The old anecdote of the frog placed in slowly heating water, unaware of the gradually escalating danger until it is too late, is a poignant one for reasons other than its gruesome ending. Its supposed purpose is to teach us that our sense of danger can be dulled when change occurs slowly enough not to be noticed.
Off the Grid
I was reminded of this intangible barometer when, in September 2016, I returned to the UK from a holiday in Tanzania. Whilst in Africa, I stayed in locations some of which were so remote that there was often no permanent source of electricity. My connection with the IT security world was gratefully severed for a short period of time. With my proverbial finger off the pulse, I was unaware of the revelations back home that Yahoo had failed to disclose a breach dating from two years earlier, only learning of it once I had reluctantly dragged myself back to the reality of cyberspace.
To my own surprise, my response was muted. The gravity of the breach was not lost on me; even the most conservative sources estimated that over 500 million user accounts had been compromised. We now know this to be just the tip of the iceberg; however, even at this early stage, it was already earning the crown of the largest recorded account breach ever. Yet still, I found myself curiously lacking in any surprise or shock.
It wasn’t that I didn’t care, or didn’t sniff the opportunity to write about it; rather, I had developed a numbness from what is sometimes described as data-breach fatigue. Breaches are undoubtedly becoming ever more common, which can be attributed not just to an obvious increase in attacks, but also to an increased level of public disclosure. In the first half of 2016 alone there were reportedly 522 cases of data breach worldwide, yet the true number is likely to be much higher, since only breaches that are detected and disclosed are ever counted. Breached organizations are commonly viewed by their customers and peers as negligent rather than as victims.
Roman-Like Diminished Sensitivity
Data breaches have become so normal that our sensitivity to them has been, and continues to be, diminished. Like the crowds at the murderous spectacles of the Roman arenas: the more daring the stunt and the more blood spilled, the less entertained the crowd was by anything less, or even by the same, the next time.
Back in October 2015, TalkTalk was the talk (for lack of a better word) of the UK when it was breached and 157,000 customer records were stolen. The mainstream media ran coverage for days, the less-informed yet judgemental public wagged its finger disapprovingly, and experts scrutinised the details. Yahoo is also getting attention from industry media and national information authorities, but it feels less damning, perhaps as a result of being lost in an increasingly crowded sea of breaches.
Aside from the obvious danger of our personal information being leaked by those who are in stewardship of it, there is also the challenge of being the anecdotal frog in hot water. When we are surrounded by a constant or gradually changing state, whether calm or heightened, it becomes normal. We become desensitised to its true nature and, as a result, we begin to ignore it. The same theory applies to publicised data breaches.
Gems in the Dirt
Every breach, hack or failure in cyber-security presents those lucky enough to be spared with an opportunity to learn. It’s a free lesson, which can only benefit those that take heed. According to the Breach Level Index, there are up to five data breaches every day (October 2016); an optimist would say that is five opportunities a day to improve our defences.
Henry Ford, not always known for his one-liners, once said: “Failure is simply the opportunity to begin again, this time more intelligently”.
It is therefore we ourselves who present our own biggest cyber-threat. Not through a lack of skill, but through a failure to pick out the gems from the dirt. Will we sit up and learn from the failings of our peers? Absorb the lessons each one offers? Or stay unwittingly numb to the rising temperature of the water surrounding us?
Author Bio: This article was written by Chris Payne, an independent IT security consultant, speaker and writer. With 9 years of experience working in IT security, Chris has a wealth of knowledge around information security and holds a GDPR certification under IBITG. In addition to this, Chris has worked with some of the UK’s largest organizations and regularly appears as a guest contributor to IT security related blogs, whitepapers and articles.
Chris Payne is a guest blogger, all opinions are his own.