CISO Interview: Does ‘breach normalisation’ have its benefits?

Breaches plague organisations on an almost daily basis. How is the bombardment impacting society and indeed, cyber security itself?

Data breaches continue to be reported on an almost daily basis, with serious, costly and frankly embarrassing consequences for organisations affected.

So regular do breach incidents occur that media publications, save those that specialise in cyber security, simply don’t have the capacity to report on them all.

Midway through 2019, Norton released a breach report demonstrating the astonishing escalation of breaches. The cyber security company revealed there had been 3,800 publicly disclosed breaches in the first six months of the year, a 54 percent increase compared to the first six months of 2018. Try reporting on all of those.

Just like all areas of business, cyber hackers are embracing “digital transformation” and its rich rewards, using readily accessible tools to open the doors left open by unsuspecting digital users. It is a cliche to compare the digitally-evolved present with the past, but who 20 years ago could have predicted that breach trading would one day be the world’s fastest-growing black market?

The new decade has picked up where 2019 left off. At the time of writing, the Iranian state has breached the website of a US government agency, foreign currency exchange Travelex is reckoning with a malware attack that forced the company to take its UK website offline, and Seattle-based smart home company Wyze exposed the data of its 2.4 million users via an unprotected database.

Most discussions around breaches understandably focus on the material effects of individual incidents on companies and their users — whether that’s fines, lasting reputational damage, or increased risk of fraud — and the practical steps organisations can employ to prevent them from becoming tomorrow’s headline.

At Cloud and Cyber Security Expo, at ExCeL London March 11, Becky Pinkard, CISO at Aldermore bank, will present a more macro perspective. In a preview of her talk on the show’s website, Pinkard, a cyber security veteran of two decades, asks “how is this frequency increase impacting society and indeed, security itself?”

“We have gotten to the point where people basically subscribe to the fact that their data will be breached,” she says.

Breach normalisation

The topic of breach normalisation has been examined heavily before, but most of the discussion has centred around its obvious, negative effect – the desensitisation and numbing of society to each passing incident.

Tangible effects are rarely immediately apparent in the aftermath of a breach. News reports consequently lack visceral impact. It’s not immediately clear where data ends up — users are inclined to think there is a high chance that their data, representing one line in a tomb of a database, might never be deployed against them.

“I’ve actually had journalists tell me this in the past. They would actually say it’s difficult for us to talk about because we don’t have a picture or video or something we can frame it against to capture people’s attention.”

But Pinkard also says there are also positive effects to the phenomenon.

One result, she says, akin to the operational resilience regulators encourage financial sector companies to provision, is that companies today are more open to taking the necessary precautions around what they will do when breaches occur. The question is not “When will we be hit?” but “When we are hit, how can we ensure we have resilience and continuity of service?”

Pinkard draws an analogy to car insurance. It took decades for insurance to emerge, as it took time for people to honestly accept that road accidents and deaths were an unfortunate side-effect of massively distributed, high-powered personal transportation.

Similarly, it’s taken society a while to accept that breaches are “the cost of doing business” in the digital arena. But now that the severity of breach activity is widespread knowledge and front-page news, employees and citizens are becoming more cautious and diligent about how they handle their and others’ data.

“We’ve almost gone through this period of time where we’ve seen the repercussions of not taking care of data properly, and of not taking care of our own interactions and our credentials properly,” she says.

“Cambridge Analytica was a great example of a type of population that was immune to data breaches. It is the folks that are utilising social media, utilising those tools, having those interactions, but without necessarily understanding the ramifications of what they’re signing up to, what they’re sharing, how they’re sharing it, and then also simultaneously how they’re setting up and sharing their account information.”

“Now, it’s almost as though we’re starting to come to the other side. More and more people are getting clued into the fact that they need a password manager, that they should not use the same password everywhere, that they need to question now how is their data stored and who has access to it.”

It’s not just culture that is playing catch up. Another potentially positive consequence of increased breached activity could be the introduction of some wider form of cyber security regulation, although it’s too early to speculate what form such regulation might or should take. The private sector now regularly tests employees on cyber diligence — what if this was a requirement for all businesses?

“It’s like the regulations on flying an aeroplane. When it boils down to safety and security, I think most people are willing to absorb the pain of going through a mandated requirement if they feel that there’s a betterment through that process.”

“The problem boils down to the fact it’s not mandated and security awareness courses vary in terms of how good and engaging they are, how often that they’re run, and whether or not they actually deliver positive learning outcomes. It is possible that at some point in the future we might even see some sort of registration for becoming a licensed digital road user, like how if you have a car you must be a registered driver.”

Looking ahead to the show in March, Pinkard concludes:

“We have to consider how are we interacting, if it’s secure, what data is being used, if that data is necessary, and help each other. That’s one of the reasons I enjoy doing these kinds of talks. We have to help encourage each other to continue to talk about this and to continue to bring it to light. I think that’s the only way we’re going to get where we need to be.”