By James A. Martin
Since 2005, 8,983 data breaches have been made public in the U.S, according to the Privacy Rights Clearinghouse. That works out to 1.69 breaches a day, with 11.5 billion records affected.
The large volume of data breaches, at a minimum, can create a sense of resignation, with 84% of North American CISOs saying they believe cybersecurity breaches are inevitable, according to Kaspersky Lab research. Putting a finer point on it, the Harvard Business Review says there are only two types of companies today: “those that have been breached and those that don’t know they have.”
No wonder so many people today have ‘data breach fatigue.’
The term is increasingly used to describe weary consumers who have received too many notifications that their personal data may have been compromised in yet another data breach. Some experts warn that the steady drumbeat of heavily publicized breaches creates a sense that such incidents are “the new normal,” The New York Times reports.
But if consumers are experiencing data breach fatigue, what about those on the front lines of enterprise cybersecurity? And if they’re exhausted by constantly receiving and reacting to cybersecurity alerts, what can enterprise leaders do about it?
Nothing Really Bad Happens After a Breach. Or Does It?
“Data breach fatigue has been out there for a while among cybersecurity and IT people,” says Asher de Metz, Senior Security Manager for Sungard AS. “I see it fairly often. Fatigue and complacency set in when a lot of people see other companies get breached and, after the initial fallout, nothing bad seems to happen to those companies.”
For example, the stock prices of companies such as Target and Home Depot during and following high-profile data breaches decreased only slightly or quickly recovered after the breach was disclosed, Harvard Business Review notes.
While it’s true some companies suffer only short-term from a breach, others can face serious consequences.
At the American Medical Collection Agency (AMCA), a breach went undetected from August 2018 to March 2019, ZDNet reports. The breach affected millions of people who were customers of AMCA clients such as Quest Diagnostics and LabCorp, which stopped doing business with AMCA after the breach was disclosed. Due to such business losses and other post-breach fallout, AMCA’s parent company Retrieval-Masters Creditors Bureau Inc. filed for bankruptcy protection in June 2019, according to Bloomberg.
The Bombs Are Falling — You Just Can’t See Them
Other factors are contributing to data breach fatigue. For example, IT and cybersecurity team members may get complacent when data breaches are always happening to other organizations. “If you’re in a physical war, you see the bombs going off, and it’s real to you,” de Metz explains. By comparison, the battle against criminal hackers, until it directly affects your enterprise, can seem unreal, vague, remote and thus, it can contribute to a sense of complacency.
Frequency = Fatigue
In addition, because of the increasing volume and scope of cybersecurity threats, a sense of burnout can happen. “The frequency of breaches is a big contributor to the fatigue,” says Shawn Burke, Global Chief Security Officer for Sungard AS. “When that happens, it can sometimes take significant consequences to get cybersecurity back to the top of the agenda.”
Burnout and the Talent Shortage Can Lead to Human Error
Cybersecurity aside, the majority (57.16%) of employees at tech companies feel burned out by their jobs, according to a recent study from message board app Blind. So, it’s not difficult to imagine how cybersecurity and IT team members at those companies may feel, especially if they’re also contending with a bare-bones cybersecurity team as a result of the shortage of skilled cybersecurity talent.
Data breach fatigue and overall job burnout coupled with the shortage of skilled talent can lead to human error. And according to Gartner, 95% of cloud security failures by 2022 will be the result of human error.
What You Can Do About Data Breach Fatigue
While data breach fatigue is understandable, perhaps inevitable, it’s also an insidious threat to your enterprise resilience. Here’s how to combat it.
1. Make cybersecurity a priority at the top
In the age of endless cyberattacks and breaches, it’s easy for an organization’s board of directors, CEO, and other top executives to get data breach fatigue, too. Making matters worse, some cybersecurity and IT professionals — themselves fatigued — too often assure top execs that the company is properly protected when, in fact, it isn’t. The executives may take those assurances at face value, thereby putting the organization’s resilience needlessly at risk.
“The people at the top who care about the bottom line must push for proper, relevant, robust cybersecurity — or else it may not happen,” de Metz says.
2. Trust but verify
Top execs and board members should ask informed, specific questions about how the enterprise is secure, says Burke. “Leadership needs to understand who’s responsible for updating and maintaining cybersecurity, exactly what the teams are doing to protect the company, and how the enterprise might be affected if there’s a cybersecurity event.”
“Trust but verify,” de Metz adds. “During every quarterly board meeting, make sure there’s a slide in the deck specifically about cybersecurity that explains in practical, qualitative ways what’s being done to keep the company resilient. You might also have a third-party come in, analyze your cybersecurity initiatives, and verify that the security team is doing everything it should be.”
3. Raise awareness
You can’t train people not to be fatigued or complacent. But you can raise awareness about what’s at stake if there’s a successful data breach or cyberattack, not just for the company but for team members on the front lines of cybersecurity, Burke says.
The stakes for an enterprise are, among other things, its good reputation, which can be seriously damaged after a major breach. (Just ask Equifax.) Thus, your cybersecurity team should be aware of what a damaged reputation can mean for the business — angry customers who flee to a competitor, loss of revenue, even litigation and regulatory fines.
There’s something else for cybersecurity teams to consider, too: If the enterprise that employs them suffers a publicized data breach and damaged reputation, how will that affect their future cybersecurity career prospects? And how might it affect the jobs they currently have? Some organizations fire employees whose lack of vigilance resulted in a physical security or cybersecurity breach, de Metz says.
Corporate boards and C-level executives should also be aware of the competing motivations in cybersecurity, de Metz points out. “Criminal hackers in Eastern Europe and China are motivated by the multi-million-dollar payloads they can achieve in a major enterprise data breach,” he says. “Compare that to the motivations of some cybersecurity people, who just want to get their jobs done and go home at five o’clock.” These two different motivations should inform your organization’s efforts to achieve robust cybersecurity and enterprise resilience, de Metz says.
4. Consider taking cybersecurity out of your employees’ hands
Given that data breach fatigue can lead to complacency, burnout, and human error, some organizations are turning over their cybersecurity to third-party cybersecurity and resilience solution providers.
“Outsourcing to experts removes a lot of stress for enterprises that are trying to control everything, usually without the cybersecurity talent and knowledge they need to get the job done,” Burke explains. “But when you outsource cybersecurity to a third party, your people are free to focus on high-value work instead of reacting to alerts and threats all the time. They can get out of the weeds and work on what’s strategic to business success. And doing that can go a long way toward alleviating the data breach fatigue that’s been holding them — and perhaps your organization — back.”
James A. Martin has written about security and other technology topics for CIO, CSO, Computerworld, PC World, and others.