The Internet Society has proffered solutions to mitigate incidents of large-scale data breaches on the Internet in its recently released Global Internet Report 2016. The Society recommends, among others, that users should be put at the centre of solutions while costs to both users and organisations should be taken into account when assessing the consequences of data breaches.
The Internet Society, with the report, “seeks to increase awareness on the topic of data breaches and our collective responsibility to help secure the data ecosystem” and makes recommendations on how to reduce the number and impact of data breaches.
The Report notes that: “Data breaches are on the rise. The impact of data breaches on users – consumers, employees and organisations is profound and lasting, including significant financial and non-financial costs. Even worse, in many cases the data breach could have been prevented. And, even if it could not have been prevented, the harm could have been mitigated.”
The Internet Society also recommended increased transparency through data breach notifications and disclosure and added that data security must be a priority. It advocated that better tools and approaches should be made available and that organisations should be held to best practice standards when it comes to data security.
The Report noted that “the impact of data breaches on users – consumers, employees and organisations is profound and lasting, including significant financial and non-financial costs.” It regretted that in many cases the data breach could have been prevented and, even if it could not have been prevented, the harm could have been mitigated.
The Society asked some fundamental questions: Why are organisations not taking all available steps to protect those who entrust them with their personal information? Is it because they do not bear all the costs of the data breaches? Is it because there is not enough benefit to them in better protecting their users’ data?
It pointed out that “the ultimate casualty is trust in the Internet.”
The Report noted that data breaches are trending upwards and a growing number of people are impacted by data breaches.
It said that although surveys do not as yet indicate that reported data breaches are having a significant impact on non-users’ willingness to go online, as more users are impacted by data breaches, such as by having their identity stolen for profit, more users will hesitate to use online services requiring personal information.
The Report finds that organisations are spending more on prevention, which has not yet noticeably lowered the number of breaches, or the impact and cost of breaches when they do occur.
It highlighted some leading causes of data breaches and their impact on organisations and users, saying the numbers are staggering.
It provided case studies that show how easy some attacks are, but also how difficult it is for organisations to protect against all threats. It noted, however, that it is puzzling that many of these breaches exploited known vulnerabilities and were preventable.
The Report listed the market failures that govern investment in cybersecurity. The first it listed is that data breaches have externalities, meaning costs that are not accounted for by organisations.
Secondly, it added that even where investments are made, as a result of asymmetric information, it is difficult for organisations to convey the resulting level of cybersecurity to the rest of the ecosystem. It added that as a result, the incentive to invest in cybersecurity is limited and noted that organisations do not bear all the cost of failing to invest, and cannot fully benefit from having invested.
The Internet Society also recommended that organisations should be accountable for their breaches; that general rules regarding the assignment of liability and remediation of data breaches must be established up front; and urged increased incentives to invest in security by catalysing a market for trusted, independent assessment of data security measures.