First, it was the Ticketfly hack in May. My email was among the 27 million accounts stolen from the events company.
According to the website Have i been pwned?, which monitors data breaches, my personal email has also been found in records stolen from sites like Tumblr and LinkedIn.
By the time the Ticketmaster and PageUp data breach notification emails landed in my inbox weeks later, my attitude had devolved from concern to extreme digital nihilism.
Am I suffering from data-breach fatigue?
Peter Singer, a strategist and senior fellow at New America who writes about cybersecurity, is worried that after all the hacks, data dumps and servers left unprotected, we may be tuning out.
Data breach fatigue
Troy Hunt, who runs Have i been pwned?, has seen the rate and size of data breaches grow since he founded the site in late 2013.
Rather than becoming fatigued, he suggested people simply accept such incidents are now “a normal part of online life”.
“I’m actually finding … that people are judging companies less on the fact they’ve had [a data breach], and more on how they’ve dealt with it,” Mr. Hunt said.
What should I do after a data breach?
Change your account password and get a password manager
Report financial losses to the Australian Cybercrime Online Reporting Network
Check your bank account for unusual charges
If your credit card details have been lost, contact your bank
We don’t yet know much about “data breach fatigue” as ameasurable phenomenon, agreed Cassandra Cross, an online fraud researcher at the Queensland University of Technology.
“I don’t really think we know … whether people are making choices to do things differently, [or] whether they’re just ignoring it,” she said, suggesting more work needs to be done.
Rui Chen, an information systems academic at Iowa State University, investigated consumer attitudes after online security incidents.
In 2015, the US Office of Personnel Management (OPM) lost more than 4.2 million personnel files, among other sensitive documents.
Dr. Chen and his team used sentiment-analysis tools to track the emotional content of 18,764 tweets containing the hashtag #OPMHack.
After events associated with the hack — from the initial breach announcement to the OPM director’s resignation — they saw a large drop-off in reaction.
In other words, Dr. Chen said, “we can see that the public is gradually losing interest in reacting to this news”.
The effects of ‘fatigue’
If people don’t take breaches seriously, they may not follow instructions to protect themselves, such as changing passwords or using credit-monitoring services.
But our understanding of how people do respond is limited.
“One thing could be there are just so many incidents of data breach happening … people consider it typical,” Dr. Chen speculated.
“It’s the norm of this digital world.”
These incidents can also feel quite abstract, Dr. Cross added.
Consider the compromising of more than 359 million MySpace accounts or more than 164 million LinkedIn accounts — these are almost unimaginable numbers.
For victims, there’s also a difference of perception between your details being lost or stolen and actual misuse of that information — in the form of identity theft, for example, which is estimated to cost Australia $2.2 billion each year.
“They’re just one small individual within an entire group, and they don’t feel that they are particularly valuable in terms of a target,” she said.
Real-world effects
New America’s Peter Singer suggested we won’t see decisive action from the government on these issues until breaches begin to have a dramatic impact in the physical world.
Connected devices, from fridges that can be accessed online to driverless cars, will make this more dangerous — and likely.
You might start caring more when a hacker uses stolen credentials to turn your lights on and off remotely.
“I think … what will inevitably happen is some type of bad outcome,” Mr. Singer added.
A badly handled data breach can also dent a company’s reputation.
Take Uber, which initially tried to cover up the exfiltration of the names, email addresses and mobile phone numbers of 57 million users.
Mr. Hunt also sees companies being judged harshly if a breach exposes their poor security posture, such as storing passwords in plain text without cryptographic protection.
On the flip side, he cited the Red Cross Blood Service’s reaction as “the gold standard” after it lost donor information in 2016.
The group was swift to act and tell the public — and was apologetic throughout.
As data breaches continue, Mr. Hunt hopes people will avoid fatigue and take control: get a password manager, make all passwords unique and turn on two-factor authentication.
“These are really basic things that we can all do, and they fundamentally change the impact of a data breach,” he said.
In college, I had a short-lived and hilarious dream that I could learn to play lacrosse. I suppose I was attracted to the glamour of running wind sprints for two hours while being hit with titanium poles.
Alas, the dream was not to be. When I showed up to my first pick-up game, I had no idea what a “slide” was, didn’t realize “clamping” had anything to do with face-offs and had no idea where “the box” was.
