Data breaches come at such a fast pace that the public doesn’t seem to pay attention to the latest incidents, or they’re practically forgotten in a week — just in time for the next breach to make headlines. Instead of cries for better personal data protection, however, consumers seem less concerned even as more companies send them alerts saying their name, phone number or social security number was taken in yet another database attack. This dangerous attitude does nothing to protect the people whose data was exposed — or the businesses who employ them.

T-Mobile was in the spotlight in August after attackers stole personal details such as names, driver’s license numbers and social security numbers for more than 54 million customers. Before that, ParkMobile was targeted in an attack where 21 million personal records were taken, ClearVoiceResearch was hit for 15.7 million records, and 3.3 million records were taken in an attack on Volkswagen. Those, and many others, are already distant memories for most consumers. Even the 533 million personal records stolen from Facebook — an attack the social media company says was actually data scraping — seems forgotten.

These pervasive data breaches could be desensitizing consumers and creating a “why should I care” attitude. Since their personal information is already in the wild, they might reason, there isn’t any point in worrying about who has it. What they should be paying attention to are the targeted scams, phishing schemes and fraud that follow personal data theft. Complacency from breach fatigue makes them easier targets, and that poses a big data security risk for companies.

The Importance of Data Security Education

The Ponemon Institute and IBM annual Cost of a Data Breach Report for 2021 pins compromised user credentials as the most common attack vector for data breaches. The study found this accounted for 20% of incidents, and the worldwide average cost of a data breach was $4.24 million. In the US, that number jumps to $9.05 million.

In some cases, compromised credentials may have come from personal data stolen in data breaches or password brute force attacks. Other times, users fell victim to phishing scams where they were tricked into giving up their company login credentials or other personal information. For companies with thousands of employees, that amounts to thousands of opportunities for data security to be compromised.

Addressing users’ lack of concern isn’t, however, a lost cause. Education is key and requires teaching them about in-office security hygiene, as well as how to protect their computers and mobile devices outside of work. This is especially important with so much of the workforce working remotely.

How to Bring Security Hygiene Home

While company-owned computers, smartphones and laptops are managed by in-house policies, personal devices that may access or store company data often aren’t. Employees need to be aware of the importance of installing system and application updates for patching security flaws, and that opening documents or links from unknown sources could expose them to malware or data theft.

Many users aren’t aware of the importance of good password practices such as using unique and strong passwords for every account login, relying on a quality password manager and using multifactor authentication or tokens wherever possible. Some aren’t even aware that passwords to unlock their computer or mobile devices are critical for data security. Company policies dictating how and where personal devices can access company resources help reduce the risk, but can’t replace routine vulnerability assessments and training to find weak points — or even violations — in security policies.

Helping employees better understand phishing attacks designed to trick them into sharing company login credentials is important, too. For example, they may know what to look for in a suspicious email message but might not realize they can also be tricked into sharing their personal information in a phone call or text message. Employees need to know it’s important to report suspected phishing attempts just like any other suspicious activity they see.

Buying into Data Protection

Educating employees is an ongoing process that should start when they’re hired. Ongoing training helps keep awareness up and informs everyone of new and changing threats. Empowering people in each department to act as security liaisons also extends the information security team’s reach to employees. A coworker who “gets security” is often more accessible because they’re always around, and may also see potential data security issues before they become bigger — and more expensive — problems.

Balancing education and vigilance isn’t easy, and can lead to security fatigue and a fear of getting in trouble. If that happens, your data protection efforts are likely to fail. Open and transparent communication is key to keeping everyone on board. Employees also need to understand why data security policies are in place and how proactively protecting company and private data affects them. People rarely follow policies that seem arbitrary.

How to Know if You’re a Data Breach Victim 

Knowing if your personal data may have been taken in a data breach is important, too. Unfortunately, many consumers and employees don’t know how to find out if they’ve fallen victim to personal data theft. Luckily, there are reputable websites ready to tell you which data breaches may affect you. Have I Been Pwned and F-Secure’s Identity Theft Checker, for example, can check to see if your email address is included in known data breaches or databases that were unintentionally left unprotected on the internet. Have I Been Pwned also checks phone numbers against known breaches, which is another vector consumers often don’t think about.

Services like Have I Been Pwned and F-Secure are handy for more than identifying which data breaches impact you. These services also note what information was taken in each incident, and can remind users of accounts they forgot about long ago. Those forgotten accounts might hold information attackers could use to gain access to a company’s data, making it important for users to understand that forgotten accounts can be data breach threats, too.
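As an added illustration of the kind of check described above (not code from the original article or from Have I Been Pwned), the following Python builds a Have I Been Pwned v3 breached-account request and turns a breach list in that API’s response shape into the facts a user acts on: what data classes were exposed, where a password must change, and which accounts they may have forgotten. The sample response is constructed for illustration; the `api_key` value and `user-agent` string are assumed placeholders.

```python
import json
from collections import Counter
from urllib.parse import quote

# Constructed sample in the shape of a Have I Been Pwned v3 breachedaccount
# response. Breach names, domains, dates and counts here are made up.
SAMPLE_RESPONSE = json.dumps([
    {"Name": "ExampleForum", "Domain": "forum.example", "BreachDate": "2014-03-02",
     "PwnCount": 120000, "DataClasses": ["Email addresses", "Passwords", "Usernames"],
     "IsVerified": True, "IsSensitive": False},
    {"Name": "ExampleShop", "Domain": "shop.example", "BreachDate": "2020-11-17",
     "PwnCount": 950000,
     "DataClasses": ["Email addresses", "Phone numbers", "Physical addresses"],
     "IsVerified": True, "IsSensitive": False},
])


def build_lookup_request(account: str, api_key: str) -> tuple[str, dict]:
    """Return the URL and headers for an HIBP v3 breached-account lookup.
    Nothing is sent here; the caller performs the HTTPS request (a real
    key is required, and the user-agent string is a placeholder)."""
    url = ("https://haveibeenpwned.com/api/v3/breachedaccount/"
           f"{quote(account)}?truncateResponse=false")
    headers = {"hibp-api-key": api_key, "user-agent": "breach-awareness-check"}
    return url, headers


def summarize_breaches(response_json: str) -> dict:
    """Reduce a breach list to what the affected user should act on:
    the exposed data classes (with how many breaches leaked each), the
    sites where a password rotation is due, and every account the
    response proves exists, so forgotten accounts get reviewed too."""
    breaches = json.loads(response_json)
    exposed = Counter()
    for breach in breaches:
        exposed.update(breach["DataClasses"])
    return {
        "breach_count": len(breaches),
        "exposed_data_classes": dict(exposed),
        "rotate_password_at": sorted(
            b["Domain"] for b in breaches if "Passwords" in b["DataClasses"]),
        "accounts_to_review": sorted(
            (b["Domain"], b["BreachDate"]) for b in breaches),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_breaches(SAMPLE_RESPONSE), indent=2))
```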

The battle to protect your company’s data from malicious attackers is ongoing, as is the effort to educate consumers and employees on better security practices. While the former relies primarily on the CISO and their team, the latter relies on everyone. Helping users understand how protecting their personal data, and maintaining strong security practices at home and at work, benefits them as well as the company is a win for everyone.
