Mega-chain or mom and pop bakery, hospital or community college – every organization, no matter its size or its industry, is at risk for a data breach. Not surprisingly, 2016 has already been a brisk year for breaches. The Identity Theft Resource Center (ITRC) reports that as of March 8th, there have been 139 data breaches with a whopping 4.3 million records exposed.
A recent survey by Advisen found that 80% of organizations polled are concerned about data breaches – which shows that companies are paying attention to the trends. However, 55% revealed that their own organizations are not equipped to detect a data breach or to handle the aftermath of a data breach. And the scariest fact of all – most organizations have experienced a data breach whether or not they know it.
It’s not a matter of if a breach will hit – it’s a matter of when – and organizations need to decide whether they will be proactive or reactive in their security measures.
Up to Three to Six Months to Detect a Breach?
An area that needs significant improvement is the time it takes to detect a breach. It can take up to 98 days for financial companies to detect a breach, and for retailers, it is even worse at 197 days.
“The business world can’t afford to have 70% of 80 million to 90 million cyber-attacks go undetected. With the increasing volume of cyber-attacks costing the global economy over $575 billion, it’s clear that cyber security measures must change. It won’t happen overnight, but the best first step is to learn the warning signs of a data breach to supplement your security investments.”
But believe it or not, detected warning signs can also slip through the cracks. An organization could have the most sophisticated security a network could hope for, yet fraud alerts can still go unnoticed or even be ignored. The Target data breach has become the textbook example not only of the fallout from a major data breach but, perhaps more importantly, of how these breaches can happen in the first place.
Prior to their breach, Target had some pretty impressive security protocols in place that would seem unbreakable. They had installed FireEye’s $1.5 million malware detection tool – the same tool used by the CIA and the Pentagon – and they had hired an offshore team to monitor their system 24/7, alerting headquarters to anything suspicious. As the hack on Target began, FireEye caught malicious activity in time, and the offshore security team did alert Target headquarters of the fraud attempt – but these alerts were ignored three times.
The subsequent results were disastrous and will go down in history as the first major example of how devastating a data breach can be. Fraudsters hacked into the networks of some 1,800 stores, and stole over $40 million in credit and debit cards as well as the contact information of 70 million Target customers.
A Proactive Defense Plan
TNW News recently shared several ways that organizations can become more proactive in securing their networks and preventing a breach.
- Don’t let your network become “static”: Hackers love it when networks don’t change, because they can study their strengths and weaknesses. “Move your data around, change the network design,” states TNW News.
- Avoid alarm fatigue: This is a bit like “crying wolf.” Companies may be used to alarms ringing for small things and so they ignore them. See the Target example above.
- Monitor for irrelevant information: Hackers will do homework on your company beforehand – who are your employees, what systems do you use, etc. But their information isn’t always up to date. Networks need to be on the lookout for the use of irrelevant information.
- Invest in cybersecurity training for employees: Employees are your first line of defense; train them to change their passwords and spot suspicious activity, such as phishing.
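The “irrelevant information” check from the list above, sketched as an added example that is not from TNW News or the original article: it flags log events that use an account or hostname after it was retired, and ranks sources that use several such identifiers. The log format, account names, hostnames and retirement dates are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed inventory: identifiers that were once valid but are now retired.
RETIRED_ACCOUNTS = {"jsmith": date(2015, 11, 30), "contractor01": date(2016, 1, 15)}
RETIRED_HOSTS = {"pos-legacy-01": date(2015, 12, 1)}

# Constructed log lines in a hypothetical "ts src= user= host= result=" format.
SAMPLE_LOG = """\
2016-03-01T09:12:44 src=10.20.1.15 user=adavis host=pos-store-114 result=ok
2016-03-01T09:13:02 src=203.0.113.7 user=jsmith host=vpn-gw-01 result=fail
2016-03-01T09:13:40 src=203.0.113.7 user=contractor01 host=pos-legacy-01 result=fail
2016-03-01T09:15:10 src=10.20.1.22 user=mlee host=pos-store-114 result=fail
2015-11-02T08:00:00 src=10.20.1.9 user=jsmith host=vpn-gw-01 result=ok
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) host=(\S+) result=(\S+)$")

def stale_references(log_text):
    """Return {source_ip: [(timestamp, kind, identifier), ...]} for events that
    use an account or host after the date it was retired."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ts, src, user, host, _result = m.groups()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date()
        if user in RETIRED_ACCOUNTS and day > RETIRED_ACCOUNTS[user]:
            hits[src].append((ts, "account", user))
        if host in RETIRED_HOSTS and day > RETIRED_HOSTS[host]:
            hits[src].append((ts, "host", host))
    return dict(hits)

def triage(hits):
    """Rank sources: several distinct stale identifiers from one source is a
    stronger sign of outdated reconnaissance than a single mistyped name."""
    ranked = []
    for src, events in hits.items():
        distinct = {ident for _, _, ident in events}
        severity = "high" if len(distinct) >= 2 else "review"
        ranked.append((src, severity, sorted(distinct)))
    return sorted(ranked, key=lambda r: (r[1] != "high", r[0]))

if __name__ == "__main__":
    for src, severity, idents in triage(stale_references(SAMPLE_LOG)):
        print(f"{severity:6} {src} used retired identifiers: {', '.join(idents)}")
```

The November 2015 `jsmith` login is not flagged because it predates that account's retirement; only later use counts as stale.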
Since the breach, Target has become an advocate for cybersecurity, changing tens of thousands of passwords, installing new point-of-sale (POS) systems, and spending millions on the adoption of EMV technology to authenticate credit cards in the card-present environment.
But as Bluefin, the PCI SSC and other security experts have discussed before, EMV solves just one part of the problem, which is authenticating the card itself. Encrypting credit card data, both data in transit and data that needs to be stored (in the case of recurring billing, for example), is essential for any company that accepts credit and debit card payments. For data in transit, P2PE is the answer, with tokenization being the solution for stored data.
Security expert Brian Krebs wrote for the Guardian in May 2014 on where companies were choosing to spend their cybersecurity dollar – what was important and what was not.
“There is an easy fix: if Target or Wal-mart adopted end-to-end encryption, the incentive for fraudsters to target payment terminals at all would be effectively removed, instantly,” states Krebs. “The data gets encrypted, and hackers have to go somewhere else – the bank or a processor – for a shot at your information. But there has been far too little discussion in the retail industry about adopting this additional security protection – mostly because it’s much more costly to justify the expense in the short run.”
But we all know there is no one silver bullet for security, whether it is networks, firewalls, authentication or encryption technology. Being proactive, aware and adept at change is key.