Why There Will Be Another Major Data Breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 26 Feb 2014 18:55:38 -0700
The storm of consumer-focused data breaches started off as intermittent
downpours -- Choicepoint, TJ Maxx, SONY, LinkedIn, Twitter, Adobe Systems --
and is now a torrent: Target, Neiman Marcus, Kickstarter, White Lodging,
the Sands Casino, and now everyone who's attended or worked at the
University of Maryland since 1998. In each case, hackers weren't after the
company's intellectual property or trade secrets: they were after your
information, because it's the key to your money.
In fact, though it's been widely reported that the Target breach cost $240
million so far, that amount doesn't take into account the fraudulent
charges individuals had to fight and is itself split among the many
financial institutions whose customers were affected by the breach.
Meanwhile, Target said in January that it expected to lose only 2-6% of
sales over last year, and only in the first quarter.
That is why these breaches are just going to keep happening: in the absence
of laws or regulations forcing all companies to protect your data (and your
money) better, companies simply aren't going to lose enough money in a data
breach to "justify" the costs of better security.
Meanwhile, all of us will end up paying more to offset the costs of these
breaches, in terms of higher account fees, lower service levels and the
like. But better laws requiring companies to protect the customer data they
use, collect and store do not appear to be coming your way any time soon.
Deep in the midst of this current and ongoing cyberinsecurity epidemic, the
White House issued its long-awaited "guidelines" for cybersecurity and
critical infrastructure last week. In the document, its authors wrote:
Similar to financial and reputational risk, cyber security risk affects a
company's bottom line. It can drive up costs and impact revenue. It can
harm an organization's ability to innovate and to gain and maintain
Why might a document laying out guidelines and best practices have to
remind its readers and target audience that there are serious costs to bad
cybersecurity practices? Because the guidelines have no force of law and no
incentives to encourage companies to comply -- and the Administration says
it has no plans to track if or how anyone even bothers to comply with the
It's not like these companies don't know what best data security practices
are -- reports indicate that at least one Target employee raised alarms
before Black Friday last year -- and it's not like there aren't a plethora
of other companies who would help them if they don't have the internal
resources. But updating systems, doing regular information security checks
and focusing on employee training can be time-consuming and expensive.
But when the costs of any one data breach are shared by so many companies
and individuals, the cost of rigorous data security to any one company
might well be more than what it stands to lose in a given breach. We see
this with the slow roll-out of more secure chip-and-pin cards, which are
broadly used elsewhere in the world but won't be widely available in the
U.S. until after 2015: it's an (increasingly) expensive system to
implement, and no one entity pays enough because of the fraud the old
system encourages to bother going first.
Cybersecurity is fast becoming a classic market failure: the costs of
protection thus far outweigh the potential costs of a breach. But unlike
most other classic examples of market failures -- education and
environmental protection, to name two -- the government seemingly has no
appetite to step in and resolve the market problem with laws, regulations
or even tax incentives. Instead, they're stuck reminding companies how
costly a breach could eventually be.
So the next time you hear about a data breach -- and with recent history as
a guide, that'll be fairly soon -- and you wonder why this keeps happening,
just remember that it all comes down to money: yours (that the criminals
want), and the cold hard cash that some corporations and institutions
haven't spent to keep your information secure.
If you're worried about data breaches leading to identity theft, you can
monitor your credit for free using the Credit Report Card, a tool that
updates two of your credit scores every month. A large, unexpected change
in your scores could signal identity theft and you should pull your credit
reports immediately (you can do this for free once a year at each of the
major credit bureaus).
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/