How Data Breach Fatigue Presents New Dangers
It seems like there's a new major data breach every couple of weeks. According to Privacy Rights, there have been more than 9,000 data breaches over the past 15 years — or about two data breaches per day — and those are just the ones reported in the U.S. The actual number of data breaches is likely to be much higher when considering unreported and global data breaches.
Let's take a look at how these data breaches may be causing data breach fatigue among consumers — and how companies can combat these trends and maintain their security.
What is Data Breach Fatigue?
Data breaches have become so common that many consumers don't react to news of a breach and aren't motivated to protect themselves.
According to the RAND Corporation, only half of survey respondents changed their password or PIN following a data breach and one in five didn't take any action at all. Many of the compromised accounts could still be vulnerable to attack to this day! Only a quarter of the respondents thought they were 'more diligent' following the breach.
The Ponemon Institute came to similar conclusions in a 2014 report that they prepared for Experian. According to that survey, 32 percent of respondents ignored data breach notifications and/or took no action and 55 percent of respondents did nothing to protect themselves from identity theft, such as changing account passwords.
The reality is that many people feel powerless following a data breach because they may not have control over their data and/or the affected products and services may not be easily replaceable. For example, the Equifax data breach exposed the personal information of more than 140 million Americans, but deleting credit history isn’t an option for most people.
The Impact on Businesses
Consumers may not always react to data breaches by changing their behaviors, but there are consequences for companies that suffer data breaches.
Data breach fatigue means that many customers no longer trust businesses with their data. In fact, the Ponemon Institute survey found that nearly a third of respondents stopped doing business with companies that experienced a data breach, which increases customer churn, reduces revenue and could impact valuation (e.g. stock prices or sale values).
The cost of a data breach can also be prohibitive for many small businesses. For instance, healthcare data breaches may involve regulatory penalties, and high-profile incidents could involve class-action lawsuits. According to IBM, the average cost of each stolen record adds up to about $148 — a high figure when multiplied across millions of records.
Small businesses are especially vulnerable to these consequences given their small size and geographic footprint. While large companies are quickly forgiven, small businesses are less equipped to handle the high costs and reputation damage. Only six percent of small businesses survive two years following a major data loss.
How Companies Can Improve
The challenge for consumers is remaining vigilant despite the frequency and magnitude of data breaches. At the same time, companies must both ensure that their employees don't succumb to the same fatigue and be ready to respond to data breaches of their own. The frequency of cyberattacks and data breaches shouldn't deter employees from being vigilant.
Download our free checklist for creating a cybersecurity incident response plan to ensure that you're prepared for the worst-case scenario.
There are several steps that companies should take:
Review cybersecurity policies and ensure that they are sufficient to prevent data breaches. If a new data breach identifies a vulnerability, these policies should be revised to prevent the same problem from occurring again.
Train and engage employees on an ongoing basis to ensure they're following cybersecurity best practices. In addition to training during onboarding, you may want to consider random compliance testing or quarterly trainings on cyber topics.
Ensure that networks are locked down with up-to-date malware and virus protection. You should also make sure that any network firmware and all company laptops and smartphones are kept up to date with the latest drivers and software.
Encrypt and back up all data to secure cloud storage to ensure that it's safe from prying eyes. If a laptop is stolen or an account is hacked, the data is useless if it’s encrypted — it might not even be considered a data breach by regulators.
If a data breach does occur, it's important to have an incident response plan in place to reassure customers and limit the collateral damage. The IT department should be prepared to interact with PR and customer support departments to effectively communicate with customers and show them what actions they should take to protect themselves.
These plans should involve several key actions:
Notify customers of the data breach in a timely manner and include the specific risk and impact. It's usually best to give customers all of the facts upfront in an understandable manner rather than trying to downplay the incident.
List the steps that customers can take to protect themselves from identity theft and fraud. For instance, if credit cards are compromised, you may advise customers to cancel the credit card and add a new payment method.
Explain the steps that you're taking to remedy the situation and avoid future data breaches. While avoiding technical details, you should do your best to reassure customers that their data is safe moving forward.
The Bottom Line
Data breaches have become alarmingly common in today's connected world. While consumers are becoming apathetic about cybersecurity, data breaches come with a significant cost to businesses — especially small businesses with fewer resources.
Jungle Disk provides a comprehensive cybersecurity suite designed for small businesses with two to 250 employees. With active network protection, password management and secure cloud storage, the end-to-end solution makes it easy to implement best practices for a fixed monthly per-employee fee, making cybersecurity effective and affordable.