In early June, an Australian teenager named Joshua Rogers found a serious flaw in PayPal’s two-step authentication process, according to Ars Technica. If malicious hackers could get their hands on eBay and PayPal login credentials, it was possible to create a cookie that made PayPal believe a user had already logged in, voiding the need for two-factor authentication. The flaw drew public ire — especially given the two months it took PayPal to address the issue — but it also raises a question: Are digital security costs now too high for even massive retailers to afford? Is praying rather than paying the new standard?
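The flaw described above boils down to a server trusting a client-supplied cookie as proof that login and the second factor had completed. The sketch below is an added illustration, not PayPal's or eBay's code and not a description of how their systems actually worked: it places a naive "trust the cookie flags" check next to the common remedy, where the cookie carries only an opaque random session identifier and the authentication state (including whether the second step was completed) lives in a store the client cannot write to. All names, the in-memory store and the idle timeout are assumptions made for the example.

```python
import secrets
import time
from typing import Dict, Optional

# --- Vulnerable pattern (for contrast only) ---------------------------------
# The server reads authentication state straight out of cookies the client
# controls. Nothing here is verified, so any client can set these values.
def vulnerable_is_authenticated(cookies: Dict[str, str]) -> bool:
    return cookies.get("logged_in") == "1" and cookies.get("2fa_done") == "1"


# --- Hardened pattern -------------------------------------------------------
# The cookie holds only a random, unguessable session id. Everything that
# matters (who the user is, whether the second factor was completed, when the
# session was last used) is kept server-side and changed only by the server.
class SessionStore:
    def __init__(self, idle_timeout_seconds: int = 900):
        # Hypothetical in-memory store; a real deployment would use a shared
        # backend, but the trust boundary is the same.
        self._sessions: Dict[str, dict] = {}
        self._idle_timeout = idle_timeout_seconds

    def create(self, user: str, now: Optional[float] = None) -> str:
        # 256 bits of randomness: the id cannot be fabricated or guessed.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "mfa_done": False,          # password accepted, second step pending
            "last_seen": now if now is not None else time.time(),
        }
        return sid

    def mark_mfa_done(self, sid: str) -> bool:
        # Only the server flips this flag, and only for a session it issued.
        session = self._sessions.get(sid)
        if session is None:
            return False
        session["mfa_done"] = True
        return True

    def is_authenticated(self, cookies: Dict[str, str],
                         now: Optional[float] = None) -> bool:
        # A client that invents a "2fa_done" cookie gains nothing: the decision
        # is based purely on server-side state looked up by session id.
        sid = cookies.get("session")
        session = self._sessions.get(sid) if sid else None
        if session is None or not session["mfa_done"]:
            return False
        current = now if now is not None else time.time()
        if current - session["last_seen"] > self._idle_timeout:
            self._sessions.pop(sid, None)  # expired: force a fresh login
            return False
        session["last_seen"] = current
        return True

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def demo() -> dict:
    """Run both checks against a forged cookie and a genuine session."""
    forged = {"logged_in": "1", "2fa_done": "1"}   # constructed attacker input
    store = SessionStore(idle_timeout_seconds=900)
    sid = store.create("alice", now=1000.0)
    before_mfa = store.is_authenticated({"session": sid}, now=1001.0)
    store.mark_mfa_done(sid)
    after_mfa = store.is_authenticated({"session": sid}, now=1002.0)
    expired = store.is_authenticated({"session": sid}, now=1002.0 + 901)
    return {
        "vulnerable_accepts_forged": vulnerable_is_authenticated(forged),
        "hardened_accepts_forged": store.is_authenticated(forged, now=1003.0),
        "genuine_before_mfa": before_mfa,
        "genuine_after_mfa": after_mfa,
        "genuine_after_idle_timeout": expired,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is that the cost of the remedy is architectural, not financial: opaque session ids and server-held state are standard library material, and the check the server performs is cheaper than parsing cookie flags. Also note that `is_authenticated` returns false until `mark_mfa_done` runs, so a password-only session cannot be promoted by anything the client sends.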
The Price of Lost Data
PayPal’s two-factor authentication system isn’t mandatory; only users who opted in and used a mobile phone code to access their account were affected. What’s more, the company says no actual breach has taken place and all accounts remain secure. However, not every company is so lucky.
A recent report from Ponemon Institute found that the average cost of a data breach in the United States is $3.5 million, up 15 percent from last year. Survey respondents indicated that they’d like to see average security budgets doubled from an estimated $7 million per year up to $14 million, but for chief executive officers (CEOs) and chief information officers, this is a tough pill to swallow.
Think of it like this: Spend the average amount ($7 million), deal with two breaches per year, and a company breaks even. Shelling out $14 million with no guarantee of complete protection often has C-suite executives hiding their checkbooks and hoping information technology (IT) can find a more cost-effective way. But is there one?
Low-Cost Options
As it turns out, there are several lower-cost options companies can use to deal with retail cybersecurity challenges. The first is security awareness. It’s easy to dismiss the idea of employee education since employees aren’t machines and will periodically make mistakes. Given that even sophisticated and costly security programs still get tripped up by zero-day exploits, however, personnel training is probably worth a look.
In a CSO Online piece, author Ira Winkler recounts several “success stories” in which well-trained employees prevented costly security breaches. In one example, the employee uncovered an international spy. In another, employees prevented an attack that coincided with a legitimate penetration test: The hackers were attempting to use the test as cover, but well-trained staff saved the day. As a result, awareness should always be a retailer’s first stop on the road to better security. And the best part? It’s far less expensive than any other method.
Entrepreneur points out another area for improvement: communication. According to a survey of IT professionals asked about digital security, upper management just doesn’t “get it.” For their part, C-suite executives argue that IT administrators aren’t good at describing security concerns, effectively making small problems seem massive and big breaches seem like no big deal. The result? It’s possible to improve retail security with a redesign of the security conversation. IT professionals need to know that their concerns are being heard and understood, while CEOs and other board members need a clear understanding of potential threats. Again, this is minimal investment for significant return.
What a Feeling
Of course, this is just the tip of the iceberg when it comes to digital security costs. Eventually, companies need to commit to a solution and spend enough money to keep their assets secure. But how much is too much, and how can organizations be sure they’re getting the best deal?
According to a Dark Reading article, increasing value starts by lowering emotion. Security professionals are well aware of how much a breach could cost the company and individuals who are affected if data is made public. As a result, they tend to advocate for “whatever it takes” when it comes to keeping their organization secure. They make this claim at conferences, repeat it to employees and bring it into the boardroom. The problem? CEOs don’t want to spend that much on security — and even if they did, it wouldn’t solve the problem. Therefore, digital security needs to follow the same cost-benefit analysis model as any other IT purchase: Is the technology necessary, what does it cost and how much will it potentially save in the long term?
Digital Security Costs: What to Look For
However, agreeing on a budget doesn’t guarantee the ideal purchase since it’s possible to eat up an entire year’s worth of IT dollars and still have gaping security holes.
As an Aug. 15 article from ZDNet points out, one key factor in digital security effectiveness is usability. While it’s true that too much usability makes IT functions vulnerable — Heartbleed made that perfectly clear — too little usability means, no surprise, that employees won’t use the system. Instead, they’ll look for ways to bypass existing controls and get their jobs done, unwittingly exposing the company to risk. Hand in hand with usability is specificity. Cloud-based security measures have made the concept of “one size fits all” obsolete and are also helping to reduce the up-front cost of many security measures. Retail companies deal with a host of potential threat vectors, from POS machines to e-commerce networks and secure mobile apps. A generic security solution may come with lower costs, but there is a much higher price for failure.
Digital security costs are increasing. Even cutting-edge organizations like PayPal struggle to respond in a timely fashion when breaches are reported, leaving many IT admins wondering whether it’s better to pray that existing systems will hold fast rather than paying to upgrade. Ultimately, however, effective digital security requires at least some IT spend, and awareness, communication and analysis can help keep this number reasonable.