Online retailers struggle with data security
Online businesses face an increasing number of threats from cyber criminals. In response, many have turned to managed security services, but this strategy can create additional risk.
Given that online marketplaces are a frequent target for cybercriminals, one would naturally assume Internet retailers have data security at the front of their minds. Ecommerce is a valuable target because a single site can hold thousands of credit card numbers and other financial information. Yet despite the growing threat, online retailers aren't as scrupulous in their data security practices as they should be.
The scope of a single breach can expand well beyond what many organizations expect, making lax data security practices rather expensive, as Amy Dusto, associate editor for Internet Retailer, recently pointed out. The average cost of a breach in 2011 was $5.5 million – taking into account compliance fines, in-house investigations, lost sales due to reputational damage and other factors. In addition, hackers typically acquire between 4,500 and 98,000 sensitive records in the process.
"The difficulty in the data security world is that there's not a playbook that any regulatory agency has put out with respect to security," Lisa Sotto, a partner at law firm Hutton & Williams, told Internet Retailer. "There are many, many different standards and the question is which to follow."
Sotto also said many organizations default to following standards outlined by the International Security Organization (ISO). However, the problem with following ISO's or any other guidelines is that they are static in nature, while cybercriminals are dynamic. Just as quickly as new best practices are established, hackers develop ways of bypassing them. Therefore, it is important for organizations to be continually aware of new threats and be able to proactively respond to them. This may mean hiring a cybersecurity expert to supplement the knowledge of the existing IT department.
Are managed security services an option?
Many organizations are turning to managed security services to alleviate some of the burden of keeping up with new malware, guidelines and a constantly evolving threat landscape, as evidenced by Gartner's forecast of the worldwide security service market, released last year. Overall security spending was on pace to hit $35.1 million in 2011 and is expected to reach $49.1 billion by 2015. According to Lawrence Pingree, research director at Gartner, managed security services are a significant factor driving that growth.
Although this solution provides significant benefits in the form of consulting and extra IT management capabilities, it can also open organizations up to additional risk. As Dusto pointed out, it is especially important for retailers to be careful they are not providing too much access to sensitive information by leveraging third-party services.
"[V]endors sometimes have access to personal data and, in some cases, are the ones criminals attack," Dusto wrote. "When that happens, it is the retailer’s reputation on the line because it, not the vendor, must notify all compromised customers. And unless a retailer has a prior agreement with the vendor, it bears all the associated legal, communications, public relations and other costs."
Data Security News from SimplySecurity.com by Trend Micro