Global Internet Report 2016
Here we are nearly at the end of 2016, and the Internet Society has produced its yearly report on the Global Internet. It is an extremely comprehensive report covering all aspects of the Internet and its usage by all within the private and public domain. This year, the report highlights the growing trend of data breaches and the costs associated with those breaches to both companies and private individuals. The following article therefore discusses some of the issues highlighted in the report and offers some recommendations to try to combat the ever-growing threats.
We are acutely aware of how the Internet impacts and transforms the world. It has the potential to accelerate human progress, bridge the digital divide and build societies that drive innovation, entrepreneurship, and progress.
However, today we are at a defining moment in the evolution and growth of the Internet. Large-scale data breaches, uncertainties about the use of our data, cybercrime, surveillance and other online threats are eroding users’ trust and affecting how they use the Internet. Eroding trust is also affecting the way governments view the Internet, and is shaping the policy environment for the Internet around the world.
What is a data breach? “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.”
The Information Commissioner’s Office (ICO) of the UK
“Data breaches are the oil spills of the digital economy.” Despite widespread recognition that they are a serious problem globally, data breaches continue to increase in number, size, and cost. They are toxic for user trust in the Internet, and their impact can spread across the whole data ecosystem, affecting millions of users.
The ultimate casualty of data breaches is trust in the Internet. Would people continue to go to a store that let strangers shop with their credit cards? Go to a psychiatrist who disclosed confessed affairs in public? Work for a company that allowed anyone to access confidential personnel records? It is unimaginable.
Target had 40 million customers’ credit card numbers stolen and put on sale online; Ashley Madison’s records on 37 million married users and their personal affairs were taken and published online; and the US Office of Personnel Management had at least 21.5 million records, including highly sensitive security clearance records of past, present, and potential employees, stolen.
The impact of these breaches on consumers, users, employees and third parties, some of whom did not even know the organisations had their data, is profound and lasting. Users lost time and money protecting their finances and their identity from theft; others saw marriages dissolve and even committed suicide, and still others may be subject to blackmail and exposure. Also, the victims can never be sure that the impact has been contained.
All were let down by the very organisations they had entrusted with their personal information. Even worse, in many cases, the data breach could have been avoided. Some breaches occurred because the systems were not protected from known bugs; others because users were not trained in how to avoid being tricked into providing access. Even then steps could have been taken to avoid harm in the event of a breach, such as minimising the amount of data collected and encrypting the data that was kept.
The questions we need to ask are simple ones.
- Why are many organisations not taking even the basic steps to protect the personal information they hold?
- Is it because they do not bear all the costs of the data breach?
- Is it because there is not enough perceived benefit in better protecting their users’ data?
Organisations may only consider their costs and neglect the potential costs to their customers and others. It is also hard for an organisation to signal that they are better prepared against a data breach than others, reducing the benefit of data security.
Data breaches are on the rise. The impact of data breaches on users – consumers, employees and organisations – is profound and lasting, including significant financial and non-financial costs. Even worse, in many cases the data breach could have been prevented. And, even if it could not have been prevented, the harm could have been mitigated.
While users bear the lasting costs of each breach, the ultimate casualty is trust in the Internet. The vision of the Internet Society is that the Internet is for everyone, everywhere. Trust in the Internet is at the core of that vision. Without trust, those online are less likely to entrust their personal information to the Internet, and, those who are not yet online will have a reason to stay offline. The Internet economy will not grow as fast as it could, and the UN Sustainable Development Goals (SDGs) will be that much harder to achieve.
The Current Trends and Associated Data
Data breaches are trending upwards:
- A growing number of people are impacted by data breaches. Reported breaches are increasing, with a rising number of known records breached and even more that are unknown in number. The leading cause is outside attacks, mostly for financial gain. Most breaches appear to occur in the US, but that is likely because of data breach notification rules that lead to more disclosure.
- Surveys do not, as yet, indicate that reported data breaches are having a significant impact on non-users’ willingness to go online. However, as more users are impacted by data breaches, such as by having their identity stolen for profit, more users will hesitate to use online services requiring personal information. They may also stop doing business with a company that has been breached. A widening breach of trust among users, in turn, could provide non-users with a reason not to go online.
