We seem to have become numb to the news of a massive data breach involving a well-established company. Yahoo, Equifax, Target, Marriott, British Airways. You name it! It seems that most large companies will be, or already have been, victims of a disastrous breach if security practices continue to be an afterthought. Vast amounts of data such as email addresses and passwords are stolen or exposed regularly throughout the year. Breach fatigue seems to have set in among businesses and consumers due to the number of stories being pumped out by the press. Perhaps our indifference comes from a disconnect: things that happen online feel distant and impersonal. It could be the fact that large companies are seen to be performing ‘security theatre’, a term used to refer to security measures that make people feel more secure without doing anything to actually improve their security. Whatever the reason for this apathy, it’s essential to take the significance of a data breach more seriously as businesses and individuals.
How They Happen
Weak Common Passwords – The most common factor is the one that everybody knows about. The number of passwords required for all manner of accounts and websites means people get used to using 1 or 2 familiar ones. This repetitive use of simple passwords can lead to things such as brute force attacks, where hackers use a small list of commonly used passwords to guess credentials and enter the system. When Gawker’s database was dumped, the password 123456 was used over two and a half thousand times by its users. We all know keeping track of passwords is a pain, but there are some great websites and apps that help with this.
The World Economic Forum released a report stating that 80% of breaches “are perpetuated from weak or stolen passwords”. Just recently, Donald Trump had his Twitter account hacked because someone easily guessed his password. I have definitely been guilty in the past of using repetitive and simple passwords, but a trip to https://haveibeenpwned.com/Passwords set me straight.
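A service can run the same kind of check at sign-up and refuse passwords that have already appeared in a breach. The sketch below is an added example, not code from this article or from Have I Been Pwned: it follows the k-anonymity range lookup that the Pwned Passwords service offers (only the first five hex characters of the SHA-1 digest are sent, and suffixes with counts come back), with the network call replaced by a hypothetical stand-in built from a constructed sample corpus so it runs offline.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format used by the range lookup."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_digest(password: str) -> tuple[str, str]:
    """Only the 5-character prefix leaves the machine; the suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, skipping blank or malformed ones."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_digest(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

def make_constructed_fetch(corpus: dict[str, int]):
    """Hypothetical stand-in for the HTTP request, built from sample data."""
    def fetch(prefix: str) -> str:
        rows = [f"{sha1_hex(pw)[5:]}:{n}" for pw, n in corpus.items()
                if sha1_hex(pw).startswith(prefix)]
        rows.append("not-a-valid-row")  # malformed line the parser must ignore
        return "\r\n".join(rows)
    return fetch

# Constructed sample corpus and counts, not real breach statistics.
SAMPLE_CORPUS = {"123456": 1000, "password": 800, "qwerty": 300}
FETCH = make_constructed_fetch(SAMPLE_CORPUS)

def signup_allowed(password: str) -> bool:
    """Reject any password that has appeared in the corpus."""
    return breach_count(password, FETCH) == 0

if __name__ == "__main__":
    for candidate in ("123456", "correct horse battery staple"):
        print(candidate, breach_count(candidate, FETCH), signup_allowed(candidate))
```

In production, `fetch_range` would be the real HTTPS request for the prefix; the password and its full hash never leave the server doing the check.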
Lack or Misuse of Access Controls – Access controls are vital in determining who can and cannot access a company’s data. Without authentication and authorisation controls, there is no data security. For people who work out of the office and require access to company services, access control is particularly important.
Outdated Software – Software that is not maintained and can’t function with new applications and devices presents an easy opportunity for hackers to access a system. The Equifax data breach was a result of the company failing to download a patch. This is like wrapping your data up in a string bow and leaving it under the Christmas tree for your hacker friends.
Why They Matter
Data breaches can completely break down trust between a business and its customers. The monetary and reputational damage can be enormous. In professions that revolve around extremely sensitive information, like therapy, a breach can ruin years of relationship building.
A company’s reaction to a data breach can help repair the damage. Transparency and quick responses will always help, but preparation for a data breach is needed for this to happen. While large companies like British Airways can get away with a data breach, a breach can shatter a small business altogether.
State-sponsored activism and interference between world powers are becoming a central theme in democratic elections around the world, and data breaches are used to disrupt them. A data breach during the 2016 Philippine general election left about 55 million registered voters at risk. Information obtained in this way could be used to target voters. These kinds of breaches could cause mistrust in the voting system and process. Romain Robert, a data protection lawyer at https://noyb.eu/en, sums up the potential future for irresponsible practices concerning voter data:
“In a democracy, we cannot accept the processing of political data spiralling out of control. Political parties in particular should not be using voters’ information for purposes other than what the law permits them to do. Could you imagine your political preferences being used to deny you access to a public service or an employment opportunity?”
Organised crime, mainly in the form of identity theft, will continue to grow if data breaches aren’t tackled from the inside of corporations, or punished on the outside by regulators. Most cyber-attacks are money motivated. According to Verizon’s 2020 report, organised criminal groups were behind 55% of data breaches.
The Future of Data Breaches
Growing regulation in the digital age is finally pressuring businesses to tighten up their security defences. Denmark has made it mandatory for companies to encrypt emails containing sensitive personal information. The California Consumer Privacy Act allows a private right of action for a security breach, with potential for $100-750 fines per incident per consumer. This accountability and transparency should place stopping breaches high on the list of a company’s priorities.
The IoT infrastructure has caused, and will continue to cause, significant problems with data breaches. There are many more avenues of attack that hackers can exploit, and the fact that many of us work remotely with these devices is only going to increase the number of hacking attempts. If we stuff our homes with smart devices, then the risk of a data breach will only increase.
What a lot of data breaches come down to is human negligence in the digital space. This carelessness is easy to understand when considering all the social pressures in our everyday jobs and lives. But developing a culture around protecting ourselves and others online is necessary for fighting data breaches. Future initiatives such as passwordless authentication will play a role in curbing breaches, and combatting IoT loopholes is a must, but there is no immediate time frame for this development. Until then, and at this very moment in time, the culture of best practice is the way to go. It is especially important during a pandemic where a large chunk of the world’s workforce sends sensitive data on their laptops at home.