The Dangers of the Desensitization to Cybersecurity Breaches
It seems that hardly a week goes by without there being another report in the news about a data breach. So much so that it seems unless a breach touches the entire population of the United States, it does not even get reported in the mainstream media.
Some are small(ish), such as T-Mobile’s 2018 data breach, which affected two million people. Some are not so small, such as Marriott’s 2018 breach that affected 500 million people. While some breaches are, in the grand scheme of things, not that big a deal, others are quite serious – looking at you, Equifax.
At first, we are shocked and outraged and say that these breaches are unacceptable, and we demand change. Then another one hits, then another and another and another. An interesting thing starts to happen as the number and severity of the breaches climb ever higher: we become less outraged and more cynical. We breathe a sigh of relief when a breach only affects three million people and give a derisive “of course they got hacked” snort when the numbers are in the hundreds of millions.
The Equifax breach represents an extremely dangerous precedent. Not only from the sensitivity of the data that was stolen – that alone is a potential national security nightmare – but also because this very large and very wealthy institution failed to follow standard industry practices – like patching systems. To add some sulfuric acid to the wound, Equifax was shortly thereafter chosen to play a critical role in the Federal government. A role centered around identity management.
The corporate world is not alone in its malfeasance. Local and state governments have also been hit in 2018. Atlanta was on the receiving end of a ransomware attack that was entirely preventable. In fact, it has been preventable since 2015. The aftermath of the attack was devastating. Almost all aspects of government were affected. Even dashcam footage - i.e., evidence - going back years was lost. We won’t even touch the subject of backups. Now, before you laugh at Atlanta’s situation, you might want to take care not to hit the glass walls that surround your city or town with that stone in your hand.
It’s 2019, and we have to contend with biometrics, autonomous cars, buses and trucks and ever larger drones. As yet, there is no federal standard for securing these services and the way in which software developers connect to them.
As more and more of our lives move online – whether it be social media or paying your property tax bill – we literally cannot afford for these systems to be compromised. This is a problem that demands a strong local and national solution. The good news is that we can get there. We have to start with our local politicians to demand that companies be held accountable, including custodial sentences for senior management for the most egregious lapses, and that local governments be given the resources needed to update and secure their systems. The federal government will take longer, but as local and state governments implement more comprehensive legislation, it will eventually catch up.
We can’t continue to allow ourselves to be desensitized with the constant flow of negative news regarding cybersecurity breaches. We need to demand that our corporate citizens and our government do better.