Security breaches capture headlines and create opportunities for rich and sometimes passionate discussions about what needs to be done.
When the breach includes payment information, a typical response is to suggest that the merchant was “PCI compliant at the time.” That normally creates a storm of commentary and analysis. Big merchants make for big headlines.
However, what if the likelihood of breach wasn’t greater for larger merchants? And what impact, if any, do the costs and fines associated with breach have?
What about consumers? Reports suggest people will walk away from brands that experience a breach. Do they actually?
All topics of speculation.
Today, Dr. Branden Williams (bio, @BrandenWilliams) and MAC released a new report, The Impacts of Breaches that took a different approach to gather, analyze, and present evidence to guide better discussions and decisions.
“The survey is somewhat unique in the industry as respondents cut across the Payment Card Industry Data Security Standard (PCI DSS) compliance ecosystem, rather than focusing on the customers of a single vendor or payment brand.”
Brief and easy to read, the white paper details a series of key findings.
In addition to discovering that actual PCI compliance rates are lower than advertised, the data reveals some interesting and somewhat intuitive findings on the correlation of breaches. With a quick read, you can easily arm yourself with new data and insights.
As big data captures more attention, I thought this summary was both appropriate and informative:
“... a word about correlation and causation as several variables in the analysis indicate correlation. Correlation indicates that the data in the specific groups move together in the same direction at the same time. Meaning, an action that causes an increase in one group would also show up as an increase in another group. Correlation does not indicate causation as movement in one variable does not necessarily cause movement in another—even when they move together.”
The three that stood out to me as significant for security leaders:
1 - There is no one level more likely to be breached than another
As we see more reports and evidence surface that attackers - especially those of opportunity - seek payment systems they can easily compromise, it’s not surprising that everyone is a target. This matters since now we have more evidence that the size of the organization neither makes you a target, nor reduces your risk.
Williams shared some additional insight.
“The Level 4 (small merchant) population suffered the highest count of breaches, but they were the least affected by breaches when looking at the size of the population (in the millions). Just by having a level 4 merchant population, there is a high probability that any given breach will be from that population (86.6%) with Level 3 merchants coming in second (11.8%).”
Basically, while there is no statistical significance among the groups, there is a higher probability of a Level 4 merchant getting breached.
As a leader, it’s an interesting point for discussion.
In the paper, Williams lays out some suggestions on how the industry can work to achieve better compliance. It also signals the likely benefit of companies of all sizes working together to improve how we protect our systems, detect when problems happen, and respond accordingly.
2 - Breaches and fines are relatively small and localized
Security leaders are frequently pitched solutions predicated on a huge cost of breach. While some headline breaches drew fines and penalties worthy of follow-up headlines, the evidence of this survey suggests that the breaches and associated fines are relatively small and localized.
Does that mean we’re placing focus in the wrong areas or worrying about the wrong things?
"This was perhaps one of the most counter-intuitive result of the study," said Williams. "Only two respondents reported fines."
Williams suggests this is a great way to connect with the business - perhaps like this:
"Hey guys, you were right. The sky isn't always falling. Given the data in this report, are you comfortable with our current risk profile? I've prepared a few recommendations, with full business impact analysis, to help illustrate where we can transfer or reduce the risks associated with a breach."
The payment card industry is leading the way in terms of detection and is slowly figuring out user-friendly response. However, if smaller merchants don’t experience an unnecessary burden as a result of small, localized breaches, we might continue to focus on other methods to strengthen the system and ease their experience.
3 - Post-breach transaction levels indicate that consumers do not significantly alter spending habits after breaches
This is the jewel of the report.
After large breaches, usually a handful of stories surface that “outraged” consumers intent to take their business elsewhere. It generates attention, speculation, and a fair dose of skepticism.
Williams took a different approach. Instead of asking consumers, he simply measured their behavior.
“The survey also assessed whether transaction volume changes after a breach. The majority of respondents (69%) reported unknown changes in transaction volumes, while 27% reported no change at all, and only 4% reported a decline (see Figure 4). Unknown transaction changes could be related to a lack of data or a specific desire to track it because it is assumed to remain steady. Common business sense would suggest that if breaches caused a massive decline in transaction volume, acquirers would work to quell this decline through proactive security measures.”
The evidence, for now, suggests that consumers spending habits don’t generally decline or change post-breach. Largely, this is good news for the payment card industry, merchants, and consumers alike.
Some thoughts for the discussions we need to have
The recommendation makes a lot of sense:
“Given the relatively low number of breaches and the small amount of fines assessed (as revealed in this study), acquirers and processors have little incentive to quell breaches through proactive measures. These entities can either absorb the losses or pass them along to merchants instead of proactively working to address the issue. It simply is not a big enough business problem for the majority of firms in the ecosystem.”
Here is where I see the opportunity:
"PCI DSS is complex, and many merchants do not fully understand the inner workings of the standard, how it applies to them, and how to ensure their technology partners are properly securing their data."
Williams posits, “Security vendors know that breaches mean sales. But is the reactionary open-checkbook for security actually doing anything other than cleaning up the existing mess? Does a breach actually modernize a firm's infrastructure and response capabilities past the industry average?”
Engaging in industry-wide discussions based on evidence and analysis creates the best opportunity to figure out where and how to apply our resources to affect the best outcomes.
We have much to discuss.
What do you think? Share your thoughts in the comments, or hit me on Twitter to keep the conversation going (@catalyst).