InfoSec Apathy: Spreading
We live in such a wonderful era. Technology is growing in complexity exponentially. Moore's Law seems to be expanding rapidly in its application. Social media reports the news within 15 minutes, when a generation ago this may have taken a day or more to publish.
With the good, however, comes the bad. Although we receive the information so quickly, people have become numb to it at certain levels. One of these areas is InfoSec. There is a mountain of new articles to read hourly. These cover a range of topics: new and updated programs, new mobile apps to make our lives easier, new security breaches with data exfiltrated (credit card numbers, social security numbers, addresses, medical records, biometric information, pictures, etc.), and vulnerabilities in both new and older equipment. The PII, PHI, EMR, EHR, and other private, confidential data, when successfully exfiltrated, are sold multiple times across the dark web until they are no longer of marketable use.
The affected persons then have the opportunity to monitor their personal credit for at least the next few years. The allegedly negligent corporation that allowed this may provide 90 days or a year of free credit monitoring. This may seem a pleasant apology; however, given the totality of the issue, it is truly worth very little.
All of the news agencies continually talking about old exposures, new vulnerabilities and breaches, and other buzz-worthy posts leave people numb. Being constantly wary of everything from the computer age builds fatigue and an increasing level of apathy. People have simply given up in certain instances. They just don't want to deal with this anymore. The callus against the risks of computing has thickened as a result. This may lead users to exhibit riskier behaviors with their computers, such as visiting unknown websites and not updating their AV as quickly as they should.
This has led to several significant breaches over the last few years. In 2017, we had the Equifax breach, with over half of the US population potentially having their sensitive, confidential information up for sale to, and use by, unauthorized parties. There were also 150M UK citizens with the same issue due to this. Several hospitals were affected by ransomware and had data exfiltrated. Several universities in the US and Canada have had multiple compromises, affecting their operations and students. In 2016, JPMorganChase was breached, affecting 76M households and 7M businesses. In 2014, there were a myriad of breaches to choose from. These included Target, Neiman Marcus, Michael's, PF Chang's, Albertsons, Home Depot, LinkedIn, Yahoo, and too many others to note.
What to do?
As these continue to build, growing larger in the number of files compromised and the number of companies attacked, the fatigue will grow. To reduce this detrimental trend, there needs to be a renewed focus on implementing InfoSec best practices, not practices bent to suit what we want them to be. The best practices should mold the InfoSec program, rather than us trying, in vain, to make best practices fit within our self-constructed parameters.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.