Introduction
The Aesop fable of the boy who repeatedly raised false alarms about a big bad wolf teaches us that people may become inured to repeated warnings, even if they are eventually proven true. This resonates with how people are currently responding to data breaches – they are becoming more accepting of them rather than taking steps to increase their security.
In short, they are experiencing what is now being termed ‘breach fatigue’.
What is it?
Breach fatigue is the psychological response of individuals to regularly reported or experienced data breach attacks. The year 2021 witnessed an unprecedented wave of cyber-attacks which seriously impacted public life and triggered widespread panic. The Colonial Pipeline incident triggered panic buying of gasoline. The cyberattack on the Greater Baltimore Medical Center in Maryland USA caused serious disruptions to hospital care services. The JBS ransomware attack resulted in fears of meat shortages. Against this backdrop, it is reasonable to say that people have now come to realize that cyberattacks are here to say.
ThriveDX (1) calls it ‘a vicious and self-perpetuating cycle.’ It says that data breaches have become so common that we are witnessing a numbness and growing sense of complacency in consumers to these repeated breaches.
Alarming to say the least
Ponemon Institute’s report (2) compiled for RSA, the cryptography company, says that a mixed response is seen in consumers. While on the one hand, they do pay attention to online security measures like authentication, they are doing little to alter their shopping behavior. The report provides some alarming facts.
Out of 1,000 consumers involved in the Ponemon and RSA study where 50% of them had been victims of a security breach, only 14% said they would alter their shopping behavior, if one of the places they do business with experienced a data breach. The majority polled said they care about their privacy to some degree – but not enough to change their online behavior.
Software Advice, a subsidiary of Gartner, in a survey of some 4,000 consumers, found that with the proliferation of breaches, consumers were exhibiting what they termed ‘peak breach (fatigue)’ – a tendency to shut themselves out to news pertaining to data breaches. A whopping 77% of the respondents were unaware of the mega hack of eBay.
An endemic reaction
ThriveDX (1) says that the increasingly high volume of data breaches is saturating the consumer’s mind with pessimistic news, resulting in lowered confidence and less motivation to act. Instead of stepped-up vigilance and a greater sense of alertness, consumers are responding with ‘acceptance, apathy, and lowered engagement.’
With the 2022 Verizon Data Breach Investigations Report (3) putting the human element involvement at 82% of all breaches, it is a major concern that many persons don’t even change their passwords after being notified of a data leak. Studies show that cybersecurity practices have slackened, and as many as 58% of organizations report that their employees ignore cybersecurity guidelines.
Countering the menace
The CyberEdge Group’s 2022 report found that poor employee security awareness and insufficient cyber skills are the two main reasons contributing to breach fatigue. The pandemic period witnessed an unprecedented upsurge in remote working and cyber-attacks but regrettably was not matched by cybersecurity training. The result was a workforce that was uninformed and not updated.
Organizations can no longer take this lightly as it represents a major threat to their data, fortunes, functioning, reputation, and consumer confidence.
Organizations would do well to take the following steps to counter this alarming trend:
- Recognize signs of complacency and breach fatigue in employees
- Organize and conduct sustained communication campaigns to create a cultural change in the collective mindset towards cybersecurity awareness
- Make exercises and cybersecurity programs mandatory for employees
- Review and enforce dialogue about cybersecurity protocols, responsibilities, and good practices
- Organize training for cybersecurity awareness on an ongoing basis at a more exhaustive level throughout the career of an employee
- Familiarize employees on an ongoing basis with new trends in cyberattacks
- Practice incident response plans that have been set up
Conclusion
Research (4) on the data breach at the 2015 US Office of Personnel Management which impacted an estimated 21.5 million users provided interesting facts on the responses evoked in both those affected by the hack as well as others who learned about it. The overall sentiment was one of anger and anxiety, but those impacted displayed a high level of dismay and grief. In a short time, however, interest in the subject had waned considerably and social media chatter was reduced to nothing. Two months later it was as if the incident had never occurred, with a sense of apathy and acceptance creeping in, sure signs of breach fatigue.
It is obvious that human attention lies at the epicenter of the situation. Given that attention spans are not what they used to be, and the misplaced sense of belief that crises will not impact us, an uphill battle exists when it comes to stemming its onset.
Perhaps revisiting the Aesop fable of the boy who repeatedly cried wolf in jest, until finally, the wolf did come calling, could serve as a reminder of the grave consequences of breach fatigue.
Aurora provides comprehensive security consulting services for mid-market and enterprise-level customers. Reach out to us for our suite of cyber solutions including knowledge transfer and training that will be of use for your breach fatigue requirements.
Visit www.aurorait.com or call +(1) (888) 282-0696