Just about every week, an announcement is made that a new data breach may affect thousands of people. Every once in a while (although it is somewhat rare), a breach can affect millions. While it’s true that companies are doing a better job of protecting personally identifiable information, there’s still much room for improvement. Too many companies are making data safety assumptions that just aren’t true. Didn’t anyone ever tell you about assumptions?
Earlier this month, it was announced that a hospital in Oregon experienced another data breach. And it wasn’t the first time for this hospital; prior data leaks have occurred due to stolen and exploited employee devices. This breach, however, was attributed to data being stored in the cloud in an unsecured manner.
Now before everyone jumps on the “I knew the cloud wasn’t safe” bandwagon, let’s think this through. The cloud, for all intents and purposes, is as safe a place to store data as any other publicly accessible online environment. While there are some relatively valid concerns about the potential for a cloud infrastructure provider’s employee to make off with this sensitive data, these concerns are not strongly supported by statistics. In fact, in 2012 the statistics regarding the cause of data breaches changed slightly, showing a trend in which inside attacks are shrinking in frequency. Meanwhile, malicious attacks are increasing. Last year, over 37% of attacks were malicious or criminal, 35% were due to employee or contractor negligence, and 29% involved IT and business process failures (Ponemon Institute Cost of Data Breach Study).
Also in 2012, over 2.5 million California residents had their personal information stolen, putting them at considerable risk of identity theft. Even worse, 1.4 million people had personal information such as “social security numbers, credit card and bank account information, medical and insurance data, and driver’s license number” exposed due to a lapse in basic security measures (read full report here).
Needless to say, it is likely that many companies aren’t using basic encryption for sensitive information. Those operating procedures need to be reconsidered. Encryption is not as “expensive” an operation as it once was, thanks to increased processing power and the many database and application vendors that support encryption out of the box. Encrypting information is an easy approach to safeguarding your customers’ personal information, provided, of course, that proper key management techniques are followed. In fact, I’d go so far as to say that all personally identifiable information (including email addresses) should be encrypted if at all possible. And by the way, it should be.
One of the worst things that can happen to an eCommerce company (or any company for that matter) is a data breach – and not just because of the potential fines and lawsuits. The damage to the brand is immediate and long-lasting, and even if it wasn’t “your fault”, there will be no judge or jury to pronounce your innocence. When it comes to consumers, the perception of your site’s security becomes reality. The negativity of a breach is so damaging to your brand that there’s virtually nothing you can do or say that will carry enough positive weight to offset it.
The world of security can be a lot like football. You have to keep advancing while maintaining a high level of protection. Plus, it’s foolish to assume you can run the same defensive plays while the offense constantly adapts its attack and attempts to steal the playbook. So why are so many companies still doing it? Hackers are getting smarter every day, which becomes more evident as increasingly intelligent new exploits are detected. Encrypting valuable and private information, whether it’s a playbook or customer data, is the safest move to make and one that requires little effort. It’s a step you can’t afford to ignore. Otherwise, there’s a good chance you’re going to drop the ball.