Your Online Account May Have Been Breached? Don’t Just Sit There. Do Something. - Kanebridge News

Too many people respond with a shrug and maybe change their password. That’s asking for trouble.

By RAJENDRAN MURTHY
Thu, Sep 28, 2023 7:47am, 3 min

How do consumers respond when their online accounts are exposed to hackers? Many of them simply don’t.

Data breaches at major firms have become all too common, with more than 110 million user accounts exposed in just the second quarter of 2023. Yet our research found that nearly two-thirds of U.S. consumers would return to a site after they were notified of a breach—with only the bare minimum of precautions, like changing their passwords.

Almost a quarter of the roughly 200 people we surveyed said they would return to the compromised website with no changes to their behavior at all. Only 10% said they wouldn’t go back.

Even people who had cybersecurity training within the past 90 days—in other words, people who should be primed to protect themselves—took risks. In that subsequent study of roughly 500 people, over a quarter said they would return to the breached website while taking the absolute minimum security measures, and only about 9% would take more-complicated steps such as setting up two-factor authentication. And they would do that only if they experienced real financial consequences, like fraudulent charges on their credit cards.

Why wouldn’t people protect themselves? Many of the consumers we surveyed believed that there were few—if any—alternatives to the websites they used frequently, and all websites seemed to be affected by data breaches. Why bother beefing up security? Likewise, some people said they would stick with a compromised site because they had put so much time and effort into their presence on it—a classic sunk-cost fallacy.

Since doing nothing may put your finances and personal information at risk, what should you do in case of a breach? Based on my experience as a researcher in this domain and guided by input from customers recovering from data breaches, I recommend the following actions.

The first steps

Take each data-breach notification seriously. Immediately change passwords on the affected sites and sign up to follow the updates from the breached firm. This is also a good time to ensure your passwords are unique and not being used across several sites.

Find out what kind of breach it is. Some breaches violate your privacy—such as stealing your playlist or viewing preferences—but may not be as damaging as other hacks. So they may just require a simple password change on the affected site. Even the breach of encrypted password data, such as in the LastPass data breach, while serious, isn’t an immediate threat.

On the other hand, things like compromised credit-card numbers, financial data and personally identifiable information need stronger attention. Even seemingly innocuous breaches of social-media networks may reveal data that can be used to impersonate you and perhaps be used to invade the privacy of those around you. For instance, hackers might be able to figure out your “forgot password” questions on websites by learning where you grew up, the names of your pets and more.

The next steps

Set up push notifications for financial data. When you’re notified of data breaches that involve credit cards or payment information, review the transactions on the affected accounts, going back to the previous payment period. Whether or not there has been unusual activity, protect yourself by adding mobile push notifications for credit-card transactions—an option offered by most credit cards, online-payment mechanisms and banks. Most notifications happen in real time, so consumers affected by data breaches can quickly identify and contest improper charges.

Use free credit monitoring. Some credit cards and banking firms such as Discover and Chase provide free monitoring of consumer credit and provide monthly updates of noteworthy events and changes. Some go further and provide benefits such as removal of your personally identifiable information found on public sites, including data brokers. Using these services is an easy way to identify and report fraudulent activity, as well as protect against identity theft—so review this data regularly if your information has been exposed.

Enable dual-factor authentication on all of your accounts. This is a good practice in general but is especially important for anyone affected by data breaches. With dual-factor authentication, you enter your password as usual but then confirm your identity using a personal device, typically a mobile phone. This limits someone from logging into the account with a stolen password.

If your social-media platform has been breached

Along with enabling dual-factor authentication, there are a number of steps you should take in the event of a social-media breach.

First, change the password and log in with the new one. Check the login-activity page to see if anyone other than you has logged in, and then look for the option to delete all other active sessions—so every other device that is currently logged in is effectively logged out.

Also review all direct messages, posts, and comment activity on the account, and report anything suspicious. If it affects other people, let them know. Finally, pause or temporarily deactivate the account, if that is an option, to make it even tougher for hackers to get access.

Rajendran Murthy is the J. Warren McClure Research Professor of Marketing at the Rochester Institute of Technology’s Saunders College of Business.




Preparing for the Next Worldwide Tech Outage

CIOs can take steps now to reduce risks associated with today’s IT landscape

By BELLE LIN
Fri, Jul 26, 2024 3 min

As tech leaders race to bring Windows systems back online after Friday’s software update by cybersecurity company CrowdStrike crashed around 8.5 million machines worldwide, experts share with CIO Journal their takeaways for preparing for the next major information technology outage.

Be familiar with how vendors develop, test and release their software

IT leaders should hold vendors deeply integrated within IT systems, such as CrowdStrike, to a “very high standard” of development, release quality and assurance, said Neil MacDonald, a Gartner vice president.

“Any security vendor has a responsibility to do extensive regression testing on all versions of Windows before an update is rolled out,” he said.

That involves asking existing vendors to explain how they write software, what testing they do and whether customers may choose how quickly to roll out an update.

“Incidents like this remind all of us in the CIO community of the importance of ensuring availability, reliability and security by prioritizing guardrails such as deployment and testing procedures and practices,” said Amy Farrow, chief information officer of IT automation and security company Infoblox.

Re-evaluate how your firm accepts software updates from ‘trusted’ vendors

While automatically accepting software updates has become the norm—and a recommended security practice—the CrowdStrike outage is a reminder to take a pause, some CIOs said.

“We still should be doing the full testing of packages and upgrades and new features,” said Paul Davis, a field chief information security officer at software development platform maker JFrog. Though it’s not feasible to test every update, especially for as many as hundreds of software vendors, Davis said he makes it a priority to test software patches according to their potential severity and size.

Automation, and maybe even artificial intelligence-based IT tools, can help.

“Humans are not very good at catching errors in thousands of lines of code,” said Jack Hidary, chief executive of AI and quantum company SandboxAQ. “We need AI trained to look for the interdependence of new software updates with the existing stack of software.”
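A staged-rollout gate of the kind these CIOs describe, in which a vendor update must soak in a small ring and show no crashes before it reaches the wider fleet, as an added example that is not part of the article and not any vendor's code; the ring names, soak hours and crash-rate limit are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Rollout rings, smallest blast radius first (constructed names).
RINGS = ["canary", "pilot", "broad"]


@dataclass
class Update:
    vendor: str
    version: str
    severity: str        # vendor-stated urgency: "low", "medium", "high", "critical"
    size_kb: int
    kernel_level: bool   # component runs in kernel mode, so a fault can take the host down


@dataclass
class RingHealth:
    hosts: int           # hosts in the current ring that received the update
    crashed: int         # hosts reporting a crash or boot loop since the update
    hours_observed: float


def required_soak_hours(u: Update) -> float:
    """Soak time grows with the update's blast radius and size (constructed thresholds).

    Urgent security fixes move faster, but never skip the soak entirely.
    """
    hours = 2.0
    if u.kernel_level:
        hours += 24.0
    if u.size_kb > 10_000:
        hours += 6.0
    if u.severity in ("high", "critical"):
        hours = max(hours / 2, 1.0)
    return hours


def next_ring(u: Update, current: str, health: RingHealth,
              max_crash_rate: float = 0.001) -> Optional[str]:
    """Return the ring the update may advance to, the same ring to keep soaking,
    or None when the current ring's crash rate says to hold and investigate."""
    if health.hosts == 0:
        return None                      # nothing observed yet: do not promote on no data
    if health.crashed / health.hosts > max_crash_rate:
        return None                      # canary hosts are failing: stop the rollout
    if health.hours_observed < required_soak_hours(u):
        return current                   # healthy so far, but not soaked long enough
    idx = RINGS.index(current)
    return RINGS[idx + 1] if idx + 1 < len(RINGS) else current
```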

Develop a disaster recovery plan

An incident rendering Windows computers unusable is similar to a natural disaster with systems knocked offline, said Gartner’s MacDonald. That’s why businesses should consider natural disaster recovery plans for maintaining the resiliency of their operations.

One way to do that is to set up a “clean room,” or an environment isolated from other systems, to use to bring critical systems back online, according to Chirag Mehta, a cybersecurity analyst at Constellation Research.

Businesses should also hold tabletop exercises to simulate risk scenarios, including IT outages and potential cyber threats, Mehta said.

Companies that back up data regularly were likely less impacted by the CrowdStrike outage, according to Victor Zyamzin, chief business officer of security company Qrator Labs. “Another suggestion for companies, and we’ve been saying that again and again for decades, is that you should have some backup procedure applied, running and regularly tested,” he said.

Review vendor and insurance contracts

For any vendor with a significant impact on company operations, MacDonald said companies can review their contracts and look for clauses indicating the vendors must provide reliable and stable software.

“That’s where you may have an advantage to say, if an update causes an outage, is there a clause in the contract that would cover that?” he said.

If it doesn’t, tech leaders can aim to negotiate a discount serving as a form of compensation at renewal time, MacDonald added.

The outage also highlights the importance of insurance in providing companies with bottom-line protection against cyber risks, said Peter Halprin, a partner with law firm Haynes Boone focused on cyber insurance.

This coverage can include protection against business income losses, such as those associated with an outage, whether caused by the insured company or a service provider, Halprin said.

Weigh the advantages and disadvantages of the various platforms

The CrowdStrike update affected only devices running Microsoft Windows-based systems, prompting fresh questions over whether enterprises should rely on Windows computers.

CrowdStrike runs on Windows devices through access to the kernel, the part of an operating system containing a computer’s core functions. That’s not the same for Apple’s Mac operating system and Linux, which don’t allow the same level of access, said Mehta.

Some businesses have converted to Chromebooks, simple laptops developed by Alphabet-owned Google that run on the Chrome operating system. “Not all of them require deeper access to things,” Mehta said. “What are you doing on your laptop that actually requires Windows?”