Author Archive for Dennis Pickard

The Real Cost of Data Breaches

Recently it seems like large-scale data breaches are an almost weekly occurrence. But, just because they are more commonplace does not mean their impacts are any less severe for businesses or for customers whose data is compromised.

Though there were several high-profile data breaches in the last 9 months — eBay, AOL (again!), Neiman Marcus and more — the Target hack stands out from them all. With more than 40 million credit card numbers stolen, Target is still reeling from the cost of its data breach. So, just how much does a breach like Target’s actually cost?

The Cost of Data Breaches is on the Rise

In its ninth annual report on the global cost of data breaches, the Ponemon Institute found that the average cost to a company was $3.5 million, a 15 percent increase over the cost of a data breach in 2013. In the US, the cost incurred for each compromised record rose to $201, while the cost for breaches caused by malicious attack had a price of $245 per record. While big companies like Target may receive insurance money to offset the direct cost of a breach, data breaches carry many hidden costs.

The impact of any data breach goes well beyond just dollars and cents, but here’s the effect on the bottom line for Target: fourth quarter profits down 46 percent, and a profit outlook below Wall Street estimates for the entire next fiscal year. The company’s Q1 profits fell 16 percent, and it announced that the data breach has cost it a net $18 million so far, and that number is sure to rise.

The Cause of Data Breaches

While criminal activity and hacking make headlines, most data breaches are caused either by human error or system glitches. According to Symantec and Ponemon, 64 percent of breaches in 2012 were caused by human mistakes or system problems. And in the case of the Target breach, human error allowed the breach to continue to grow even after it was detected by security specialists. Organizations that have strong security postures, or those that have chosen strong partners to secure their sensitive data, were able to reduce the cost of data breaches by 20 percent, according to the report.

How to Minimize Cost

The Ponemon report found that while the financial cost of a data breach was immense, a poor reputation and a loss of customer loyalty caused the most damage to the bottom line. Like any disaster, cleanup is not a one-time cost: companies must spend heavily to repair their brand image, fix relationships with old customers and acquire new ones.

The report also showed that heavily regulated industries such as healthcare, financial services and manufacturing have a higher per capita breach cost, with healthcare data breach costs averaging $316 per compromised record. With that much on the line, it’s important to have a strong secure cloud partner.

Whether you’re choosing a private or secure public cloud, Layered Tech can offer a flexible cloud platform that meets your most pressing needs. Our secure cloud solution can connect to physical databases, providing you with a hybrid solution for high availability, site failover and disaster recovery. Optional add-ons provide additional security and compliance, back-up services, managed services, and application and system monitoring for a robust solution. Layered Tech is proud to partner with clients to drive innovation and to be a leader in secure cloud and compliant hosting solutions, and we understand the importance of helping you grow your business and secure your data.

About the Author: Dennis Pickard holds CIA & CISA certifications and is the IT Audit Lead in the Compliance and Security Group of Layered Tech. He has more than 20 years of experience in compliance and technology audits, primarily in the Financial Services industry. Throughout his professional career, he has directed and performed numerous PCI DSS & HIPAA security and privacy analysis activities.

 

PCI DSS 3.0: An Overview of Core Changes

Payment Card Industry Data Security Standard 3.0 (PCI DSS) changes became effective on Jan. 1, and many businesses will be working to ensure they are meeting new and updated requirements throughout 2014.

Last month, Layered Tech became one of the first managed hosting service providers to become certified under PCI DSS 3.0 standards. Since we handle the majority of IT controls for many of our clients, it was an easy decision for us to seek certification as early as possible to help them address potential gaps in security and reporting requirements between now and the end of the year. In 2015, all hosting providers must be in full compliance with the new PCI 3.0 standards.

The PCI DSS Lifecycle

PCI DSS (and its counterpart PA DSS) rules live on a three-year lifecycle, and PCI 3.0 began its life when announced in October 2013. Since the new standards became available in January, most cloud solutions providers (CSPs) will spend 2014 implementing the changes pushed by PCI 3.0.

Old PCI 2.0 rules are grandfathered in for 14 months (through Dec. 2014), but merchants and vendors alike will be working diligently to complete their transitions as soon as possible. Here are some of the most noteworthy changes under the new requirements that you should be aware of:

Requirements in PCI DSS 3.0 Go Beyond Compliance

The major changes in PCI 3.0 focus on raising user awareness of potential security and compliance concerns, beefing up security standards, and making user controls more flexible. At its core, PCI focuses on securing cardholder data, so the new standards put a lot of emphasis on securing internal infrastructure, managing third-party access and authenticating systems with access to data.

  • Establish a culture of security through education. One of the largest themes of PCI DSS 3.0 is to maintain and drive accountability at every level of the client organization by educating employees on security.
  • More rigorous requirements for penetration testing. Earlier standards required some testing, but 3.0 requires more strenuous testing at both the application layer and the network layer, and QSAs will have to put more emphasis on penetration testing. Tests must cover the entire cardholder data environment and use an accepted testing model, like NIST. Unlike most of the PCI DSS 3.0 changes, however, organizations have until July 15, 2015 to fully comply with rules regarding penetration testing. Despite the longer deadline, we expect that penetration testing methodologies will come under increased scrutiny in years to come, so having a rigid testing method in place will be crucial.
  • Organizations must have written security agreements with service providers to define security obligations. PCI 3.0 requires that any business, third-party vendor or organization that accepts card payments is fully aware of their responsibilities in data security. The new standards provide an extra level of guidance to both CSPs and merchants to ensure that responsibility is shared, not outsourced.
  • Enhanced service provider scrutiny. CSPs must now use unique credentials for each of their clients (spurred by a data breach caused by a vendor using a single password across each environment), and must give customers documentation confirming their responsibility for data in their possession and maintaining compliance in the data environment.
  • Merchants and vendors must maintain a complete inventory of the cardholder data environment (CDE). This includes documenting each component of the environment, along with its function and purpose.

It shouldn’t be a big surprise that so many of the changes encourage CSPs and third-party vendors to share responsibility for maintaining security. As more businesses seek help with their IT operations, third-party providers will have a more prominent role in guaranteeing compliance. At Layered Tech, we manage all the IT controls through internal staff, without third-party support, helping clients limit scope, risk and costs.

The Value of Early Adoption

Since all organizations – vendors, assessors and CSPs alike – must adhere to the new standard by the end of 2014, Layered Tech felt it was important to achieve early certification. As our clients begin to recertify for their own business, we can now safely manage their controls and leave no gaps between their compliance efforts and our own. Layered Tech has always been on the leading edge of PCI DSS certification, and we continue to support the needs of our clients by staying ahead of the curve.


Hooray for HITRUST

It can be difficult to prove whether a cloud or managed hosting provider is certified HIPAA compliant because today no formal process or status exists to verify that claim. The HIPAA Security Rule allows the use of any security measures that reasonably and appropriately implement its standards and implementation specifications. For health care innovators, this wiggle room can cause some uncertainty about whether their IT infrastructure is compliant and secure, or in danger of a costly HIPAA violation.
