Burn Before You Learn or Learn Rather than Burn
Daniel Solove
Professor, GW Law School + CEO, TeachPrivacy + Organizer, Privacy+Security Forum
It seems as though every week brings news of another batch of data breaches . . . and they're getting bigger. Target. Home Depot. Sony. Anthem. The list goes on and on.
The costs of many of these breaches are devastatingly large. And yet most data breaches are readily preventable. After reviewing more than 1,000 data breaches from 2014, the Online Trust Alliance (OTA) found that more than 90% of them could have been avoided.
Some organizations will take this news and beef up their security efforts. But many organizations won't do anything differently. Even in light of the mounting frequency and costs of data breaches, many organizations will just keep humming along. They will get breached -- or already have been and just don't know it. Eventually, they'll get burned. Then they'll learn and finally step up their efforts.
I see this story again and again. An organization doesn't take security (or privacy) risks seriously enough. The organization gets burned, and that is the wake-up call. The organization then gets serious.
I've noticed two general attitudes toward risk: (1) those who must burn before they learn and (2) those who learn rather than burn. For some, despite all warnings, they just won't step it up until after they get burned. It's akin to how teenagers won't heed warnings and have to learn the hard way.
There are many things that can readily be done to reduce the risk of data breaches. There may never be a way to get to 0% risk, but any significant reduction in risk is a huge benefit and will have a great return on investment.
For example, most problems in security are due to human mistakes. These are preventable with effective training. Hackers often don't get in because of their technical savvy. They get in because they are good con artists and trick people. In movies and on TV, hackers are often able to break into any network just by typing a few keystrokes -- reinforcing the mistaken view that hacking is preventable by merely fortifying technical controls. You can encrypt data and create requirements for strong passwords, but a hacker can get in by tricking people into divulging their passwords. That's why training the workforce is essential.
Most data breaches are avoidable -- if only organizations chose to learn rather than burn. But unfortunately, far too often, organizations must burn before they learn.
* * * *
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. Along with Paul Schwartz, Solove is a Reporter on the American Law Institute’s Restatement Third, Information Privacy Principles. He is the author of 9 books including Understanding Privacy and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.
The views here are the personal views of Professor Solove and not those of any organization with which he is affiliated.
Bringing Sun on the Earth! ITER Korea Program Budget Coordinator (P2) @ Korea Institute of Fusion Energy (KFE) | MEI (Master of Entrepreneurship & Innovation) (9 years)
I mean, Always Study Hard. Ash.
Bringing Sun on the Earth! ITER Korea Program Budget Coordinator (P2) @ Korea Institute of Fusion Energy (KFE) | MEI (Master of Entrepreneurship & Innovation) (9 years)
Ash are left after burn...
Integrated Nanofabrication & Cleanroom Facility (INCF) at Lehigh University (9 years)
Always try to learn rather than burn, however be well prepared for burn.
SEO & Marketing Specialist | Web Developer | Landscape & Drone Photographer | Passionate Hiker (9 years)
One of the sentences I heard quite often was: "Why do I need a firewall at home or a virus scanner? I am not a bank." If people already think about that at home, what do they think at their place of work? As long as companies tell them their data is protected, they will think that way and will not make sure that they protect their data at home and at work.