Can You Afford to Lose Customer Data?
I noticed a recent article about additional fines levied on ChoicePoint. They were fined for a second security breach that occurred four years after the original intrusion. This may be an extreme case, but it is a sobering reminder of the importance of proactive security.
As you may recall, ChoicePoint became a poster child for data loss when a 2004 breach was discovered. They struggled for years as the fines piled up and subsequently sold themselves off piecemeal, with Reed Elsevier retaining the ChoicePoint name. However, the story is not as important to me as the company they keep.
Nowadays, whenever someone writes about data breaches, they inevitably mention three names: ChoicePoint, TJX, and Heartland Payment Systems. This continual rehashing of past mistakes does lasting harm to the brands those companies spent years building. There is a lesson in that for every company that must make a claim about security.
If you are talking to your leadership team about spending on security, be sure to let them know that the value of a positive brand image is many times the amount you will spend on computer security this year. If your organization makes a spectacular blunder in the security space, it could become one of those names that gets bandied about any time someone needs a cheap joke about cyber crime. No matter how much work you do after the breach, it probably won't undo that.
Your job as a security professional is to translate these problems into business terms. Start by estimating the annual value of your corporate brand. Then model a catastrophic security scenario and cost out the 10-year effort it could take to rebuild the brand after the incident. Once you've done all that, the real value of good security might be more interesting to management.
Jim Molini, CISSP, CSSLP

With all due respect, the value of the corporate brand has not hurt TJX or Best Buy, both of which lost financial data because of weak controls. Best Buy covered up the problem until they could not, and TJX mollified their customers with free credit monitoring for a year.
The problem is that the "damage" falls within the level of risk that many companies are willing to accept, sometimes set at 5 percent of top-line revenues. They consider this a cost of doing business, so why worry? This is how it was seen by TJX and Heartland.
You should apply pressure to PCI, whose Data Security Standards lack the depth and breadth necessary to properly protect private data. PCI-DSS needs to be reworked to consider a more defense-in-depth approach, something the federal government has learned, the hard way!
Hi Scott,
Personally, I haven’t swiped a credit card at Best Buy for 10 years, ever since I saw them imaging my signature inside their POS system. So has it hurt them? Maybe not enough. From that perspective, you’re right.
However, for a company like these that has to live on razor-thin profit margins, 5% of top-line revenues is a LOT of money. Why would executives ignore that? Probably because they're not aware of the real risk.
However, I’m also not sure that we could apply pressure to PCI, since they’re sponsored by the organizations who share all this risk. If they’re not pushing harder, why would anyone else?
Thanks for posting.
Jim