Breached Companies Improve Security Measures to Protect Consumers
Written by: Camille Puschautz | Fri, 07 Aug 2015 21:17:40 +0000
Mega-breaches at retailers, financial institutions, and healthcare organizations have become a part of everyday life. As a result, consumers have become more concerned about identity protection, and many organizations—particularly those that have fallen victim to a data breach already—have enhanced their security measures.
"Most companies understand the scope of how devastating these breaches are, and organizations across the board say they are working on new security practices," says Scott Schober, CEO of Berkeley Varitronics Systems Inc., a firm that provides design and consultation for the wireless telecommunications industry.
According to a study from the Ponemon Institute, security practitioners believe their organizations have made strides to improve security after major breaches. Here's how executives are looking to change the security norms in their companies.
Expand cybersecurity budgets
The amount of money that breached companies pay to cover damage and recovery can be astounding. Since Target's data breach in 2013, the retailer has spent nearly $158 million on breach-related expenses. The gross cost is even greater, but insurance has offset $90 million, according to the company.
Home Depot, which acknowledged a data breach in September 2014, has spent over $43 million in expenses related to the breach. And the Sony data breach has cost that company $15 million so far.
Many businesses and government organizations are expanding their security budgets up front, before they are hit by a breach. Nearly two-thirds of security experts who participated in the Ponemon study reported their organization has increased investment in cybersecurity, and a 2014 study from PricewaterhouseCoopers found that financial firms intend to increase their cybersecurity spending by $2 billion by 2016. Additionally, government spending on cybersecurity operations increased to $1.1 trillion in 2014.
Schober recommends that organizations direct their new funding toward a security audit, executed by a third party.
"It is money well spent if it can protect you from the major costs of a data breach," he says.
Improve payment tools and hire security personnel
In October 2014, President Barack Obama issued an executive order asking businesses to move to more secure payment methods. Breached organizations were among the first to lead the way.
Target and Home Depot committed to adopting EMV chip-and-PIN technology, which provides an extra layer of security for consumer credit cards. (EMV stands for Europay, MasterCard, and Visa.) Chip-and-PIN technology, used widely in Europe, is considered to be more secure than magnetic stripe technology, which is currently the most common payment card method.
Chip-and-PIN cards can be hacked, but it's more costly and more difficult than hacking magnetic stripe cards, Schober explains. The switch to chip-and-PIN will likely cost Target over $100 million because the process includes installing new terminals and changing the company's branded credit and debit cards, according to a company release.
According to a company press release, Home Depot has already adopted chip-and-PIN technology in 85,000 point-of-sale terminals in stores. The company has also implemented enhanced encryption of payment data in all U.S. stores. When a customer uses a debit or credit card to pay for merchandise, the enhanced encryption protection scrambles the information to make it unreadable and virtually useless to hackers, according to the company.
Executives also have recognized the need to hire more experienced personnel to help protect their data. Nearly three-fourths of respondents in the Ponemon study said that well-publicized mega-breaches led their organizations to provide tools and personnel to deal with data breaches.
"Many organizations count on their IT staff for security, and that's simply not appropriate," Schober says. He adds that having an executive-level individual is essential for security proficiency. For example, according to an April 2014 corporate press release, Target hired a new chief information officer and chief information security officer to oversee its security recovery.
"You need a point person whose sole responsibility is security," Schober says. "Spreading out the responsibility between several executives is a big mistake."
Bar third-party access
Companies have also tightened their security policies. Target's systems were hacked through network credentials stolen from a third-party vendor. Similarly, hackers accessed Home Depot's networks by stealing a password from a vendor. Limiting the access granted to vendors and contractors may help prevent this from occurring again.
Target has stopped allowing contractors to access its servers and is blocking network communications from vendors. The company also has implemented a process known as "whitelisting," in which only certain approved applications are permitted to communicate with registers and point-of-sale servers.
New cybersecurity advancements are essential, says Schober, because consumers can expect to see more big breaches in 2015, not fewer.
"We've just touched the tip of the iceberg," he says.