Computer data breaches covering passwords, user data and business data have moved from the exceptional to the commonplace: this year has seen breaches from the likes of The Racing Post, eBay, Obamacare, plus recent news that even Apple’s iCloud might have joined the list.
The steady increase in network-delivered computing and data capabilities is matched by both the growing amount of data companies collect on consumers and the volume of content we, as consumers, readily supply. Attackers, be they individuals, organised crime or state-backed groups, will find and exploit more holes and get access to more data. And the really scary bit comes as they learn to mine, analyse, correlate and exploit what has clearly become "big bad data".
The good news is that the Government, the public and businesses are more aware of IT security and related concerns than ever before. The bad news is that awareness is a result of breaches all around us.
The bad news, however, continues. Recent large-scale breaches in August, as documented by IT Governance UK, include a 4.5 million-record payment card breach at the American retailer Supervalu, the same number of user records from a US healthcare provider, some 220 million records on South Korean citizens from their friendly neighbourhood Government, and the not-yet-proven claim of 4.5 billion records held by a cadre of Russian hackers. It's pretty clear the situation is not improving.
The State of the Barn Door
The expected questions being repeated internationally across boardrooms and courtrooms typically cover two angles: "How do we stop it from happening?" and "Who should be held responsible?" A bonus question comes in the form of "How should they be punished?"
While the second and third questions may be important and necessary parts of the process, for the first question at least there is good news: we have access to ever increasing and improving methods to secure, encrypt, control and monitor our data. Most breaches can, in practice, be prevented.
The barn door needs to be closed. Since the horse that bolted is a virtual one, a copy of it is also still in the stable and still needs protecting. The time to act is now, even if a data breach has never occurred in your business.
Consider home fire insurance policies: it is pretty unlikely that a house on your street has burned down in recent years, but chances are that most houses on your street, yours included, are insured against fire. If we don't take that type of chance at home, why would your business take this type, and, just as importantly, why would your clients expect you to?
Small Business, Big Concerns
According to Worldpay (who process about 44% of the card transactions that occur in the UK), about three million cards were put at risk by breaches in 2013 alone. This is a staggering increase of over 1,500% on the previous year, with every sign that those numbers will continue to climb.
Adding little to consumer confidence is the fact that the recent Information Security Breaches Survey from the Department for Business, Innovation and Skills indicates that "almost 70% of companies were able to keep knowledge of their worst incident internal", although pending EU data protection legislation will change some of those reporting obligations.
Meanwhile, the PCI Compliance Report 2014 published by Verizon states that "organisations that are breached tend to be less compliant with the Payment Card Industry Data Security Standard (PCI DSS) than the average of organisations in our research" (for a concise overview of the standard, see the ServerChoice blog post Introducing... PCI DSS).
Worldpay has also recently expressed particular concern that while enterprise-level businesses are investing appropriately to strengthen their security measures, SMEs (who represent 60% of breached firms) have shown only marginal improvement.
Shared Risks, No Rewards
With payment card transactions remaining a prime target for attackers, the Verizon report continues: “in most cases, payment card data breaches are not a failure of security technology or of compliance with the PCI DSS standard, but rather a failure of the business to have implemented appropriate compliance mechanisms.”
So, with the responsibility and much of the risk remaining with the holders of the data (and any or all of their as-a-service partners), it is their job to ensure that all holes are plugged and all barn doors closed. Service providers are a clear part of the loop, but outsourcing a function does not outsource the obligation: PCI DSS still requires the business to manage and monitor the compliance of the providers it shares cardholder data with, and all businesses, small or large, share the same responsibilities and risks as regulation increases. And, in the event of a severe breach, the fines can be crippling: consider the 5% of annual turnover put forward in the 2014 draft of the EU's new data protection regulation.
Businesses need to consider both their clients and their reputations: they may hold the responsibility and be subject to those fines, but it is their client base that is put at risk. Today's consumers are regularly, and most often unknowingly, accepting personal risks at levels that financial institutions would consider unacceptable for themselves: after all, stolen credit card numbers can be cancelled, but stolen identities just keep on giving.
Find out more
If you’d like to better understand any exposure or risks to your business, ServerChoice are running a FREE PCI Awareness Workshop on 3rd December. Contact us today to find out more about the event, or to ask us about PCI consultancy and PCI-compliant cloud and colocation environments.