Last month, a data breach at the headquarters of Educational Credit Management Corp., a guarantor of federal student loans, compromised 3.3 million borrowers’ personal information (as reported in the Wall Street Journal). That was probably a $600 million incident. But did you hear about it? Probably not. As professional communicators in the financial services space, we and our clients are often eager to tell the cyber security story, especially given the potential implications for businesses – but is anybody listening?
Security breaches aren’t cheap: According to the Ponemon Institute’s fifth annual U.S. Cost of a Data Breach Study, data breach incidents cost U.S. companies $204 per compromised customer record in 2009, compared to $202 in 2008. But they do seem to be under-reported. Is this because they are stealthy, because the corporations that are targeted keep them under wraps, or because we just don’t care?
Probably some combination of the above. In the “Last Word” department of Risk Management magazine’s April issue, editor Morgan O’Rourke calls attention to the general ambivalence that U.S. media and citizens display toward cyber security threats. Morgan attributes lack of interest to the fact that hackers and data breaches often feel like “old news” to the general public, despite the frequency and potential severity of incidents (see NPR’s timeline). But, as Morgan points out, few consumers take the words of warning to heart: “password” and “123456” persist as two of the most popular choices for web passwords.
We’ve all heard about Google’s cyber security difficulties with China, or known someone whose Facebook account was hacked and spread a virus to their friends via a rogue status update. But we don’t hear about a lot of cyber-burglary cases. The financial services sector is particularly vulnerable to cyber security breaches simply by virtue of the information that financial firms store on their servers: credit card data, bank account balances and identification numbers, and social security numbers, to name a few.
As professional communicators in financial services (and the insurance sector in particular), here’s the challenge: how do we draw attention to these risks, which pose serious threats to businesses and individuals, without resorting to fear-mongering or continuing to beat the same proverbial dead horse? Vivid examples can go a long way, but cyber attacks are often invisible: rarely is there physical destruction to display as evidence, and on top of that, victims of cybercrime often don’t want to draw attention to their ordeals. Even when a compelling case study exists, it can be tough to deliver the message without coming across as preachy or paranoid.
Maybe we need a high-profile mascot, like Smokey Bear, or a celebrity to champion the cause (Steve Jobs? Bill Gates? The cast of MTV’s Jersey Shore? Just kidding on that last one). Or as Morgan O’Rourke suggests, maybe we just need to lead by example. The advent of social media has turned us into a world of online over-sharers: perhaps the first step is encouraging our friends/followers/connections to take responsibility for their own cyber security.
To beef up your own password security, check out the tips offered by Microsoft:
- Use 14 or more characters, including letters, numbers and punctuation (where possible).
- Run your password through an online security “checker” to test its strength.
- Avoid words that can be found in the dictionary – in any language – and sequences on the keyboard such as “12345” or “qwerty.”
That’s our Financial Services Practice Group’s “Two Cents” – have we motivated you to pick a more secure password? What do you think it will take to get the word out about cyber security?
To reach Kelly: