Why Do We Still Have Cyber Breaches?

Evan Schuman wrote an opinion piece in Computerworld yesterday that I found very interesting.

Neimans suffered a credit card breach in 2013 that would be considered small by today’s standards.  Initially they reported that a million cards were compromised;  later that number was reduced to about 375,000.  About 9,000 of those cards were used for fraud.

The company settled a class action lawsuit against them for the breach for about one and a half million dollars.  That translates to about $4.20 per customer.  After 4 years.  After taking out the lawyer’s fees, it leaves about $1.00 per consumer affected.

If not enough people apply for a piece of the pie, Neimans gets to keep whatever is leftover.

In the settlement, Neimans talked about all the changes that they made since the breach –

• They hired a CISO.  Apparently, until the breach, Neimans, a $5 billion retailer, did not have an executive in charge of cyber risk.
• They hired some additional cyber security people.  It doesn’t say how many or what they are doing.
• They are reporting about cyber risk to the C-Suite and the Board now.  More frequently.
• Neimans installed chip credit card terminals in their stores now.

So, if you think about it, after 4 years Neimans’ insurance carrier paid out a million+ dollars, they hired a few more people and they are talking some at the C-Suite level.

There were, of course, other costs.  Neimans had to hire lawyers to defend them.  They likely had to pay fines to their banks.  They may have lost some business, but in general, the costs are likely pretty modest – especially considering that they are a $5 billion concern.

I am glad that they hired a CISO and a security team.  That is likely a good thing, but should not have required a breach to make it happen.

Now, of course, before executives get too excited about this, compare this to Home Depot, who recently announced that they had spent $300 million – so far – recovering from their breach.

So it appears to be a mixed bag and getting breached certainly is a distraction for businesses, for years afterward.  Depending on the business, more or fewer customers will leave after a breach (depending on how painful it is for the customer to move, in part).

So at least right now, there is no strong incentive for businesses to be very proactive and that is pretty much what we are seeing.

If consumers want this to change, they will have to vote with their wallets and pocketbooks.  If businesses saw a consistent 25% or 33% drop in revenue after a breach and that revenue didn’t come back in a couple of months, that might change the equation, but until that happens with some consistency….

I did see a statistic recently that said that 20% of businesses hit by ransomware go out of business.  Now that is a compelling number.  Apparently, getting your data encrypted is a bigger risk that losing your customers credit cards.  The stores and banks understand this equation.  While it is expensive to credit people for fraudulent transactions and issue new cards, it is less expensive than losing business.  In this case, the banks and the businesses both lose out, but it stops the consumers from getting out their pitch folks and torches and doing some serious damage.

Imagine what would happen if consumers had to pay if their accounts were breached?  For one thing, it would likely mean that people would use their credit cards a lot less.  Since that means a whole lot less spur of the moment purchases, the stores really don’t like that option.

It is an interesting situation.  For the most part, everyone has settled in and hunkered down for the duration.  No one likes the status quo, but they like the alternatives even less.  That goes for both customers and businesses.

One thing to consider, however, before I put this to bed

The cost to businesses of the theft of intellectual property on an annual basis dwarfs the entire credit card fraud bill.  And, for the most part, insurance only pays a tiny part of that cost. Most of the cost is unknown (often the theft is not even discovered for years), uninsurable and in some cases, unrecoverable from.  Consider that for a moment.  For businesses, this is a much bigger incentive for not getting breached.

Pretty interesting.

Information for this post came from Computerworld.

by