Special Report
How Data-Breach Hype Undermines Your Security
Some media outlets called last month's data breach at health-insurance company Anthem, which resulted in the theft of highly sensitive personal information pertaining to up to 80 million people, a "sophisticated attack." However, later reports showed that weak authentication had let hackers into the database, and that a lack of proper encryption had allowed the personal information to be shared.
In a similar breach in 2014 at Community Health Systems, the company said the attackers "used highly sophisticated malware and technology." It turned out the hackers had actually exploited the simple, very fixable Heartbleed bug, which had been widely known for months.
Many high-profile data breaches are reported as "complicated" or "sophisticated," when in reality, most result when low-level, very basic security practices are overlooked. Are the news media going overboard in their data-breach reporting, and, as a result, scaring people away from improving their own personal security habits?
Pattern of misunderstanding
The reporting on the Anthem and Community Health breaches followed a typical pattern: A high-profile cyberattack is announced by TV-news taglines such as "Worst breach ever!" or "You could be a victim!" A CEO or another top official cites the sophistication of the attack and the complicated hacking tactics that led to the breach, which the media breathlessly repeat without question.
The end result is a story that gets people talking. I don't know about your social-media contacts, but as soon as a high-profile breach is announced, my Facebook and Twitter feeds are filled with panicked friends wondering what, if anything, they can do.
Yet, in the end, the "sophisticated" breach is often the result of sloppy security practices. The company's software wasn't patched, a weak password was required to log in to the corporate network or an executive's laptop was lost. Such undramatic facts are seldom widely reported, because by the time they become known, the breach story itself has faded from the news cycle.
While this fact doesn't lessen the risks that a data breach can cause — and affected individuals have every right to be concerned — it does raise the question of whether the media purposely use scare tactics when reporting high-profile breaches.
Most important, such overemphasis on the inevitability of data breaches and the unstoppable skills of evil hackers may be keeping ordinary people from taking charge of securing their own devices and personal information.
A lack of technology knowledge among reporters can lead to misinformation or sensationalism about cybersecurity events, said Danny Levinson, CEO of Hong Kong-based Kovurt Limited, which provides security and privacy services.
"More reporters covering technology should have a firm grasp of the gravity of events, and also the jargon to use, so that all events are not deemed doomsday events," Levinson said.
Levinson added that although he doesn't believe news outlets are purposely using scare tactics, he does claim that by hyping events and creating "click-bait material," the media aim to get more visibility and viewers.
As a result, there are times when the reporting on a data breach or cyberattack turns out to be misleading at best — and incorrect at worst.
Levinson pointed out the recent "outage" involving virtual private networks (VPNs) in China. Journalists from some of the most famous media outlets in the world conflated an article in the state-run People's Daily newspaper with problems some VPN providers were having in China — and spun the two into a story about a total shutdown of secure VPN services in China.
In reality, Levinson said, there was no shutdown, there was no ban and there was no blocking. Rather, those VPN providers that had problems suffered only as a result of their own configuration issues.
"Had journalists understood the technology better, they would have been able to dissect the problems and relay the correct information to consumers," Levinson said.
The less you know, the less you'll do
The way stories about cyberattacks and data breaches are reported can make a difference in how the average Internet user views security, said Renee Bradshaw, senior solutions manager with NetIQ, an identity and access-management provider based in Houston.
"If the media reporting is complacent — echoing the carefully crafted, self-preserving statements from victim-organization spokespersons — consumers will likely see the typical data breach as impossible to prevent and may throw up their hands wondering how an individual person can protect themselves," Bradshaw said.
"On the other hand," Bradshaw added, "there are plenty of media outlets that do go the extra mile to investigate and report on what actually occurred in a data breach, and will even present tips on what you, as a consumer, can do to protect your personal information given the specific type of breach."
"The key to protection of your personal assets," Bradshaw said, "is to arm yourself with a wide spectrum of reading and opinion on the latest security threats and security tools for your personal devices, assets or systems."
The media tend to focus on data breaches at large corporations — Target, Sony, Anthem — and ignore the more numerous incidents happening at smaller businesses. This does a disservice to consumers and to security.
Because smaller breaches are not adequately covered by news outlets, the average person doesn't have a clear picture of how serious the cybercrime threat really is, said Marc Maiffret, chief technology officer with BeyondTrust, a cybersecurity firm based in Phoenix.
Couple that lack of understanding with the lack of control consumers have over their information once it is given to an organization, and the average person may not truly grasp how important it is to apply security controls on his or her own devices.
How to take charge of your own information
Rather than be told that cybersecurity incidents are complicated and that ordinary people are helpless, more emphasis on the simple security steps anyone can take could actually encourage users to do more to protect their personal information.
Reporting that a breach was caused by unpatched software or weak passwords would show how vital the following simple steps are in creating viable security layers:
— Make sure that patches and updates for software and operating systems are installed immediately on home computers and mobile devices.
— Generate and use a strong, unique password for every highly sensitive online account, such as for financial, webmail and social-networking sites.
— Use the two-factor authentication options offered by a growing number of applications, such as Gmail, Dropbox, Facebook and others.
— Don't let online retailers store your credit-card information. Instead, type in the card number every time. It's inconvenient, but if the retailer suffers a data breach, your card likely won't be affected.
— Minimize the information about you and your family that's available online. Don't let anyone, not even your "friends," see your birthday on Facebook, don't disclose your home address and don't identify your children by name, especially in public photos.
— Learn how to avoid phishing attacks, such as by verifying links and not opening attachments without first making sure they're legitimate. Think twice before clicking on shortened URLs, since they can lead to fake websites.
— Don't store sensitive information, such as a credit-card number or a Social Security number, on a mobile device, and don't post it online.
— Password-protect all mobile devices, and then log out of your apps when you're not using them. This will help protect information if the device is lost or stolen.
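Three of the steps above (a strong, unique password per account; checking a link before clicking; being wary of shortened URLs) can be turned into small checks. The following Python is an added example written for this article, not code from the article or from any of the companies quoted; the function names (generate_password, entropy_bits, reused_passwords, link_looks_suspicious), the SHORTENER_HOSTS list and the sample accounts are all constructed for illustration.

```python
import math
import secrets
import string
from urllib.parse import urlparse

# Constructed list of well-known URL-shortener hosts. A real deployment would
# use a maintained list; this one only illustrates the check.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}

# Letters, digits and punctuation: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a random password drawn with the CSPRNG in `secrets`, never `random`."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols, in bits."""
    return length * math.log2(alphabet_size)


def reused_passwords(accounts: dict) -> list:
    """Group account names that share the same password (the 'unique per account' rule).

    `accounts` maps account name -> password, as a password manager export might.
    """
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return [names for names in by_password.values() if len(names) > 1]


def host_of(url: str) -> str:
    """Lower-case host of a URL with a leading 'www.' removed."""
    host = urlparse(url).hostname or ""
    return host.lower().removeprefix("www.")


def link_looks_suspicious(display_text: str, href: str) -> list:
    """Return reasons to distrust a link, comparing the text shown to where it really goes.

    Checks: visible text that looks like a URL but points elsewhere, a
    shortener hiding the destination, and a target that is not HTTPS.
    """
    reasons = []
    href_host = host_of(href)
    shown = display_text.strip()

    # If the visible text itself looks like an address, its host must match the real target.
    if "." in shown and " " not in shown:
        shown_url = shown if "://" in shown else "http://" + shown
        shown_host = host_of(shown_url)
        if shown_host and shown_host != href_host:
            reasons.append(f"text shows {shown_host} but link goes to {href_host}")

    if href_host in SHORTENER_HOSTS:
        reasons.append("link uses a URL shortener, so the destination is hidden")

    if urlparse(href).scheme != "https":
        reasons.append("link is not HTTPS")

    return reasons


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"{pw}  (~{entropy_bits(20):.0f} bits)")

    # Constructed sample inventory: two accounts reuse one password.
    sample = {"bank": "hunter2", "webmail": "hunter2", "social": "Zq8!kL2$"}
    print("reused:", reused_passwords(sample))

    # Constructed phishing-style link: text names the bank, link goes through a shortener.
    print(link_looks_suspicious("www.mybank.com", "http://bit.ly/abc123"))
```

The link check is deliberately conservative: it flags a mismatch only when the visible text itself looks like an address, so an ordinary "Log in" button pointing at the bank's own HTTPS site produces no warnings, while a bank-looking host that is really a subdomain of some other site does.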
Levinson pointed out that thanks to media overreactions, the average netizen has a distorted view of what proper security practices, as outlined above, should be. Many people may adopt a "damned if you do, damned if you don't" attitude — why should they care about stronger passwords when it seems hackers will just take the data anyway?
"Consumers are confused," Levinson said, "which means only hackers and the media have anything to ultimately gain."