Let’s see, the SEC wasn’t forthcoming about its breach. Verizon was just hacked with lots of data going out the back door. Of course, Equifax is the latest mother of all breaches. As someone recently noted, something like 9 billion records have been breached in the last 10 years. That’s a staggering number, considering there are only 7 billion people in this world, many of whom don’t even have an electronic fingerprint.
With all of these breaches, though, has security become the industry that cried wolf? Have we (meaning the general population, not the security industry) become security desensitized to breaches?
I will admit the Equifax breach had laypeople asking me what they should do to protect themselves. It was hard to resist telling them nothing they could do would help in the long term. So I gave them assignments so they had a sense they were doing something. Freezing your credit, if only temporarily, couldn’t hurt, but navigating all three major credit agencies’ requirements to do so is a chore. And really, if a determined cybercriminal has your info, other than being vigilant, what can most people do? Vigilance is probably your best option at this time.
Beyond Equifax, what about the daily barrage of breach disclosures? Back in the day, I will admit, I loved a good breach story. Nothing got salespeople humming like a good breach to put a little FUD in a potential customer’s mind and heart. You could literally see our revenue numbers rise with every worm, trojan and breach incident. Lesson learned from that, though, is that those gains are short-lived. Eventually the FUD dies down, the budget money is reallocated and headcount is cut.
I might also add that the company that was breached suffered no long-term harm as a result. Its stock price would perk back up, and its losses from the breach were usually rounding errors in the big picture. Yes, things would go back to SOP.
Today, however, I think the problem is worse—not just for those of us in the security industry or even IT in general who are bombarded with the constant barrage of breach disclosures, but also for the general public, which is being bombarded as well. Frankly, they don’t give a rat’s ass whether the breach was due to a vulnerability in Struts, a phish or the lack of the latest shiny new security gizmo that the CISO has been pining for. It’s just another number to them.
This breach hit 140 million records this time, 70 million records that time, a couple of million again. To most people, they’re just big numbers, sort of like trying to compare 10 light years to 100 light years. I am reminded of a joke my corny science teacher used to tell about a student in class who became very upset because he thought the teacher said the sun would burn out in 8 million years. He was very relieved when the teacher told him it was 8 billion years. For many people, these are just big numbers, and the sheer number and frequency of breaches has made them meaningless.
Like the editor says, if you bold everything, then nothing is bold.
After a while, the shock factor wears off. Everyone has had to get a new card at one time or another. Not many people are going to actually change their social security numbers (yeah, good luck with that) or their driver’s license numbers. The number of people who suffer actual loss as a result (as defined by real dollars out of their pockets) is also relatively small compared to the number of records breached. So what is the real impact of all these breaches to the average Joe? Frankly, the more breaches there are, the less they care.
Some will argue that this is a good thing. Others will argue it is not a good thing. I can see both sides. What does it mean, though, for the security industry in the long term? I think it means we need to find a new dog to beat. We have already beat to death the dog that is compliance. Now let’s beat the breach dog down, too. We need to find the next bling that will sell security.
My pick is real financial loss. And not just some pie in the sky number on what a breach cost per record. With all of this security desensitization, I really believe the only way people will continue to take security seriously is when it hits them in the pocketbook and wallet. Not what it cost Target or Sony or whoever is the next zebra in the herd that the lions attack. When it hits John and Jane Q. Public in the pocket, they will rise up and demand something gets done about security.
So maybe the security media and the mainstream media should take the pedal off the metal of constant breach bombardment. Let’s bring it home to main street, instead of the SOC. Obviously, what we have done to date hasn’t worked. So, maybe it’s time to try something new?