Data breaches and climate change are a lot alike. Preventing either requires enough people to care about mistakes made one, two, or ten years ago and to change their daily habits to help prevent a growing, if hard to define, problem.
“Information security is a race between peak indifference to surveillance and the point of no return for data-collection and retention,” Cory Doctorow wrote in a recent article on BoingBoing. “The unprecedented leaks in 2016 were not (merely) the result of data gathered last year; much of that data was gathered in the decades [before] this one, inadequately secured and treated as so inconsequential that Yahoo allowed the NSA to backdoor a billions-strong silo filled with data its customers had not even realized they were filling.”
Can you convince someone that the pollution of yesterday is their problem, even if climate change wasn’t a “thing” back then? Can you convince someone to care about the theft of a decade-old batch of sensitive personal data? What if it’s been a few months or longer since the theft occurred?
And in some cases, the US justice system isn’t exactly making a case for caring about data security and preventing breaches. Take the recent incident at Neiman Marcus, for example. Long story short, NM announced that it had been breached in January 2014, although it had known about the theft for over a month. Over 1 million customer records were compromised. Recently, the retailer settled the ensuing class-action lawsuit for $1.4 million, but only $400,000 of that was slated to be distributed to the actual victims of the company’s negligence. The rest went to pay attorneys. And NM finagled a deal where it got to pocket any portion of the $400k that wasn’t claimed by a victim (via an arduous application process).
As Evan Schuman at ComputerWorld puts it: “There is a security ROI dance in retail today. Executives know that they can skimp on security and have a statistically decent chance the company won't get caught by a cyberthief before someone else has their job.”
Why even have data security measures in place? Because unlike climate change where regulations on high-polluting industries were recently loosened in the US, government data security regulations seem to be trending in favor of punishing enterprises more severely after a leak.
This is especially true if you’re in a field like medicine/healthcare. Fines for a failure to prevent breaches or leaks are steep and may get steeper.
HIPAA fines after a leak or breach in the healthcare industry are regularly north of $750k, and this doesn’t begin to cover damages to victims or settlements and legal fees. Not to mention the loss of reputation and clients following a breach. Net losses in almost every industry for a single, average leak easily add up to millions.
While promoting a culture of safe data practices may seem as difficult as instilling eco-friendly behavior and beliefs from average Joes to Congress, it’s likely that increased regulations and heftier fines—an inevitability as data leaks gain notoriety in the press—will provide the impetus some business leaders might need.
Data breaches up 566 percent last year (!)
IBM’s recent report on data breaches in 2016 comes with a hefty helping of shock and awe. According to Big Blue, the number of data security incidents in 2016 was up 566 percent from the year prior.
“With Internet-shattering distributed-denial-of-service (DDoS) attacks, troves of records leaked through data breaches, and a renewed focus by organized cybercrime on business targets, 2016 was a defining year for security,” the authors of the report wrote. “Indeed, in 2016 more than 4 billion records were leaked, more than the combined total from the two previous years, redefining the meaning of the term “mega breach.” In one case, a single source leaked more than 1.5 billion records.”
The report also drills down into specific verticals. It seems the source of data breaches varies significantly by industry service type. Outside threats led the charge in some, while inadvertent or malevolent insiders kept things spicy in others. Take note if you’re in the financial services or healthcare spheres: your coworkers are the main cause of compromised information.
Graphic by IBM
Vulnerabilities in web applications also did their fair share to compromise sensitive information. And yes, these web applications include the Dropboxes of the world. The takeaway: if you’re using a cloud-based consumer-grade product to send and store sensitive business materials, don’t.
Pizza by the Tweets
Now for something completely unrelated but interesting: “I want pizza” tweets by the hour in 2016.
What’s most alarming to me is the number of Twitter users who want pizza before noon. Call me a traditionalist, but that’s a food for after 12 p.m.
Please feel free to share your feedback or send us your questions. You can reach us by replying to this email or via the information on our website.
Vaultize is an innovative data security company that allows customers to track and control their documents from creation to deletion on any device, anywhere. From CYA to compliance, Vaultize provides data protection without restricting use. Vaultize’s platform utilizes DRM and encryption to secure any and every file, protects those files no matter where they travel, and provides visibility into who is accessing them and how they are being used. The Vaultize platform is transparent to users, scalable and flexible to deploy. For more information, visit www.vaultize.com.