Tag Archives: risk

Do Consumers Really Bail On Breached Merchants


There was a recent blog post on the PCI Guru blog, but it was a bit off the beaten path since it had seemingly nothing to do with PCI compliance; at least not directly. Dr. Brandon Williams decided to investigate if customers leave after a retailer suffers a breach. Did you stop shopping at Winners after their breach? For how long?

There are a number of interesting tidbits in the final report. But in general most customers come back after about six months. Breaches do not seem to create an incentive to leave a retailer permanently. This research may give some merchants the idea that breaches don’t matter as much as they think. And I agree with them, but only in this one aspect of their risk profile. There are other aspects to consider.

Our favoured risk analysis approach here at NCI is the OpenFAIR method. It categorizes losses into primary and secondary. Primary losses are the costs the company bears directly: i) response, ii) productivity, and iii) replacement. This is not what we are talking about when we consider loss of customers.

To have that discussion we need to talk about secondary losses. Secondary losses are the result of a second party acting on the outcome of a breach. The three types of secondary loss are:

  • Fines & Judgements – e.g. fines from banks for violating your PCI agreement
  • Competitive Advantage – e.g. a competitor stole your product designs and gets to market before you
  • Reputation – e.g. a breach leading to customers leaving

What this paper talks about is the impact on reputation. Based on this research it would appear that the cost of reputational damage is not as great as many in the executive suite fear. (Incidentally, I have seen research indicating that reputational damage is one of the top three things executives fear.) You’ll take a hit, but as long as you can weather the storm of a couple of bad quarters you’ll be OK in the medium term.

It would appear, at first glance, that we can’t rely on reputation damage to move the needle on improving cyber security, at least if you view cyber security as a cost centre with no possibility of generating competitive advantage on its own (but that’s another blog post). So if we do want to move the needle, how do we go about it? Market forces alone aren’t sufficient; perhaps regulation and compliance are going to be needed after all.

But what should your response be? Should you implement the risk mitigation that your security team is saying you should? As with everything in business it depends.

  • If you can weather the storm and absorb the hit to your bottom line, then you may choose to do nothing.
  • But you really should investigate just what the possible impacts of that six-month decline would be (part of a quantitative risk analysis). Then weigh that against the cost of implementing the tools to reduce the chance of the breach in the first place. A $10k investment might reduce the chance of a $100k loss of revenue. 10% return is a pretty good deal.
  • If you’re a small firm, the loss of that much revenue might mean you are out of business, or have to go to the bank for a short-term loan. In that case you should seriously consider implementing some kind of security control(s) to reduce the impacts of a breach.

Notice the common theme here? You’d be forgiven for missing it; I deliberately didn’t hit you over the head with it. You should do a quantitative risk assessment in order to make an informed decision. If you aren’t, you’re doing your business a disservice.
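As an added illustration (not code from the original post or from NCI), here is a small Open FAIR-style calculation that splits loss magnitude into the primary and secondary forms listed above, models the reputation loss as a six-month revenue decline that recovers over time, and compares the annualized loss with and without a control. All dollar figures, the breach frequency, the recovery curve and the control's effect are constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class LossMagnitude:
    # Primary losses: costs the company bears directly
    response: float
    productivity: float
    replacement: float
    # Secondary losses: caused by a second party reacting to the breach
    fines: float        # fines & judgements
    competitive: float  # competitive advantage lost
    reputation: float   # revenue lost while customers stay away

    def primary(self) -> float:
        return self.response + self.productivity + self.replacement

    def secondary(self) -> float:
        return self.fines + self.competitive + self.reputation

    def total(self) -> float:
        return self.primary() + self.secondary()

def reputation_loss(monthly_revenue: float, initial_drop: float, months: int = 6) -> float:
    """Revenue lost while customers drift back, assuming the drop (a fraction of
    revenue) shrinks linearly from `initial_drop` to zero over `months`."""
    return sum(monthly_revenue * initial_drop * (months - m) / months for m in range(months))

def annualized_loss(lef: float, magnitude: LossMagnitude) -> float:
    """Loss Event Frequency (breaches per year) times loss magnitude per breach."""
    return lef * magnitude.total()

def control_decision(lef: float, magnitude: LossMagnitude, control_cost: float,
                     lef_reduction: float, cash_reserve: float) -> dict:
    """Compare annualized loss with and without a control that cuts LEF by
    `lef_reduction`, and flag whether a single breach exceeds cash reserves."""
    before = annualized_loss(lef, magnitude)
    after = annualized_loss(lef * (1 - lef_reduction), magnitude)
    return {"ale_before": before, "ale_after": after, "annual_benefit": before - after,
            "worth_it": before - after > control_cost,        # control pays for itself
            "survivable": magnitude.total() <= cash_reserve}  # can one breach sink the firm?

def example() -> dict:
    # All figures are constructed for illustration, not taken from the post.
    magnitude = LossMagnitude(response=15_000, productivity=5_000, replacement=5_000,
                              fines=20_000, competitive=0,
                              reputation=reputation_loss(50_000, 0.2))
    # One breach every two years; a $10k control halves that; $60k cash on hand.
    return control_decision(lef=0.5, magnitude=magnitude, control_cost=10_000,
                            lef_reduction=0.5, cash_reserve=60_000)
```

With these figures the control's annual benefit ($20k) exceeds its cost, but a single breach ($80k) still exceeds the reserve, which is the small-firm case where the decision is about survival rather than return.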

Written By: Jason Murray, Manager of Professional Services, NCI

Follow Jason on twitter @andrecrabtree

Our true value as security professionals

Whether we are talking about financial security, territorial security, or even personal security, the concept of security is constantly evolving as it pertains to the business world and in the overall, global sense. Having recently joined the world of corporate IT security, I was immediately struck by the similarities between the evolution of corporate data, network, site and communications protection and the overall global evolution of security of state and citizen.

In many ways, the focus on IT security in a corporate environment mirrors and evolves along with the idea of security in general. The role of security professionals, whether that is in the IT world or physical world has changed with the evolution of the threat itself.

Forty years ago a country could secure its borders, build a strong military, and be relatively safe and isolated from outside threats. Vigilance was reactive and often restricted to military, government, and police agencies within the country. The security of a corporate environment and communications was also a much simpler and more preventative effort. A locked briefcase, locked doors, and secure passwords on rudimentary communication systems were generally enough to thwart attacks which were often limited to one-off rewards.

The landscape has changed and as security professionals providing security services in today’s market, our roles have evolved to include those of educators, innovators, as well as defenders. We have been shown, quite regrettably and dramatically, that in the modern world, a strong military, a great border defence program, and advanced counter espionage programs are not enough to guarantee indemnity from threats. Dedicated and organised attackers will find ways around those defences and will strike at the hearts of our most vulnerable systems and sites.

This also holds true for the modern corporation. Firewalls, authentication systems, communications monitoring, UTM appliances and software controls are all good and necessary preventative measures, but it is the ongoing vigilance, proactive posture, and prepared response plans that will ultimately provide the best security for our clients.

What does this mean for us in the security provider world?

It means a heightened responsibility and a mandated goal to stay ahead of the curve in combating threats. The challenge for us is understanding our clients and their tendencies. 

It also means we have a great opportunity. We have the opportunity to be critically integrated into the organisms which are our clients’ corporate environments. Having a defensive responsibility that stretches from the server, to the endpoints, and to the cloud, means there is an abundance of opportunities for us to be creative, inventive, vigilant and consistent in our approach to protecting our clients from the threats that exist and evolve daily.

The concept of security in 2011 is constantly changing and is just as dynamic as the world around us. The notion of “not if – but when” offers us a unique chance to truly act as trusted advisors and as mission critical resources to our clients. Despite all of our efforts, the adversary is organized, relentless, and in many cases unpredictable because their attacks are not aimed at any one target in particular. Hackers will often repeatedly attack multiple targets looking for weaknesses that may or may not exist until, at some point, they eventually find a way past the defences.

The key to our value is not how we stop all breaches of security; we cannot do that. The key is how we help our clients minimize that risk through deployment of best-of-breed preparations and a strong response plan that spells out how we will react organizationally, from CEO to end-user, when the risk confronts us as a reality. A corporation that accepts responsibility for ‘response’ along with the obligatory risk management tasks will improve overall security and reduce losses and damages in the long run.

Our role and enduring professional mission is to help our clients and our industry evolve our collective thinking in line with these goals. This presents both a great challenge and a fantastic opportunity, which makes the security industry an exciting place to work and live.

Paul Robbins


The Human Element of Information Security

With all of these security breaches making the news headlines on a weekly (sometimes daily) basis, one can imagine that there is (or should be) a renewed focus on how organizations secure their information assets.

There are many products available on the market which can assist with this task – newer application-based firewalls, Intrusion Detection and Prevention devices, Internet access gateways, Security Information and Event Management (SIEM) and the list goes on. However, these products will not adequately protect the environment unless an information security professional is paying attention to them.

In the absence of human attention the symptoms become apparent: unpatched systems, security breaches going unnoticed, misconfigured access control lists and a lack of documentation are just a few of the issues resulting from the lack of human oversight. When a breach occurs, its cause is often revealed to be simple enough that even a novice security person could have identified it as a potential issue. It becomes obvious that sufficient resources were not available to properly review these systems or pay attention to the overall security posture of the environment.

It’s hard to believe this bit of common sense is so often overlooked; however, I firmly believe the biggest threats to security today are not deficiencies in electronic security countermeasures but shrinking IT budgets, which leave the hiring of the additional security personnel needed to secure the organization’s assets falling by the wayside.

In the public sector, a perception exists that investing in information security offers no value to the business.  However, this mindset has been rigorously tested over the last year with company reputations being (perhaps irreparably) damaged when a security breach occurs, a cost which far exceeds the amount that could have been spent on properly securing their environment.