More than 76 million people were affected by the JP Morgan security breach, and at least 53 million credit and debit cards were compromised by the Home Depot breach. Now, you’d expect that this could negatively impact these two corporations. After all, Target claims a similar breach cost them $148 million. However, it appears that these recent breaches had little, if any, impact on the companies. In fact, Home Depot’s recent profits for the quarter were up by two percent, and annual profits are expected to reach target levels. JP Morgan’s quarterly profits were also up as they raked in over $5 billion. You would be hard-pressed to find any evidence that these companies were negatively affected in any financial way by the breaches they experienced. So why is that?
Data breaches are up by 25.7% over the same period last year. To date, there have been 606 breaches this year, which is about 2 per day. This breach overload may have contributed to something called ‘data breach fatigue’. The Ponemon Institute reported that more than one-third of consumers ignored data breach notifications and did nothing, while more than “50 percent did not take any steps to protect themselves from identity theft afterwards”. Why not? Well, first of all, for most of those who were victims, the biggest result of their data being stolen was stress (76%). Most (81%) did not suffer any financial loss, and, if they did, it only amounted to an average of $38. The biggest problem was the hassle of getting a new credit card, which for most people (51%) took less than a week. 71% of respondents said that they continued to do business with the company because they believed either that “data breaches affect most companies and I think it’s unavoidable” (61%) or that “it is too difficult to find another company with comparable products and services” (67%). These results can be interpreted in two ways. Either victims lack the motivation to change their behavior, or they feel that breaches are now simply the norm. Since they won’t be suffering much, if any, financial loss, they really don’t see any need to worry about the new breaches that will inevitably occur. Such announcements will simply be shrugged off.
But here’s the problem. If customers don’t care if a company has a breach or not, then why should companies worry about security? Why increase the security budget when it won’t really affect the bottom line? We could, in fact, see companies backing away from investing in security, despite the projection that security breaches are expected to increase. Such investment may be all well and good when the economy, or at least the stock price, is performing well, but, as soon as these head south with company profits, I would expect that security would be the first to be sacrificed. After all, people no longer expect any company to be free from breaches, right?
In short, as companies back away from security investment, hackers will find it easier to attack them. This could further increase the number and extent of breaches. For a while, however, there will be a period where two opposing forces, apathy and fear, balance each other. The companies that give up on security investment will be balanced by those who fear the ever-increasing number of high-profile breaches and invest more in security. But as these security-investing firms also end up getting hacked, it is likely that data breach fatigue will gain more of a foothold.
So who ultimately pays for security breaches, anyway? That’s not so easy to determine. For retailers, it may appear that the burden of payment falls on the credit card companies. However, they are now changing their credit cards to contain computer chips, which require customers to enter a PIN before a purchase can be made. There will be no more handing your card to the waiter at a restaurant, unless you also want to give him or her your PIN, which I would strongly advise against. But how can you buy online if you have to physically enter a PIN? In Europe, where I live and where this type of card is the norm, how you purchase online depends on your bank. Generally, there is a limit for such buying. In addition, if you make large online purchases, like an airline ticket, your bank will call you within minutes to ask if you, indeed, have just made a purchase. Some may find this a problem, but I feel much safer having this backup. (Just a heads-up for Americans traveling to Europe: if you don’t have a card with a PIN, don’t expect to use any ATMs, because they all require that you enter one.) Like it or not, the move to such chip-embedded cards is inevitable, and by the end of 2015 most Americans will have one.
As the US slowly shifts towards chip-and-PIN cards (only 2% of Americans have them now), credit card companies and banks will require merchants to comply with this standard or bear the costs of any credit card breaches. In fact, “U.S. retailers have until Oct. 1, 2015, to install chip-and-PIN compatible card readers at stores. After that date, merchants will be held liable for any fraudulent charges resulting from misuse of magnetic-stripe cards.” In other words, merchants will have to upgrade their current systems and buy new card readers, which is quite an expense to bear. Of course, they won’t be the ones to bear it. Consumers will. In fact, whether a company pays for increased security or suffers a breach because of apathy, the consumer will eventually be the one who bears the final cost.
There is little doubt that company networks will increasingly be breached. The primary reason for this is the growing number of endpoints (mobile devices) that are connected to company networks and are, thus, potential attack points for hackers. Poorly managed BYOD (Bring Your Own Device) policies combined with irresponsible employee online behavior make companies easy targets for hackers. The reliance on security technologies that have already been shown to be lacking also helps contribute to this state of affairs. Newer technologies exist that prevent irresponsible employee behavior from endangering sensitive corporate data, but few companies are aware of them or discount them as being too revolutionary. InZero Systems, for example, has an architecture which breaks a single mobile device into two devices that are separated at the hardware level. With such architecture, an irresponsible employee can do whatever they want online with their personal side of the device and never endanger sensitive enterprise data on the device’s work side. Since data cannot cross this barrier, the network remains secure, and data breach fatigue is, therefore, removed from the equation.