The high costs and reputational damage caused when breaches expose sensitive customer information appear to be having little effect in persuading many companies to protect their data.
Sixty percent of companies that experienced data breaches within the past two years failed to encrypt sensitive customer information, a recent study by Experian PLC’s Data Breach Resolution Group and think tank Ponemon Institute LLC suggests.
And while malicious outsiders often are stalking organizations for opportunities to steal customer data, including identity credentials and credit and debit card account information, using basic data-security policies and training employees properly likely could prevent many future breaches, the study’s authors suggest.
To explore the triggers and reactions to recent data breaches, Experian and think tank Ponemon Institute jointly surveyed 725 IT professionals whose organizations experienced a significant breach in 2010 and 2011. Experian and Ponemon conducted the online survey in November and December last year.
Asked to focus on a specific data breach, 60% of respondents said the data exposed were not encrypted, 24% said the data were encrypted and 16% were unsure. Exposed data included customer passwords or PINs, cited by 48% of respondents; credit or bank account information, 45%; credit or payment-history information, 41%; Social Security numbers, 33%; and driver’s license numbers, 29%.
In light of the broad publicity about the high costs and reputational damage of breaches that expose customer identity and payment data, the widespread lack of data encryption is “dismaying,” Ozzie Fonseca, senior director of Experian’s Data Breach Resolution Group, tells PaymentsSource.
Where respondents said they knew the cause of the breach, 34% said it was the result of benign employee negligence. Other known causes included outsourcing data-handling to a third party, cited by 19% of respondents; a malicious insider, 16%; an internal systems glitch, 11%; an external “cyber attack,” 7%; failure to shred confidential documents, 6%; loss of data during physical delivery, 5%; and unspecified reasons, 2%.
Half of respondents cited lost productivity as the biggest damage the breach caused, followed by a loss of customer loyalty, 44%; legal action, 34%; unfavorable media coverage, 30%; customer turnover, 28%; and a decline in the company’s share price, 25%.
Asked to identify the top threats to organizations’ data security, 66% of respondents pointed to negligent or temporary employees and contractors, and 53% indicated negligent third parties, including vendors and outsourcers, as a top risk.
Forty-five percent of respondents said “missing equipment,” including portable devices, was a top risk to data security, while 25% listed social media and 23% cited “missing backup media” as top risks.
Asked what their organization is doing to address these vulnerabilities, 63% of respondents said they were conducting employee training and awareness programs, compared with 54% who said so in a similar study Experian and the Ponemon Institute conducted in 2007. More than half, or 56%, of respondents were “controlling endpoints to the organization’s systems,” compared with only 35% who were doing so four years earlier.
Some 43% of organizations said they were hiring in-house personnel to lead data-protection efforts, compared with only 26% who said so in 2007, and 39% were conducting data-breach post-mortems, up from 21%.
In the wake of a breach, 49% of respondents said their organizations were limiting the amount of personal data they collect, 48% said they were limiting data-sharing with third parties, and 42% were limiting the amount of data the organization stores.
Some 61% of respondents said their organizations increased their security budget after the breach, and 28% hired additional technology staff.
The fact that 60% of respondents involved in breaches reported their data were not encrypted is a bad sign, Fonseca says. “Encryption is now widely accepted as a best practice,” he notes.
Although encryption adds to organizations’ expenses, the cost of encrypting data “is significantly less expensive than it was even a decade ago and much easier to implement,” Fonseca says.
On the plus side, growing awareness and publicity about data breaches may be helping to stanch the tide, he suggests.
“Overall, I think the total number of data breaches is not spiking, and organizations are increasingly taking steps to prevent them. Companies just have so many competing priorities that it takes time,” Fonseca says.