SmallBusinessReports.org
No products or services are sold on this non-profit educational informational resource

SmallBusinessReports.org

Small Business Reports

business journal

  SPECIAL REPORT  OCTOBER 2018

Cost of a Customer Data Security Breach

Lost Trust  Lost Business

COST:  $148.00 per stolen record on average

A stark warning to merchants about their payment card processing:
Many resellers - including most banks - cannot keep up with new financial tech for security, inviting customer data breaches and fraud.

 “One-third of the cost of data breaches is from lost business”

IBM / Harris (2018) found that 75 percent of consumers in the U.S. say that they will not do business with companies that they do not trust to protect their data.

• 60 per cent of small to medium-sized businesses go out of business within six months of a cyberattack
• 70 per cent of cyber attackers deliberately target small businesses
• 71 per cent of cyberattacks hit businesses with fewer than 100 employees
• $180,000 is the average loss that small- and medium-sized businesses sustain from cyberattacks

The number of businesses experiencing losses from cybercrime is increasing in North America, and so is the scale of their losses. The number of businesses reporting losses of more than a million dollars is rising.

Security must be the foundation of payment processing.  Merchants need to be sure that their payment processor is keeping up with new financial tech for electronic payments security and is committed to keeping the merchant’s business and customers safe from very real threats of payment card fraud and identity theft.

One problem is that many resellers cannot keep up with new financial tech which exposes merchants to customer data breaches.  

Many merchants are with a reseller and are not even aware of it. 

Most banks are resellers.

Some resellers falsely claim to be direct payment processors when in fact they are resellers.

Question: 
Are you using a Top Ten payment processor with superior financial tech for low rates, high security and fast service?  Or are you with a reseller …paying higher rates for lower security and service?

One major factor impacting lost business costs is customer turnover in the aftermath of a breach.  Typical losses from a breach include abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill.

Hidden costs in card holder data breaches – such as lost business, negative impact on reputation and employee time spent on recovery – are difficult and expensive to manage. For example, the study found that one-third of the cost of breaches is from lost business.

Small to medium-sized businesses are hit with nearly 4,000 cyberattacks per day, and that number is expected to grow. Almost half are likely to fall victim to a cyberattack.

Despite common misconceptions, small businesses are prime targets for hackers because of their size. Thieves aren’t concerned about how big a business is; as long as there is financial gain to be had from stealing, any company is fair game.

 In 2016 alone, over 14 million American small businesses were breached by cybercriminals.

Data Breach Protection

A data breach occurs when an unauthorized party accesses a merchant’s network and steals cardholder data. Breaches come in various types: network (hacking and skimming); malware and spyware; the physical loss of the card, paper records or a device like a computer or CD; and losses from employee dishonesty. 

Regardless of how the breach plays out, the result is always the same: unencrypted personal identifying information is compromised by fraudsters and identity thieves. The potential financial and reputational damages are extensive and costly.

Consequently, "data breach protection" are three words that should be foremost in the minds of all business owners operating on the internet — and today, that’s just about everyone. Recent statistics on the tremendous costs faced by merchants who experience data breaches underscore the fact that the stakes are just too high for breach protection to be relegated to your "to do" pile.

Data Breach Security

With fraudulent payment card transactions continually on the rise, it’s more important than ever that merchants protect themselves from potentially huge financial losses associated with a data breach.

Breach Protection Best Practices

Merchants must protect themselves, their businesses and their customers from data breaches by adhering to the Payment Card Industry Data Security Standard. This is known as being PCI compliant. The requirements of PCI DSS are focused on boosting security for the storage, transmission and processing of cardholder data.

Beyond PCI compliance, businesses should strive for the tightest security possible against fraud and other data breaches by using standard and advanced detection and prevention tools like those offered by the leaders in the payments industry. A secure processing platform is fully PCI compliant and provides access to fraud prevention tools including address verification service (AVS), card verification code (CVC/CVC2) and card verification value (CVV/CVV2).

A gateway offers multiple interface options that allow merchants to choose their preferred method for submitting and processing payments securely. For example, the optional tokenization service hosted payment page can reduce your PCI burden by eliminating the need to store sensitive card data by only sending back minimal information such as a transaction ID, reference ID and authorization code.

Accept EMV Payments

EMV^® uses embedded microchip technology for authenticating credit and debit card transactions. It has been adopted by all major card brands and is currently in use in more than 80 countries around the world, most recently in the United States. Its adoption worldwide is considered to be critical to the development of a more secure payments industry. 

What is EMV?

EMV is the best available technology for authenticating cards and cardholders. It makes the card virtually impossible to copy, thus reducing the possibility of accepting counterfeit cards. In fact, countries where EMV payments are the norm have seen drastic reductions in card-present fraud.

