Your customer’s data – are your partners as careful with it as you are?
The consensus across the security industry is that C-level executives are starting to wake up to the current cybersecurity reality. Enterprise leaders are beginning to see the necessity and value of protecting their customers’ data and are prioritizing the security of customer information while – simultaneously – making larger investments in security personnel and in insurance against security incidents.
Why are executives suddenly so much more interested in securing sensitive data about their companies and their customers? The simple answer is that security breaches have become too frequent to ignore, and studies estimate the cost of a breach as too high to simply brush under the rug.
According to IBM and the Ponemon Institute’s “2015 Cost of Data Breach Study: Global Analysis,” the average total cost of a data breach is now estimated at $3.79 million. According to the study:
“The average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015. The lowest cost per lost or stolen record is in the transportation industry, at $121, and the public sector, at $68. On the other hand, the retail industry’s average cost increased dramatically, from $105 last year to $165.”
You’ll notice that the cost per stolen record for retail is particularly high. This is troublesome since retail and hospitality are among the industries most frequently targeted by data thieves. They’re also industries that have been the victims of some of the largest, most memorable data breaches – from Target to TJX Companies.
Retail companies have enough to worry about already, securing their own networks and systems from attacks by data thieves looking to steal customer payment data. Unfortunately, there’s something else that they need to worry about that may not necessarily be under their own control – the networks and systems of their key partners.
Last week, stories began surfacing about a possible data breach at a company called PNI Digital Media, which was recently acquired by Staples – a company with its own history of cybersecurity challenges. PNI Digital Media is a company that partners with major retailers to handle their online and kiosk photo printing services.
PNI Digital Media’s retail partners include some of the world’s largest retailers, among them CVS, Walmart Canada, Rite Aid and Costco. Many of the online photo printing services for those companies were taken offline in the past week due to the breach, which apparently impacted only online customers and not those who used in-store kiosk services. The breach led CVS to shut down its online photo center and release the following statement:
“We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience. Customers who provided credit card information for transactions on CVSPhoto.com are advised to check their credit card statements for any fraudulent or suspicious activity and to call their bank or financial institution to report anything of concern.”
The current threat landscape facing retailers is challenging enough. The news is filled with stories of major retailers being compromised, seemingly on a weekly or even daily basis. These attacks do more than just cost the company money in credit monitoring and class-action lawsuits; they send customer business to large competitors – ones that have been more responsible and trustworthy with customers’ personal information.
With so much riding on keeping sensitive customer information safe, it’s essential that a retailer’s networks be secure. And it’s equally essential that the networks of its trusted retail partners be secure as well. Ultimately, the additional services a retailer can offer customers, or the cost savings it generates by partnering with these companies, will be lost should a partner expose the personally identifiable information (PII) of the retailer’s customer base.
It’s for this reason that companies need to do more than strengthen their network security and implement authentication controls that ensure all customers, employees and partners who log in to any part of their network are who they say they are. They also need to ensure that their partners are doing the same.
Also, in light of the recent breach, now would be the perfect time for the companies whose customers had PII stolen through PNI to embrace multifactor authentication for their own online services. Companies like CVS, Costco and others have their own online services where customers can log in, make purchases and manage accounts. With so many customers reusing passwords, credentials stolen through PNI could lead to additional customer accounts being compromised – including their accounts with PNI partners.
Companies are waking up to the harsh reality of today’s treacherous cyber landscape. However, it’s no longer enough for them to secure only their own systems. Any system or network that customers may interact with while doing business with a company – including those of its partners – needs to be secure, so that customer PII is always guarded and no data breach that damages the brand and the bottom line can be attributed to the company.