A new report on the nature of data security threats faced by companies, detection and response trends, and the consequences that follow reveals that employee negligence was responsible for more than a third of the incidents studied.
The BakerHostetler Data Security Incident Response Report reviews more than 200 incidents that the issuing law firm advised on in 2014 in sectors including retail/hospitality, healthcare, professional services and financial services. It concludes that human error was the number one cause of data security incidents. Employee negligence was responsible for incidents 36 percent of the time; other leading causes were theft by outsiders (22 percent), theft by insiders (16 percent), malware (16 percent) and phishing attacks (14 percent).
“The large number of the incidents we saw in 2014 that included employee negligence as part of the primary underlying cause is proof that companies cannot eradicate security risk solely through the use of better technology,” the report notes. “Sure, encrypting portable devices can help in cases where employees leave devices in unlocked cars, but technical security solutions do not stop employees from being phished, failing to review logs, or improperly configuring servers.”
The report continues that “companies must match security solutions that provide defense-in-depth with detection capabilities as well as employee training and awareness driven by the right ‘tone from the top’ and appropriate information security policies and procedures.”
The report also concludes that rapid response to a data breach is critical for several reasons, including:
- creating the opportunity to stop an attack in its early stages before sensitive data is accessed,
- preserving available forensic data to enable a precise determination of what occurred, and
- generating affirmative evidence to help the company respond in a way that protects affected individuals and minimizes potential financial and reputational consequences.
“Forensics firms continue to report that as many as two-thirds of the incidents they investigate are not self-detected by the company. Our data showed the opposite,” the report continues. “Incidents were discovered by our clients — as opposed to a third party — 64 percent of the time. Of the 36 percent discovered by third parties, 27 percent were due to theft. We cannot stress enough the need for companies to spend sufficient time and resources developing their detection capabilities.”
The report also notes that after a breach occurs, merchants face both litigation and regulatory action. “Merchants who have payment card data stolen from them or from one of their vendors may face non-compliance fines, case management fees, and assessments to reimburse issuing banks for the cost of issuing new cards as well as the incremental fraud that occurred on the stolen cards,” it reports. “We saw fines and assessments from all four card brands in 2014. The PCI DSS non-compliance fines ranged from $5,000 to $50,000. The initial demand for operating expense and fraud assessments ranged from $3 to $25 per card involved.”
TransFirst® takes a proactive and comprehensive approach to secure payment processing by providing in-depth information on PCI compliance as well as a Data Breach Security Program that covers expenses arising from an actual or suspected data breach, as long as the merchant is not involved in the breach.
As the BakerHostetler Data Security Incident Response Report concludes, business owners must confront privacy and data security issues to be “compromise ready” should a breach occur. Working with an established and experienced processor like TransFirst is a great place to start.