Congratulations! You passed your yearly PCI audit or had been selected for a HIPAA audit and passed with flying colors. So now, do you think you can sit back and relax until the next audit rolls around? WRONG! If that is what you are thinking, you best be getting your resume in order in case your organization is hit with a major security breach. Passing your audits means nothing if you are not being vigilant throughout the year about securing your company’s and most importantly, your customer’s credit card or personal data. Nearly all of the major security breaches that occurred during 2015 happened with organizations that were compliant with PCI and HIPAA standards. In Verizon’s 2016 Data Breach Investigations Report, it was reported that 89% of security breaches were perpetrated for financial or spying motives. The 2015 Net Diligence Cyber Claims Study, which tracks cyber liability insurance claims and the real costs from the perspective of insurers, reported these startling statistics:
Damages from hackers were responsible for 31% of claims filed
PII was exposed in 45% of claims filed, PCI in 27% and PHI in 14%
The average claim for a large company was $4.8 million and $1.3 for claims in the Healthcare sector
One of the biggest problems is that too many organizations place way too much focus on maintaining PCI compliance while ignoring potential vulnerabilities that can land on a hacker’s radar. Consider the following recent major high-profile security breaches that shook the public’s trust in recent years.
Biggest Breach in History
The security breach at JPMorgan Chase will go down as one of the biggest and costliest security breaches in history. With the company spending over $250 million on computer security a year, who would have expected that their breach was caused by such a simple vulnerability that could have been prevented by simply installing a security fix on a network server. By upgrading that server to two-factor authentication (2FA), the breach could have been avoided after an employee’s login credentials had been stolen.
The Nightmare Before Christmas
Target may have been PCI compliant, but during the 2013 during one of busiest shopping seasons of the year, Target found that they had been hacked. How did this security breach occur? From malware that entered Target’s system via the company’s point-of-sale network. More than 40 million customers who used credit or debit cards in their stores had their personal information exposed. That was a conservative estimate as within a few weeks the number rose to 70 million and a third-party investigation uncovered the seriousness of the breach with debit card PIN information being breached. It was estimated that the costs attributed to this breach cost Target $200 million. Sales dropped, layoffs ensued and the CIO and CEO were forced out.
Neglecting PII Protection
With all that we know about security breaches, it would make sense that organizations would take the extra step of encrypting Personally Identifiable Information (PII). However, in 2015, insurer Anthem, Inc. experienced a security breach that exposed the PII of 78.8 million people. While financial information and health information was not compromised because that receives extra security to comply with PCI and HIPAA, Anthem was not required by law to encrypt PII.
Don’t Slack Off on Security
The problem is that passing compliance is not going to prevent your organization from becoming the next victim of a major security breach. Hackers are getting smarter and are counting on your lack of vigilance during the rest of the year with your network security. This is where managed security services can help prevent your organization from becoming just another statistic.