2014 was undeniably a horror year for data breaches, with two of the world’s largest brands – Sony and eBay – falling victim to cyber-attacks. It is fair to say that 2015 hasn’t seen an improvement; as businesses build stronger walls around their systems to secure customer data, cyber-criminals construct taller ladders to scale these walls.
A number of brazen attacks have been splashed across news headlines this year including the serious security breach of US Central Command, which saw hackers claiming links to ISIL take control of the organisation’s Twitter and YouTube accounts. In a more salacious case, the online dating website exclusively for adulterous affairs, Ashley Madison, had the names of 37 million customers stolen and published on the internet, resulting in the highly-publicised resignation of the company’s CEO.
While these incidents occurred in America, the UK cannot judge from afar. We hold one of the worst track records when it comes to the online theft of credit and debit card details. In 2014 alone there were 117 crimes relating to stolen details, representing 62 per cent of all breaches in Europe. In the past, business leaders may have been blasé about cyber security but in the wake of continuing attacks, consumers are quite rightly demanding stronger protection from fraud, and companies are starting to take notice.
Traditionally the majority of the immediate costs following a breach come from claims made by payment card networks alleging fraudulent transactions, but this is not the full picture. The Ponemon Institute, in its 2015 Cost of Data Breach Study, details a host of other factors that contribute to the cost, including an alarming increase in the number of malicious or criminal attacks, which are the most costly type of breach. In 2015, 47 per cent of all attacks were classified as malicious or criminal, compared to 42 per cent in 2014. The report concludes the average cost of a data breach to a company sits at $3.79 million US; an increase of 23 per cent over the last two years.
By far the most damaging factor in the aftermath of a breach, however, is the loss of business as a result of diminished trust from customers. In fact, Semafone’s own research showed 86% of people (91% of women and 81% of men) would be unlikely to do business with an organisation that had suffered a security breach involving credit or debit card data. When such a disaster occurs, companies find themselves spending heavily on advertising and communications to restore a positive brand image, and in extreme cases, building an entirely new customer base from scratch. This problem has been shown to be particularly acute in industries where trust is at the heart of the business, such as healthcare and pharmaceuticals.
Organisations have always needed to balance the risk of an attack against the costs involved in preventing it and in recent years the price of effective prevention has frequently been judged too high. Compliance with Payment Card Industry Data Security Standard (PCI DSS) regulations, for example, has often been by-passed. These regulations, drawn up by the card providers to protect customer data, require many technological checks and controls and can be expensive and labour-intensive to implement. At the same time, the consequence of a data breach has been perceived to be relatively mild, consisting largely of a fine and an element of compensation to the customers affected. When faced with the prospect of spending thousands to implement and maintain proper security for a contact centre, the risk of a breach can seem to be worth taking.
Compliance with PCI regulations is still not cheap. Four years ago the average annual spend for an organisation handling over 6 million card transactions a year was £150,000. Today, additional requirements such as the increased use of external auditors have been added to the check list, driving the cost even higher. While technological advances are helping organisations to avoid handling card data wherever possible, PCI compliance is still a serious matter.
Legislation, too, has become fiercer. The revised European Data Protection Regulations threaten large corporations with a fine equal to 5% of their global revenues if they can be shown to have been negligent with customer data. Businesses will also be required to report data breaches within 24 hours, therefore stamping out the opportunity to conceal the facts.
In the light of all these factors, companies have no alternative but to do their utmost to protect both themselves and their customers from fraud. By comparison with the true cost of a data breach, PCI compliance can no longer be considered “too expensive”, but ultimately no amount of checks and access controls can guarantee the safety of customer data. For peace of mind, companies have two real options; keep spending on security to stay one step ahead of the bad guys or hand your card data in its entirety over to payment specialists. The second of these options is becoming increasingly appealing.
Fraud attacks are unlikely to stop any time soon, with criminals having every incentive to continue to develop increasingly sophisticated techniques for outwitting security systems. Merchants would do well to take heed.
Written by Tim Critchley, CEO of Semafone, which provides secure voice payment software to contact centres. The Secured by Semafone trustmark is used by Semafone’s clients and partners as a sign to customers that their card data is secure when making a payment over the phone.