In .66 seconds, the term ‘data breach’ returns more than 144 million results on Google. As professionals in the industry, we hear about it every day, but I want to dig into what this really means for the world at large, together.
A data breach as defined by the Information Commissioner’s Office is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.’
There are two words we’re focusing on here, and they are destruction and loss. From there, we’ll get to the happy part… I promise!
Destruction from a data breach
Traced back to a Chinese intelligence group seeking to learn more about U.S. citizens, Marriott’s infamous breach was not uncovered until 2018, four long years after their network was first compromised. During that time, including through their acquisition of Starwood hotel brands, one of the most notorious crimes in cybersecurity history was being committed.
The credentials, passport numbers, credit card numbers, and personal information was stolen and exploited from approximately 500 million unsuspecting Marriott customers. The destruction this breach caused has rippled into U.S. and foreign politics via the Trade War and is ultimately resulting in potentially one of the biggest trade deals ever made.
Meanwhile, Michael Kovrig–who is a Senior Advisor of the International Crisis Group, former Canadian diplomat, and a loving husband and son–has been detained in China for over 500 days on politically motivated charges tied to the unraveling of this very messy and complex data breach. He’s been allowed one phone call to speak with his father, whose health is in severe decline.
Circling back to this word destruction — where, and how do we begin to count the losses and tally damages? Is it in dollars and cents, the psychological impact and loss of trust, rebranding efforts, or the actual lives and families deeply impacted by this event?
It seems nearly impossible to quantify the cascading effect this breach will continue to have, but one single fact remains the same: it could’ve been prevented.
We know this because, in early 2020, Marriott quietly disclosed the entry point was a result of two of their employee’s login credentials being compromised, allowing the malicious actors to ultimately gain access to back-end systems. This was the second security breach Marriott had disclosed in the past 18 months prior to this event.
Aside from the financial loss, loss in business, and the loss of trust and a solid reputation when a data breach occurs, there is a much bigger and all-encompassing loss that involves everybody, even those unaffected by certain breaches like the one we just talked about.
The International Data Corporation (IDC) predicts that by the end of this year, a quarter of the world’s population will have been affected by a data breach. I did the math (so you don’t have to) that is almost two billion people who may lose money, financial autonomy and security, and general peace of mind. Not to mention, 60% of SMBs close within six months of a data breach, with the average cost of a breach in the U.S. climbing to nearly $8 million as reported by the 2018 Cost of Data Breach Study.
Entire businesses are being lost and brands tarnished due to cyber attacks, but what are these companies doing wrong?
In the first half of that same year, social media breaches alone accounted for about 56% of the more than four billion data records compromised. It’s now 2020, and more often than not, you sign up for an app that’s meant to connect you with friends or improve your life in some way, and it somehow results in the non-consensual loss of your privacy and personal information.
Now let’s move on from the destruction to discuss losses in a data breach
Aside from facilitating the loss of your personal information, they’re not working with law enforcement when they discover the crime. While it’s become instinctual to dial 911 if someone physically breaks into your home or car, behavior trends in the opposite direction when it comes to cyber crime, which is unfortunate because when businesses act quickly, the Bureau’s Recovery Asset Team (RAT) reports a high recovery rate.
So, in many cases people don’t report breaches unless they are forced to. What I mean by that is compliance regulations, contracts, and other policies force reporting, but it’s not enough. So much slips through the cracks unnoticed to anyone but the victim. Because of this, law enforcement agencies across the planet are generally unsure of how many cyber crimes are being committed, which leaves everyone at stake on an individual level.
IC3, or Internet Crime Complaint Center, is another branch of the FBI that accepts internet crime complaints online from either the actual victim or from a third party to the complainant, giving everyone the opportunity to come forward and get help if they believe they’ve been victimized. While 350,000+ crimes were reported in 2018, the Bureau estimates only 15% of victims actually report crimes.
Circling Back to Losses in a Data Breach
Here, alongside all the money, data, and trust, we also suffer a massive loss of opportunity for cybersecurity companies and law enforcement agencies of all kinds to make a difference and create a safer internet landscape for everyone.
On both the individual and corporate level, why is this the case?
In my opinion, it stems from a lack of awareness. A lack of awareness around personal and professional security best practices, and general ignorance towards the very real threats that exist online. If you’re in cyber, then you know. And, if you’re not, chances are, you’re blissfully ignorant until your credit card has been maxed out by someone across the globe burning through penthouse suites or pairs of shoes
The Silver Lining
Curricula’s security awareness training episodes are an engaging and eye-opening animated mini-masterpieces that brings to light powerful concepts while busting myths like, “nobody would want to hack me” and “my company is too small.” Most importantly, they brilliantly teach core concepts, like how to spot a phishing email, how to create a strong password, and why you should use multi-factor authentication in a digestible and memorable way. Employees deserve this quality of training as a basic right.
To put it all together — defending against these cyber threats is not optional, it’s a requirement of everyone. And there’s a lot of potential destruction and loss at stake without this kind of information readily available.
I believe that Curricula has the unique opportunity to become best known for our integrity and commitment to being helpful for security awareness training. As one of our customers said: “It’s nice to see good people doing good work in the cyber space.” Instead of hacking people live on stage at DEFCON, we can just be helpful. We can educate everyone by working together.
As colleagues, we’ve officially navigated through a monumental global crisis. I believe that we as a unit can make a positive difference for people across the globe.
The cyber security community at large, working together, can create a positive ripple effect that, similar to data breaches, would be too vast and impactful to measure.
To learn more about Curricula, sign up for a free episode to see how you can better defend yourself and your organization from a data breach.