Don’t fall into Breach Fatigue
Category : Uncategorized
Stu Sjouwerman from Know Be 4 wrote this blog post. I think that it is entirely accurate. Every day, I meet with clients that say “So what? My login is compromised somewhere on the dark web. So, does that mean I am going to be hacked tonight? Does that put me in danger?”. I even had one prospect yell at me and call me an “alarmist”. However, the fact is, yes. You are in danger and with all of the breaches happening, you put yourself and your company’s network (s) in jeopardy. There are plenty of ways to protect yourself – but first, you have to understand the danger. With so many news reports of breaches- we have become complacent.
People shouldn’t let news of data breaches dissuade them from trying to protect their information, according to security researcher Ray [REDACTED]. On the CyberWire’s Hacking Human podcast, Ray referenced an earlier episode of the CyberWire in which Carole Theriault said she often encounters an attitude in which people are resigned to the fact that all their data have potentially already been stolen, and that therefore it’s not worth going to the trouble of trying to prevent future breaches.
“I actually call that the fallacy of futility,” Ray said. “And what it is, is it’s the idea that if we take the fact that online privacy doesn’t exist anymore…if we say, well, there’s no such thing as online privacy…the problem is, is, that’s not a binary statement, right? It doesn’t either exist or it doesn’t. There are varying degrees of privacy.”
Ray explained that even data that’s already been breached is not always easily discoverable or publicly accessible. For example, the OPM breach, which is believed to have been conducted by Chinese hackers, probably resulted in the data falling into the hands of Chinese intelligence services. While that’s not a good thing, it means the data probably aren’t available to petty criminals who could use it for identity theft and other crimes.
“It’s very important to keep in mind that just because your data has been breached before…that doesn’t mean that you’d necessarily want to be involved in others,” Ray said. “And ultimately, some of that data may be different, especially if you’re using unique email addresses. But it is in everyone’s best interest to try to protect themselves, you know, through OPSEC and practicing good security hygiene.”
Ray said much of the problem stems from the sheer number of breaches we hear about on a weekly basis. These breaches involve our data being stolen from companies we interact with, and we usually have no control over what happens to those data.
“I think it really is driven by the fact that, just like in cybersecurity, we have something called alert fatigue,” Ray explained. “We have something called outrage fatigue, and we have something called breach fatigue, which is when you see a big announcement about DoorDash and, you know, millions and millions of people’s information being leaked – or even Words with Friends…we’re so numb to these massive breaches that it feels like they’re almost inevitable, right? And to a certain degree, when humans feel like something is basically inevitable, there is a tendency to just assume that it’s going to happen at all times and that there’s nothing that can be done to mitigate the impact of it.”
There are measures you can take to mitigate the risk and effects of having your data breached. New-school security awareness training can help your employees take steps to secure their data while staying safe from threat actors who may have already compromised it. The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-hh-2019-10-17.html
If you want to know more- we can do a dark web scan for your organizations domain – and see how phish prone your users are.