Stopping Data Breaches is Everybody’s Job

The 2015 Data Breach Investigations Report, released in April by Verizon, estimated that there were 2,122 confirmed data breaches in 2014, generating $400 million in losses. This week we learned that one attack that was not included in this count happened in June 2014, targeting CareFirst BlueCross Blue Shield, serving 3.4 million customers in Maryland, Virginia and the District of Columbia. CareFirst only recently discovered the breach—names, birthdates, and email addresses of 1.1 million members—after putting in place new security measures.

In April, hackers redirected traffic from the Federal Reserve Bank of St. Louis’ research website to rogue pages. In its notice to users, the St. Louis Fed warned them that they may have been exposed to “phishing, malware and access to user names and passwords.” And Australian telecoms group Telstra said hackers gained access to the network of its Asian subsidiary Pacnet, and that it “was made aware of the breach” when its purchase of Pacnet was finalized on April 16.

To prevent the continuing loss of money, reputation, and customers, companies must make stopping cybercrime a team effort, internally and externally. Collaboration is the essence of preventing data breaches and responding to them effectively.

I came to this conclusion after listening to a presentation by Jason Malo, a Research Director in CEB TowerGroup’s Retail Banking practice, at the 2015 CEB Financial Services Technology Summit. Malo pointed out that security should not be considered the responsibility of the Chief Information Security Officer (CISO) alone. Ongoing collaboration across multiple internal teams and their leaders is crucial.

While the CISO plays a leadership role in discovery, mitigation and analysis of a data breach and is in charge of management and monitoring across all business lines, other teams and their respective leaders should be involved in a variety of roles in different stages of a response to a data breach. These include the CIO and CTO providing technical support and the Chief Compliance Officer, the communications team, and line of business executives taking a lead role in the disclosure stage and in enabling customers.

The last stage of the response to a data breach—empowering customers—is also the first step towards preventing more data breaches in the future. Collaborating with your customers, like collaborating internally, is crucial for minimizing the impact of a data breach and lessening the probability of being hacked again.

Malo suggests that, contrary to the trend towards a “frictionless” customer experience—the idea that fraud should be detected and corrected without customer involvement—it is better to empower customers. This includes customers who are looking to take a more active role in protecting their data and those who need to be nudged to do so.

The response to a data breach should be honest, prompt, compassionate, informative, and interactive. To answer the question “what should I do?”, the interactive part of the response should include a menu of security options, recognizing that different customers have different risk-sensitivity profiles.

In his presentation, Malo pointed to an Associated Press–GfK Poll that found that consumers do little in response to a breach: only 41% checked their credit reports, 31% changed passwords for online retailers, and 18% signed up for credit monitoring. But he also pointed out that consumers are typically not being offered adequate tools to manage their data.

Companies should invest more in educating their customers (and potential customers) in security best practices and in what to do in case of a data breach, even before one occurs. Collaborating with customers, so that they make it more difficult for criminals to steal their data if and when a breach occurs, is an important investment in the company’s reputation and customer relations.

Stopping data breaches is not getting easier, and the problem may get much more serious, with the potential to severely impact business performance. A recent Ponemon Institute Survey found that 83 percent of companies in the Financial Services sector and 44 percent of Retail firms experienced more than 50 attacks per month. Earlier this year, Juniper Research estimated that the annual cost incurred from malicious data breaches worldwide will exceed $2 trillion in 2019. Juniper noted that this is 2.2% of the IMF’s forecast for global GDP that year. They also noted that US breaches account for over 90% of the global cost of data breaches. Even if the US accounts for “only” 80% of the global cost in 2019, the impact on the US economy will be $1.6 trillion. Given that the IMF’s forecast for US GDP in 2019 is $21 trillion, we could see the cost of data breaches reaching 7.6% of the US economy over the next four years.

Originally published on