
Tech Guest Viewpoint - Focus on breach response as much as prevention

11/18/2014

By Todd Waskelis, AT&T

Data breaches can be financially catastrophic as they drive costs to repair the damage, costs to secure their systems, costs to repay the consumers, losses in profits, losses in consumer confidence, and lawsuits seeking damages for alleged negligence. Intense media and Congressional scrutiny have classified all data breaches as direct attacks on privacy and any company that has possession of personal identification information should consider focusing on security controls beyond simply achieving compliance. Although the headline-making breaches are highly sophisticated, most attacks simply take advantage of lax security practices and failure to focus on fundamentals like proper patch management and event analysis. The good news is that many security breaches can be prevented by implementing and enforcing basic security best practices with proven technologies.



The evidence is clear that data breaches are a pervasive problem for most organizations in the United States today. Yet, despite the negative repercussions in terms of cost outlays and reputation damage, many companies do not take appropriate steps to prevent a data breach, or to prepare for and mitigate the risks when the inevitable occurs. As security professionals, we have said this time and again: security is not just about compliance. The best way to prevent a breach is to ensure that security controls and requirements are continuously validated and that all requirements are being met 24/7.



Adherence to the PCI DSS standard (required by the credit card brands) does not guarantee immunity from the ever-evolving tactics used by the global criminal community to exploit data and systems. The complexity of attacks and the growing sophistication of cyber criminals show that following PCI DSS should be the bare minimum for any organization required to protect cardholder data.



In today’s environment, one of the most significant risks associated with a payment card breach is legal liability and subsequent fines and fees. The following risks may present themselves in the wake of a payment card security breach suffered by a merchant:



1. Class action lawsuits from both consumers and issuing banks

2. Legal action from the merchant's own acquiring bank against the merchant

3. Fines and penalties levied by the card brands

4. State and federal regulatory actions including fines and ongoing audits

5. Shareholder lawsuits (based on misrepresentations/omissions concerning data security)



Many organizations struggle with properly managing the entire data breach response process and with effectively coordinating and communicating with all the different players involved in post-breach activity. A breach can cause not only major financial, operational and productivity loss, but also significant damage to brand and reputation if handled poorly. It is important to develop a coordinated approach so that all major aspects of breach response are built into the program, including forensics and legal counsel. The response must consider the possible jurisdictions and venues of the affected individuals, who could be in multiple states, provinces, and countries.



Todd Waskelis is VP, Security Consulting, AT&T
