The dangers of breach fatigue—and how to take action

Jadee Hanson, CISO and VP of Information Systems, Code42

A stream of near-constant data breaches has left many consumers numb to security risks. Remember when the first major retail data breaches occurred? Everyone rushed to change their passwords and credit card information. But after so many major breaches, a sense of complacency has taken hold.

It's no wonder: According to the Privacy Rights Clearinghouse, 9,033 data breaches have been made public since 2005, or about 1.77 breaches a day, on average.

The idea of breach fatigue among consumers has been widely discussed, but it exists within organizations as well, and it presents a significant problem. Employees and leaders who experience breach fatigue can leave an organization open to insider threats, ineffective security strategies, and other vulnerabilities.

At a time when data security needs to be taken more seriously, people are turning their heads away from the issue instead of working to stop the problem. It's essential that your organization recognize breach fatigue in its own security strategies and in its employees, and work to reverse this complacency to protect the business.

Here's what your team needs to know and how to get started.

The consequences of complacency

There's an obvious disconnect here. We read every day about how vital security is, the damage done by major breaches, and how advanced your adversaries have become. So why are people becoming fatigued? The answer is a human one: People and organizations are overwhelmed. Or they've come to think of breaches as inevitable and beyond their control.

One of the major dangers of breach fatigue is complacency, both in individual employees and within organizations as a whole. Organizations may implicitly adopt the mindset that breaches are always going to happen, so why try to stop them?

Whether consciously or not, leadership may become less motivated to protect the company or to invest in the correct tools and services. Other consequences could include making fewer investments in security team members or increasing risk-taking behaviors.

Meanwhile, employees can become frustrated and overwhelmed by constant security nagging at work. Rules about how often to update passwords and how complex to make them, guidance about which programs and devices may or may not be used at work, and requirements for regular security training are all a part of today's modern workplace.

While important, these things may leave employees feeling as though their efforts to comply are never done. Fatigue sets in. Overwhelmed or complacent employees can put your whole organization at risk.

So how can business and technology leaders combat the dangers of breach fatigue within their employees and larger processes? The key is to know the symptoms and be able to react with the correct risk-mitigation techniques.

Identify the symptoms and take action

Like many bad habits, breach fatigue can be difficult to recognize in oneself. Most organizations may think breach fatigue won't happen to them and that they know better. But it's more prevalent than you might think.

To identify it, companies must be able to gauge how employees feel about security in their organizations. Are they getting frustrated with security reminders? How often do they update their passwords? How soon do they complete new security training? These are the questions companies must answer and track, although that can be difficult.

Some organizations are beginning to measure security sentiment within employees at the individual level. New tools allow the use of hard data and metrics to measure security engagement, attitudes, and knowledge over time and compare them to industry benchmarks. Informal surveys are also being used to track this sentiment.

On an organizational level, it can be effective to look at your leadership. Are investments in security tools flat or down? This will help leaders to diagnose and address breach fatigue.

The cure? Remember the risks

One factor aiding breach fatigue is that it's easy for individuals to forget the consequences of a breach, not just for them but for their organizations. Employees must understand how they can inadvertently put their organizations and colleagues at risk, while leadership needs to be reminded of the major ramifications of taking protection for granted.

According to the 2018 Cost of a Data Breach Study by Ponemon, the average cost of a data breach was up 6.4% over the previous year, to $3.86 million, with an average cost for each lost or stolen record of $148.

Equally detrimental is the immeasurable cost of lost reputation and brand value that can come from a major breach, which often leads to the loss of customers or potential partners. This loss of trust is very difficult to account for, and has serious financial consequences.

No one wants to be the bringer of doom and gloom, but it's essential to keep these consequences in mind. Regular reminders of the true aftermath of a breach can help to combat breach fatigue.

When in doubt, stay honest

There's been a shift in how organizations are scrutinized during and after a breach. Accountability and transparency are increasingly used as benchmarks for how companies are judged in these situations.

By maintaining a positive security culture and staying alert for the signs of breach fatigue, you'll be prepared to respond effectively if a breach does occur. Organizations that suffer the least after a breach are those that handle it with transparency and an increased desire to do better in the future.