Yes, this has been a common title for articles of late. I attempted to come up with something a bit cleverer but was stumped on how to define the content of this article. Let’s get into this topic a little deeper, and see if something more enlightening presents itself.
We had a watershed year of major data breaches in 2013. The two largest were experienced by Home Depot and Target. In each case, tens of millions of records were acknowledged to have been breached, and the media and vendor communities raced to their keyboards to hammer out article after blog on the damaging nature of the breaches, and how companies needed to invest millions in new and improved defensive technology. The most common remedy proposed for the individual consumer was a year of free credit monitoring. If your family is like mine, you now have multiple credit monitoring services running on your behalf.
In addition to business media, the information security community was busy salivating about burgeoning opportunities coming our way. Every vendor and consultancy firm ensured breach detection and response services were touted at the top of their list of offerings. The entire information security industry turned on a dime from prevention and defense to digital forensics and incident response (DFIR). By Jove, if we can’t stop it, we’ll be there to perform the cleanup on Aisle 6!
Certainly, the last three years has seen a monumental increase in the demand for DFIR services and technology. The ever-unfolding reports of new data breaches have undoubtedly driven new business, especially in retail, medical insurance companies, and healthcare providers. The drumbeat of data breach news, however, has also had a predictable after-effect; namely, growing public apathy.
It should be obvious to security professionals the public at large will inevitably start to consider what detrimental effects these breaches have on their daily lives. Business leaders look to see the impact on stock prices. So far, the effect on the general public and Wall Street has been negligible. One study showed the breach of Target cost them over $170 million in one year. In the same period, just one quarter’s revenue for Target was north of $2 billion – with a B.
A key component of the Crying Wolf Brigade is writers and journalists looking for eyeballs who conflate credit card data with personal financial data. The risk of having your credit card number and CVV code used illicitly requires only the diligent review of one’s credit card activity and a call to the issuer in the case of fraudulent transactions. The issuer assumes all the risk in most cases. That’s a far cry from having someone who purloins the data needed to wipe out your bank accounts.
Many technology writers and bloggers have recently bewailed growing public indifference as filtering back to boardrooms and executive suites as decision-makers are supposedly now returning to the pre-breach mode of business. I am not sure if these extrapolations are accurate. What I have seen is certainly increased awareness for cybersecurity issues from the boardroom. What I haven’t seen are panicky, hair-on-fire, spill-open-the-coffers reactions. People are still shopping at Home Depot and Target. The mess gets mopped up, and business continues. There are far broader security and privacy issues at stake, of course, but when it comes to credit card breaches, I guess the existing title of this article will have to stand.