Midsize Retailers Least At Risk For Breaches

Companies are getting better at recovering from data breaches, but the risks of a major incident remain as high as ever.


“The trend we are seeing is more data breaches, but fewer overall records are being exposed,” Mike Urban, Fiserv Inc. director of financial crimes solutions, tells ISO&Agent Weekly.

These days, midsize companies seem safest because the danger lies at the extremes: large organizations present the juiciest targets for criminals, and small companies often seem like the easiest prey, experts say.

But large companies have made major strides the past two years toward protecting sensitive customer data, helping to limit the damage when criminals attack, Urban suggests. Criminals, in turn, have focused their attention on smaller companies that lack the budgets and personnel to erect strong barriers, triggering more breaches at smaller organizations, he says.

“The ‘megabreaches’ we saw a few years ago with TJ Maxx and Heartland brought a big crackdown that has caused hackers to shift their focus to smaller organizations with less protection, where they may succeed but grab a smaller number of records,” he says.

That does not mean other organizations can let down their guard.

Data-stealing malware and Trojans climbed to new heights during the first half of last year, which portends more breaches this year as criminals craft new versions of malware, the Anti-Phishing Working Group forecasts.

Large companies still present the richest opportunities for criminals because of the potential size of their databases, while the perils of breaches are higher for such companies when headlines announce breaches involving familiar consumer brands.

Such publicity about major data breaches rose during the past few years after 45 states enacted laws requiring owners of databases to inform victims of the exposure.

The moment news surfaces about a major data breach affecting a famous brand name, consumers take note, says Avivah Litan, a Gartner vice president.

Citigroup Inc. experienced a major data breach in 2011 that generated significant publicity. It caused consumers to rank it first among companies whose data breaches they considered “most damaging” during the previous year in an online poll Gartner conducted in August involving 3,000 adults.

But the financial pain associated with such breaches is beginning to ease, new data suggest.

After generally rising for seven years, the average cost to take appropriate action after sensitive account data are exposed fell 9.3% last year, to $194 per exposed account from $214 in 2010, the results of a new study the Ponemon Institute LLC released this month show.

Based on an industry average of about 28,000 breached records per incident, the average total cost of coping with a data breach last year was $5.5 million, down 23.6% from $7.2 million a year earlier, Ponemon estimates in its 2011 Cost of Data Breach Study, which Symantec Corp. cosponsored. Symantec provides an array of Internet-security and fraud-detection services.

Traverse City, Mich.-based Ponemon during 2011 studied 49 companies in 14 industries that experienced a serious data breach, interviewing personnel about the direct and indirect costs of the incidents.

Direct costs to organizations in the wake of a data breach include notifying individuals of the exposure, hiring forensics experts to investigate the breach’s cause and remedy the situation, and providing customers with a hotline or other support, and free credit-monitoring, the firm notes.

Indirect costs, which vary widely, can include lost customers and a damaged reputation, the study report suggests.

For the first time since 2005, when Ponemon began studying the effects of data breaches, companies said they experienced fewer customer defections following such events. As a result, the estimated cost of lost business resulting from a breach fell 33.7% last year, to $3.01 million from $4.54 million a year earlier, Ponemon says.

Customer turnover in the wake of a breach may be declining because companies are doing a better job of communicating with consumers and reassuring them they will not suffer direct losses as a result of the exposure, Urban suggests.

Some companies also are minimizing direct losses by following the Payment Card Industry Data Security Standard, which requires companies handling card data to render stored card numbers unreadable, by encryption, truncation or tokenization, or not to store the full number at all.

Zappos Retail Inc. in January announced a breach that exposed data of 24 million customers, but the company said thieves stole only the last four digits of consumers’ credit card numbers, which sharply blunted losses.
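The following is an added example, not code from the article or from any company it names, showing the storage discipline the two preceding paragraphs describe: a card record keeps only the last four digits plus a keyed token, so a dump of the table exposes no full account number. It also shows why an unkeyed hash does not count as "unreadable". The card number is the standard constructed test value 4111 1111 1111 1111, and the token key is a hypothetical secret that in practice would live in an HSM or separate tokenization service.

```python
"""Store truncated PAN + keyed token instead of the full card number.

Added example (not from the article). TEST_PAN is a constructed test
value; TOKEN_KEY is a hypothetical secret that must never sit beside
the card table in production.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

TEST_PAN = "4111111111111111"                      # constructed, Luhn-valid
TOKEN_KEY = b"hypothetical-32-byte-token-key!!"   # assumption: out-of-band


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: reject malformed input before storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str, keep_last: int = 4) -> str:
    """Truncation as in the Zappos case: only the last four digits survive."""
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


def token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """HMAC-SHA256 surrogate: lets the merchant link repeat purchases
    without keeping the PAN, and is useless to a thief who dumps the
    table but not the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    masked: str
    token: str


def store(pan: str) -> StoredCard:
    """The only fields that ever reach the database."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return StoredCard(truncate(pan), token(pan))


def record_leaks_pan(rec: StoredCard, pan: str) -> bool:
    """Check to run against a dump: does any stored field hold the full PAN?"""
    return any(pan in field for field in (rec.masked, rec.token))


def unkeyed_hash(pan: str) -> str:
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_from_unkeyed_hash(digest: str, bin8: str, last4: str,
                              length: int = 16) -> Optional[str]:
    """Why a plain hash is not 'unreadable': with the BIN (8 digits under
    ISO/IEC 7812:2017) and the stored last four known, a 16-digit PAN has
    only 10**4 candidates. A 6-digit BIN leaves 10**6, still seconds."""
    middle = length - len(bin8) - len(last4)
    for n in range(10 ** middle):
        cand = f"{bin8}{n:0{middle}d}{last4}"
        if luhn_valid(cand) and unkeyed_hash(cand) == digest:
            return cand
    return None


if __name__ == "__main__":
    rec = store(TEST_PAN)
    print("stored:", rec)
    print("full PAN in record:", record_leaks_pan(rec, TEST_PAN))
    print("unkeyed hash recovered:",
          recover_from_unkeyed_hash(unkeyed_hash(TEST_PAN), "41111111", "1111"))
```

The deterministic HMAC token is a design trade-off: it lets the merchant recognise a returning card, but anyone who obtains both the table and the key can brute-force the small PAN space exactly as the unkeyed case shows, so the key must be held in a separate trust boundary.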

But most companies still fall short in defending against attackers by failing to encrypt other types of customer data and to follow sound internal procedures, Experian PLC’s Data Breach Resolution Group found in a study conducted with Ponemon and released early this year.

Criminals are becoming increasingly adept at using general customer data, such as email addresses and transaction histories, to launch phishing scams to trick consumers into revealing payment card and bank account data, Urban notes.

Sixty percent of companies that experienced data breaches in the past two years failed to encrypt such information, suggests Experian’s study of 725 IT professionals whose organizations experienced a significant breach in 2010 and 2011.

In light of the broad publicity about the high costs and damaged reputations of breaches, the widespread lack of data encryption is “dismaying,” says Ozzie Fonseca, an Experian senior director.

Although encryption adds to expenses, the cost of encrypting data “is significantly less expensive than it was even a decade ago and much easier,” Fonseca says.

And while malicious outsiders were often at fault, Experian found many companies could prevent breaches by tightening internal policies and training employees.

Among respondents who knew the cause of the breach, 34% said it resulted from employee negligence. Other causes included outsourcing data handling to a third party, cited by 19% of respondents; a malicious insider, 16%; an internal systems glitch, 11%; an external “cyber attack,” 7%; failure to shred confidential documents, 6%; loss of data during physical delivery, 5%; and unspecified reasons, 2%.

In the past few years many companies have made significant progress in securing data and in training workers to respond to data breaches, helping to reduce certain costs.

But as criminals turn up the heat, companies must take every precaution against ever-changing attack strategies.

