Enterprises have so much data floating around in their networks these days and many can’t get their arms around it, much less isolate sensitive customer credit card data and secure it to prevent a breach.
According to this EiQ Networks survey, the biggest security nightmare that keeps IT pros, network and systems engineers awake at night is fear of an external breach for financial gain. Of 272 respondents from industry sectors such as health care, financial services, government and retail, 25 percent also admitted they wouldn’t know how long it would take their company to find the root cause of a security breach.
As more employees use their own smartphones and Internet-enabled tablets at work, corporate perimeters are also becoming increasingly porous and vulnerable to breaches. The EiQ study revealed that misuse by employees is considered the greatest risk facing enterprises today — yet 50 percent of security pros surveyed said they monitored less than a fourth of mobile devices in real time.
Similar findings are borne out by an ESG study and an Internet Security Threat survey by antivirus software vendor Symantec. The latter reported that 168 new vulnerabilities discovered in 2014 were on mobile operating systems.
Who are prime targets?
Small businesses have just as much to fear from online cyber threats as their large corporate counterparts. According to Symantec's 2013 report, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees, while 31 percent were targeted at businesses with 250 employees or less. Two years later, Symantec reported fewer "mega-breaches" but more businesses compromised, which supports the view that cyberattackers continue to go after smaller shops.
Although they may think they have nothing a cyber criminal would want to steal, small businesses make juicy attack targets because they often retain highly sensitive, unsecured customer information on their internal systems — including customer credit card data, and storing that data unsecured is a major violation of PCI compliance requirements.
Symantec also found that small businesses can become pawns in more sophisticated attacks when their unsecured websites are hijacked by criminals who lie in wait for other targets to visit so that they can infect them. This so-called “watering hole” attack is one popular way cybercrooks leverage a small business’ weak security defenses to disarm the strong security of another target. One such attack infected 500 organizations in a single day.
Hackers’ tactics and goals
Hackers have a built-in advantage when it comes to compromising data. They think day and night about how to invent and execute a clever attack and gravitate to pathways that offer the least resistance for the greatest payoff.
Many work for organized crime syndicates and are masters of social engineering, focusing on their victims with methodical precision by studying their digital personas on social media channels. They piece together bits of information to help them more easily penetrate weak systems and lure unsuspecting targets into clicking on links in seemingly genuine emails, unleashing malware that compromises computers or installs keystroke loggers to collect user login IDs, account data and other sensitive information.
Because many companies don’t have full-time security defense teams with the same intensity and focus on deterring attackers, the odds of a successful breach are in the criminal’s favor. Often, businesses don’t learn they’ve been the victim of cybercrime or credit card fraud until the damage has been done.
Cyberfraud has always been about hitting the big jackpot, and data breach horror stories abound whenever and wherever unsecured credit card data resides. The latest involves a massive global credit card fraud scheme by four Russians and a Ukrainian in what New Jersey’s U.S. Attorney called the largest hacking and data breach scheme ever prosecuted in the United States. The conspirators are accused of running a worldwide hacking operation that penetrated the computer networks of more than a dozen major U.S. and international corporations, stealing and selling at least 160 million credit card numbers, and causing at least $200 million in fraud-related losses.
Recent data breach damages
According to The Nilson Report, global card fraud losses totaled more than $14 billion in 2013 — jumping from about $11 billion in 2012. The United States is also the only country in the world where counterfeit card fraud continues to grow, with issuer losses accounting for more than 26 percent of global fraud losses in 2012. Because the U.S. leads the world in online sales, card-not-present fraud losses are also the highest. The report also notes that smaller merchants who don’t invest in fraud-fighting tools are particularly vulnerable.
Damage from a credit card breach can be catastrophic for businesses of every size. Financial costs often include lost business revenue; legal and regulatory fees; awards arising from lawsuits and fines imposed by the issuing card companies; time and money spent detecting, diagnosing and fixing the causes of the breach as well as alerting fraud victims that their personal information has been compromised. Other costs range from the loss of customer goodwill to negative publicity that damages a company’s brand.
Consider these sobering statistics:
2015 Cost of Data Breach Study from the Ponemon Institute:
- Total cost per data breach incident in the U.S. during fiscal year 2015: $6.5 million.
- Average cost of data breach per compromised record: $154.
- U.S. companies experience the most expensive data breach incidents: $217 per record.
- Mistakes made by people and system problems account for 54 percent of data breaches.
- Breach costs were substantially higher in heavily regulated sectors (particularly healthcare, finance and pharmaceutical) than other industries.
- Merchants are paying $3.08 in costs for each dollar of fraud losses they incur.
- Nearly one in three victims of identity fraud chose to avoid specific merchants after falling victim to fraud.
These reports and studies serve as powerful reminders of the importance of safeguarding customer card data wherever it’s stored. Businesses that accept or process credit card payments from customers online, in a store, by phone or by mail must comply with the 12 PCI-DSS requirements for securing this data; yet many firms still rely on outdated technology that doesn’t adequately protect card data, exposing their business, employees and customers to the risk of a breach. Even if merchants use state-of-the-art technologies to store the data internally, they need to minimize the points at which credit card data is handled, because the risks and impacts of a security breach could be devastating.
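A practical first step toward the "know where card data lives" point made above is a discovery scan: searching logs, exports and file shares for card numbers (PANs) sitting in the clear, and masking them where found. The following script is an added example written for this page, not code from the original post or from any PCI tool; it finds digit runs that pass the Luhn check and masks all but the first six and last four digits (the portion PCI DSS allows to be displayed). The sample log lines are constructed for the example, and the two card numbers in them are well-known public test numbers, not real accounts.

```python
"""Added example (not from the original post): find and mask unencrypted
card numbers (PANs) in free text such as application logs or data exports.

Storing full card numbers in the clear is exactly the exposure the post
warns about; a scan like this helps confirm whether such data is
lingering where it should not be. The regex and the masking rule are
assumptions for this example, not a standard or vendor implementation.
"""
import re
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, not glued to other digits or hyphens (avoids partial matches).
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip_separators(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid candidate PAN in text, as plain digit strings."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _strip_separators(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form.

    Digit runs that fail the Luhn check (tracking numbers, timestamps,
    phone numbers) are left untouched, which keeps false positives low.
    """
    def _sub(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = _strip_separators(raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return raw
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed sample log: two public test card numbers plus a 13-digit
# tracking number and a phone number that must NOT be treated as cards.
SAMPLE_LOG = """\
2015-08-01 10:02:11 order=48213 card=4111 1111 1111 1111 amount=59.90
2015-08-01 10:02:12 order=48214 card=5500-0000-0000-0004 amount=12.00
2015-08-01 10:02:13 order=48215 tracking=1234567890123 amount=8.50
2015-08-01 10:02:14 order=48216 phone=+1 555 0100 amount=3.25
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("unmasked PAN found:", mask_pan(pan))
    print(mask_pans(SAMPLE_LOG))
```

Run it against a real log directory by replacing `SAMPLE_LOG` with file contents; a non-empty result from `find_pans` is a finding to act on (remove the data, or route it through tokenization or encryption), and `mask_pans` is the safe form for storing a copy of the evidence. The Luhn check filters out most ordinary digit runs, but a 13-19 digit run that happens to pass it will still be flagged, so treat hits as candidates for review rather than proof.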
Editor's note: This post was originally published in October 2013 and has been updated in August 2015 with new statistics from more recent reports, to ensure accuracy and comprehensiveness of content on Paying It Safe.