Reputations and PCI Data Breaches

The natural human reaction to reading a company’s announcement about a Payment Card Industry (PCI) data breach is to declare a boycott against this company. How dare they be so nonchalant and careless with my handling our information? This reaction appears to be common when you read news articles about this very topic.

“87 percent would not (or were not very likely to) do business with a company that had faced a data breach”

http://www.nationalcybersecurityinstitute.org/general-public-interests/how-does-a-data-breach-affect-your-business-reputation/

The public fears a data breach because the majority of people out there have no idea what that actually means. I am sure all of you in this ‘cyber’ community get these questions constantly from friends and family about how these things can happen. I certainly do.

I am going to put myself out there though and make a fairly bold statement:

“A PCI data breach is good for a company”

The Priorities

I provide advisory and investigative consulting to companies from Fortune 1 to Fortune 5839827495, and there is a theme that I see from the top to the bottom. The companies that have experienced data breaches have stronger information security (InfoSec) programs as a result.

Almost every company I engage with asks me “How does my security team compare to other companies in my industry?” and this is the biggest problem. The business side of these companies are all about keeping up with or getting ahead of competitors in their field. If everyone across your industry jumps off a bridge, would you jump also?

The priorities of an InfoSec program should not be driven by others. This needs to be driven on internal needs and deficiencies. There are tons of ways to push this forward, however this isn’t the point of this post. The business side has a hard time allocating money to these priorities because most InfoSec program leads aren’t able to speak the right language.

The Breach

Enter the PCI data breach. This demands immediate attention that cannot be ignored by the business. It also spins up a lot of resources with enormous costs.

Some costs not always seen by an outsider to the breach investigation:

• outside legal counsel / breach coach
• public relations firm
• PCI mandated investigation firm known as PCI Forensic Investigation or PFI
• another firm hired under legal privilege
• travel and accommodations for employees and contractors
• software and hardware to support investigation
• extra online storage costs to preserve data on-prem and cloud
• extra instances of computers to offset loads
• premiums for expedited services with vendors

These all typically happen before any public notification of the breach is made.

The Announcement

Once you read about a PCI data breach in news stories, there has been an army of people working on this breach. The InfoSec focused expertise involved can easily be 10x or 20x multiplier of the team that is normally employed for this role in calmer times.

The public thinks:

“Oh no, I am never shopping there again. I don’t want my data stolen.”

In reality, this is the safest that network has ever been. There are tons of people looking over every possible problem. The affected company is getting a massive overload of recommendations on how to improve. It will also be under heightened scrutiny by the public and any regulatory bodies they are involved with, namely PCI for one.

The Response

We have worked with customers on post breach projects that have taken a 5 year timeline down to as little as 6 month. Money comes raining down from the top. Many times, the PCI breach uncovers less than ideal practices in other aspects of the infrastructure as well.

Some go on to really make a huge difference:

https://corporate.target.com/article/2015/07/cyber-fusion-center

Of the causes for breaches that I have seen, almost zero of them were ultimately a surprise. It is usually a weakness as a part of some aspect where a project exists to address. The InfoSec teams working for these companies do well to identify the improvements that are needed. It has never been due to laziness or lack of knowledge.

Breaches are Good

Companies are collecting more and more data about us. I prefer seeing breaches of PCI data over even more personal data or intellectual property. Although it is a costly incident, the damage done can be fixed relatively well.

Let me know what you think of breaches.

James Habben