As today is Cyber Monday, and while millions are starting their Christmas shopping as they fall back into a post-holiday routine at the office, a ghost haunts the minds of some security professionals working for online retailers. These retailers, faced with tough economic obstacles, are worried about more than just slow sales. Thanks to the media and consumer perception, they have security to consider too.
“In a year of bad economic news, the outlook for security experts has been perhaps even bleaker. With one major breach after another, confidence among both consumers and lawmakers has dwindled,” commented Geoff Webb, Senior Manager for Product Marketing with systems and security management firm NetIQ.
He pointed out that Heartland Payment Systems kicked off the year with a long-term breach that to this day is still being felt. Heartland is one of the companies whose name is whispered as an example of data security and consumer protection. You cannot talk data protection or data loss without hearing Heartland’s name.
“The response from the financial markets to Heartland’s share price was punishing, losing as much as 50 percent of their value, but the long term costs to the industry as a whole have yet to be assessed,” Webb said.
“These costs are measured in terms of lost business, sinking consumer confidence in the security of their information, and the increasingly close scrutiny of lawmakers, both in the US and around the world.”
Another famous breach, Webb added, was TJX, and the impact from it is still growing. “TJX recently reported expenses of over $117 million associated with their 2006 breach. Forrester Research estimates the cost of a data breach between $90 and $300 per record, and when breaches can be measured in hundreds of thousands, or even millions of records, that can quickly add up to a lot of online pain.”
Breaches like those at Heartland and TJX are why PCI DSS was created. The Payment Card Industry Data Security Standard is an industry standard for securing credit card information that all retailers must adhere to.
Implementing PCI DSS can be costly and painful in its own right, Webb said, but not implementing it is far more painful and the costs much higher. In addition, PCI DSS can be complex, and certification is a point-in-time assessment: the moment something is added to the network, the PCI DSS certification could be moot if that change introduces a security issue.
When a company is breached, there are costs and fines to be paid, costs associated with cleaning up the security issues that led to the breach in the first place, as well as other nickel-and-dime costs that add up to a ton once they are all accounted for. These costs are even worse for businesses that are nowhere near as large as the TJXs of the world. Just one data breach for a mom-and-pop operation can shut a business down.
These costs are also compounded by perception. If consumers lose trust in a company because of security problems, then that company is on a downward spiral that can sometimes be hard to overcome, no matter how much is spent in PR.
“The fact is that as consumers become both more concerned about, and better informed of their information privacy, they will start to look very closely at the security history of the companies they buy from. How long is it going to be, for example, before the online security rating for retailers becomes a competitive differentiator?” asks Webb.
“It is a sad, but undeniable fact that right now retailers are under attack, and it is entirely likely that some have already been breached. Now, as the retailers struggle to free themselves from the mire of a down economy, the last thing any of them need is a major breach hanging over their heads. The cost could be a sudden and painful lack of trust among customers and online, which could potentially lead to a retailer not being around for next year’s Cyber Monday.”
So for a business, what’s scarier than not having people spend money during the recession? Not being there at all...