Much has been written about the Equifax data breach, including a Take On Payments piece several weeks ago. Since the announcement of the breach in early September, my LinkedIn timeline has been filled with articles and messages from sales and development professionals claiming that their technologies and solutions could have prevented the Equifax breach. Unfortunately, the weakest leak isn't a technology problem or issue. It is, and will continue to be, the human element.
Before I hear from the sales and development professionals I just referred to, let me say that I believe that technology does play an important role in mitigating data breaches. For example, statistics show that homes equipped with a security system—"hard targets"—are significantly less likely to be burglarized than homes without them—"soft targets." I suspect the same is true for companies and data breaches in that those who do a better job of securing their data with technology are harder targets than those who do not. However, technology is only one aspect of preventing data breaches—which brings us back to the human element.
We are the weakest link. We architect and program security systems with flaws. We fail to properly update software or install patches on a timely basis. We open suspicious attachments on emails. We sometimes visit dubious websites and click on suspicious ads or links. We divulge too much information over social media. We share sensitive information with people we think we know and who we think are friendly. And we are mistake- and accident-prone. Education does and will continue to help, but humans will continue to make mistakes and be accident-prone, thus data breaches will remain an ongoing problem.
The late, great musician Tom Petty said, "Music is probably the only real magic I have encountered in my life. There's not some trick involved with it. It's pure and it's real." While Petty's remark that music is probably the only real magic is debatable, there is no debating that data breach prevention has no magic bullet. Educating people remains critical, but, as is all too often the case, education also ends up falling short. As a risk expert, I really wish that I had the answer to preventing data breaches. Unfortunately, human actions trump any answers that I might have. Given the grim outlook for data breaches, it is imperative for companies and individuals to have a plan in place to minimize the damage when a data breach occurs.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed