By Daniel J. Solove
It seems as though every week brings news of another batch of data breaches . . . and they’re getting bigger. Target. Home Depot. Sony. Anthem. The list goes on and on.
The costs of many of these breaches are devastatingly large. And yet most data breaches are readily preventable. After reviewing more than 1,000 data breaches from 2014, the Online Trust Alliance (OTA) found that more than 90% of them could have been avoided.
Some organizations will take this news and beef up their security efforts. But many organizations won’t do anything differently. Even in light of the mounting frequency and costs of data breaches, many organizations will just keep humming along. They will get breached — or already have been and just don’t know it. Eventually, they’ll get burned. Then they’ll learn and finally step up their efforts.
I see this story again and again. An organization doesn’t take security (or privacy) risks seriously enough. The organization gets burned, and that is the wake-up call. The organization then gets serious.
I’ve noticed two general attitudes toward risk: (1) those who must burn before they learn and (2) those who learn rather than burn. Some, despite all warnings, just won’t step it up until after they get burned. It’s akin to how teenagers won’t heed warnings and have to learn the hard way.
There are many things that can readily be done to reduce the risk of data breaches. There may never be a way to get to 0% risk, but any significant reduction in risk is a huge benefit and will have a great return on investment.
For example, most problems in security are due to human mistakes. These are preventable with effective training. Hackers often don’t get in because of their technical savvy. They get in because they are good con artists and trick people. In movies and on TV, hackers are often able to break into any network just by typing a few keystrokes — reinforcing the mistaken view that hacking is preventable by merely fortifying technical controls. You can encrypt data and create requirements for strong passwords, but a hacker can get in by tricking people into divulging their passwords. That’s why training the workforce is essential.
Most data breaches are avoidable — if only organizations chose to learn rather than burn. But unfortunately, far too often, organizations must burn before they learn.
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 890,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.