The chip embedded in the card stores cardholder data and creates a unique value for each transaction. This dynamic authentication makes each transaction unique and more secure. Additionally, EMV chip card transactions may require the use of a PIN to authenticate the cardholder and results in a reduction in credit card fraud through lost or stolen cards.

EMV & Your Business

Businesses that have not yet transitioned to EMV card acceptance should consider doing so to protect themselves and their customers. This typically requires a software update and the installation of an EMV-capable terminal that can handle chip cards.

Important benefits of adopting EMV payment technology for your business include:

Dual Verification

A chip card-enabled terminal validates the card, and the cardholder authenticates that they are the card owner while the card is still in the POS terminal.

Fraud Reduction

Security features built into the chip reduce lost, stolen and counterfeit fraud. Unlike traditional magnetic stripe transactions, the EMV credit card terminals and chip-enabled cards work together to validate the card and cardholder.

Reduce Financial Liability

Prior to the October 2015 POS counterfeit liability shift, card-issuing banks were held responsible for any credit card. Since the shift, businesses that are unable to support chip cards have been held financially responsible if a fraudulent transaction occurs. 

Start Accepting EMV Payments Today.

Ingenico^® and Verifone^® EMV terminals and readers are available to merchants who are ready to transition to this new, more secure technology. Chip-enabled terminals also accept magnetic stripe cards, contactless and manual payments, allowing you to make all your payment transactions with one device while avoiding financial liability for card fraud.

Protection from Credit Card Fraud

Credit card fraud continues to be a major threat to all businesses — a threat that has potentially crippling financial implications. Of major concern are CNP (card-not-present) transactions, such as those handled by online and mail order/telephone order (MOTO) merchants. 

Fortunately, there are simple, established steps you can take to lessen the likelihood that your business becomes the victim of online fraudsters and thieves.

Online Fraud Protection

All online merchants — regardless of size — must be vigilant when it comes to online fraud detection and prevention. Both their reputation and their finances are at stake.

There are several basic credit card fraud protection tools available:

• AVS verifies the identity of the person making the transaction by comparing the billing address they provide with the address on file at the financial institution that issued the credit card.
• CVC/CVC2/CVV/CVV2 all display as a 3- or 4-digit number printed on the back of Mastercard^®, Visa^® and Discover^® credit or debit cards; on American Express^® cards, the number appears on the card front.

All codes provide an effective starting point for protecting your business against credit card fraud. Leading payments processors offer secure merchant accounts and web-based solutions for business of all sizes to use for online credit card processing. With our portfolio of e-commerce solutions and payment processing services, businesses can benefit from a tailor-made approach that meets their needs, even as they grow or their requirements change.

Payment Processing Industry Regulations

Electronic payment processing is a highly regulated industry, which is to be expected since it deals in sensitive and private personal financial information. The goal of these regulations is to protect all parties involved in electronic transactions — cardholders, merchants, processors and the issuing banks — from identity theft and fraud. 

 Regulations That Directly Affect Merchants Include:

IRS Mandate (Section 6050W)

Merchants are required to report their annual gross payment card transactions processed by credit, debit or co-branded cards and third-party network transactions to their merchant services providers, who pass the information along to the IRS.

Durbin Amendment

Rules have been implemented that lower the debit card interchange fees the Visa^® and Mastercard^® networks charge merchants.

PCI Compliance 

The Payment Card Industry Data Security Standard (PCI DSS) encompasses a set of requirements that help to ensure that all merchants who process, store or transmit credit card information maintain a secure transaction environment.

Near Field Communication (NFC)

Near Field Communication, or NFC, is short-range wireless technology that allows smartphones and similar devices to communicate when they’re within a few inches of each other. This contactless technology has been around for years and has many applications that people use on a daily basis, including synching their smartphones to their cars and paying fares on public transportation. 

NFC is also used for mobile contactless payments at both attended point-of-sale (POS) locations like stores, and unattended locations like vending machines, that use the existing merchant payments infrastructure.

NFC at the POS

NFC transactions are quick and convenient, which helps to keep the customer satisfied and makes it possible for merchants to process sales efficiently. NFC is also compatible with coupon and special offer redemptions that draw in customers and sales.

Perhaps most importantly, NFC transactions are considered to be more secure than those involving traditional magnetic stripe credit cards, which can be stolen or cloned and used for unauthorized purchases.

An NFC-enabled smartphone or other mobile device is set up with a payment app and payment account information, typically a credit or debit card. Shoppers simply wave or tap the device — or an EMV^® chip card — in front of an NFC receiver at checkout. They may also be required to scan a fingertip or provide a passcode to approve the transaction.

The receiver reads the signal and the transaction is validated by the internal Secure Element (SE), where personal and financial information is stored. Once validation is complete and the transaction is authorized by the processor, the transaction is charged to the shopper’s designated credit card and a sales receipt is issued.

