About Adam K Levin | Contact | Videos

What Equifax Teaches Us About the Dangers of ‘Breach Fatigue.’Data SecurityIdentity Theft


Share

From mid-May to July, 143 million U.S. consumers were more vulnerable to hackers than usual. Or rather, they were actively vulnerable.

Equifax, one of the three major consumer credit reporting agencies, reported that the company had suffered a massive data compromise that exposed their customers’ Social Security numbers, drivers license numbers and other sensitive personally identifiable information.

In a statement, they noted that the compromise was not limited to U.S. consumers. There were some customers in Canada and the U.K. who were also affected.

Make no mistake: This is a watershed event.

While Equifax is not the record-holder for largest breach–that distinction goes to Yahoo, which leaked more than a billion records–this latest compromise certainly looms large. The reason has to do with the kind of information compromised–granular data that otherwise would only be warehoused at the Internal Revenue Service.

As the parade of breaches and compromises wombles past the grandstand of newsworthiness, breach fatigue has become our greatest enemy.

Breach Fatigue

With insurers increasingly finding ways to manage cyber-insecurity, the threat sometimes can seem diminished.

The cost of a breach last year was down 10 percent from the previous year to an estimated $3.62 million, according to the 2017 Ponemon Cost of Data Breach Study. Ponemon found that the “average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased from $158 in 2016 to $141” in their latest report.

While the cost of breaches is going down–in no small part due to more economic and efficient responses to the everyday assault of data compromise–the number and prevalence of them does not seem to be diminished at all. We’re still seeing mega-breaches. And if anything, they’re getting worse.

Breach fatigue is the enemy. And here’s the thing about it–the fatigue increases the threat, because fatalism sets in. If there is nothing you can do, why do anything?

The recent hurricanes provide an accurate illustration of the situation: in a Category 5 storm, the onslaught of wind and water is constant, and when they find a new void (an open or even a cracked window, an unsecured door, or anything below the rising waters) they will infiltrate.

There’s an app for that, right? Sort of.

Consumers can freeze their credit, get automatic transaction alerts, subscribe to all stripes of identity theft monitoring services, corporations and other organizations can get cyber liability insurance, but at the end of the day that may serve to create a permanent problem.

There is no app for creating a culture of best practices in the realm of cybersecurity.

The Always-Already Threat

The first thing we all need to remember is that there is no silver bullet, no miracle cure, and no way to stop someone from using information that is already out there.

In the future, we will probably find solutions to the quagmire of self-authentication and identity-related fraud.

It is likely Social Security numbers will no longer be used to authenticate a person applying for credit. It may be part of the process, but not the whole thing. What other innovations may evolve during this data-breach epidemic are still unknown, but they are being worked on every day.

Science fiction writers may dream otherwise, but there is no way to control the weather. Similarly, the possibility of fending off every attack is a pipe dream. A healthy mantra might be: I can only control what I do in various kinds of weather.

The onslaught is constant. Equifax may or may not have had adequate cyber defenses until the moment it went live with an update or a new feature, and at that moment, the wind or water (take your pick) rushed in.

Security lapses do not have to last long to be exploited.

In the meantime, consumers and companies alike are not without agency.

For many years now I have been advocating a system called the Three M’s, which are the centerpiece of a book I wrote called, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

Practicing the Three M’s continues to be the best way to keep your personally identifiable information from being used in identity-related crimes.

They are simple:

1. Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and consider freezing your credit.

2. Monitor your accounts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible. (You can check two of your credit scores for free every month on Credit.com.) If you prefer a more laid back approach, sign up for free transaction alerts from financial services institutions and credit card companies, or purchase a sophisticated credit and identity monitoring program,

3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises–oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and HR departments.

Humans are incredible, and will never cease to accomplish the most amazing things. We innovate, which is why the threat of data breaches and cyber compromises will never go away. The first order of business is accepting this reality, and the second is learning how to live in it. We are all, each of us, our only hope.