A recent flurry of reports from Experian, through its data breach resolution arm, in tandem with the well-known security research firm the Ponemon Institute, paints a depressing portrait of the data breach landscape -- especially for firms involved in handling customer credit and other sensitive data. The moral of the story turns out to be a combination of ongoing education for security firms and data handlers alike, along with a profound need for preparation in advance of data breaches, before they occur.
Once the exception, now alas, the rule: data breach notices for account and credit card holders.
If you live in North America and have a credit card, you are more likely than not to have been informed of one or more potential breaches of related account and personal information in 2014, according to a recent series of studies jointly undertaken by the Ponemon Institute and Experian Data Breach Resolution. This less-than-cheerful outlook is further buttressed, alas, by a number of findings from those reports that may be summarized as follows:
1. 68 percent of respondents to one survey said that pressure to migrate over to new payment systems puts customer data at risk
2. Only 53 percent of payment execs are convinced that "chip and pin" credit cards actually decrease their risks of experiencing a data breach
3. Introduction of new mobile payment systems, such as Apple Pay, increase the risk of a breach that discloses customer data, according to 59 percent of those same execs
One might very well ask: "What should companies that handle customer financial data be doing to deal with this situation?" The answer, according to Experian, requires a two-pronged approach. First and foremost, employees and developers at companies that handle credit information (or who create tools or environments to process such data) need to be aware of the potential for a breach. They must keep their thinking caps firmly in place to watch out for signs of a potential breach, and to take proactive measures to prevent such breaches from occurring (or at least, to limit the possibility of their occurrence as much as technology and human ingenuity will permit). Second, players across the payment industry must coordinate and collaborate to raise their awareness of the potential for breaches, and cover each other to provide consistent, end-to-end security measures and protection from breach on the front end, while creating breach response plans (including regular practice sessions, much like those required for disaster recovery and business continuity) along the lines of the incident response processes and procedures already well understood in the information security world.
This means that companies need to invest in training new hires to develop data breach smarts, along with ongoing awareness training for those already on staff. That way, they can make sure they are prepared for a data breach, while also doing everything they can to avoid their occurrence. I'd have to say this makes a pretty strong case for security training (and possibly certification, in some cases) for all employees who are involved with customer data in some form or fashion. It also explains the ongoing high demand for security-savvy IT professionals across the board, but nowhere so much as in businesses and organizations whose data holdings include customer identity and financial information of some kind.