Data breaches come at such a fast pace that the public doesn’t seem to pay attention to the latest incidents, or they’re practically forgotten in a week — just in time for the next breach to make headlines. Instead of cries for better personal data protection, however, consumers seem less concerned even as more companies send them alerts saying their name, phone number or social security number was taken in yet another database attack. This dangerous attitude does nothing to protect the people whose data was exposed — or the businesses who employ them.

T-Mobile was in the spotlight in August after attackers stole personal details such as names, driver’s license numbers and social security numbers for more than 54 million customers. Before that, ParkMobile was targeted in an attack where 21 million personal records were taken, ClearVoiceResearch was hit for 15.7 million records, and 3.3 million records were taken in an attack on Volkswagen. Those, and many others, are already distant memories for most consumers. Even the 533 million personal records stolen from Facebook — an attack the social media company says was actually data scraping — seem forgotten.

These pervasive data breaches could be desensitizing consumers and creating a “why should I care” attitude. Since their personal information is already in the wild, they might reason, there isn’t any point in worrying about who has it. What they should be paying attention to are the targeted scams, phishing schemes and fraud that follow personal data theft. Complacency from breach fatigue makes them easier targets, and that poses a big data security risk for companies.

The Importance of Data Security Education

The Ponemon Institute and IBM annual Cost of a Data Breach Report for 2021 pins compromised user credentials as the most common attack vector for data breaches. The study found this accounted for 20% of incidents, and the worldwide average cost of a data breach was $4.24 million. In the US, that number jumps to $9.05 million.

In some cases, compromised credentials may have come from personal data stolen in data breaches or password brute force attacks. Other times, users fell victim to phishing scams where they were tricked into giving up their company login credentials or other personal information. For companies with thousands of employees, that amounts to thousands of opportunities for data security to be compromised.

Addressing users’ lack of concern isn’t, however, a lost cause. Education is key and requires teaching them about in-office security hygiene, as well as how to protect their computers and mobile devices outside of work. This is especially important with so much of the workforce working remotely.

How to Bring Security Hygiene Home

While company-owned computers, smartphones and laptops are managed by in-house policies, personal devices that may access or store company data often aren’t. Employees need to be aware of the importance of installing system and application updates for patching security flaws, and that opening documents or links from unknown sources could expose them to malware or data theft.

Many users aren’t aware of the importance of good password practices such as using unique and strong passwords for every account login, relying on a quality password manager and using multifactor authentication or tokens wherever possible. Some aren’t even aware that passwords to unlock their computer or mobile devices are critical for data security. Company policies dictating how and where personal devices can access company resources help reduce the risk, but can’t replace routine vulnerability assessments and training to find weak points — or even violations — in security policies.

Helping employees better understand phishing attacks designed to trick them into sharing company login credentials is important, too. For example, they may know what to look for in a suspicious email message but might not realize they can also be tricked into sharing their personal information in a phone call or text message. Employees need to know it’s important to report suspected phishing attempts just like any other suspicious activity they see.

Buying into Data Protection

Educating employees is an ongoing process that should start when they’re hired. Ongoing training helps keep awareness up and informs everyone of new and changing threats. Empowering people in each department to act as security liaisons also makes the information and security team more accessible to employees. A coworker who “gets security” is often more accessible because they’re always around, and may also see potential data security issues before they become bigger — and more expensive — problems.

Balancing education and vigilance isn’t easy, and can lead to security fatigue and a fear of getting in trouble. If that happens, your data protection efforts are likely to fail. Open and transparent communication is key to keeping everyone on board. It is also important that employees understand why data security policies are in place, and how proactively working to protect company and private data affects them. People rarely follow policies that seem arbitrary.

How to Know if You’re a Data Breach Victim

Knowing if your personal data may have been taken in a data breach is important, too. Unfortunately, many consumers and employees don’t know how to find out if they’ve fallen victim to personal data theft. Luckily, there are reputable websites ready to tell you which data breaches may affect you. Have I Been Pwned and F-Secure’s Identity Theft Checker, for example, can check to see if your email address is included in known data breaches or databases that were unintentionally left unprotected on the internet. Have I Been Pwned also checks phone numbers against known breaches, which is another vector consumers often don’t think about.

Services like Have I Been Pwned and F-Secure are handy for more than identifying which data breaches impact you. These services also note what information was taken in each incident, and can remind users of accounts they forgot about long ago. Those forgotten accounts might hold information attackers could use to gain access to a company’s data, making it important for users to understand that forgotten accounts can be data breach threats, too.

The battle to protect your company’s data from malicious attackers is ongoing, as is the effort to educate consumers and employees on better security practices. While the former relies primarily on the CISO and their team, the latter relies on everyone. Helping users understand how protecting their personal data, and maintaining strong security practices at home and at work, benefits them as well as the company is a win for everyone.
