The “root cause” of last year’s credit and debit card data breach at Target Corp. was the company’s lack of a chief information security officer (CISO), according to press reports of a talk given by a former Target manager at the Work-Bench Enterprise Security Summit.
The news came in the same week that the Ponemon Institute released a new study, which found that 43% of enterprises experienced a data breach in 2013 – up from 33% in 2012.
The study also found that the cost of each lost or stolen record containing sensitive or confidential information rose to an average of $201 per record, or $5.9 million per breach, up from $188 per record and $5.4 million per breach in 2012.
The lesson from these two news items is that no business can afford a lackadaisical attitude toward cyber security: attackers target small and large businesses alike. And while a full-time CISO is out of reach for most companies because of the cost, there are outside consultants who can review your existing plans and help develop a strong security program for your organization.
The primary driver of the increase in breach cost is the loss of customers following a breach, together with the additional spending needed to preserve the organization’s brand and reputation. In fact, Ponemon’s study found that the average rate of customer turnover, or churn, after a breach increased by 15% over the previous year.
The study found that data breaches were mainly caused by:
- Malicious or criminal attacks (44% of companies reported this as the cause of their breach). These were the most expensive breaches, at an average of $246 per record.
- Employee negligence (31% of organizations). These breaches cost an average of $160 per record.
- System glitches (25% of organizations). These breaches cost an average of $171 per record.
Fighting the threat
While most companies are not the size of Target and cannot afford to have a CISO on staff, you can still learn from Target’s mistakes. Karl Mattson, who worked at Target from 2008 until 2013 – most recently as manager of cyber and global intelligence – said that the lack of a security culture was Target’s undoing.
Besides lacking the infrastructure to prevent the breach, Target also responded poorly: when the company’s intrusion-detection software flagged the suspicious activity and alerted Target’s IT staff, the company did not take immediate action, he said.
For companies that cannot afford a full-time CISO, one alternative is a virtual CISO engagement. These are security executives for hire who help develop a security roadmap for their clients.
A virtual CISO will typically review your information security program, breach response plans, sensitive data and the databases that hold it, and more.
After the review, they usually produce a report with recommendations for improving your policies, security framework, and security culture. They also help you implement the recommended changes, and they are typically on call in the event of a breach.