Is Breach Fatigue the New Norm?
Blog Article Published: 02/21/2023
Originally published by CXO REvolutionaries.
Written by Erik Hart, Global CISO, Cushman & Wakefield.
How numb is the public to security failures?
One of the trickiest security topics involves the shifting relationship between security and privacy.
Twenty years ago, people saw these areas as fundamentally different; security was mainly about protecting property (including digital property), and privacy was largely about keeping personal details of your life to yourself. But over time, that line has blurred as our lives have gone increasingly online. In some contexts, it’s completely gone.
That’s especially true for companies that routinely deal with the general public. Working with a mass market today usually involves mass data collection, which risks mass exposure in the event of a security breach.
But do people care about breaches these days? Or have we become so numb to the consequences of such events that we assume they don’t amount to anything worth taking action over and simply look the other way?
“Breach fatigue,” as it’s called, is a little like COVID-19 fatigue. It’s a problem with the potential to create others. Consider that polls suggest only 15% of eligible Americans have taken advantage of the latest government-provided booster shots; why is that?
It’s not that COVID-19 is a minor problem — nearly 1.1 million Americans have died from it since early 2020 — but it’s gradually become a familiar problem. And familiarity has bred cynicism. The pressing sense that it’s crucial to follow best practices has waned, and so has the demand for vaccination.
For a closer look at how this concept applies to security and privacy, consider the notorious Equifax breach. The 2017 incident led to the exposure of private information for roughly one hundred and fifty million Americans, including their names, birthdates, and Social Security numbers.
Five years later, the class-action lawsuits have led to a $425 million settlement that’s finally being paid out, but collateral damage remains. As long as the stolen data remains on the dark web, cybercriminals can use it. And yet the Equifax breach has, aside from recently-mailed settlement letters, faded from the public’s consciousness.
Over time we see the public, and even the stock markets, forget about these breaches as we return to these brands. Just look at the likes of TJX, Home Depot, and Target, all of which have bounced back from large, widely publicized breaches.
Don’t be fooled – privacy is more important to consumers than ever – and so is the security that ensures it
I think a better case can be made for the opposite idea.
If our lives are increasingly digital, it follows that we are increasingly sophisticated consumers of digital services, too. Doesn’t that imply users have increasingly high standards regarding digital security and privacy — and increasingly little tolerance for subpar organizations?
A December 2022 survey by accounting firm KPMG suggests exactly these conclusions. Among other findings:
- A stunning 92% of Americans polled expressed concern about how organizations were handling their personal data (up from 2021)
- Concerns about the possible security issues of public WiFi are also up
- So are worries about rewards programs (up four points)
- Almost 90% want organizations to be clear about what’s happening to their personal data (and to provide the power to opt out)
These numbers suggest that breach fatigue is what’s getting weaker — not the public interest in digital security and privacy.
We can see a similar shift in the way web cookies, and related policies, have become an increasingly public matter. Once upon a time, no site advertised that it was using cookies, or asked explicitly for user permission before storing and using cookies. Today this is commonplace, and the reason for it is simple: it’s what people like to see, and companies know that.
Similarly, there was a time when organizations like DuckDuckGo, which emphasize user privacy, were seen as fringe services for those wearing tinfoil hats — people who somehow didn’t understand that privacy was finished as a concept and that we all just needed to get used to that. But in early 2023, DuckDuckGo hasn’t failed; it’s grown, and its offerings include new privacy-protecting services far beyond its initial search engine. (Former Twitter CEO Jack Dorsey even tweeted that DuckDuckGo was his preferred search engine.)
Legislation has undoubtedly played its part in these shifts. When GDPR was enacted in 2018, there was much hand-wringing about its punitive potential. Those concerns have proven justified. While the governance structure in the U.S. means these decisions are left to the states, clauses like the one in California’s consumer privacy act mean any company doing business with residents of the state is bound by the statute. This, in effect, makes it binding for most major corporations.
We live in a world with an increasingly tech-savvy consumer base that is increasingly invested in privacy and security. That means it’s also a world that grants a competitive advantage to organizations that take security and privacy seriously — and that act effectively to protect them both.
So it follows that any organization with a large stockpile of consumer information — for instance, a social media company or a credit reporting bureau — is not only acting ethically to invest in the best security it possibly can. It’s also working wisely from a business standpoint.
Top-tier security, backed by proven best practices, means such a company is much less likely to be breached, to suffer all the damaging PR and legal ramifications that come with a breach, and to have to struggle to win back the public trust it has probably lost in the process.
We can take that reasoning yet another step. What applies to social media and credit bureaus applies more generally to any organization with sensitive information of any sort, whether it’s consumer data or not — and almost all do, in one form or another. Indeed it follows that every organization should leverage the best security tech to the best effect it can.
Not all will, but those that do will probably get a better business outcome in the long run than those that don’t.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.