If you want your employees to use the $3,000-per-license business intelligence software you bought, they need to be data literate first. Otherwise, that BI tool will be as useless as a lacrosse stick was in my hands.
Fortunately, Gartner research can help you and your team get data literate. They’ve come up with multiple strategic suggestions that you can implement at your business.
What Is Data Literacy?
Data literacy means you “speak” data the way you might speak any other foreign language.
“Gartner defines data literacy as the ability to read, write, and communicate data in context, including an understanding of data sources and constructs, analytical methods and techniques applied, and the ability to describe the use case application and resulting value.”
(Full research available to Gartner clients.)
In plain English, data literacy means you know what data you’re tracking, why you’re tracking it, how to read that data, and how to use that data to save or make money.
Data Literacy Is the Gateway to Business Intelligence
At its heart, business intelligence software is a data-wrangling program.
BI software programs organize all your data sources (website data, CRM data, email data, financial and POS data) and let you see how those data sources interact (for example, did sales increase when you changed the colors on your website?).
So, until your employees are literate with the data your business intelligence tool wrangles, they won’t know how to wrangle their business intelligence tool.
The data literate person knows what data they’re tracking, where it’s stored, and how it fits together. That’s not all they know, though.
Data literacy is also a way of thinking in terms of data. The data literate person doesn’t just think in generic terms—such as did sales increase? They think in terms of data—did Q1 website conversions among women ages 18 to 34 increase as a result of that email campaign?
It’s like learning a foreign language: You haven’t really learned that new language until you start thinking in it, as well as speaking it.
How To Teach Your Employees Data Literacy
Most employees, however, probably don’t think in terms of data, which presents you with another challenge: How do you get your employees to start thinking in terms of data?
1. Employees need to know what data literacy is
Becoming literate in any new lingo is challenging … especially when people don’t know that lingo even exists.
Chances are, most of your employees aren’t even aware that data literacy is a concept. So if you want your employees to use your BI software, you’ll have to introduce data literacy first and explain why it matters.
And don’t just introduce the concept of data literacy once. Introduce it repeatedly.
No, “introduce repeatedly” is not an oxymoron. Since learning how to speak (and think) data is a major change, a single introduction probably won’t stick. They may forget at first, and that’s natural.
Case in point: As a one-time substitute teacher, I got several classes to make a major change by introducing that change gradually.
The English teacher I subbed for allowed cell phone use in her classes. Predictably, the students were learning next to nothing, though their Candy Crush scores were amazing, and they Snapchatted all their paper cuts. About a month into the gig, I decided to ban cell phones.
The change only worked because I introduced it gradually—I announced I would start the policy on a set date, explained why I was doing it, and reminded students to leave phones in their lockers.
If students brought their phones with them, they could put it in a plastic box at the front of the room when class started. If their phone rang while in the box, I’d leave it alone. If it rang while on them, I’d answer it in a loud and public fashion, and they’d go to the principal’s office.
Though the notion of spending even 45 minutes without their phones was horrifying for most of them, the policy worked well because I gradually introduced the concept of class without phones.
How to put this into practice:
There are multiple ways to introduce data literacy to your employees over a period of time.
At Capterra, our employees volunteer to lead “lunch and learn” sessions: brief, hourlong intros to topics that interest them. You could encourage data-savvy employees at your company to do the same.
You could also spend time at all-company or department meetings translating basic activities, or concepts, into data. Anything that breaks the data-ice is a good idea.
2. Employees need to speak data
Once employees know what data literacy is, they need to learn to “speak” data.
Gartner analyst Valerie Logan suggests you approach learning to speak data the same way you would any foreign language and even refers to the process as ISL or information as a second language. (Full Gartner research is available to clients.)
How to put this into practice:
Figure out which employees already speak data, and also who can translate data into plain English. These “data translators” can help employees who struggle to speak data.
Figure out what the language barriers are to speaking data: If business and IT folks don’t speak the same language, that’s a language barrier (or “interpretation gap,” as it’s also called).
There are multiple ways to break language barriers:
Keep a glossary of common terms.
Make sure C-level executives speak data so they can set an example.
Make sure your business goals are expressed in actionable language.
3. Employees need to speak data to each other
Practice makes perfect, so speak data regularly until it becomes a habit.
