What Did We Learn in Data Security in 2014?
We learned that 2014 was the year of the data breach, with over 761 data breaches exposing hundreds of millions of records. Target, Home Depot, UC Berkeley, JP Morgan: the list of high-profile organizations that were compromised goes on and on. Unfortunately, the consistent theme across the breaches was the same: poor data security practices and simple mistakes. Are we doomed to repeat the mistakes of 2014? It is time to change your attitude toward data security and avoid the mistakes of yesteryear.
The Data Breach Epidemic is Expensive
Interestingly, many are calling 2014 the year of security breach awareness rather than the year of the data breach, because the legal repercussions for hackers are small and usually non-existent, while the cost in damages to the victims of a data breach is massive. A survey by the Ponemon Institute revealed that in 2014 the average cost of a cyber-attack was $20.8 million for a company in the financial services sector and $8.6 million for a retail store. The expense of data breaches has led all US banks to mandate EMV payment acceptance for all retailers. Plain and simple, banks are tired of paying for fraud. Therefore, any company accepting credit cards is on the clock to convert its POS to EMV by October 15, or it assumes all payment fraud liability.
Will We Learn from Our Mistakes? Data Security Requires Discipline
Considering that Insider & Privilege Misuse, Web App Attacks, Crimeware, and Physical Theft are the leading culprits for data breaches, organizations have a clear understanding of the threats they face. So many of these threats are completely avoidable. The glaringly obvious culprit is insider and privilege misuse. Staying consistently on task with internal data management is a hassle, but mandating that your data management procedures are strictly enforced naturally produces effective oversight. This will drastically reduce the simple errors that have been made repeatedly in the world’s largest breaches.
PCI Noncompliance Common Among Companies Who Suffer Data Breaches
PCI compliance is an ever-increasing challenge that all companies handling payment card data have to adopt. As a former QSA for the PCI Security Standards Council, I can tell you that too many large organizations are not as concerned with PCI as they should be. Compliance is expensive and can be very labor intensive. However, answering umpteen questions about processes and having a QSA make your life miserable for a few weeks is well worth it. Staying compliant means you are doing everything in your power to make sure that sensitive data is secured. Look at these costs as insurance for your company!
Further evidence comes from Verizon Enterprise Solutions, which is finishing its annual 2015 PCI Report: early results show that every company breached was not in compliance at the time of the breach. Correlation? I think so. Verizon went on to add that companies consistently fell out of compliance once they achieved it. What that says to me is that, again, the cost and complexity of PCI compliance is a deterrent, and it just can’t be. As the decision maker for your security strategy, know that remaining PCI compliant is much, much cheaper than a data breach. One breached record costs over $200 to recover, and most breaches involve thousands of records or more. That is not to mention a hit on stock price, lost sales, lost customer trust, and a litany of other costly breach-related side effects.
Lessons Learned, Now What?
Cyber-criminals are going to continue to attack, and as last year showed us, there is no industry, company, or piece of data that is safe. Any organization storing sensitive data is a target. Compliance and locking down your data environment are paramount for organizations as we head into the next generation of data sharing.
PCI compliance is a hassle and it is expensive, but it significantly lowers your risk of a data breach. Data security is more about risk avoidance and getting toxic data out of your environment. We have learned that beefed-up data security budgets are much cheaper than a breach. Moreover, 2015 should be a year with a much more specific focus on getting rid of toxic data.