It’s a common story. Three to six months pass by at work and you’re requested to input a new password for your desktop account login. It’s a hassle, and you can only remember so many variations of your favourite password: ‘Password123’. You settle for ‘Pa$$word123’ and assume that it’s enough to get you through until the next round of password renewals.
Similarly, you get a notification that your bank account has been hacked. You report the one fraudulent purchase to www.strangepurchases.com, get your card cancelled and change your e-banking password. It is likely to be another variation of your last password and again you continue on with life, hoping that this minimum effort will prevent you from getting hacked.
Nowadays, even if your data is accessed, the reaction from the public is short-lived and forgotten. People, and even companies, are beginning to suffer what security experts are calling ‘breach fatigue’.
Breach fatigue includes some of the following symptoms:
- Individuals take serious action against weak security systems only after their data has been illegally accessed or breached. For example, you only back up your photos after your hard drive fails and you’ve lost all your holiday photos;
- Individuals assume that their service providers will provide necessary cybersecurity protection and know if and when a breach occurs;
- Companies trying to ensure the safety of their IT systems and data are too busy complying with regulations to try and improve their security systems;
- Companies begin to rely heavily on their risk and compliance departments to ensure that their systems remain secure under the assumption that they do not need to apply any other security policy until they are told to do so; and
- Individuals and companies stop making an effort to secure their data and IT systems as they believe that technology moves too quickly for them to catch up to or understand.
Ultimately, breach fatigue is common and understandable. Technology and its many advances are predicated on the principle that people should not have to fear for their data or assets and that they don’t always need to be technologically literate with the applications they use.
Currently, there are no easy ways of solving this particular new form of ‘security malaise’. However, companies can always start by ensuring their risk management and IT security teams are and remain enthusiastic about the changing and complicated world of IT security, without bogging them down in policy compliance at every turn.
It is somewhat harder to keep the public’s attention on these issues. Awareness seems to be raised only when large, scandalous breaches occur, and even then public opinion tends to have a short memory. It appears that the public has taken for granted that data breaches are inevitable and now relies on how well their service provider deals with breaches, rather than expecting their service provider to never suffer any breaches at all.
It is not surprising that breach fatigue has become a common ‘illness’ with regard to data security. With the frequency of news articles revealing major breaches or hacks in large and small companies, the public has taken for granted that data breaches will occur. Likewise, it’s difficult to stay on top of all the new ways in which a breach can occur. There is little awareness being spread to the public on easy ways to keep their data safe that do not involve the need for technological literacy, and many companies rely on their IT or risk management teams to keep them safe. It’s important therefore to always seek out IT security and risk management contractors who have not yet succumbed to it, and who may even bring fresh ideas to the table.