NFC & Digital Wallets

Digital wallet is a term that refers to an electronic device that allows an individual to make electronic commerce transactions. A person can store a wealth of information in their digital wallet, including their ID, driver’s license, health insurance card and loyalty cards, as well as credit card account data, which can then be used to make purchases at a POS terminal.

NFC & Secure Processing

As with all electronic financial transactions, security is a concern with NFC. One issue is “eavesdropping” by criminals attempting to steal data. However, since the NFC-equipped device or card must be in close proximity to the receiver, hackers have a very limited range in which to intercept signals. Additionally, there are established secure channels that encrypt the account data, which can only be decoded by an authorized device.

The Secure Element step in the process, which holds authorization power, is critical. Tamper-proof and protected by a unique digital signature, the SE is contained in a chip in the terminal and the customer’s mobile device. Alternatively, it functions virtually in the cloud to help protect the transaction from software and hardware attacks.

Physical theft of an NFC-equipped device is another security concern. Digital wallet users are encouraged to password protect their device to keep their private and payment information out of the hands of thieves. 

Get Started Now

Many major retailers are already NFC capable. This “tap and go” technology is expected to grow in popularity with U.S. consumers as more retailers and service providers upgrade to processing equipment that can handle both EMV and NFC transactions.

PCI Compliance for Electronic Transactions

PCI compliance simply means adherence to the Payment Card Industry Data Security Standards, or PCI DSS, which are administered by the Payment Card Industry Security Standards Council (PCI SSC). The council was established in 2006 by the major payment card brands — including Visa^®, Mastercard^®, Discover^® and American Express^® — to manage security standards for electronic transactions.

It is the responsibility of all parties to payment card processing — including businesses, merchant services providers, financial institutions and card issuers—to keep the process safe by achieving and maintaining PCI compliance.

Security for Wi-Fi Connectivity

A Wi-Fi connection to the internet can be less secure than wired connections because a cybercriminal does not require physical access to gain entry into the network. In order to secure a wireless network and to meet PCI compliance standards, there are two encryption protocols currently used by IT professionals.

Wi-Fi Security Protocols

Wireless Protected Access — known familiarly as WPA — and WPA2 were developed to improve the security of Wi-Fi connections by requiring the use of wireless encryption. WPA2 requires a stronger encryption than WPA, but IT professionals say it also may slow down the network’s performance. Both protocols provide Wi-Fi users with a high level of security and can help minimize the risk of a breach.

Securing a Wireless Network to Achieve PCI Compliance

Industry regulations for PCI compliance require merchants to protect cardholder data and any payment card information, whether it is printed, processed, transmitted or stored. It requires organizations to extend the same level of security from the wired network to the wireless network and provides specific guidelines as to how to protect point-of-sale data over the wireless network.

Additionally, merchants should have secure Wi-Fi as it is defined and required by PCI regulations, including but not limited to the following: 

• The merchant should ensure that only trusted individuals have access to the payment application and its associated environment
• The mobile device should be stored in a secure location when it is not in use. The merchant should consider locking the mobile device to the merchant‘s physical location when possible
• The merchant should place mobile devices in a location that offers the greatest level of security (less customer and employee access), observation, and monitoring when possible
• Where data passes through a network under the merchant‘s control (e.g., Wi-Fi or Bluetooth^®), ensure that the network is implemented as a secure network

Wi-Fi Network Security

The PCI Security Standards Council states the following key points: 

• Even if an organization that must comply with PCI DSS does not use wireless networking as part of the cardholder data environment (CDE), the organization must verify that its wireless networks have been segmented away from the CDE and that wireless networking has not been introduced into the CDE over time
• Although the PCI DSS outlines requirements for securing existing wireless technologies, there are validation requirements that extend beyond the known wireless devices and require monitoring of unknown and potentially dangerous rogue devices
• A rogue wireless device is an unauthorized wireless device that can allow access to the CDE; wireless networks can be considered outside of PCI scope if no wireless is deployed or if wireless has been deployed and segmented away from the CDE
• Regardless of whether wireless networks have been deployed, periodic monitoring is needed to keep unauthorized or rogue wireless devices from compromising the security of the CDE
• Segmenting wireless networks out of PCI scope requires a firewall between the wireless network and the CDE 

Increase Security with Strong Passwords

The best passwords are designed to be difficult to discover through intelligent guessing. Security experts recommend the following password guidelines to help maximize Wi-Fi security:

 Use a minimum password length of 12 to 14 characters, or as many as the software allows

• Include lowercase and uppercase alphabetic characters, plus numbers and symbols if allowed
• Generate passwords randomly if possible
• Avoid using the same password twice in multiple user accounts or software systems
• Avoid character repetition, keyboard patterns or letter/number sequences
• Don’t use relatives’ or pets’ names, ancestors’ names, birthdays, anniversaries or ID numbers

IBM 2018 Study: Hidden Costs of Data Breaches Increase Expenses for Businesses

Average Cost of Data Breaches Increased

“One-third of the cost of data breaches is from lost business”

IBM Security announced (2018) the results of a global study examining the full financial impact of a data breach on a company's bottom line. Overall, the study found that hidden costs in data breaches – such as lost business, negative impact on reputation and employee time spent on recovery – are difficult and expensive to manage. For example, the study found that one-third of the cost of breaches were derived from lost business.

