Data is the new black.
That’s right, data. Not brown, blue or orange. It’s an especially appropriate assertion given our pending Valentine’s Day holiday (and of course, our recently released 2016 Vormetric Data Threat Report). As the new black, data should be loved, revered and respected. For if that data is loved, revered and respected, so are the customers that data belongs to. Why? Because that data is secure. Loved, revered and respected data is not insecure data.
It doesn’t take a rocket scientist to understand that insecure data is much more susceptive to data breaches than secure data. These past three years in particular have really shed light on the severe impact leaked or stolen data (aka data that wasn’t properly protected in the first place) can have on organizations and individuals – and why it ultimately makes for a very unhappy customer. Here are some examples:
Target Proves Fallible
Following its 2013 breach, Target was forced to pay consumers $10 million. The company also reached a $67 million settlement with Visa, which was brought on behalf of Visa cardholders affected. In December 2015, it was announced Target had agreed to settle with MasterCard for $39 million. While this might not seem like very much given the sheer size of the company and the revenue it brings in, you can rest assured this isn’t the end of Target’s data breach payouts.
If you think Target’s woes are purely financial, think again. Since the breach, the company has contended with lost sales, diminished customer goodwill and diminished trust. To be fair, the company was grappling with growing pains prior to the breach – but the attack unfortunately made the situation even worse.
Home Depot Misses the Mark
In September 2014, Home Depot reported 56 million credit cards were potentially affected by a breach spanning five months. According to reports, prior to the breach Home Depot had started encrypting its payment terminal data but was outpaced by the hackers. Around one year later, SC Magazine reported the “expected cost to Home Depot for a cyber intrusion may reach into the billions.”
Perhaps even more damning than the cost was the backlash against the company. In May 2015, consumers filed a 187-complaint against Home Depot. In it, they cited “overarching complacency when it came to data security.” “Complacency” and “business” should never be used in the same sentence – unless one is referring to a trait that hampers success.
Needless to say, subsequent lawsuits against Home Depot have clearly illustrated a breach in trust between the company and its customers. As we all know, building trust takes time. My colleague Tim Stewart described it perfectly in her December 2015 blog about the second anniversary of the Target breach: “Successful retailers understand the strategic advantage of what is called ‘lifetime value’ in terms of the consumer. And nothing destroys lifetime value more quickly than lack of consumer confidence. For retailers, protecting customers’ information this holiday season, and all year long, has become a large part of maintaining this confidence.”
The VTech Hack: Getting Personal
Although it may seem like the case, severe data breaches aren’t unique to the U.S. One example of a recent breach that raised hackles – and with very good reason – was the attack against Hong Kong-based company VTech. Here’s why:
- Stolen data included private information of over 5 million parents and profiles of over 6 million children (including chat logs, kids’ photos and more)
- Additional compromised data included names, addresses, emails, IP addresses, and secret questions and answers for passwords
- Those affected are children, a particularly vulnerable segment of the population
For now, it’s difficult to say just how damaging this breach will be for VTech. There are definite indications the company’s climb back uphill won’t be easy. For starters, members of the press scorned VTech’s January 2016 announcement that it was unveiling a home monitoring system. Understandably, they didn’t hesitate to point out the irony of this strategy. Boing Boing’s Cory Doctorow was particularly biting, writing “Remember the Hong Kong-based crapgadgeteer Vtech, who breached 6.3 million kids' data from a database whose security was jaw-droppingly poor (no salted hashes, no code-injection countermeasures, no SSL), who then lied and stalled after they were outed? They want to make home security devices that will know everything you say and do in your house.”
The Common Denominator
What do the companies above all have in common? There are a number of thoughts that come to my mind, but for the purpose of this blog, I’m focusing on one big one: they failed to encrypt critical data.
As we put in our December media alert about the VTech breach, if businesses really want to minimize the reputational damage should the worst happen, proactive steps such as strong encryption should be taken now to ensure the protection of that data even if it falls into the wrong hands.
It should be obvious we Vormetricans are fans of an “encrypt everything” approach. By this, we don’t mean businesses should encrypt literally each and every piece of data that comes or goes. Not all data is created equal, after all. Customers’ Social Security numbers are highly sensitive; an email between two employees discussing last weekend’s game is nowhere near as sensitive.
In an October blog, I outlined strategic considerations for companies contemplating an encrypt-everything approach. They include data type flexibility; enterprise scalability; executive buy-in; data classification; management and ownership; and operational costs. Should an organization decide to kick off or ramp up its encryption strategy, we recommend a three-tiered approach. Our CSO Sol Cates clearly broke it down in his July blog post:
- Understand: Understand what your IP is and educate yourself. It is also important to identify the data that should be considered the crown jewels for your organization.
- Classify: Determine where your data resides and how it communicates with the existing infrastructure.
- Protect: Here at Vormetric, we can’t stress this enough. Look at ways to protect data. Whether encryption, tokenization or other methods of data security, you can’t cover your bases with a sole reliance on compliance!
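To make the “classify, then protect” steps above concrete, and to show what the “no salted hashes” failing quoted in the VTech section actually means in code, here is a small added example. It is not Vormetric code and not part of the original post; the field labels, the policy table and the PBKDF2 work factor are assumptions made for the example. It classifies the fields of a customer record by sensitivity and replaces credential-type fields (passwords, secret-question answers) with a per-record salted hash, so that two parents who chose the same answer do not end up with the same stored value.

```python
import hashlib
import hmac
import secrets

# Constructed classification policy (an assumption for this example, not a
# product schema): which fields of a customer record carry which sensitivity.
FIELD_POLICY = {
    "name": "pii",
    "email": "pii",
    "address": "pii",
    "ip_address": "pii",
    "password": "credential",        # never stored in the clear; salted hash only
    "secret_answer": "credential",   # same treatment as a password
    "weekend_game_chat": "public",   # the post's low-sensitivity example
}

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def classify(record):
    """Group a record's field names by sensitivity label.

    Unknown fields default to 'pii' so that a field nobody classified is
    treated as sensitive rather than silently passed through as public.
    """
    buckets = {"pii": [], "credential": [], "public": []}
    for field in record:
        buckets[FIELD_POLICY.get(field, "pii")].append(field)
    return buckets


def hash_secret(secret, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 in a self-describing 'algo$iters$salt$digest' string.

    A fresh 16-byte random salt per secret is what 'no salted hashes' lacks:
    with it, identical secrets produce different stored values, and a
    precomputed table of hashes cannot be reused across users.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def protect_record(record):
    """Apply the policy: credential fields are replaced by salted hashes.

    PII fields are left for the next layer (field- or file-level encryption),
    which this example does not implement.
    """
    buckets = classify(record)
    protected = dict(record)
    for field in buckets["credential"]:
        protected[field] = hash_secret(record[field])
    return protected


if __name__ == "__main__":
    # Constructed sample record; no real customer data.
    record = {
        "name": "A. Parent",
        "email": "parent@example.com",
        "secret_answer": "fluffy",
        "weekend_game_chat": "what a game on Sunday",
    }
    print("classification:", classify(record))
    stored = protect_record(record)
    print("stored secret_answer:", stored["secret_answer"][:40], "...")
    print("verify correct answer:", verify_secret("fluffy", stored["secret_answer"]))
    print("verify wrong answer:  ", verify_secret("rex", stored["secret_answer"]))
```

The `classify` step is where the “understand” and “classify” guidance lands in practice: the policy table is the artifact a security team maintains, and the default-to-sensitive branch keeps a newly added column from escaping protection. The `verify_secret` comparison uses `hmac.compare_digest` so that verification time does not leak how many bytes of the digest matched.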
Solutions for Protecting Data
Ultimately, every organization has different needs and therefore requires different remedies. After years and years of working with an array of customers spanning countless industries, we think it’s pretty safe to make this assertion. With this in mind, we developed some collateral for companies investigating encryption solutions. We went so far as to break down the advantages and disadvantages of encryption at each level in the computing stack. Included are the following technologies:
We understand this may seem daunting, but we can’t stress it enough: the benefits so greatly outweigh the “drawbacks” (time spent reading, researching, liaising with vendors and implementing the solution) it’s almost mind-boggling.
Love Your Data, Love Your Customer
We live in a world that is fraught with data threats, full of hackers that want to do more than just make a financial mark – in some cases, they want to make a moral point, a geopolitical point or a technological one.
In my introduction, I made the case that there is a connection between loved data and a loved customer. In my mind, an organization that takes steps to secure sensitive data is one that is committed to its customers’ well-being. It’s one that doesn’t want its customers to have to cancel their credit cards; to sign up for an ID theft monitoring service; to nervously track all of their personal information; to join a class-action lawsuit; to stop doing business with it; or to feel jaded and frustrated by powerful organizations that don’t seem to truly understand the unsettling nature of leaked data.
Love your data by protecting it. Protect it because you love your customer.