It is easy to become numb to news of a massive data breach involving a well-established company. Yahoo, Equifax, Target, Marriott, British Airways. You name it! It seems that most large companies have been, or will be, victims of a disastrous breach at some point. Vast amounts of data such as email addresses and passwords are stolen or exposed regularly throughout the year. Breach fatigue seems to have set in among businesses and consumers, perhaps due to the sheer number of stories being pumped out by the press. Or perhaps our indifference comes from seeing things that happen online as distant and impersonal. It could also be the fact that large companies are seen to be performing ‘security theatre’, a term used to refer to security measures that make people feel more secure without doing anything to actually improve their security. Whatever the reason for this apathy, it’s essential for both businesses and individuals to take the significance of a data breach seriously.
How They Happen
Weak Common Passwords – The most common factor is the one that everybody knows about. The number of passwords we are required to use for all manner of accounts and websites means that we end up using one or two familiar ones. This repetitive use of simple passwords can provide opportunities for brute force attacks, where hackers use a small list of commonly used passwords to guess credentials and enter the system. When Gawker’s database was dumped, the password 123456 was used over two and a half thousand times by its users. We all know that keeping track of passwords is a pain, but there are some great websites and apps that can help with this.
The World Economic Forum released a report stating that 80% of breaches “are perpetuated from weak or stolen passwords”. Not too long ago Donald Trump had his Twitter account hacked because someone easily guessed his password. We have definitely been guilty in the past of using repetitive and simple passwords, but a trip to https://haveibeenpwned.com/Passwords is a good way to encourage oneself to set things straight.
Lack or Misuse of Access Controls – Access controls are vital in determining who can and cannot access a company’s data. Without authentication and authorization controls, there is no data security. For people who work out of the office and require access to company services, access control is particularly important.
Outdated Software – Software that is not maintained and can’t function with new applications and devices presents an easy opportunity for hackers to access a system. The Equifax data breach was a result of the company failing to download a patch.
All this might seem painfully basic. Well, it is! The truth is that most breaches happen because people fail to implement basic security measures.
Why They Matter
Data breaches can completely destroy the trust between a business and its customers. The monetary damage can be enormous, but the reputational damage is potentially irreparable. In professions which revolve around extremely sensitive information like therapy, data breaches can ruin years of relationship building.
A company’s reaction to a data breach can help repair the damage. Transparency and quick responses will always help, but preparation for a data breach is needed for this to happen. While large companies like British Airways can get away with a data breach, a breach can shatter a small business altogether.
State-sponsored activism and interference between world powers are becoming a central theme in democratic elections around the world, and data breaches are used to disrupt them. A data breach during the 2016 Philippine general election left about 55 million registered voters at risk. Information obtained in this way can be used to target voters. These types of breaches could cause mistrust in the voting system and process. Romain Robert, a data protection lawyer at https://noyb.eu/en, sums up the potential future for irresponsible practices concerning voter data:
“In a democracy, we cannot accept the processing of political data spiraling out of control. Political parties in particular should not be using voters’ information for purposes other than what the law permits them to do. Could you imagine your political preferences being used to deny you access to a public service or an employment opportunity?”
Organized crime, mainly in the form of identity theft, will continue to grow if data breaches aren’t tackled from the inside of corporations, or punished on the outside by regulators. Most cyberattacks are financially motivated. According to Verizon’s 2020 report, organized criminal groups were behind 55% of data breaches.
The Future of Data Breaches
Growing regulation is pressuring businesses to tighten up their security defenses. Denmark has made it mandatory for companies to encrypt emails containing sensitive personal information. The California Consumer Privacy Act allows a private right of action for a security breach, with potential for $100-750 fines per incident per consumer. This accountability and transparency should place stopping breaches high on the list of a company’s priorities.
The increased use of connected devices (the internet of things) has caused, and will continue to cause, significant problems with data breaches. These devices create new avenues of attack for hackers to exploit, and the fact that many of us are working remotely and using these devices is only going to increase opportunities. The more we stuff our homes with smart devices, the greater the risk of us being hacked.
As we said, the majority of data breaches result from human negligence. When you consider all the social pressures in our everyday jobs and lives, this carelessness is easy to understand. But developing a culture around protecting ourselves and others online is a necessary part of preventing data breaches. Future technologies such as password-less authentication may play a role in curbing breaches and combating IoT loopholes, but they will never stop the problem of humans making mistakes.