In the fallout from the high-profile news of the payments breaches suffered by Target and others, a question persists: why is this news so surprising?
Lots of analysts and industry observers have documented the rising numbers and increasing frequency of such attacks. Just one, for example—IBM’s X-Force Trend and Risk Report—says that in 2013, more than half a billion records of personally identifiable information were leaked through scores of attacks against strategic targets.
The cybercriminals behind these crimes, of course, are the real bad guys and should be pursued vigorously. But that’s a job for law enforcement, who have unique resources, talents, and training to do so.
Everybody else’s job is to protect their data in the first place. That’s where things slip through the cracks, however, especially in light of several recent reports alleging that customers don’t trust merchants, merchants don’t care, and employees of those merchants either don’t realize the dangers or think security on the job is someone else’s responsibility.
Meanwhile, the criminals find the cracks, penetrate the systems, and steal the valuable data—lots of times without anyone realizing it. Perhaps the big thing with the recent news accounts of breaches is that they were, in fact, detected and reported.
As this cyberfraud plague grows, at least one thing is clear. Just as the objective of the thieves is information, a crucial defense against them is the circulation of information about specific attacks, methods, locations, and defenses. Shared information, ironically, is the main defense against breached information.
But first, the reports:
• HyTrust asked 2,000 U.S. adults “Do you really believe organizations care about your private data and keeping it safe and secure?” Result: 72.5% said no.
“A survey like this is basically a snapshot in time, not a full measure of public opinion, but the high level of distrust is still breathtaking,” says Eric Chiu, president. “Many organizations maintain that they’re doing everything they can to protect private customer information, but the public at large believes otherwise. And in industries where data security is vital—retail, financial services, and healthcare, for example—this lack of confidence will inevitably have a negative impact on the bottom line.”
• Newtek Business Services polled representatives of 1,400 small business owners, asking them, in light of the recently reported breaches, if they are concerned about credit card security at their business. Of these, 67% said no. When asked if they knew anything about EMV, or chip card, security, 63% had no idea.
“With data and security breaches increasing in intensity and frequency, it is surprising, but revealing, that independent businesses are not having the concern they should over their own cyber security. It is the ‘It’s not a problem until it happens to you’ attitude that is concerning,” says Barry Sloane, chairman, president, and CEO.
• Absolute Software Corp. polled workers in companies that each employ more than 1,000 people in banking, retail, healthcare, and energy industries, and who use mobile phones at work. It focused on the sentiment of those workers concerning security measures related to their mobile devices.
Twenty-five percent said there should be no penalty for losing a phone since data security is not their responsibility. Twenty-three percent said they do not know their company’s procedure for dealing with work device loss or theft. Thirty-five percent of those who had lost their phone once did not change their security habits afterwards. Fifty-nine percent estimated their corporate data to be worth less than $500, or just the cost of the phone.
“If firms don’t set clear policies that reflect the priority of corporate data security, they can’t expect employees to make it a priority on their own,” says Tim Williams, director, product management.
If there’s anything that connects these studies, it is the sense that people just don’t realize their own responsibility or what tools may be available to use in their own protection. It’s no wonder that, as Mercator Advisory Group says in a recent report, vendors that specialize in card fraud protection see the competition in their market heating up.
“Competition in the U.S. market for card fraud detection solutions is about to ramp up,” says Michael Misasi, senior analyst. “Vendors that have traditionally served international markets or that have expertise in adjacent capabilities are taking aim at the mainstay solutions in the United States.”
Of note in that report are indications that fraud alerts sent by banks or other card providers are on the rise, with cardholder use of such alerts going from 36% in 2012 to 38% in 2013. In other words, the rapid dissemination of information about suspected fraudulent attacks seems to be gaining recognition as a prime means of defense.
A perfect case in point is the recent release by Monitise of its Alerting+ solution, designed for financial institutions. Through this product, banks can evolve consumer alerts from one-way notifications to real-time two-way conversations.
Another confirmation of this premise can be seen in a recent white paper from The Members Group, which advocates for consumers to become more involved in the fight against fraudsters. Nicole Reyes, senior fraud prevention analyst, makes two basic recommendations: educate consumers on fraud trends and tips they can use to protect themselves, and use text or email alerts to put information directly into the hands of consumers.
“There is no need to wait for a significant breach to remind your cardholders just how important it is to be diligent when monitoring their card accounts and transactions,” she says.
Sources used in this report include: