BreachExchange mailing list archives

Data breach burnout – the biggest threat of all?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 2 Jun 2014 19:32:12 -0600

http://siliconangle.com/blog/2014/05/30/data-breach-burnout-the-biggest-threat-of-all/

As our digital lives move increasingly online, security breaches are
exploding in number and scale.  Is it possible the public is becoming numb,
or at least accustomed to massive losses of personal data?  A succession of
major high-profile data breach incidents has dominated the headlines,
affecting the personal information of millions of ordinary Americans.  In
the last year alone, the hits have come one after another.

Any time a discussion like this comes up, we can start the conversation
with Target, a retail giant where millions of Americans shop.  That breach
affected 110 million credit and debit accounts.  A recent attack at Adobe,
a software company, saw 33 million user credentials stolen plus another 3.2
million stolen credit cards.  Michaels, another retail giant, itself saw 3
million cards affected in a breach last year. The latest news was eBay,
which reportedly lost the account information of every single account in
its database.  The list goes on and at the current pace will continue,
leaving some to wonder who will be next.  In a nation of 317 million, at
these rates it won’t be long before we stop talking about who is affected
by these breaches and start talking about who isn’t affected.

The problem isn’t just about how much of our personal and financial lives
have gone digital, gone social and gone mobile.  After all, these are
natural targets for cyber criminals. The other side of the problem is a
range of increasingly sophisticated attacks that have helped create this
climate. Cyber criminals have gotten very adept at strategically targeting
people, attacking the security structure where it is weakest, the human
element.  They have added the art of clandestine intrusion, sowing seeds
for infiltration into an environment and lingering inside of that
environment for months ahead of the ultimate act of hacking.  The tools of
hacking are cheap and easy, and thus entire criminal groups have stepped up
to take advantage of this dark cyber economy.

This is the year for security



Right now, more than ever, we may be at a tipping point.  The breach
numbers are hard to ignore and the frequency of major breaches seems to be
more regular. The security industry is stepping up with solutions designed
to deal with these issues.  Delivering some insight, Neal Ball, a
high-profile SSL certificate industry veteran, touched on the state of
security:

“I’ve never seen a threat climate quite like this.  While security is
getting better, a lot of this emerging technology is still reactive.
There’s a front line that we frequently see get broken in these hacks, at
the moment you connect.  How do you know who you’re transacting with?
Before anything else, if you can’t truly validate a digital transaction,
then you’ve got some real issues. Just look to the Heartbleed issue to see
how critical the trust component is.”

Security technologies that are emerging today are multi-layered, integrated
throughout the modern environments, from mobile to apps to cloud.  Identity
and authentication are indeed initial boundaries on possibly the most
important front in security.  Among the other various technologies that are
leading the way, some address the veracity of app code, some search for
anomalies in the data environment, others further integrate breaking
intelligence on shared platforms.   Out of these various technologies and
improving security constructs, consumers and businesses stand to benefit
from an elevated security posture.  If there was ever a time that security
was critical, it would seem that in the wake of these continued mass
breaches, this may be it.

Cyber crime effects



The effects of cyber crime on consumers and businesses are comprehensive and
far reaching.  Businesses may face fines, restitution costs, audits,
investigation, and other legal costs.  They may also lose reputation and
transactions due to a breach.

Consumers in the meantime face the loss of personal information, including
names, dates of birth, email and credit information.  The financial costs
can be quite tangible, but the impact of identity theft can linger for
years.  Recovery is difficult, and many people, such as children and young
adults, may not be aware their identity has been stolen until it is too late.

LibertyID.com is an identity protection and restoration service that offers
help for consumers dealing with the aftermath of cyber crime.  LibertyID
Founder & Chief Strategy Officer Travis D. Mills describes the difficulty
for the consumer:

“It takes an average of 200 hours and $6,000 for an American to restore
their stolen ID; while it’s possible to resolve it on their own, forget
about working a full-time job or being present for your family.  The
restoration and recovery process is a full-time job.”

Stopping the madness

Perhaps the biggest threat may be that the public could become unresponsive
to the news of big breaches.  Throwaway apologies and replacement credit
cards only go so far.  I believe there are some things that companies can
do to better answer these challenges.

- Do security better, meet the cutting-edge security threats with
cutting-edge technologies, improved security policies and personnel
- Sometimes that means outsourcing help, so look to services
- Embrace transparency in the wake of breach incidents
- Find great talent with leading thoughts and vision to fill security
leadership positions
- Seek and maintain the trust of the public
- Let your commitment to security ring

CEOs and other execs have been coming under fire in some cases, as
accountability is on the way up, alongside the concerns of the public and
shareholders.  It’s also about time some cyber criminals actually get
caught, prosecuted and put into the spotlight.   Consumers should demand
better assurances that their information is well-protected and take
additional action to secure their information.  It’s time for both consumer
and industry to step up and start asking questions on how security can be
done better.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
