It’s nearly impossible to follow the news these days without coming across another story about a company getting breached and sensitive data leaking out. While the headlines might have you believe that breaches are limited to large enterprises (BMO, British Airways, Facebook, Google, Marriott, Reddit, Equifax), small and medium-sized organizations are being breached with increasing frequency. In fact, it is these smaller organizations, across every vertical from municipalities to local hospitals and clinics to financial firms, that stand to lose the most in terms of brand equity, reputation, client trust, and intellectual property. This post is not a condemnation of organizations that are breached. As a cybersecurity company, we at ActZero understand that nearly any organization of any size can be breached at any time. This post is a caution that we, as a society, should continue to take breaches seriously and not become desensitized to news of incidents, a condition otherwise known as breach fatigue. Read on for how you can help.
At ActZero, we’ve been at the forefront of securing our clients and their brands for over a decade. We still remember the days when a major (or even minor) cyber breach meant a news cycle measured in weeks or months. What stands out from that time are the numerous calls from organizations of all sizes asking for help to improve their security and stay out of the headlines. With the plethora of cyber breaches dominating the news recently (including investigations into election meddling), it is easy to become numb to the idea that your organization will be breached; complacency is the obvious result.
Only the attackers benefit from such societal indifference. They know, and are counting on, organizations believing (falsely) that because getting attacked is inevitable, they should allocate fewer resources (i.e. money and people) to protecting themselves. This is easily refuted with managed detection and response (MDR): sure, being attacked is inevitable, but by detecting and responding to an attack quickly, business impact is not. Moreover, there is an idea (again, plain wrong) that purchasing cyber-insurance will protect you in the event of a breach. First, cyber-insurance only covers certain types of impact to your business; try submitting a claim for the damage to your reputation, your clients’ trust in you, or your brand. Second, successfully claiming against a cyber-insurance policy is not easy. An organization needs to prove to the underwriter that it had taken steps to protect itself (and documented them), and that it met (often complex) compliance requirements. Treating that paperwork as protection plays into attackers’ hands; compliance does not equal security.
There are multiple facets contributing to breach fatigue, and it’s not just the never-ending news cycle. On the consumer side, a safety-in-numbers effect is a contributor: when a retailer gets breached and my data is among the millions of records exposed, I feel less impacted because millions of others are in the same boat. Accountability (or the lack of it) is another, since penalties remain rare and organizations attempt to shift blame (sometimes rightly so) to their vendors or partners.
The fastest-growing target of attacks is the small to medium-sized enterprise. It’s not the big banks and governments with advanced capabilities to defend themselves (although they are still regularly targeted), but rather the 300-person law firm that is hit with malware; the 500-employee municipality that has personally identifiable information (PII) exfiltrated; the 200-person hospital whose billing system is encrypted in a ransomware attack, facing demands for payment to decrypt it (pro tip: don’t pay. Back up frequently and restore from those backups instead; keep at least one copy offline or otherwise immutable and test the restore, because ransomware operators routinely try to delete or encrypt reachable backups before detonating. See our post on how paying ransoms leads to persistent threats).
It is exactly organizations like these that can’t afford the expensive monitoring software, next-generation endpoint protection, and the myriad other cybersecurity tools, let alone the people to manage and operate them and to develop the processes necessary to make them effective. And yet, it is these organizations that need protection the most.
Preventing cyber-attacks is further complicated because an organization needs to examine its entire ecosystem to ensure that a minimum cybersecurity threshold is met. This is no longer just a function of the IT department. Other groups, from finance to operations, from HR to sales, need to be involved and trained in cybersecurity hygiene and best practices. The partners, vendors, and even customers of such organizations also need to play their part. We need to help each other improve cybersecurity. By having everybody engaged and involved in security, you can help limit breach fatigue.
Breach fatigue might be a new term, but it’s not a new phenomenon. It’s already here. Combating it means that we, as a society, need to do our part and contribute. It means that organizations (especially the small and medium-sized ones most susceptible to cyber-attacks) must look at new ways to improve their cybersecurity. Shameless plug: learn about Managed Detection and Response here.
It’s time to make cyber breaches the exception, not the norm. It’s time for society to take ownership and combat the problem rather than bury its head in the sand. Breach fatigue can be stopped, and it’s neither the media nor cybersecurity companies who will achieve it; it’s people like you, at organizations like yours. Take action!