Significant and media-worthy data breaches seem to be increasing, along with the lesser breaches that only we InfoSec peeps see on security forums and newsletters, but does anyone really care?
I would hazard a guess that most people don’t: unless it directly affects them, most people won’t even read a mainstream data breach article. I hate to say this, but security can be dull. Obviously we (the InfoSec community) care, and we even use these breaches as mechanisms of fear (YOU COULD BE NEXT!!) or education (Be Aware).
I like to think we lean towards the latter.
Breaches seem to be the norm now, and as such maybe people are becoming desensitised to them. If we look back at some of the mainstream breaches, how many have resulted in a company going under? I am not aware of any. I remember tracking the eBay breach and, let’s be honest, it was probably a great example of how not to manage a data breach: the breach hit the media before eBay had notified anyone, and I received the eBay notification of the breach about 2 weeks after I had already changed my password. But how did it affect the company? We hope that internally a more dedicated approach to good data security practices was implemented; externally there was a dip in share price, but within 2 weeks it was right back where it was before the breach.
Can a company be “too big to fail”? eBay own the auction market; I use the term “I am going to eBay it” regardless of whether I use their platform or not. 145 million passwords were taken along with other PII that could be used in attacks against the individuals, but the biggest risk will be credential stuffing, where people have used the same credentials across multiple systems, and you can be confident some of those will be company systems like VPNs.
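The credential-stuffing risk described above is one a defender can watch for on the systems the reused passwords land on. The following is an added example, not code from the original post: a small detector run over constructed authentication log lines. It assumes a log format of `<ISO timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>` (an assumption, not a real product's format) and treats a single source that tries many distinct usernames with mostly failures inside a short window as suspicious; the accounts that did succeed from such a source are the ones that need a forced reset and MFA.

```python
"""Added example (not from the original post): a credential-stuffing
detector run over constructed authentication log lines.

Assumed log format (hypothetical, not a real product's):
    <ISO timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample log: one source spraying reused credentials at a VPN
# portal, plus ordinary user activity that must not be flagged.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.5 alice LOGIN_FAIL
2024-03-01T09:00:02 203.0.113.5 bob LOGIN_FAIL
2024-03-01T09:00:02 203.0.113.5 carol LOGIN_OK
2024-03-01T09:00:03 203.0.113.5 dave LOGIN_FAIL
2024-03-01T09:00:03 203.0.113.5 erin LOGIN_FAIL
2024-03-01T09:00:04 203.0.113.5 frank LOGIN_FAIL
2024-03-01T09:00:04 203.0.113.5 grace LOGIN_FAIL
2024-03-01T09:05:00 198.51.100.7 alice LOGIN_FAIL
2024-03-01T09:05:10 198.51.100.7 alice LOGIN_OK
2024-03-01T10:00:00 192.0.2.9 bob LOGIN_OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    users: set = field(default_factory=set)       # distinct usernames tried
    attempts: int = 0
    failures: int = 0
    successes: set = field(default_factory=set)   # usernames that logged in
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def aggregate(log_text: str) -> dict:
    """Group attempts by source IP and count users, failures and successes."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        s = stats[ip]
        s.users.add(user)
        s.attempts += 1
        if result == "LOGIN_FAIL":
            s.failures += 1
        else:
            s.successes.add(user)
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return stats


def find_stuffing_sources(log_text: str, min_users: int = 5,
                          min_fail_ratio: float = 0.6,
                          window_seconds: int = 600) -> dict:
    """Return {ip: SourceStats} for sources that look like credential stuffing:
    many distinct usernames, a high failure ratio, all within a short window.
    Thresholds are illustrative and should be tuned to the real login volume."""
    flagged = {}
    for ip, s in aggregate(log_text).items():
        span = (s.last - s.first).total_seconds()
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio and span <= window_seconds:
            flagged[ip] = s
    return flagged


if __name__ == "__main__":
    for ip, s in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(s.users)} users tried, {s.failures}/{s.attempts} failed, "
              f"compromised accounts to reset: {sorted(s.successes)}")
```

The spraying source is flagged on three signals together (distinct usernames, failure ratio, time window), so a single user mistyping a password, as 198.51.100.7 does, is not. The `successes` set is the actionable output: those are the reused credentials that worked and should be reset with MFA enforced.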
Even more recent data breaches, like Facebook and Cambridge Analytica, which affected 50 million users, have had no real impact on userbase. Has anyone stopped using Facebook since that breach?
I know I haven’t. I am sure the $5 billion fine sounds a lot, but for a company with a $16-17 billion quarterly turnover it really isn’t!
When a company owns a market like Facebook, Amazon and eBay do, a data breach is a small blot on its reputation: maybe 1% of people will leave, but the other 99% will just continue, hopefully improving their passwords and enabling MFA as part of the process.
We have no idea how many breaches occur, because unless a breach contains PII there is no requirement to notify, so companies affected by spear phishing CEO/CFO fraud aren’t going to announce they have been taken for £100,000 by cyber criminals; the only people who know are the Board, the cyber insurance company and the security consultant they call for advice.
Well, I am sure we will continue to post and try to educate (some will use FUD), but I really think teaching cyber and privacy for life will beat Security Awareness at work, as employees that don’t respect their own data won’t respect yours.