- Organisations are spending more on prevention, but this has not yet noticeably lowered the number of breaches, or the impact and cost of breaches when they do occur. In turn, the cost of breaches, when calculated, typically only includes the cost to the organisation, and not the full cost for the users who were the ultimate victims of the breaches.
These trends cannot be allowed to continue without significant harm to individuals’ privacy and users’ trust in the Internet, resulting in lower and more selective use of the Internet.
The original report highlighted some leading causes of data breaches, and their impact on organisations and users. The numbers are staggering: Target had 40 million customers’ credit card numbers stolen and put on sale online; Ashley Madison’s records on 37 million married users and their personal affairs were taken and published online; and the US Office of Personnel Management had records on 21.5 million past, present, and potential employees stolen.
The impact of these breaches on consumers, users, employees and third parties who did not even know the organisations had their data is profound and lasting. Some users lost time and money protecting their finances and their identity from theft, some saw their marriages dissolve, and even committed suicide, and others may be subject to blackmail and exposure.
The case studies show how easy some attacks are, but also how difficult it is for organisations to protect against all threats. For users, the case studies highlight the increasing sense of insecurity online, requiring trust in organisations whose security users could not possibly assess. An ever increasing number of users have been directly or indirectly impacted by a data breach. The case studies make concrete the real and ultimate impact of these breaches on the users whose trust in organisations, as consumers or employees, is betrayed.
The Issues we Face
In the face of financial and non-financial costs highlighted by the data and case studies, it is puzzling that many of these breaches exploited known vulnerabilities, and were preventable. For some of these, there were patches available, but not used. Some involved social engineering attacks, in which employees were tricked into giving up their password or introducing an infection, typically in ways that could be prevented. Of course, not all breaches result from attacks, and not all attacks are preventable. Some are the result of attacks using zero-day exploits not known before being employed. Others result from accidental disclosure of data, for example through the loss of a device containing sensitive data. While not preventable, given how common they are, such breaches are at least foreseeable. It is possible to mitigate the impact by minimising the amount of data gathered, and encrypting the data that is stored and sent. The question remains why, given the cost of breaches, more is not done by organisations to address the preventable ones, and to lower the cost and impact of foreseeable ones.
This raises the issue of the economics of trust. There is a market failure that governs investment in cybersecurity. First, data breaches have externalities: costs that are not accounted for by organisations. Second, even where investments are made, as a result of asymmetric information, it is difficult for organisations to convey the resulting level of cybersecurity to the rest of the ecosystem. As a result, the incentive to invest in cybersecurity is limited; organisations do not bear all the cost of failing to invest, and cannot fully benefit from having invested.
The 5 “R’s” (Recommendations)
- Put users at the centre of solutions; and include the costs to both users and organisations when assessing the costs of data breaches.
- Increase transparency through data breach notifications and disclosure.
- Data security must be a priority. Better tools and approaches should be made available. Organisations should be held to best practice standards when it comes to data security.
- Organisations should be accountable for their breaches. General rules regarding the assignment of liability and remediation of data breaches must be established up front.
- Increase incentives to invest in security by catalysing a market for trusted, independent assessment of data security measures.
Data breaches are a growing concern worldwide. To mitigate this problem and its economic impact, this summary article drawn from the Internet Society Global Report proposes a shift in the approach to data breaches, involving all stakeholders. As users increasingly move their lives online, to achieve the full benefits of the Internet worldwide there must be user trust. That trust is dependent on how users’ data is protected from breach. Each data breach creates a new group of users whose trust may have been betrayed, which spreads to their acquaintances through word of mouth, and more broadly through news reports, creating doubt, which undermines user trust at large. With this report, the Internet Society’s goal is to offer recommendations that will help to provide better data security. This, in turn, has the potential to increase use of the Internet, and raise the economic and social impact of the Internet on the broader economy and society. That, finally, will help meet the Internet Society vision that the Internet is for everyone, everywhere.
Dr Graham R Smith is a Global Member of the Internet Society, living here in Azerbaijan.