Organizations are getting better at surviving data breaches, but the risks of experiencing a major incident are as high as ever.
"The trend we are seeing is more data breaches, but fewer overall records are being exposed," Mike Urban, director of financial crimes solutions at Fiserv Inc., tells PaymentsSource.
These days, being midsize seems the safest bet, as the danger lies in the extremes: large organizations are the juiciest targets for criminals, who also are attacking smaller organizations more often, experts say.
But large companies have made major strides in the past two years in protecting sensitive customer data, helping to limit the damage when criminals attack, Urban suggests. Criminals, in turn, have shifted their attention to smaller companies that tend to lack the budgets and personnel to erect strong barriers, potentially triggering more breaches at smaller organizations, he says.
"The 'megabreaches' we saw a few years ago with TJ Maxx (
That does not mean organizations can let down their guard.
Data-stealing malicious software and Trojan viruses climbed to new heights during the first half of last year, which portends more breaches this year as criminals craft new, ever-evolving versions of malware, the Anti-Phishing Working Group forecasts.
Large companies still present the richest opportunities for criminals because of the potential size of their databases, and the fallout from a breach is greater for such companies because headlines announcing the exposure involve familiar consumer brands.
Such publicity about major data breaches rose during the past few years after 45 U.S. states enacted laws requiring owners of databases to inform individuals of the data exposure.
The moment news surfaces about a major data breach affecting a famous brand name, consumers take note, Avivah Litan, Gartner vice president and distinguished analyst, tells PaymentsSource.
Citigroup Inc. experienced a major data breach in 2011 that generated significant publicity.
Other major attacks that registered with consumers as damaging last year included Sony Corp.’s PlayStation breach in April.
But the financial pain associated with such breaches is beginning to ease, new data suggest.
After generally rising for seven years, the average cost to organizations to take appropriate action after sensitive account data are exposed fell 9.3% last year, to $194 per exposed account from $214 in 2010, the results of a new study the Ponemon Institute LLC released this month show.
Based on an industry average of about 28,000 breached records per incident, the average total cost to an organization of coping with a data breach last year was $5.5 million, down 23.6% from $7.2 million a year earlier, Ponemon estimates in its 2011 Cost of Data Breach Study, which Symantec Corp. cosponsored. Symantec provides an array of Internet-security and fraud-detection services.
Traverse City, Mich.-based Ponemon during 2011 studied 49 companies in 14 industry sectors that experienced a serious data breach, interviewing key personnel about the direct and indirect costs of the incidents.
Direct costs to organizations in the wake of a data breach include notifying individuals of the data exposure, hiring forensics experts to investigate the breach's cause and remedy the situation, and providing customers with a hotline or other support and free credit-monitoring, the firm notes.
Indirect costs, which vary widely, can include loss of customers and reputational damage, the study report suggests.
For the first time since 2005, when Ponemon began studying the effects of data breaches, organizations said they experienced fewer customer defections following such events. As a result, the estimated cost of lost business resulting from a breach fell 33.7% last year, to $3.01 million from $4.54 million a year earlier, Ponemon says.
Customer turnover in the wake of a breach may be lower as companies are doing a better job communicating with consumers and reassuring them that they will not likely suffer direct losses as a result of the exposure, Urban suggests.
Some companies also are succeeding in minimizing direct losses by following the Payment Card Industry Data Security Standard, which requires companies handling payment card data to encrypt full credit card numbers or to avoid storing the entire number, so that an unauthorized exposure yields no usable card numbers.
Zappos Retail Inc. in January announced a breach that exposed certain data of 24 million customers, but the company said thieves stole only the last four digits of consumers’ credit card numbers, which sharply blunted losses.
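The truncation approach the article credits with blunting the Zappos losses is simple to implement and, more importantly, simple to audit. The following is an added example, not code from the article or from any company it names: it truncates a card number to its last four digits before storage and then scans a stored record for any full card number that slipped through, using a Luhn check to avoid flagging ordinary numbers. The card number and record contents are constructed sample values.

```python
import re

# Constructed sample values (not real customer data).
SAMPLE_PAN = "4111 1111 1111 1111"          # standard test card number, Luhn-valid
ORDER_NOTE_OK = "Order 48213 paid with card ending 1111, ref 2012-01-17"
ORDER_NOTE_BAD = "Order 48213 paid with card 4111111111111111 (CSR pasted full PAN)"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits of a card number for storage.

    Whitespace and dashes are stripped first so '4111 1111 ...' and
    '4111-1111-...' truncate identically. Raises ValueError on input that
    is not a plausible card number, so garbage is never silently stored.
    """
    digits = re.sub(r"[\s-]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
        raise ValueError("not a plausible card number")
    return digits[-4:]


def find_full_pans(text: str) -> list:
    """Return every 13-19 digit run in `text` that passes the Luhn check.

    Intended as a storage audit: run it over free-text fields, logs or
    exports to find full card numbers that should not have been retained.
    Requiring Luhn validity keeps order numbers and timestamps from
    triggering false positives.
    """
    candidates = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [c for c in candidates if luhn_valid(c)]


if __name__ == "__main__":
    print("stored value:", truncate_pan(SAMPLE_PAN))          # 1111
    print("clean record:", find_full_pans(ORDER_NOTE_OK))    # []
    print("leaky record:", find_full_pans(ORDER_NOTE_BAD))   # ['4111111111111111']
```

In practice `find_full_pans` would be run over database exports, application logs and support-ticket text, since those free-text channels are where full card numbers most often survive a policy that only truncates the dedicated card field.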
But most companies still fall short in bulwarking against attackers by failing to encrypt other types of sensitive customer data and by failing to implement sound internal procedures, Experian PLC’s Data Breach Resolution Group found in a study it conducted with Ponemon and released earlier this year.
Criminals are becoming increasingly adept at using general customer data, such as email addresses and transaction histories, to launch phishing scams to trick consumers into revealing payment card and bank account data, Urban notes.
Sixty percent of companies that experienced data breaches within the past two years failed to encrypt such sensitive customer information, suggests Experian's study of 725 IT professionals whose organizations experienced a significant breach in 2010 and 2011.
In light of the broad publicity about the high costs and reputational damage of breaches that expose customer identity and payment data, the widespread lack of data encryption is “dismaying,” Ozzie Fonseca, an Experian senior director, tells PaymentsSource.
Although encryption adds to organizations’ expenses, the cost of encrypting data “is significantly less expensive than it was even a decade ago and much easier to implement,” Fonseca says.
And while malicious outsiders were often at fault, Experian found that many companies could have prevented certain data breaches by tightening internal policies and properly training employees.
Where respondents said they knew the cause of the breach, 34% said it was the result of benign employee negligence. Other known causes included outsourcing data handling to a third party, cited by 19% of respondents; a malicious insider, 16%; an internal systems glitch, 11%; an external “cyber attack,” 7%; failure to shred confidential documents, 6%; loss of data during physical delivery, 5%; and unspecified reasons, 2%.
Organizations in the past few years have made significant progress in securing data and in training individuals to respond to data breaches, helping to reduce certain costs.
But as criminals turn up the heat, companies must take every precaution against new and ever-changing attack strategies.