It’s been almost a year since Target’s point-of-sale systems were compromised by malware in one of the most significant consumer-facing data breaches in U.S. history. Large-scale cyberattacks jeopardize the privacy and integrity of customer data, while also putting IT assets and business strategies at risk. A 2014 study conducted by the Ponemon Institute and sponsored by IBM discovered that for businesses, the average cost of a data breach was $3.5 million, up 15 percent year-over-year.
The damage to stores like Target and Home Depot isn’t one-time, though. The effects on reputation and consumer trust are long-lasting, demonstrating how cybersecurity isn’t merely a compliance detail but a core part of doing business today. Moreover, it is a facilitator of trust at a time when even big, established enterprises – from retailers to banks – are under tremendous pressure from cybercriminals.
Report finds that shoppers remain wary of breached companies
Recovering from a data breach can take months or years, considering how long stakeholders must review the firm’s security posture, comply with relevant regulations and perform needed system upgrades. After that, there’s rebuilding rapport with customers whose data may now be in the wild, hardly an easy task.
A recent study of 865 Americans by CreditCards.com underscored the work now cut out for prominent breach victims:
- Approximately half of U.S. holiday shoppers who use credit and debit cards plan to avoid Target, Home Depot et al. this season. Twenty-nine percent of the individuals in this group said that they probably wouldn’t purchase items there, even if they had been regulars at these stores in the past. Another 16 percent were more steadfast, affirming that they would absolutely not shop there.
- Only one in eight consumers reported increased likelihood of using a credit card for holiday shopping. This trend may be due to fears about card skimmers or POS malware. However, it’s worth noting that credit cards are much safer than debit cards, since in the event of fraud, money is not removed from the user’s actual bank account.
- Forty-eight percent of respondents said they were more likely to pay with cash because of payment card breaches. Responses varied between income levels, with households earning more than $75,000 in annual income being less concerned with visiting breached stores or using cash than their counterparts who made $30,000 or less.
These findings corroborate studies from earlier this year, such as a Radius Global survey that revealed that 69 percent of consumers would reduce business with a breached company. At the same time, half of those respondents reported that they would actually pay more for products and services from firms that went the extra mile to protect their data privacy. When reputation is at stake, so is the business at large.
Identifying core data and gauging the risk of a breach
It’s easy to fixate on the most publicized breaches, i.e. the ones affecting national and global brands, but there are dangers for small and medium-sized businesses, too. An October 2014 post on the Trend Micro Security Intelligence Blog explained that all organizations need to take steps to mitigate the risks of a breach, in light of even the wealthiest and most cutting-edge firms having struggled so far to secure their critical data.
For SMBs, loss of customer trust may be more acutely felt than it would be at a multinational company. Breaches may also be more subtle and mundane than the elaborate infrastructure attacks of the Target or JPMorgan Chase breaches. The Trend Micro TrendLabs report, “5 Data Security Risks Every Small Business Should Know About,” identified some of the pitfalls that could lead to data leakage and erode the business, including:
- Negligence: Almost 80 percent of employees leave their computers unattended, opening a door for malicious insiders. Amtrak, while hardly a small company, was hit by an insider breach this year when an employee was discovered selling readily available customer data. A 2014 Trend Micro survey also found that roughly 20 percent of Japanese IT professionals confirmed their organizations had been compromised from the inside.
- Mobility: Bring-your-own-device policies have become mainstays of many enterprises. Gartner researchers have reported that half of them plan to handle smartphones exclusively via BYOD by 2017. Webroot discovered that more than 60 percent of companies have employees who use phones and tablets for work.
- Policy enforcement: Technology can only go so far in mitigating the risk of a data breach. The best network security solutions still need to be set up by humans and aligned with enterprise security policies. Monitoring user privileges has long been a preferred way to curb exposure to data breaches, and it is still essential to any IT system. But any policy is only as good as its enforcement.
Creating incentives for companies to update their cybersecurity practices
There has been no shortage of events that could have served as catalysts for companies to become more serious about security software. So why are organizations still being breached from the inside and outside, often because of preventable errors?
For starters, the current risk environment is challenging. More than 80,000 new malware strains enter the wild each day, and 20 percent of all the malware that has ever existed was created in 2013. With so many threats out there, a simple mistake could lead to an infection and a company-wide data breach.
There’s also the uncertainty that looms over many IT budgets. Worldwide IT spending is forecast to rise barely more than 2 percent year-over-year in 2014, according to Gartner. Companies with constrained resources may not be in the best position to upgrade their security mechanisms to deal with a rapidly changing threat landscape.
In some countries, governments and legal systems are also only now coming up to speed with the prospect of frequent data breaches. New Zealand’s parliament recently introduced legislation that would require disclosures as well as fines. Trend Micro senior security architect Peter Benson has called for additional measures beyond the proposed fines (which are relatively low) and nebulous definitions.
Ultimately, both the private and public sectors around the globe will need to chip in to address intrusion prevention. As shoppers vote with their feet this holiday season, it should become clear that more needs to be done to protect data and privacy.