Data breaches come at such a fast pace that the public doesn’t seem to pay attention to the latest incidents, or they’re practically forgotten in a week — just in time for the next breach to make headlines. Instead of cries for better personal data protection, however, consumers seem less concerned even as more companies send them alerts saying their name, phone number or social security number was taken in yet another database attack. This dangerous attitude does nothing to protect the people whose data was exposed — or the businesses who employ them.
T-Mobile was in the spotlight in August after attackers stole personal details such as names, driver’s license numbers and social security numbers for more than 54 million customers. Before that, ParkMobile was targeted in an attack where 21 million personal records were taken, ClearVoiceResearch was hit for 15.7 million records, and 3.3 million records were taken in an attack on Volkswagen. Those, and many others, are already distant memories for most consumers. Even the 533 million personal records stolen from Facebook — an attack the social media company says was actually data scraping — seems forgotten.
These pervasive data breaches could be desensitizing consumers and creating a “why should I care” attitude. Since their personal information is already in the wild, they might reason, there isn’t any point in worrying about who has it. What they should be paying attention to are the targeted scams, phishing schemes and fraud that follow personal data theft. Complacency from breach fatigue makes them easier targets, and that poses a big data security risk for companies.
The Importance of Data Security Education
The Ponemon Institute and IBM annual Cost of a Data Breach Report for 2021 pins compromised user credentials as the most common attack vector for data breaches. The study found this accounted for 20% of incidents, and the worldwide average cost of a data breach was $4.24 million. In the US, that number jumps to $9.05 million.
In some cases, compromised credentials may have come from personal data stolen in data breaches or password brute force attacks. Other times, users fell victim to phishing scams where they were tricked into giving up their company login credentials or other personal information. For companies with thousands of employees, that amounts to thousands of opportunities for data security to be compromised.
Addressing users’ lack of concern isn’t, however, a lost cause. Education is key and requires teaching them about in-office security hygiene, as well as how to protect their computers and mobile devices outside of work. This is especially important with so much of the workforce working remotely.
How to Bring Security Hygiene Home
While company-owned computers, smartphones and laptops are managed by in-house policies, personal devices that may access or store company data often aren’t. Employees need to be aware of the importance of installing system and application updates for patching security flaws, and that opening documents or links from unknown sources could expose them to malware or data theft.
Many users aren’t aware of the importance of good password practices such as using unique and strong passwords for every account login, relying on a quality password manager and using multifactor authentication or tokens wherever possible. Some aren’t even aware that passwords to unlock their computer or mobile devices are critical for data security. Company policies dictating how and where personal devices can access company resources help reduce the risk, but can’t replace routine vulnerability assessments and training to find weak points — or even violations — in security policies.
Helping employees better understand phishing attacks designed to trick them into sharing company login credentials is important, too. For example, they may know what to look for in a suspicious email message but might not realize they can also be tricked into sharing their personal information in a phone call or text message. Employees need to know it’s important to report suspected phishing attempts just like any other suspicious activity they see.
Buying into Data Protection
Educating employees is an ongoing process that should start when they’re hired. Ongoing training helps keep awareness up and informs everyone of new and changing threats. Empowering people in each department to act as security liaisons essentially extends the information security team’s reach to employees, too. A coworker who “gets security” is often more accessible because they’re always around, and may also see potential data security issues before they become bigger — and more expensive — problems.
Balancing education and vigilance isn’t easy, and can lead to security fatigue and a fear of getting in trouble. If that happens, your data protection efforts are likely to fail. Open and transparent communication is key to keeping everyone on board. It’s also important that employees understand why data security policies are in place, and how proactively protecting company and private data affects them. People rarely follow policies that seem arbitrary.
How to Know if You’re a Data Breach Victim
Knowing if your personal data may have been taken in a data breach is important, too. Unfortunately, many consumers and employees don’t know how to find out if they’ve fallen victim to personal data theft. Luckily, there are reputable websites ready to tell you which data breaches may affect you. Have I Been Pwned and F-Secure’s Identity Theft Checker, for example, can check to see if your email address is included in known data breaches or databases that were unintentionally left unprotected on the internet. Have I Been Pwned also checks phone numbers against known breaches, which is another vector consumers often don’t think about.
Services like Have I Been Pwned and F-Secure are handy for more than identifying which data breaches impact you. These services also note what information was taken in each incident, and can remind users of accounts they forgot about long ago. Those forgotten accounts might hold information attackers could use to gain access to a company’s data, making it important for users to understand that forgotten accounts can be data breach threats, too.
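The same breach-lookup idea applies to passwords, and it can be done without sending the password anywhere. As an added example (not code from the article or from Have I Been Pwned), the snippet below implements a k-anonymity check in the format of HIBP’s Pwned Passwords range API: only the first five hex characters of the SHA-1 hash are sent, and the service answers with every matching “SUFFIX:COUNT” line for that prefix. The sample response is constructed for the demo; only the first suffix is a real hash suffix (of the string “password”).

```python
"""Offline demonstration of a k-anonymity breached-password check in the
Have I Been Pwned "Pwned Passwords" range-API format (SHA-1 prefix in,
"SUFFIX:COUNT" lines out). The sample response below is constructed."""
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the text HIBP would return for prefix 5BAA6.
# Only the first line is a real SHA-1 suffix (of the string "password");
# the other two are made up to show that unrelated suffixes are ignored.
SAMPLE_RANGE = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "00000000000000000000000000000000000:2",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ])
}

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip malformed lines.
    Padded entries (count 0) are kept but never report a password as seen."""
    out = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            out[suffix] = int(count)
    return out

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus (0 if unseen).
    Only the 5-hex-char prefix leaves the machine; the full hash never does."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def offline_fetch(prefix: str) -> str:
    return SAMPLE_RANGE.get(prefix, "")

def live_fetch(prefix: str) -> str:
    """Real range query against HIBP (not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-demo", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, offline_fetch))
```

Swap `offline_fetch` for `live_fetch` to query the real service; a non-zero count is the signal to reject the password at enrollment or reset time.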
The battle to protect your company’s data from malicious attackers is ongoing, as is the effort to educate consumers and employees on better security practices. While the former relies primarily on the CISO and their team, the latter relies on everyone. Helping users understand how protecting their personal data, and maintaining strong security practices at home and at work, benefits them as well as the company is a win for everyone.
Technology Blogger, Podcaster, Author
Jeff Gamet is a technology blogger, podcaster, author and public speaker. Previously, he was The Mac Observer's Managing Editor, and the TextExpander Evangel...