Lax security culture is endemic

LulzSec spun out of Anonymous, and then spun back in again, continuing to make high-level, headline-grabbing attacks.

This week they threaten the Met’s computer systems and those controlled by the UK judicial system in support of Julian Assange; in the US they’ve released the details of 90,000 US troops, hacked out of the defence and government-systems consultancy Booz Allen Hamilton. Monsanto has been struck, and under threat are Exxon Mobil, ConocoPhillips, Canadian Oil Sands, Imperial Oil and Royal Bank of Scotland.

It was the massive Sony PlayStation attack in April - by hackers who haven’t put their hands up - which should have shocked businesses into action by now. Although I don’t think it has. The details of more than 75 million customers were accessed, and then in June LulzSec claimed to have hacked Sony again - finding all the customer data still un-encrypted.

I continue to speak of my outrage that months after Sony’s first attack, customer data remained un-encrypted… the idea of blue chip companies failing to employ the most basic protection is a cause for despair.

As I see it there are two deadly sins in IT security. Yes, only two, and yet they cause so much distress - so why don’t businesses buck up their ideas?

1: The deadly sin of negligence

I would go so far as to say a lax corporate culture towards security is endemic, and the research backs me up, showing that negligence remains the most common threat to security. Just this month the Information Commissioner Christopher Graham was forced to tell the NHS that human error is not an excuse, saying, “recent incidents such as the loss of laptops at NHS North Central London (containing the medical records of over 8 million people) … suggest that the security of data remains a systemic problem.” I agree with him, across the breadth of all organisations.

Studies show that restricting access to card data is the most important Payment Card Industry Data Security Standard (PCI DSS) requirement, but also the most difficult to achieve. At Vindicia, along with the sorts of measures you’d expect, like hiring white hats to try to break into our systems, we go so far as to hire experts to simulate social engineering efforts by pretending to deliver pizzas, meet friends, whatever it takes.

Experts agree the preferred preventative measure is training and awareness programmes. Not just clever technical solutions, but a plain acknowledgement that people, properly trained, are able to stop mistakes from happening. Having said that, of course, the second most popular preventative measure - and it’s a pretty close second - is the expanded use of encryption. Sony, please make a note of this.

2: The deadly sin of cost cutting

More than half of merchants are not proactively managing data privacy and security, and this is probably connected to another research finding - that more than half of businesses are overwhelmed by the cost of PCI DSS compliance.

The costs can be high - for the largest merchants, in Tier 1, annual PCI DSS audit costs average £140,000 a year. That’s excluding technology, operating, and staff costs. And 10 per cent of these businesses are spending £300,000 or more annually on PCI auditors.

This is a lot, but has to be weighed against the escalating cost of breaches. While the most common cause of breaches is negligence, the most expensive cause of breaches is malicious or criminal attacks - those costs have rocketed to an average of £200 per compromised record.

So let’s really look at the costs involved here. Last year, the most expensive data breach cost a company £22 million to resolve. The average cost of a data breach increased to £4.5 million per company - an average of £130 per compromised record (that’s taking into account all the causes, including negligence and malicious or criminal attacks).

Interestingly, the highest proportion of this cost - 39% - is in lost business. The customer leaves. Ouch. To put that in context, just 9% of the breach cost is attributed to customer acquisition efforts. One per cent goes towards a fee or discounted service to the customer and just one per cent again to public relations or communications regarding the breach.

So, how is it worth risking an average data breach cost of £4.5 million to your company by shirking the auditing cost of £140,000? Particularly knowing that the bulk of this cost is in lost business? It simply is not.

Posted by Sanjay Sarathy

Sanjay is chief marketing officer at Vindicia, whose Software as a Service products integrate marketing into billing platforms and provide Tier 1 PCI DSS compliance to clients, protecting the details of 70 million customers.

The reports referred to are:
2010 Annual Study: U.S. Cost of a Data Breach
PCI DSS Trends 2010: QSA Insights Report
