Battling 'Breach Fatigue'
Tips to Keep Employees and Customers Engaged in Cyber Fight
Over the past several weeks, we've seen a slew of online attacks and successful hacks against:
- RSA's SecurID multifactor authentication products;
- e-mail marketer Epsilon;
- Gaming giant Sony;
- Online password protector LastPass;
- And numerous U.S. commercial bank accounts hit by the wave of wire fraud incidents originating in China.
In the wake of all this breach news, some industry experts fear that consumers and employees alike will start exhibiting signs of "breach fatigue" and treat such incidents apathetically - especially if they believe there's nothing they can do to prevent future breaches.
"The thing about fatigue is, it's contagious," says Neal O'Farrell, founder of the Identity Theft Council, a national grassroots network that provides support for victims of identity theft. "I don't think there's any easy answer. There are so many breaches; it's just so easy for one breach to disappear in the cloud when a new one emerges. And I think companies are kind of viewing it the same way."
Breach Overload
Part of the problem, O'Farrell says, is lack of accountability following an incident. When a retailer is breached, for instance, consumers don't stop shopping there. "The businesses don't see any long-term damage, so they don't think it will hurt customer trust," he says. "There are so many data breaches, it's easy for these companies to dodge the bullet of customer anger," fueling the sense of apathy.
But for banks and credit unions, the story is much different. "Financial institutions are the exception," O'Farrell says. "They have the most to lose. Customers look to them to be secure, and they put a lot of trust in their financial institutions, because they hold the money."
Reed Taussig, CEO of ThreatMetrix, provider of fact-based fraud detection solutions, says when businesses and consumers see their bank accounts drained, the fraud alone serves as a strong motivator to fight off fatigue. "I think that if you start losing significant amounts of money on a monthly basis to Internet fraud, the breach fatigue is probably energized by the losses," Taussig says.
ACH attacks, which in some cases have led to losses of between $100,000 and $200,000, can shutter a small business, Taussig says. Those businesses do take the losses seriously. "The problem is finding a cost-effective solution," he adds. "Many credit unions and community banks outsource their solutions to a core processor or a third party. They don't have the expertise when it comes to setting up anti-fraud measures."
Taussig says that's where vendors need to step in, to work with smaller organizations that may not be quite so aware of all of their security options.
But Marcus Ranum, CSO of Tenable Network Security, says the fatigue relates not so much to the size of the organization or institution, but the way the industry, in general, has responded to breaches. "A tipping point for breaches? We won't hit one because we're already there," Ranum says. "We've already had so many breaches; we will just keep suffering from breaches, and no one is really doing anything to stop it."
Fighting Fatigue
So, how do financial institutions address the fatigue phenomenon, and encourage their own staff and employees to continue to make strides to ensure online security?
Though options may be limited, O'Farrell and Ranum say organizations can diminish apathy if they are willing to be completely honest with their customers about fraud risks. Here are Ranum's and O'Farrell's recommendations for fighting breach fatigue:
- Categorize Breaches - Like hurricanes, breaches should fall into categories ranked, for instance, from 1 to 5, O'Farrell says. "Like the Sony breach, where a lot of personal information was compromised, that would be a Level 5," he says. "And if we look at breach categorization, we could set different requirements for different levels."
So, a Level 3 breach might require that the breached company undergo an internal audit conducted by a third party, and a Level 5 breach might require an audit, a fine and a mandated national breach notification alert. "I think that if consumers had a category to look to, it would make a difference," O'Farrell says. "They would know which breaches to pay attention to, and their anger would be shifted to those that fall into a higher category."
- Increase Liability for Breached Entities - Zero liability for financial losses, O'Farrell says, has ultimately hurt consumers. "They've felt too confident that they are protected, so they have not done much to protect themselves."
Besides, zero liability is a falsehood anyway, since consumers pay a price, in the long run, if their identities are stolen as the result of a breach, Ranum says. "What's happened is that the regulators have made a tradeoff in favor of the banking industries' interests," he says. "[The bank or business] can tell you they lost all of your personal information and then just say, 'Good luck. It's your problem now.'"
- Raise Awareness of Security Options - Banking institutions should make no assumptions about their clients' security knowledge, Ranum says. "Businesses and consumers could actually have an Internet fraud-block setting placed on their account, something that says, 'I don't want anyone to do wire transfers out, and I don't want anyone other than myself allowed access to this account.'"
As part of this awareness, Ranum says banking institutions should encourage customers to maintain separate accounts for online transactions, and then enable fraud alerts for these accounts. "If you have fraud alerts and separate bank accounts, then most people who are trying to hack your account will go somewhere else," Ranum says. "They'll go to another account, that's easier to hack."
- Raise Awareness of Threats - While institutions can do much to raise their employees' and customers' awareness of information security threats, they also can benefit by supporting grassroots efforts. "Some of these grassroots organizations are in the best position to get the word out to consumers," Ranum says. Banks can help by supporting these organizations, which have a better chance of reaching consumers and commercial customers with educational messages.
Groups such as O'Farrell's Identity Theft Council offer the best hope for worthwhile consumer and business education, Ranum says. "They can be a true consumer advocate," he says. Even the Consumer Financial Protection Bureau "is going to hinder our ability to address breach fatigue."
"It's another government agency, so it's going to be more for government and lobbyists than for consumers," Ranum says.
O'Farrell agrees grassroots efforts offer a strong alternative, at least for now. "Victims have been abandoned by ID theft, and they have been abandoned by law enforcement and financial institutions," O'Farrell says. "We see a huge demand for what we are doing."