Target, Home Depot, and last week, Staples – it seems as though there are always new headlines cropping up about data breaches at major retailers or restaurants.
For consumers, that can be worrying and disappointing, given it’s often their debit and credit card data falling into the hands of attackers. It’s also a huge concern among businesses, given data breaches can tarnish their reputations and revenues. In fact, in a new report from Kaspersky Labs, preventing data from being leaked or hacked is the top security concern for about 34 per cent of the 3,900 businesses it surveyed.
So why is that data breaches are still so prevalent, and hearing about them is almost a matter of routine?
Zaichkowsky points to an economics theory called “black swan,” first coined by academic Nassim Nicholas Taleb and used to describe an event that has a huge impact once it happens, but had been difficult to predict in the lead-up to its actual occurrence. For years, companies believed data breaches just couldn’t happen to them, as they appeared to be rare and far between, but now they’re investing in all kinds of detection software for potential network intrusions.
“[A data breach is] devastating, and that’s how it’s perceived. But because the volume of attacks, over how many years now, is continuing to increase … companies basically woke up and smelled the roses,” Zaichkowsky says. But he adds there are still problems with how companies are currently trying to catch indications of being compromised – and some of them have to do with the tools they’ve invested in, as well as the lack of IT staff to use them.
For example, he said in the case of Target, security staff there did catch wind of a malware.binary alert, a generic flag for potentially dangerous behaviour on the system.
“They had to pick and choose, and that didn’t make the cut, so it slipped by their notice, and that happens all the time,” Zaichkowsky said. “Coming from an incident response background, working with companies that were breached, most of the time they do get some kind of alert that was a tip-off, that they just didn’t go investigate.”
He adds sometimes IT departments just don’t have enough people to check out all of the alerts and incoming potential threats that they see every day. Plus, a lot of detection tools are too complex for some staffers, with a lot of training required before they’re able to use them to good measure. For these companies, picking tools that offer a unified look at any potential threats is a good plan, as is automating indicators of potential threats so humans only have to deal with the ones that need to be investigated.
However, data breaches aren’t limited to large corporations. Zaichkowsky lives in Durango, Col., a town of about 17,000. Within the span of three years, three data breaches at local businesses made the news in his town, with two restaurants and an event getting hit by attackers. One of the restaurants had to close four months after the breach was discovered.
That just goes to show that small businesses aren’t immune, and hackers aren’t overlooking them, he says.
“I’ve actually been on the phone with small to medium businesses where I’ve had to tell them, you’ve been breached,” he says, adding a data breach can be especially devastating for a smaller company that doesn’t have the resources to deal with the fallout. Hiring a payment card industry firm to investigate would cost at least $10,000, he adds, not to mention the costs of paying fines and offering compensation.
“I’ve had merchants literally crying on the phone, telling me they’re going to go out of business. We’re talking like family-run businesses that have been around a while.”
For small businesses that want to protect themselves from getting breached, Zaichkowsky says they can upgrade their point-of-sales equipment, ensuring they can accept cards with chips and PINs, rather than signatures. While that won’t fully solve the problem, it also helps if they can also invest in hardware that encrypts their card data.
“We’re not getting better at detecting data breaches, to be honest,” he says. “It comes down to a cultural issue. With an organization, security is seen as a cost vector, and they want to take shortcuts … We need to get away from that.”