IBM Security and Ponemon Institute found that the average cost of a data breach globally in 2018 is $3.86 million, a 6.4 percent increase from the 2017 report. Based on in-depth interviews with nearly 500 companies that experienced a data breach, the study analyzes hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation.

"While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified," said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS). "The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake."

Hidden Figures – Calculating the Cost of a Breach
In the past five years, the amount of mega breaches (breaches of more than 1 million records) has nearly doubled - from just nine mega breaches in 2013, to 16 mega breaches in 2017.³ Due to the small amount of mega breaches in the past, the Cost of a Data Breach study historically analyzed data breaches of around 2,500 to 100,000 lost records.

Based on analysis of 11 companies experiencing a mega breach over the past two years, this year's report uses statistical modelling to project the cost of breaches ranging from 1 million to 50 million compromised records.  Key findings include:

• Average cost of a data breach of 1 million compromised records is nearly $40 million dollars
• At 50 million records, estimated total cost of a breach is $350 million dollars
• The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error)
• The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days)

For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly $118 million for breaches of 50 million records – almost a third of the total cost of a breach this size. IBM analyzed the publicly reported costs of several high profile mega breaches, and found the reported numbers are often less than the average cost found in the study.⁴ This is likely due to publicly reported cost often being limited to direct costs, such as technology and services to recover from the breach, legal and regulatory fees, and reparations to customers.

What Impacts the Average Cost of a Data Breach?
For the past 13 years, the Ponemon Institute has examined the cost associated with data breaches of less than 100,000 records, finding that the costs have steadily risen over the course of the study.  The average cost of a data breach was $3.86 million in the 2018 study, compared to $3.50 million in 2014 – representing nearly 10 percent net increase over the past 5 years of the study.

The study also examines factors which increase or decrease the cost of the breach, finding that costs are heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time.

• The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach once identified was 69 days.
• Companies who contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total)

The amount of lost or stolen records also impacts the cost of a breach, costing $148 per lost or stolen record on average. The study examined several factors which increase or decrease this cost:

• Having an incident response team was the top cost saving factor, reducing the cost by $14 per compromised record

• The use of an AI platform for cybersecurity reduced the cost by $8 per lost or stolen record

• Companies that indicated a "rush to notify" had a higher cost by $5 per lost or stolen record

This year for the first time, the report examined the effect of security automation tools which use artificial intelligence, machine learning, analytics and orchestration to augment or replace human intervention in the identification and containment of a breach. The analysis found that organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach ($2.88 million, compared to $4.43 million for those who had not deployed security automation.)

Regional and Industry Differences
The study also compared the cost of data breaches in different industries and regions, finding that data breaches are the costliest in the U.S. and the Middle East, and least costly in Brazil and India. 

• U.S. companies experienced the highest average cost of a breach at $7.91 million, followed by the Middle East at $5.31 million.
• Lowest total cost of a breach was $1.24 million in Brazil, followed by $1.77 million in India.

One major factor impacting the cost of a data breach in the U.S. was the reported cost of lost business, which was $4.2 million – more than the total average cost of a breach globally, and more than double the amount of "lost business costs" compared to any other region surveyed. One major factor impacting lost business costs is customer turnover in the aftermath of a breach; in fact a recent IBM / Harris poll report found that 75 percent of consumers in the U.S. say that they will not do business with companies that they do not trust to protect their data.

For the 8th year in a row, Healthcare organizations had the highest costs associated with data breaches – costing them $408 per lost or stolen record – nearly three times higher than the cross-industry average ($148).

"The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs."

Cost components include the abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill.

Typical activities for the discovery of and the immediate response to the data breach include the following:

>Conducting investigations and forensics to determine the root cause of the data breach

>Determining the probable victims of the data breach

>Organizing the incident response team

>Conducting communication and public relations outreach

>>Preparing notice documents and disclosures to data breach victims and regulators

>>Implementing call center procedures and specialized training

Lost business: Activities associated with cost of lost business including customer churn, business disruption, and system downtime. Also included in this category are the costs of acquiring new customers and costs related to revenue loss.

SOURCE:

visa.com
digitalguardian.com
digitaljournal.com
www.cutimes.com

SmallBusinessReports.org    

 costofadatabreach.mybluemix.net/

bankingjournal.aba.com/2018/07/average-cost-of-data-breaches-increased-year-over-year-study-finds/