Data breach fatigue and NIH fuel ineffective cyber security


This is another part of our ongoing series on outsourcing services, again focusing on security  Large companies rely on the work of outsourcing providers for developing security solutions and containing breaches. By Lou CoveyNew Tech Press

News reports about data breaches are almost a daily occurrence. Companies spend millions on identity protection services for affected customers while the same type of breaches continue with no end in sight. The sheer volume of data stolen is astronomical begging the question, why isn’t anything being done?

“There is no financial reason for companies and governments to do anything about the problem because we have not seen any significant economic damage done to the companies or their customers,” said Anne Saunders of Eurocal Group, a U.S. software development company.

target_security_breachShe has a point. There have been relatively few people who have actually experienced  personal financial loss. For example, just last week, Target announced a settlement of $10 million for the breach that compromised the data of more than 100 million people -- 10 cents for each victim, not counting legal fees.

While the amount of data stolen has been massive and growing with each attack, the money spent on identity theft protection for and by those customers after any given attack is extremely low. The entire ID theft industry is currently only $3 billion annually with a projected growth rate of 0.5 percent and no measurable profit. The number of companies in the market make each slice of that pie very thin, so it’s not a business for the weak-hearted. The good news for that industry is corporations are adding budget for those purchases because, well, it’s relatively cheap.

Eurocal Group is one of many companies providing outsourcing services for companies around the world and they are finding a growing demand for the services with deep experience in cybersecurity. “If security isn’t a significant part of your development, whether it is embedded systems or web design, you’re just asking for trouble. Lucky for us, lots of companies have not been thinking about security,” Saunders said.

A battle weary market

Then there is the problem of breach fatigue.  The number of people affected by breaches is impossible to measure because of the interconnectedness of the data. One person might be affected by the Target, Anthem and Michael’s breaches and another might not be affected by any.  A recent report from Experian stated that 62 percent of consumers received at least two notifications of breaches in the past year.

Correlating to the Experian survey, market research firm Ipsos reported in December that 62 percent of consumers in the US are now concerned about the security of their data, which is an increase from 53 percent the previous year. However, 85 percent reported that they knew of no one whose data had been compromised and only 6 percent reported being the victim of a breach. So while there is growing concern, there is hardly a demand from the market to actually do something about it.

StoryWhich may be why some leading figures in the industry tell consumers they are pretty much on their own.  Herjavec Group Founder & CEO, Robert Herjavec discussed the recent and massive breach of Anthem in a recent interview with Fortune magazine. He stated that the integrated nature of health care systems requires consumers take responsibility for security. ”They must diligently check credit card records, and monitor their personal records with insurance and medical providers to mitigate the risks of credit card fraud and identify theft in the fall out of this breach.”

Don’t just do something, stand there

The U.S. government is also concerned about cybersecurity and is convening panels and study groups from Federal all the way to municipal levels. They have produced reams of legislation designed to deal with the issue, but there are two problems: 1. The legislation is designed more for show rather than actually deal with the real problems; 2. The legislation is designed to improve and control  government surveillance, rather than the security of voter data.

Better progress is being made in the European Union, especially in smaller countries in Central Europe. according to Jack Wolosewicz, CTO of cybersecurity tech startup, Certus Technology Systems. He said Europeans seem more open to security innovation than the US government and large corporations. "They tend to outsource to known companies, like RSA and Verisign, not because those are the best solutions but because, if there is a breach, they can say they went with the best known solutions. So no new ideas are considered.

Wolosewicz said the "CYA mindset" is the biggest barrier to adoption of effective security in large companies and enterprises which means smaller enterprises are more likely to be willing to look outside of the box.

“Financial services and internal corporate security is taken more seriously with big bucks being spent on 2nd factor authentication like RSA tokens,” he stated. "Expensive and outdated as they are, there is a market for that because relying on passwords alone is not a security strategy that anyone trusts any more. For mass markets, single-sign on is everywhere and browsers remember your passwords because it's easy for users, but it’s still passwords and that only increases risk."

Wolosewicz pointed out that Microsoft and Yahoo have launched initiatives to move away from passwords, so there is some movement in the right direction. "Mass markets are happy to pay for a better user experience to attract new users, but till now, better security meant worse user experience."

In the end, the major players that control what happens to the consumer data are not financially incentivized to change how things are done. Since their customers have pretty much accepted the status quo, any substantial change will have to come from non-traditional sources.

“We’ll take that business,” Saunders concluded.