Looking back on 2017 thus far, it seems not a week has gone by without another security breach making headlines. Most recently, news of the Equifax, Deloitte and Securities and Exchange Commission (SEC) breaches has made waves. Hopefully, this trend is raising alarms among corporations throughout the world—they could be next. Often by the time a company reports there has been a breach, it has been occurring for months. With the growing frequency and scale of these breaches, people should take serious precautions to ensure the security of their personal information.
While organizations have several resources at their disposal to address and prevent breaches, what can individuals do? Many tips that have been recommended for years, such as using strong and unique passwords, are often neglected. In fact, each time a new list of hacked passwords is released, easy-to-guess passwords like 123456 are among the most frequently used.
Rather than provide a laundry list of precautions, I advocate a cyclical approach that individuals and organizations alike can follow to proactively protect online information.
The first step is to identify the assets that need to be protected, the ways in which these assets can be protected, and what will be done should the assets become compromised. As part of this process, you should determine how best to respond to each of the risks identified. The options are risk reduction (implementing safeguards that lower the likelihood or impact of the risk), risk acceptance (deciding that a risk is so unlikely, or its consequences so inexpensive, that it is acceptable), risk transference (buying insurance), and risk avoidance (giving up a behavior or piece of software that would expose you to the risk).
Let’s say, for example, you identified banking information as an asset to protect. In order to protect this information, you plan to reduce your risk by creating a strong, unique password that is used for this account only, and by only accessing the account from your personal internet at home. You also decide to purchase identity theft insurance as a means to transfer the costs of recovering any compromised asset(s) to the insurer. Finally, you make plans to immediately contact your bank should you notice that your information is compromised and to work with your identity theft insurance provider for remediation.
During the prepare phase, you identified several means to protect your assets from various threats. Next steps include installing the software needed to reduce risk, purchasing insurance to transfer the risk, or ending behaviors to avoid the risk. In the example above, you would visit your bank’s website from your home computer and set a strong, unique password. You would also find an identity theft insurer and purchase a policy from them.
Even with the best protections in place, a security breach is bound to happen and will require you to react. As in the case of Equifax, it may be that there was nothing you could have done to prevent the compromise. However, personal information is still exposed and requires some sort of action. Refer back to the steps you identified in the preparation phase.
Further, it is possible that something happens as a result of the ever-changing information security landscape or due to lack of planning and preparation. In this case, it is still necessary to respond to ensure any damage from a breach is mitigated.
Finally, because this is a cycle, it is necessary to revisit the preparation stage. Whether done as a reaction to an incident or because new information comes to light that suggests new protection practices are needed, it’s important to revisit your plan on a regular basis. As you come full circle, it’s a good idea to ask yourself these questions: 1) What have I learned since the last time I planned that I need to address? 2) How well are my protection mechanisms working? 3) How well has my preparation to react to breaches worked?
By regularly following a Prepare, Protect and Respond cycle, you can move from being a passive protector of your data assets to an active protector. By not taking a “set and forget” approach to security, you make it more difficult for attackers to gain access to your personal information.
Robert E. Crossler, an assistant professor of information systems, joined the Management, Information Systems & Entrepreneurship Department in the Carson College of Business at Washington State University in July 2016. He obtained his bachelor’s degree in information systems from the University of Idaho and his PhD in accounting and information systems from Virginia Tech. His primary teaching interests are in the area of data, database management, and information security. Crossler’s award-winning information privacy and security research has been published in top industry journals such as MIS Quarterly, Information Systems Journal and Decision Support Systems. His research in information privacy was recognized by the INFORMS Information Systems Society with their 2013 Design Science Award. His research in information security was recognized by The DATA BASE for Advances in Information Systems as paper of the year in 2014 and by the Journal of Information Systems with its inaugural “Best Paper” award in 2017.