As Gartner analysts Alan Duncan and Lydia Clougherty Jones suggest, the best data-driven companies focus consciously on this goal. They don’t just speak data, they interact in terms of data. They use data as a way to build inter-team trust, presenting evidence and keeping an eye open for problems such as confirmation bias. (Full Gartner research is available to clients.)
At the same time, you’re learning terms such as “confirmation bias” and “cognitive filtering,” you can think about examples of this in your own work, and be on guard against these bad habits.
How to put this into practice:
Follow the example of foreign language conversation clubs. In the same way those clubs meet once a week to practice German or Amharic, get a group together for weekly or monthly coffee meet-ups where you talk data: what data you’re working with, how it interacts with other departments’ data, and what data you wish you had.
For instance, how does your website’s load time impact visitors and conversions? If sales and tech aren’t discussing how those data sets interact, you could be missing out on a possibly lucrative correlation. (Hint: shorter load time almost always means more visitors and conversions).
Discussion groups like this also help with another important goal: becoming data-driven. This is where business intelligence as a way of thinking comes into play. As you’re learning to speak data, treat it as an opportunity to learn how to think differently.
4. Employees need to speak data frequently
Ideally, brown bags and discussion groups will be your first step on the way to data literacy immersion.
Immersion’s the best way to learn to speak a foreign language, and speaking data is no different.
How to put this into practice:
Gartner analyst Valerie Logan recommends you speak data in everyday conversations, “from board meetings to team meetings.” If speaking data becomes a regular behavior, it’s more likely to stick. And when it sticks, you’ll be on your way to being data-driven.
As Gartner analyst Alan Duncan notes, becoming data-driven has more to do with behavior than technical know-how. That’s why HR should also be involved in your attempts to become data literate.
Duncan recommends having the HR department be a core stakeholder in business intelligence change management. Primarily, they can “adjust hiring practices to emphasize analytic literacy.” (Full Gartner research available to clients.)
The hacking of medical clinic employee’s email account during travels overseas demonstrates the risks posed to data when workers travel – and the need to mitigate those risks.
Billings Clinic in Montana – which includes a multispecialty group practice with a 304-bed hospital and a Level II trauma center – says in a breach notification statement it became aware on May 14 of “unusual activity” within one of its employee’s email accounts.
The employee was traveling overseas on a medical mission at the time of the hacking incident, according to the statement.
What Happened?
Billing Clinic says it took immediate action to disable access to the email account, launched an investigation to determine what happened and took action to further secure its email system.
“As a result of the forensic investigation, we learned that an unauthorized individual had access to emails and attachments within that one account, some of which included patient information.”
The types of information on 8,400 individuals included in the affected email account include patient name, date of birth, contact information, the medical record number, internal financial control number, diagnosis and limited information about medical services received, the clinic reports.
“Each patient had different types of information, included in the emails, and no one email contained all of these types of information,” the notification statement says.
Earlier Incident
As of July 16, the hacking incident was not the Department of Health and Human Services’ HIPAA Breach Reporting Tool website – commonly called the “wall of shame” – that lists breaches affecting 500 or more individuals.
That breach tally, however, lists a different hacking/IT incident reported in April by Billings Clinic that impacted 949 individuals.
In a notification statement posted on Billings Clinic’s website about the earlier incident, the clinic says that on February 26, it also became aware of unusual activity within its email system, and immediately took action to disable the account.
A Billings Clinic spokesman tells Information Security Media Group that the two breaches were separate incidents, but declined to discuss further details, including the steps the clinic is taking to bolster security in the wake of the breaches.
The spokesman also declined to discuss whether the traveling employee in the latest breach was traveling with a Billings Clinic laptop or other mobile computing devices, or whether the employee had been accessing Billings Clinic’s email system while using a personally owned computing device or smartphone.
Overlooked Risk?
Data breaches occurring during employee travel are a common but often overlooked problem, says Rebecca Herold, president of Simbus, a privacy, and cloud security services firm, and CEO of The Privacy Professor consultancy.
“It is very common for data and devices to be hacked while traveling and for those who were hacked to not even realize it.”
—Consultant Rebecca Herold
“It is very common for data and devices to be hacked while traveling and for those who were hacked to not even realize it,” she says. “People are often unaware of what is going on around them when they are traveling. They are using any charger station they can find, they speak loudly and they use free Wi-Fi,” she says.
Cybercriminals routinely scan free Wi-Fi networks and copy unsecured transmissions, including emails, she says.
