KnowBe4 Security Awareness Training Blog

Don’t Fall Victim to Breach Fatigue

Written by Stu Sjouwerman | Oct 18, 2019 11:04:45 AM

People shouldn’t let news of data breaches dissuade them from trying to protect their information, according to security researcher Ray [REDACTED]. On the CyberWire’s Hacking Humans podcast, Ray referenced an earlier episode of the CyberWire in which Carole Theriault said she often encounters an attitude in which people are resigned to the fact that all their data have potentially already been stolen, and that therefore it’s not worth going to the trouble of trying to prevent future breaches.

“I actually call that the fallacy of futility,” Ray said. “And what it is, is it's the idea that if we take the fact that online privacy doesn't exist anymore…if we say, well, there's no such thing as online privacy…the problem is, is, that's not a binary statement, right? It doesn't either exist or it doesn't. There are varying degrees of privacy.”

Ray explained that even data that have already been breached are not always easily discoverable or publicly accessible. For example, the OPM breach, which is believed to have been conducted by Chinese hackers, probably resulted in the data falling into the hands of Chinese intelligence services. While that’s not a good thing, it means the data probably aren’t available to petty criminals who could use them for identity theft and other crimes.

“It's very important to keep in mind that just because your data has been breached before…that doesn't mean that you'd necessarily want to be involved in others,” Ray said. “And ultimately, some of that data may be different, especially if you're using unique email addresses. But it is in everyone's best interest to try to protect themselves, you know, through OPSEC and practicing good security hygiene.”

Ray said much of the problem stems from the sheer number of breaches we hear about on a weekly basis. These breaches involve our data being stolen from companies we interact with, and we usually have no control over what happens to those data.

“I think it really is driven by the fact that, just like in cybersecurity, we have something called alert fatigue,” Ray explained. “We have something called outrage fatigue, and we have something called breach fatigue, which is when you see a big announcement about DoorDash and, you know, millions and millions of people's information being leaked – or even Words with Friends…we're so numb to these massive breaches that it feels like they're almost inevitable, right? And to a certain degree, when humans feel like something is basically inevitable, there is a tendency to just assume that it's going to happen at all times and that there's nothing that can be done to mitigate the impact of it.”

There are measures you can take to mitigate the risk and effects of having your data breached. New-school security awareness training can help your employees take steps to secure their data while staying safe from threat actors who may have already compromised it. The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-hh-2019-10-17.html