Despite admirable efforts such as the introduction of mandatory data breach notification laws, Australia continues to struggle with data breaches. The latest OAIC figures suggest that although the most recent quarter saw only 215 reported breaches, the lowest figure since the laws were introduced, the average number of reported breaches per day has not decreased significantly. Businesses still take up to six months to detect and report a breach, and according to the Ponemon Institute's recent Cost of a Data Breach Study these breaches cost Australian businesses some US$2 million on average, a significant drain on Australia's digital economy.
This ongoing frequency and amplification of cyberattacks prompts a new question: are the continuous attacks, and the public shaming of businesses affected by a data breach, having an adverse effect? Rather than encouraging more concern and tighter security measures, the lack of change suggests they may instead be breeding indifference, complacency and acceptance of the status quo, which puts sensitive data at even greater risk than before.
Are breaches becoming a ‘no big deal’?
Many called 2018 the 'year of the data breach', and it's easy to see why. High-profile breaches at giants like Facebook, Google and Cathay Pacific show that even substantial cybersecurity investment is no guarantee of "total defence". In Australia, breaches at Toyota, LandMark White and even the federal government continue to affect both businesses and individuals.
Even as cybersecurity measures improve and regulatory enforcement tightens, the motivation to act is waning; we could call this 'data breach fatigue'. As data thefts become more common, they lose their ability to shock, gradually becoming the norm rather than the exception. This desensitises people to the effects of a breach, and many counterintuitively lower their defences when they should be raising them. IT teams become overwhelmed by the flurry of data, while employees grow complacent about stringent security measures: already some 46% of employees commit critical but avoidable mistakes that expose their employers to insider attacks. Data breach fatigue can quickly become a vicious cycle of indifference: compromised businesses become just another statistic, further desensitising others and paving the way for a greater number of attacks in the future.
On the one hand we have cyber emergencies, a sea of statistics, figures and repercussions from a hack or data breach; on the other end of the scale we have 'real life' emergencies such as building fires, transport delays and city crime. Although the former continue to dominate headlines, the latter certainly gain more share of voice and attention from businesses and consumers alike. Why? Because they are tangible.
The repercussions of a building fire are visible, relatable and easy for people to empathise with, whereas the problem with breach fatigue is that a breach isn't tangible. Unless you are involved in some way, close to the industry affected, or know that your own data may be compromised, it's hard to muster the same level of concern, and action, about a cyberattack.
The need for a positive security culture
Australian businesses may slip into accepting data breaches as the status quo, a mindset not helped by the often-quoted line that cybersecurity breaches are a question of "not if but when". However true that may be, businesses should instil a positive security culture around their ability to block most cyber threats and to respond effectively to any that get past their defences.
One way is to maintain strict monitoring, logging and escalation planning as standard security practice. Businesses can also make cybersecurity more interactive and engaging by simulating regular 'attacks' on their systems to test business-wide response times and security protocols. These measures consistently present cybersecurity as a clear but manageable risk, and focus on empowering employees to help protect the business in relatively simple yet meaningful ways.
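The monitoring, logging and escalation loop described above, as an added example that is not part of the original article: a small Python script that runs a brute-force detection over a handful of constructed sshd log lines, upgrades the alert when the guessing run ends in a valid login, routes it to an escalation tier, and reports how long the attack ran before it was noticed. The log lines, the five-failures-in-five-minutes threshold, the one-minute SLA and the tier names are all assumptions made for the drill, not figures from the article or from any real system.

```python
"""Detection-and-escalation drill over constructed sshd log lines (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a password-guessing run from
# 203.0.113.7 that ends in a successful login, plus one benign login from
# another host. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-05-14T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2019-05-14T09:00:04 sshd[1201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2019-05-14T09:00:07 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
2019-05-14T09:00:09 sshd[1203]: Accepted password for alice from 198.51.100.20 port 40010 ssh2
2019-05-14T09:00:11 sshd[1201]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2019-05-14T09:00:14 sshd[1201]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2019-05-14T09:00:20 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class Event:
    ts: datetime
    result: str   # "Failed" or "Accepted"
    user: str
    src: str


@dataclass
class Alert:
    src: str
    user: str
    first_failure: datetime   # start of the guessing run
    detected_at: datetime     # when the failure threshold was crossed
    failures: int
    severity: str             # "medium" = guessing seen, "high" = guessing then a valid login


def parse_log(text):
    """Turn raw sshd lines into Events; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]),
                                m["result"], m["user"], m["src"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Raise one Alert per source that accumulates `threshold` failures inside `window`.

    A successful login from that source within `window` of the alert upgrades it
    to "high": the guessing run produced working credentials. The threshold and
    window are assumptions for the drill, not tuned values.
    """
    fails = {}    # src -> failure timestamps still inside the window
    alerts = {}   # src -> Alert (escalated in place on a later success)
    for ev in sorted(events, key=lambda e: e.ts):
        recent = [t for t in fails.get(ev.src, []) if ev.ts - t <= window]
        if ev.result == "Failed":
            recent.append(ev.ts)
            if len(recent) >= threshold and ev.src not in alerts:
                alerts[ev.src] = Alert(ev.src, ev.user, recent[0], ev.ts,
                                       len(recent), "medium")
        elif ev.src in alerts and ev.ts - alerts[ev.src].detected_at <= window:
            alerts[ev.src].severity = "high"
            alerts[ev.src].user = ev.user   # the account that was actually opened
        fails[ev.src] = recent
    return list(alerts.values())


def escalate(alert, sla=timedelta(minutes=1)):
    """Route the alert and report how long the attack ran before it was noticed.

    The tier names and the one-minute SLA are assumed for the drill; a real
    runbook sets them per business.
    """
    latency = alert.detected_at - alert.first_failure
    if alert.severity == "high":
        tier = "incident-commander"
    elif latency > sla:
        tier = "on-call-analyst"
    else:
        tier = "soc-queue"
    return tier, latency


def run_drill(log_text):
    """Full drill: parse, detect, escalate. Returns (src, severity, tier, latency_seconds) tuples."""
    results = []
    for alert in detect(parse_log(log_text)):
        tier, latency = escalate(alert)
        results.append((alert.src, alert.severity, tier, int(latency.total_seconds())))
    return results


if __name__ == "__main__":
    for src, severity, tier, latency_s in run_drill(SAMPLE_LOG):
        print(f"{src}: severity={severity} route={tier} detected after {latency_s}s")
```

Run as a script it prints the routing decision for the sample log. The same run_drill call can be pointed at the log output of a simulated attack, and the latency it returns is the detection-to-escalation figure that such a drill is meant to measure; the threshold and SLA values are the knobs to revisit after each exercise.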
Beyond these tactical defences, as an industry we need to consider how we instil this positive security culture across the board. Last year I explained that rather than naming and shaming those unfortunate enough to be the victims of attacks, we need to re-think the support and collaboration network, at a sector and industry level. The same supportive and united front is needed when it comes to eliminating breach fatigue.
To gain cut through and help businesses stop and take note, we need to flip the dialogue on how we talk about breaches and attacks. Organisations that suffer the least after a breach will be those that handle it with transparency and an increased desire to do better in the future and help others along the way. Rather than discussing the unrelatable million-dollar figure of loss over and over, it’s time to identify the real cost – making these incidents as human, tangible, and relatable as possible so we can all start to take on a more positive security culture.