“Shoulder surfing is also still very common; it’s a decades-old tactic that still works effectively today. And the skimmers on charging stations are increasing in use. Don’t think that if you are in a frequent flyer lounge that these things do not happen there; they happen in those exclusive lounge areas possibly more than in other places,” she warns.
Cybercriminals often target travelers, Herold says, because “it is easy for them to commit their crimes without getting caught because there is usually no digital evidence created.”
Mac McMillan, CEO of security consultancy CynergisTek, offers a similar assessment: “Any time you travel overseas you may be at greater risk as local cybercriminals will have access to your mobile devices, the locations where you are staying or the ISPs their networks and your traffic is traversing.”
Healthcare entities and other organizations – and their traveling staff members – should review information from the Federal Communications Commission, Department of Homeland Security, and other agencies for tips on securing their computing devices while overseas, McMillan stresses.
“The problem is that most private businesses don’t educate their employees on these risks,” he says. Government agencies “routinely brief employees on foreign travel risks and are always aware that overseas we are potential targets.”
Steps to Take
McMillan advises workers on vacation to “leave the work computer at home. Temporarily suspend access to sensitive apps and work email, and do not permit mail forwarding.”
But if remote access is absolutely required, he says, “employ two-factor authentication on both apps and email, and strong encryption on all devices. Use different passwords or pins when you travel. Do not make online purchases or go to your online banking site. Clear your cache regularly. Turn off auto-join on your Wi-Fi. If traveling for more than a few days, reset your settings. Above all keep your devices with you at all times and shielded from view.”
Keith Fricke, a consultant at tw-Security, notes that some companies issue a laptop specifically for overseas travel that is locked down more than normal and has fewer applications on it.
There have been reports of some private airplane flights having “hidden cameras” in them recording information on the screens of laptops passengers used laptops during the flight, he says. “Stories also exist of hidden cameras in hotels of certain foreign countries or people entering hotel rooms when the occupant left the room for meetings or a meal. The intruder looked for ways to obtain unauthorized access to information,” he notes.
Herold advises organizations to take a number of precautions to reduce the risk of breaches while individuals are traveling.
“Implement policies for employees to not use public Wi-Fi,” she stresses. “Provide secured virtual private network or similar types of solutions for remote access. I carry my own device that I use to establish a private VPN connection. I never use public Wi-Fi, or the Wi-Fi in the hotels or restaurants either.”
Organizations should also require that data be encrypted in transit and in storage, she says. “That way, if someone gets access through a network, the data is not accessible. If they get access to the device, the data is not accessible.”
Herold also advises employers to “provide information security and privacy reminders and awareness communications of other types prior to employee travel so that they have the need to practice safe mobile computing at top of mind.”
Employers have learned (the hard way) that one of the biggest security threats in the organization is their own staff.
A report published by Ipswitch looks at data breach causes to find out how rogue employees rank. An interesting find is that up to 75% of data breaches result from insider threats, while a separate report by Veriato suggests that 90% of cybersecurity experts feel that their company is vulnerable to insider attacks. In fact, about 50% of the 472 professionals surveyed said they had suffered these attacks in the previous 12 months.
Deliberate or not, these threats are very real and as heavily as companies might invest in data security software, they are always going to be vulnerable because they continually ignore a large component of realizing fewer cybersecurity threats.
Since employees (insiders) have access to company information, they are technically a bigger danger to data security than the third party cyber-criminals who use all manner of innovative ways to gain access to personal data.
A curious business owner wants to know: Why must I involve employees in implementing data security when they have been shown to be a weak point in the same strategy?
1. Social engineering transcends security tools
Human error is often the weakest link in an otherwise ideal chain. From technology to literature, social engineering is the big boss you have to beat after meeting all the other mini-bosses.
By definition, social engineering involves the use of psychological tricks to manipulate people into revealing sensitive information about themselves. For an organization, once the hacker has your employee at this point, they can gain access to all the areas the employee can typically access. Through social engineering security awareness you can help your employees avoid the three commonest security scams thereby protecting your company as well: identity theft; vishing; and baiting.
Without adequate education on social engineering and covering that loophole, security tools are almost useless.
2. It’s part of their responsibility
Apart from preventing the catastrophic aftermath of social engineering, data security is the responsibility of every employee in the organization in this sense: if consumers expect organizations to protect their data, isn’t it the responsibility of employees to make sure the data doesn’t land in the wrong hands?
