to use databases as part of their job but do not specialize in IT.
Such individuals can include salespeople, factory workers, drivers, managers, cashiers, sales clerks, accountants, loan officers, traders, bankers, customer-service personnel, file clerks, and even attorneys. A person with a hectic schedule will be far more likely to ignore security protocols. So will people who need quick access to financial data but have limited computer knowledge.
The risk from data breach fatigue is exploding because of the growing use of smartphones and other mobile devices to access financial data. A busy salesperson’s phone might contain bank account or credit-card numbers for dozens of customers – yet have only standard encryption.
Mitigating the risk
The most effective means of mitigating data breach fatigue will be to accept it as a fact of life.
The most insidious aspect of data breach fatigue is that everyone is susceptible to it. Complacency and arrogance are the greatest threats. Most people overestimate their ability to follow security protocols and underestimate criminals’ ability to penetrate defences.
Compliance with security protocols usually drops off as news about a major breach fades from public attention. Complacency often grows because the massive losses predicted by news articles do not occur, leading many people to falsely assume that cybercrime is nothing but media hype.
No amount of education or oversight will eliminate data breach fatigue because it is rooted in human nature. Most people are simply incapable of a regular focus on data security.
Technological solutions to breaches
Instead, the real solution will be in the reconfiguration of databases, security software, and other applications to cope with data breach fatigue. Programmers and engineers must design systems that automatically compensate for data breach fatigue.
An excellent example of a safeguard against data breach fatigue is a system that automatically requires users to update their passwords on a regular basis. Another good defence is a system that asks a security question on a regular basis. Such protocols have become commonplace on financial-services and insurance websites in America.
Greater layers of security are possible even on websites and systems used by the general public. A popular solution that is being widely used by Amazon and other companies automatically texts a randomly generated code or password to a user’s phone.
Such technological fixes are the best mitigation for data breach fatigue because they eliminate the human factor. Instead, the system itself forces compliance with security protocols and requires users to update data on a regular basis.