Battling 'Breach Fatigue'

Tips to Keep Employees and Customers Engaged in Cyber Fight

May 10, 2011

How much is too much? At what point do people simply tune out news and warnings of data breaches?

Over the past several weeks, we've seen a slew of online attacks and successful hacks against:

In the wake of all this breach news, some industry experts fear that consumers and employees alike will start exhibiting signs of "breach fatigue" and treat such incidents apathetically - especially if they believe there's nothing they can do to prevent future breaches.

"The thing about fatigue is, it's contagious," says Neal O'Farrell, founder of the Identity Theft Council, a national grassroots network that provides support for victims of identity theft. "I don't think there's any easy answer. There are so many breaches; it's just so easy for one breach to disappear in the cloud when a new one emerges. And I think companies are kind of viewing it the same way."

Breach Overload

Part of the problem, O'Farrell says, is lack of accountability following an incident. When a retailer is breached, for instance, consumers don't stop shopping there. "The businesses don't see any long-term damage, so they don't think it will hurt customer trust," he says. "There are so many data breaches, it's easy for these companies to dodge the bullet of customer anger," fueling the sense of apathy.

But for banks and credit unions, the story is much different. "Financial institutions are the exception," O'Farrell says. "They have the most to lose. Customers look to them to be secure, and they put a lot of trust in their financial institutions, because they hold the money."

Reed Taussig, CEO of ThreatMetrix, provider of fact-based fraud detection solutions, says when businesses and consumers see their bank accounts drained, the fraud alone serves as a strong motivator to fight off fatigue. "I think that if you start losing significant amounts of money on a monthly basis to Internet fraud, the breach fatigue is probably energized by the losses," Taussig says.

ACH attacks, which in some cases have led to losses of between $100,000 and $200,000, can shutter a small business, Taussig says. Those businesses do take the losses seriously. "The problem is finding a cost-effective solution," he adds. "Many credit unions and community banks outsource their solutions to a core processor or a third party. They don't have the expertise when it comes to setting up anti-fraud measures."

Taussig says that's where vendors need to step in, to work with smaller organizations that may not be quite so aware of all of their security options.

But Marcus Ranum, CSO of Tenable Network Security, says the fatigue relates not so much to the size of the organization or institution, but the way the industry, in general, has responded to breaches. "A tipping point for breaches? We won't hit one because we're already there," Ranum says. "We've already had so many breaches; we will just keep suffering from breaches, and no one is really doing anything to stop it."

Fighting Fatigue

So, how do financial institutions address the fatigue phenomenon, and encourage their own staff and employees to continue to make strides to ensure online security?

Though options may be limited, O'Farrell and Ranum say organizations can diminish apathy if they are willing to be completely honest with their customers about fraud risks. Here are Ranum's and O'Farrell's recommendations for fighting breach fatigue:

  1. Categorize Breaches - Like hurricanes, breaches should fall into categories ranked, for instance, from 1 to 5, O'Farrell says. "Like the Sony breach, where a lot of personal information was compromised, that would be a Level 5," he says. "And if we look at breach categorization, we could set different requirements for different levels."

Follow Tracy Kitten on Twitter: @FraudBlogger
