Are we blasé about breaches?
A month ago we ran a story about the early Sony breaches against its PlayStation Network, which have since spiralled into a campaign of attacks against the technology giant.
That article addressed Sony's efforts to get the PlayStation Network back online and featured Sony president and CEO Sir Howard Stringer discussing the investigation into the breach and the restoration of the service.
What interested me, however, was the response to the story from commenters: there was little outrage at the potential loss of users' credentials or credit card data; the complaint was that the network was down and users could not play online while it remained so.
This led me to wonder: do people really care more about losing a service than about their data being exposed, and are we, in effect, blasé about breaches? Talking to SC Magazine, security consultant Brian Honan asked whether users really care about breaches as long as the service comes back online; after all, most credit card issuers will indemnify you against fraudulent online transactions, so credit card information may not be so important to the consumer.
He said: “The other information, most people share via Facebook. On top of that are the other recent large breaches, such as Epsilon, so maybe we have reached a stage where consumers accept breaches of this type as the cost of doing business online.
“Other types of breaches may raise other concerns, such as with banks and medical records, as there is potentially more direct damage. Organisations do not care; otherwise more would be done to prevent these breaches.”
Asked if people are blasé about breaches, Honan said it was perhaps more appropriate to ask ‘who cares about breaches?’
“The consumer, the breached company, information security professionals, regulators or the media? If we really cared about breaches, why are companies still taking a relatively lax approach to information security?” he said.
“I sometimes wonder if we are like the auto industry: 40 years ago cars had no seat belts, ABS or other safety features, because they cost more and there was no consumer demand for safer cars. Only when governments stepped in to reduce the cost of road accidents to society as a whole did car manufacturers pay attention. Maybe we will reach a point when so many breaches happen that government will step in, as the cost to an ‘online’ economy will be too high.”
I put the question to Jelle Niemantsverdriet, principal consultant, forensics and investigative response EMEA, at Verizon Business, who admitted that, looking at the comments on the article, his impression was that people do not see the potential consequences of such a breach.
He said: “So my email and name were stolen, so what? I hand out business cards to everyone but not my credit card details, so it might also be that people are not aware of what could happen and should think of the worst-case scenario.
“An email combined with a password or personal details could be used to further an attack on a system. Consumers are not so aware of that; they are more aware of the functional issue of the system being down. People may have accepted that and may be worried about that, or perhaps their anger about a breach is fading away.”
I also put the question to Kevin Bocek, director of product marketing at IronKey. He believed that if people have data breach fatigue, it perhaps started with the feeling that they are unable to control such things, so breaches become the norm.
He said: “All vendors are using the same method, and we as an industry have to ask if our methods are really effective. We hear about breaches and ask if they mean something; for the criminals the answer is yes, as there is a better accumulation of information with which to target the victim.
“Is there fatigue? I don't think so. For one thing, there is a tangible notification about targeted attacks and people take notice. No one can shrug it off and say that ‘there is no privacy anymore’, and within businesses someone pays for it; as we have seen time and time again with the likes of TK Maxx, there are payments to be made and we all have fixed consequences. As a business you cannot say no one has privacy; users will not stand for it.”
I also asked Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, who said that there is an issue of disinterest among users, as they will pick a free smartphone application that shares their data over a paid app that does not.
He said: “People will say that they are secure with their information, and then they check Facebook and start sharing information on social networking sites. People do not realise, or do not care, that there are 20 million credit card records breached, as they think ‘what are the chances of me being a victim?’ Websites cannot rely on the consumer to protect themselves.”
So is it the case that consumers are so unaware of the impact of data loss that it does not resonate, and that this leads to a blasé attitude because the truth passes them by? Quentyn Taylor, director of information security at Canon, agreed, saying that the people who own the system are the ones who get hacked and affected, not those who use it.
He said: “Data leakage is one of the biggest challenges our industry has ever faced, because stuff is being leaked. With Sony there was lots of stuff leaked, but you can send a fax to the wrong person, so it is easy. There is some technology there to prevent mistakes; imagine if there was a fax machine that could say ‘did you really mean to send this?’”
So really the answer to the question is not whether people care, but whether they are aware. Do breach announcements really register with them, or, if the reality were laid bare, would it be too much to deal with?