Over the past several months, we have written multiple posts on the topic of payment security. (See the other posts here and here.) Large parts of the global business community still do not seem to be taking heed after watching the firings of the CEO and other high-level executives at U.S. retailer Target following its huge holiday-season credit-card breach, which affected 70 million customers. Many companies are still not serious about security but instead follow the dangerous route of a compliance-driven security posture along the lines of “if the auditor didn’t find it, why fix it?” This post, the third in our group, therefore focuses on a point that should play a key role in your security decisions in general, instead of compliance: risk.
In assessing your company’s risk for a data breach and the level of action and security you should put in place, there are two key factors that need to be considered in your decision:
Impact: What is the value of your data, and what would the real impact be if you lost it? How many card records do you have stored on your systems in various locations, such as cardholder files, transaction log files, or extract files to be sent to other systems for settlement? And are these files protected sufficiently, meaning that if someone is able to steal a file, will they get to the sensitive credit card data?
Probability: What is the chance of a data breach hitting your company? This is a little harder to determine. The history of breaches, as well as research from various security investigation teams (Verizon, Symantec, etc.), has shown that nowadays it is not a question of whether attackers are probing to get into your network. It is just a matter of how or when they will get in. In 2014, even Joseph M. Demarest, Jr., assistant director of the United States’ FBI Cyber Division, issued a warning: “You’re going to be hacked. Have a plan.”
The important question is, “How and where will you be able to stop them before they get to your confidential data?” In a video about our SecurData product, we used the following visualization to explain that encrypting data at rest is a “last line of defense” that assumes that all other protection levels have failed:
Unfortunately, the traditional methods of data protection such as Perimeter Security, Access Control or Antivirus have proven to be insufficient again and again — and that is exactly why security standards such as PCI call for extra levels of protection.
What does a breach really cost?
The media quickly report the number of records compromised or credit card records lost, but what is the real financial implication of a data breach to your company? Let’s assume a credit card processor runs 5 million credit card transactions a day. That is an average rate of about 58 transactions per second (TPS), or 1.825 billion transactions a year. Based on discussions with customers, a reasonable ratio of unique cards to total number of transactions seems to be about 15-20 percent, which would come out to about 274-365 million unique cards that could be lost. Attackers usually stay on a system exfiltrating data for about 3-6 months before they sell the data, since by that time even the most inactive credit card users have usually used their cards at least once.
Looking into the latest 2015 Verizon Data Breach Investigation Report (DBIR), you will find the following table, which shows the expected costs of a data breach by number of records (figures in US dollars):
Looking at the example stated earlier, a breach of roughly 300 million cards would exceed even the largest entry in the table above. For each factor of 10 in the number of records, the table shows about a factor of 2.6 in expected loss. So extrapolating from the EXPECTED column, a breach of 300 million cards would come to a cost of about US$13 million.
However, compare these DBIR-based estimates with actual cases: the 2008 Heartland Payment breach involved about 130 million cards and resulted in a loss of at least US$140 million in breach-related costs. Another example is Target: 40 million payment cards and personal information on 70 million customers, with non-insured losses that have added up to US$162 million.
This shows that in the financial industry, you might well use the “Prediction Upper” column as a more realistic point of reference. In that case, our sample processor with 5 million transactions a day could well face a loss somewhere in the range of US$300 million.
While the actual amount would, of course, depend on how many credit cards you actually process, looking at examples from Heartland Payment or others shows that, as a rule of thumb, a data loss can easily wipe out the profit the company made in the preceding three to four years.
Is that really likely to happen?
So what truly is the likelihood of a breach wiping out your company’s profit of the last few years? Is it too low to care?
Well, let’s make a comparison. How likely is it that you will have a disaster in your data center? Pretty low, right? So the likelihood is low but the impact of a disaster is huge. The scenario is much the same with a breach.
So why is it that just about any financial institution has a disaster recovery plan (often involving a separate computing site), while only very few have a true last line of defense – effective data-at-rest protection – implemented to protect their huge amounts of sensitive (credit card) data? Note that I am not referring to solutions like VLE (see why here: 'The difference between being PCI compliant and secure') – what I am referring to is effective protection at the data level by tokenizing or encrypting the actual sensitive data itself.
And if you look at what it actually costs to implement such a data-at-rest protection solution, tokenization or encryption as a last line of defense, you will find it is a tiny fraction of the cost of a breach, while seriously decreasing the risk of suffering one.
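The cost estimate above and the impact-versus-likelihood comparison can be reproduced as a small model. This is an added example, not code from the post or from comForte: it anchors the extrapolation at the post’s own figure (300 million records, about US$13 million from the EXPECTED column, scaling 2.6x per factor of 10), checks it against the Heartland and Target figures quoted above, and the breach probability and control cost passed to the annualized-loss helper are hypothetical placeholders, since the post gives no such numbers.

```python
import math

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365

# From the post: each factor of 10 in records is roughly a factor of 2.6 in expected loss.
LOSS_FACTOR_PER_DECADE = 2.6
# Anchor point: the post's extrapolation of the DBIR "EXPECTED" column.
ANCHOR_RECORDS = 300_000_000
ANCHOR_EXPECTED_LOSS_USD = 13_000_000


def transactions_per_second(per_day: float) -> float:
    """Average TPS for a daily transaction volume (5 million/day -> ~58 TPS)."""
    return per_day / SECONDS_PER_DAY


def transactions_per_year(per_day: float) -> float:
    return per_day * DAYS_PER_YEAR


def unique_cards(per_year: float, unique_ratio: float) -> float:
    """Unique cards at risk, given the ratio of unique cards to transactions (post: 15-20%)."""
    return per_year * unique_ratio


def expected_loss_usd(records: float) -> float:
    """Log-linear extrapolation of the DBIR EXPECTED column from the anchor point."""
    decades = math.log10(records / ANCHOR_RECORDS)
    return ANCHOR_EXPECTED_LOSS_USD * LOSS_FACTOR_PER_DECADE ** decades


def underestimation_ratio(records: float, actual_loss_usd: float) -> float:
    """How far the EXPECTED-column model falls short of a real breach's cost."""
    return actual_loss_usd / expected_loss_usd(records)


def annualized_loss_expectancy(probability_per_year: float, impact_usd: float) -> float:
    """Classic ALE = likelihood * impact, the quantity to weigh against a control's cost."""
    return probability_per_year * impact_usd


if __name__ == "__main__":
    per_year = transactions_per_year(5_000_000)
    print(f"TPS: {transactions_per_second(5_000_000):.1f}, cards/yr: "
          f"{unique_cards(per_year, 0.15):,.0f}-{unique_cards(per_year, 0.20):,.0f}")
    print(f"EXPECTED-column model, 300M cards: ${expected_loss_usd(300_000_000):,.0f}")
    print(f"Heartland (130M, $140M) actual/model: {underestimation_ratio(130e6, 140e6):.1f}x")
    print(f"Target (40M, $162M) actual/model:    {underestimation_ratio(40e6, 162e6):.1f}x")
    # Hypothetical: 5% yearly breach probability against the post's $300M upper estimate.
    print(f"ALE at 5%/yr and $300M impact: ${annualized_loss_expectancy(0.05, 300e6):,.0f}")
```

The actual/model ratios of roughly 15x and 29x are the quantitative form of the post’s argument for reading the “Prediction Upper” column rather than EXPECTED.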
Other dimensions of risk
So far we have focused on the monetary aspect of risk, which can be calculated with a surprising amount of certainty. What is impossible to calculate, though, are factors such as loss of customer trust (which can be extremely expensive), but also individual factors such as impact on the computing platform or on your career.
Fortunately, the HPE NonStop platform has not had a single public security break-in yet, but in my opinion, that is no reason for complacency or overlooking and underfunding the platform.
But because it has hummed along quietly for decades without a single major incident (both in downtime and security), the HPE NonStop platform has become somewhat invisible to the top decision makers in many companies. However, that doesn’t mean that your company is not a target.
Despite its safety record, do you think your CEO and CSO are aware of the financial risk the NonStop platform creates because of the nature of the applications and data running on it?
If you have never done these calculations or communicated the potential for loss and risk to the responsible risk management entities within your enterprise, now is the time!
Then, based on a complete picture of risk for your company, decide on your strategy to reduce that risk, either by addressing the impact or the likelihood … or both.
And of course it is always great to discuss and exchange experiences on these topics with other people facing similar challenges in the HPE NonStop industry. The upcoming HPE NonStop Technical Bootcamp is a perfect place for that. So I hope I will see you there! Find me at the comForte booth and I will be happy to discuss and also to introduce you to people who have actively addressed this important topic already in their companies. And of course feel free to contact me directly as well at h.horstcomfortecom!