Dropbox’s 2012 incident, during which hackers reportedly stole data belonging to over 60 million of Dropbox’s clients at the time, was attributed to employee negligence.
As reported, the hackers who used the password of the employee were able to access the company portal by reusing a password from the LinkedIn breach of the same year that exposed the emails and passwords of 117 million LinkedIn users.
Such an example shows that as a company, you can still unwillingly betray your customers. While Dropbox wasn’t entirely to blame, one of their employees reusing passwords was a great insight into the company’s internal security standards and more importantly, a good example for all employees on password don’ts.
3. It is now a common regulatory requirement
Through internet security awareness training, organizations are required to equip their staff with knowledge about data security. Some of the laws, regulations and industry codes include HIPAA, FTC Red Flags Rule and PCI DSSamong others. While many SMEs don’t do any training to remain compliant, many conduct the training to avoid cyber-attacks.
These tips will help you implement a great training program:
Diversify your training methods. Have a mix of training techniques at your disposal including classrooms, videos, team discussions, newsletters, posters, etc.
Educate often. Conduct regular training in monthly, quarterly, or annual cycles.
There’s no one size that fits all. Different members at different levels will start learning at equally different points.
Don’t ignore industry regulations.
Don’t be like the owner who delegates the role of data security to themselves because it’s “too important.” If you really want to be stress-free, train your employees well and promote a culture of information security.
The FBI recently noted a decline in ransomware attacks reported to the agency in 2017, at 1,783 compared to 2,673 the previous year. But don’t necessarily read this as good news. The reality is ransomware, like many other cyber-attack types, goes largely under-reported. A Verizon report, based on its analysis of tens of thousands of real-world security incidents, found that ransomware incidents have doubled over the past year.
Ransomware is a class of malware that locks your system and encrypts vital files. Attackers usually demand a cryptocurrency payment to release the files, but there’s no guarantee they will actually do so after receiving payment.
“We used to hear very often it was mostly consumers – but [for those attacks] you’re looking at $75 as a cyber-criminal,” says Theresa Payton, former Whitehouse CIO who’s now president and CEO of Fortalice Solutions. “Why do that when you can go from a mom and pop shop all the way up to the Fortune 50?
“And that’s what they’re doing. They’re hitting all businesses, targeting Any business connected to the internet – and what business isn’t?”
Significant Impact
In 2017 the WannaCry, NotPetya, and BadRabbit strains didn’t just disrupt business processes; they hobbled infrastructure and hurt international brands like FedEx. This took the ransomware threat vector to a “completely new level,” using worms to propagate through systems and impacting 300-400,000 devices worldwide, says Steven Wilson, head of Europol’s EC3 cyber-crime center.
And the rise of off-the-shelf kits that can be bought online for just dollars puts ransomware tools in the hands of anyone with the will to use them.
The organizational impact can be severe, ranging from downtime to reputational damage. One official British report suggested that the public response to WannaCry had even undermined trust in government.
“Just think: your entire customer records database is gone,” says Wilson. “You don’t know who owes you money, who you owe money to, or who you’re going to sell your product to. That’s the reality if ransomware strikes you. Everything is gone.”
Raising Awareness
If there is a positive outcome, it’s that WannaCry raised awareness that ransomware is here to stay: an unfortunate case of “if” and not “when”.Fortunately, there are basic cyber hygiene steps you can introduce to avert potential disaster.
Often it’s the unpredictable human element that’s the weakest link in cyber defense, so awareness training can go a long way.
On the technical side, it’s making sure your systems are up to date and fully patched so that the latest versions of your operating systems are running with trusted anti-malware solutions and the latest definitions.
And if the worst happens, maintain a recovery plan with a full set of backups.
According to Payton, organizations should also consider network segmentation and be introducing kill switches to prevent malware from moving laterally, as WannaCry did.
“Practice for the worst and hope for the best – making sure you’re thinking ahead, practicing that digital disaster, practicing your comms plan,” suggests Payton, adding that organizations should also perform test runs on full restores.
How can the technology community help?
Public and private bodies must work together with vulnerabilities out in the open, collaborating to prevent or mitigate future disasters. NoMoreRansom, for example, pools resources across organizations to provide decryptors for known threats.
