Another Day, Another Breach

Heads up – there’s been another “massive” credit card security breach – the 3rd such incident in recent months. We don’t know which company suffered the breach, but it appears to be another card payment processor. We’re still in the “whisper period” as some call it – Visa and MasterCard have begun notifying banks, and banks in turn began notifying their customers of the potential impact. But there has been no disclosure by the victimized company – yet.

Over the past 3 months, I’ve witnessed two major security breaches (prior to this one), which all told placed tens of millions of cardholders at risk. What’s going on? Are hackers getting more sophisticated in their attacks; are companies grossly negligent in their security; is PCI compliance a joke?

Upon reflection, I think a “perfect storm” of these factors is at work.

First, hackers are more sophisticated and more targeted in their attacks. Today’s threats are highly organized, staffed by experts, and focused on big payoffs. Furthermore, I think it’s naive to assume that all data breaches are perpetrated by criminals breaking in from the outside. Organizations must address the real possibility that their own workers are committing these types of crimes. It’s much easier to steal confidential data when you know the IT environment and have access to the data. There are several recent cases of insiders selling confidential data to criminal organizations (Countrywide and Prudential come to mind).

Second, some companies have clearly failed to adequately protect/secure sensitive data. If you take a look at the TJX case (which my colleague Kevin blogged about), you see a failure to implement basic enterprise security measures (encryption, intrusion detection/prevention, etc.). Making matters worse, many companies lack the proper monitoring and controls to prevent insider fraud or theft. There’s a tendency to focus on securing the perimeter and to neglect the very real threat represented by employees who hold the keys to the kingdom. Proactively limiting employee access privileges and monitoring high-risk employees are basic tenets of managing the insider threat.

As for PCI compliance, it appears that Heartland (at least) may get a pass on that one. Allegedly, hackers attacked Heartland’s private network, an area to which the PCI mandates do not apply. But I think the bigger point about PCI is that it cannot be an organization’s only strategy or guiding principle for enterprise security. The basis of any enterprise security strategy should be the concept of risk management – a deliberate balancing of security costs vs. real business risk. It’s never possible to deliver perfect security or to prevent all breaches. But every company should have a disciplined strategy for identifying internal and external risk factors and for mitigating those risks with appropriate protection and controls.

Risk management – it’s not just for actuaries anymore.