What motivates an organization to secure data? For one, there is the cost or impact of a breach, which spans from the losses the business incurs while resources are shut down to investigate the attack to the potential damage to a company’s brand. Not all retailers, however, find the prospect of a hefty price tag reason enough to invest in securing customer data (emails, addresses, identification numbers, credit card numbers, etc.). Luckily for consumers, there is an even more compelling reason to protect customer data – regulations. Businesses fearful of violating different industry regulations and state laws take heed and comply. But the question is this: does compliance actually hinder hacker activity?
Low Hanging Fruit
The cybercrime industry trades in data. Much like corporate business models, hackers look for ways to optimize their return on investment (ROI) by increasing revenue (data) while decreasing costs (attack resources). There are numerous ways to increase ROI, such as using Google as the vehicle for attack. How? A hacker can inject nefarious code into 1 million websites within just a few hours – as the recent LizaMoon attack campaign illustrated. The first targets? Websites lacking basic security controls.
Case Study: PCI DSS
The industry regulation focusing on credit card details is the Payment Card Industry Data Security Standard (PCI DSS). This regulation, set by credit card merchants such as MasterCard and Visa, provides a list of security requirements for retailers regarding credit card information. Companies that suffer a breach and are found to have failed compliance are heavily fined. We take this regulation as a case study because, unlike other regulations, its set of requirements is clearly defined: the list provides clear guidance on what to protect and how to go about it. The idea is that companies that comply with PCI DSS will not suffer a credit card breach.
PCI Compliant Companies and Data Breaches
Many studies and surveys have examined the efficacy of PCI. According to Verizon’s PCI Compliance Report from October, companies that suffered a breach compromising cardholder data were 50% less likely to be PCI-compliant than “a normal population of PCI clients”. More recently, a Ponemon survey presented the following finding: in the past two years, two-thirds of PCI-compliant organizations suffered no data breaches involving credit card details, as opposed to one-third of non-compliant organizations. But what about data breaches that compromised data other than cardholder data? In other words, does PCI compliance enhance overall security? Interestingly, 63% of PCI-compliant organizations did not suffer more than one data breach (of credit card details or other data). By contrast, 74 percent of non-compliant organizations experienced more than one breach, while only 26 percent did not.
There’s More to PCI than Spelling it Right
A similar survey published two years earlier showed how corporations can use regulations as a springboard for their security initiatives. The key driver behind success with security and compliance was corporate attitude. The paper highlighted three attitudes companies evolve toward as they pursue PCI compliance:
• Cynical companies are likely to view self-regulatory security initiatives such as PCI and others in a jaundiced or negative light.
• Checklist companies are more receptive to security initiatives such as PCI, but are not completely convinced that self-regulatory requirements for compliance will lead to better security.
• Enlightened companies are likely to see PCI as a means to achieving real and substantial security protections, thereby reducing security threats across their organization.
Tracing the evolution through these stages towards compliance, the survey shows how a strategic initiative incorporated into the enterprise culture succeeds in protecting customer assets.
Regulations are not a Silver Bullet
This is not to say that regulations should be perceived as a security silver bullet. First, they scope only the data that should be protected (for instance, PCI deals with credit card details, while HIPAA, the health regulation, scopes private health information). Second, they define security at a certain point in time. Although security is a continuous process and the regulations encourage that continuity, the controls are tested only periodically. An organization can pass a regulatory assessment with flying colors one day and be non-compliant the following day. Consider the breach at Heartland Payment Systems: its PCI assessors had found PCI implemented at the organization, yet the company suffered the biggest credit card heist in US history, in which 130 million credit card numbers were compromised.
The Security of Intellectual Property
Up until now we have discussed regulations surrounding consumer details, which are common targets for attackers. But there is also a market for Intellectual Property (IP) – albeit a much smaller and more restricted one. The buyers and sellers in this case are nearly always competitors and nation-states interested in the data (such as business plans, customer base, and secret formulas) belonging to other companies. While IP theft occurs much less frequently than the theft of the more popular customer details, the impact a company suffers may be much higher. After all, IP is the core of the business. In the case of a publicly traded company, a compromise of the company’s intellectual property is sure to affect the value of the company, and ultimately concern all its shareholders.
This column is part of Noa’s series on cybercrime.
Just as regulation compelled companies to secure customer data, regulation can be put in place to require notification of any data breach (or any data breach above a certain threshold) to all shareholders of a company. The impact of such a regulation should be akin to that of the multiple privacy acts regarding customer data. Furthermore, in this case it makes sense to incorporate a Sarbanes-Oxley-like regulation. Sarbanes-Oxley aims at the integrity of corporate financial records by placing liability directly on executives. An “intellectual property” regulation should place those same requirements on protecting corporate assets.
Next Column – When Consumers Just Don’t Care
For companies that understand the spirit of the regulation and reach “above and beyond” its scope in order to achieve overall security, the findings show that regulation does in fact reduce the number of incidents. For these companies, the regulations are making the hackers work all the harder. We presented the findings from the business’ perspective, but next column we’ll look at the consumers themselves and ask: do consumers even care about security?