In what is believed to be the largest security breach to date, the Associated Press reported that Russian hackers have stolen 1.2 billion user names and passwords. According to the AP, Milwaukee security firm Hold Security learned of the breach but has yet to provide details about the series of website hackings believed to have affected 420,000 websites. Citing nondisclosure agreements, Hold Security has not named the hacked websites.
A concern raised by some is the “breach fatigue” that may be created by the continuing stream of news reports about breaches large and small, the notification letters that follow, and the repeated warnings and recommendations to individuals and businesses about addressing data security. This “condition” may be real, but it is a condition individuals and businesses have to overcome as “big data” and the “internet of things” (IoT) become more a part of our lives, creating value in data that criminals want to steal.
A frequent refrain from some, including many small businesses, is that incidents like these will not happen to them. But, as the L.A. Times reports, according to the National Small Business Assn., 44% of survey respondents had been victims of at least one cyberattack. For well over a decade, identity theft has continued to be the top crime reported to the FTC. For businesses, the risk is more than whether a breach will happen and how to respond; it is the effects the breach can have on their reputation, the enforcement that increasingly follows these incidents at the federal and state level, and increased litigation, including class actions. Late last month, for instance, the Massachusetts Attorney General’s office reported a $150,000 settlement with a local hospital based on allegations of failing to properly safeguard patient data and report the incident.
For many businesses, there are a number of “best practices” that are relatively easy to implement and can have a significant impact on reducing the risks of a data breach. Many say, yes, but where do we start? Logically, the starting point is gaining an understanding of the business’s data privacy and security risks – doing a risk and vulnerability assessment. There are a number of resources available to assist in designing and carrying out an assessment. For example, the National Institute of Standards and Technology (NIST) recently issued a draft update of its primary guide to assessing security and privacy controls. While the work NIST does, including this guide, is designed for federal information systems and networks, it is an excellent and comprehensive source for businesses to understand steps they too can take to safeguard their systems and data.
The practical starting point, however, is getting management and C-suite support. Data privacy and security is an enterprise-wide risk that requires an enterprise-wide solution. Like many conditions, left untreated, “breach fatigue” can have significant consequences.