With all the talk over the last few years about skyrocketing breach disclosures, it would seem as if the problem is pretty widespread, right?
If you only rely on what you hear in public disclosures, you don’t get the full picture. Actually, the published reports only scratch the surface.
According to research firm Gartner, 42 percent of U.S. retailers interviewed in a recent survey were “certain” they had been breached by a hacker. Only 14 percent, however, actually disclosed the incident to the public.
The types of threats Gartner used for the survey include “phishing” attacks, stolen laptops, outside hacks and insider breaches. Of the 50 subjects, four had been fined by credit card companies for not meeting Payment Card Industry (PCI) rules. Eleven were threatened with fines.
It appears the problem will only get more unsavory. Credit card companies predict incidences of payment card fraud will double over the next two years.
These statistics are important for a number of reasons. First, the top industry affected by data breaches is retail. About 20 percent of all hacks happen to retailers, Gartner says. In particular, my research shows that smaller retailers are less likely to disclose these breaches. Worse, smaller retailers are often at greater risk because they have fewer resources and often lack adequate security.
Another important reason is that retailers – big and small – are simply afraid of the negative publicity associated with a breach. As a result, successful hacks are often swept under the proverbial rug. This matter is important to governments across the world, many of which are now grappling with how to keep consumers safer from identity theft.
It is certainly gaining attention in Canada. In a scathing report issued June 3 by the country’s privacy commissioner, nine in 10 people whose data were compromised had been put at risk because their information was simply stored in an unsecured electronic format. Plus, the report said too many companies are failing to implement “elementary security measures” such as firewalls or laptop encryption. These are basic things here, folks.
Due to reports such as these, tough data breach notification legislation is likely just around the corner.
So, what’s the best solution here? Some say the government should force companies to publicize all data breaches. But, according to a recent research report by Carnegie Mellon University, that measure may not help security at all.
Rather, the easiest solution is to be proactive, not reactive. Here are some easy tips you can perform to keep your customers safer and your bottom line higher:
- Inventory all sensitive data held by your company and identify possible threats, from security holes in your network to unhappy employees.
- Keep employees on a need-to-know basis. You should always limit employees’ access to crucial data. If they don't need to see particular data, don't give them access.
- Truncate all credit card numbers and delete expiration dates on customer receipts. An expiration date coupled with another form of data is often all a criminal needs to steal a customer’s identity and money. This is required by law.
- Investigate your vendors to make sure they have adopted industry-accepted security practices.
- Shred all records containing sensitive information if the records aren’t needed. Why risk identity theft for something you don’t even need?
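As an added illustration of the truncation tip above (this is example code written for this page, not something from the original column), here is a small receipt-sanitizing routine. It finds 13- to 19-digit number runs, confirms each one is a plausible card number with the Luhn check so that order numbers and other long identifiers are left alone, masks everything but the last four digits, and strips expiration dates. The regular expressions, the `sanitize_receipt` function name and the sample receipt text are all assumptions constructed for the example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Expiration-date fields such as "EXP: 12/27" or "Valid Thru 12/2027" (constructed pattern).
EXP_RE = re.compile(
    r"\b(?:exp(?:iry|ires|iration)?\.?|valid\s+thru)\s*:?\s*\d{2}/\d{2,4}\b",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; replace the rest with asterisks."""
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_receipt(text: str) -> str:
    """Truncate card numbers and remove expiration dates from receipt text."""

    def _mask(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw          # long number that is not a card (e.g. an order id): leave it
        return mask_pan(digits)

    out = PAN_RE.sub(_mask, text)
    out = EXP_RE.sub("", out)
    # Drop trailing whitespace left behind where an expiration date was removed.
    return "\n".join(line.rstrip() for line in out.splitlines())


# Constructed sample receipt; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_RECEIPT = (
    "CARD: 4111 1111 1111 1111  EXP: 12/27\n"
    "ORDER: 1234567890123\n"
    "TOTAL: 42.50"
)

if __name__ == "__main__":
    print(sanitize_receipt(SAMPLE_RECEIPT))
```

The Luhn check is what keeps the 13-digit order number in the sample untouched while the card number is masked; without it, any long numeric identifier on a receipt would be mangled.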
'Til next time,
Joan
The eSecurity Diva