For the victims of a data breach, feeling whole again is no small order. There’s no 9-1-1 or insurance for consumers that can remediate the irreplaceable – your identity. Scary as it may seem, companies fail to disclose breaches out of fear of penalties, U.S. notification laws are insufficient and there is still a “blame-the-victim” mentality, leaving the everyday victim feeling helpless.
Recently, 4iQ gathered insights from more than 2,300 Americans to gain a better understanding of their experience(s) with data breaches and protecting personally identifiable information (PII). The bottom line is that U.S. adults don’t feel prepared to face the threats presented by exposed PII.
For instance, when asked about their own effectiveness at protecting their PII, survey respondents rated themselves lower than their employers, with only 15 percent calling themselves “very effective,” versus 23 percent for their employers. Respondents also perceived their employers as more effective at protecting PII than the government. Similarly, respondents anticipated higher levels of response from employers than government following a breach; over 83 percent said they would expect security upgrades and proactive communications from employers, but this number dropped down to 74 percent for government breaches.
Consider this with the fact that globally, the public sector has experienced a large number of breaches – 4iQ saw a 291 percent increase in government sector breaches circulating in the underground last year – and it comes as no surprise that there is a growing lack of trust in government institutions.
Americans also feel pressure to avoid mistakes with online security – 77 percent said they felt any mistakes they made with online security that also compromised their employers’ systems would impact their employment status. Furthermore, more than half of respondents believe there’s a “blame-the-victim” problem with cybercrime.
So, how do we begin to address this problem? On an individual level, it’s critical to secure devices, use password managers and sign up for identity theft protection services. For enterprises, companies must take greater responsibility for safeguarding personal information belonging to not just their employees, but also customers. Offering cybersecurity training can leave employees feeling less stressed knowing they have the tools to practice good cyber hygiene.
Alongside two-factor authentication, a variety of account takeover prevention technologies can protect data that is exposed in breaches of other companies. Then, if a company suffers a breach, aside from routine remediation and identity theft protection services, companies should also try to get as much context as possible about the adversary and provide this information to law enforcement, so they can investigate, prosecute and prevent future attacks.