In university social science classes around the country, students are
taught research methods, or statistics for social sciences. In most
cases, professors will teach their students how to use statistics and
field research in order to prove, or disprove, a hypothesis. Some
professors, however, might take a different approach. They will
teach their students how statistics should not be used. In these
instances, students may be fortunate enough to be assigned a text
entitled How to Lie with Statistics by Darrell Huff. Huff, whose
premise is “there is terror in numbers,” writes that many people
blindly accept the myriad of graphs and numbers that are often
presented in support of a particular statement or set of beliefs.
The text teaches readers to search out potential sources of bias or
incomplete information in order to become more discerning about which
statistics they choose to believe. This is a lesson that some in the
payment card industry can take to heart. It is easy to become
discouraged by the statistics that are often published regarding the
state of security in the industry.
According to the Privacy Rights Clearinghouse, as of April 28, 2006
there had been over 60 publicly reported data security breaches that
resulted in the exposure of millions of customer records.
ChoicePoint, arguably the poster child of data security breaches, has
compiled its own statistics regarding the types and frequencies of
data breaches. ChoicePoint tallies over 80 publicly disclosed data
breaches in the first 4 months of 2006, which affected more than 4.9
million customers. This number suggests, at first glance, a dramatic
increase over the number of breaches recorded in 2005, which topped out
at 152. If breaches occur at the same rate for the rest of 2006
as they have in the first four months, then one can expect over 240
breaches to be reported in 2006. The study further suggests that the
largest share (30%) of breaches derive from educational institutions,
while banking, credit, or financial institutions account for only 9%
of the publicly disclosed breaches. There are a number of
conclusions that can be drawn from such statistics.
The first conclusion, though perhaps erroneous, is that the rate of
breaches is growing at an unprecedented rate. The data seem to
suggest this fact. However, one must also be aware of recent
legislation that has made such disclosures a requirement. Over 20
states have passed security breach notification laws. This is not to
suggest that the rate at which breaches are occurring has remained
static over the years; rather, it is to propose that breaches are not
increasing at the rate that the statistics cited above seem to
indicate.
Additional factors that must be considered in conjunction with these
statistics are the advances in technology that allow companies to
detect with more accuracy when they are being compromised. The
statistics are simply a collection of data on breaches that have been
reported. However, the real question lies in the number of breaches
that were never detected in previous years because the technology was
not adequate to indicate that a compromise was occurring. As the
technology advances, the number of reported breaches will increase
accordingly. This does not suggest that more breaches are occurring
this year than in previous years, but simply that more breaches are
being detected than have been in previous years.
Another conclusion that can be drawn is that, while educational
institutions continue to suffer the highest rate of breaches, their
share of the total number of breaches appears to be on the decline.
As of May 1, 2006, estimates of educational breaches place the
percentage at about 30% of the total number of breaches. In 2005,
breaches at educational institutions comprised more than 46% of
reported breaches. About 16% of 2005 breaches were in the financial
or banking industries. The first four months of this year seem to
indicate that breaches in this sector are also on the decline.
Yet another conclusion that may erroneously be drawn from the data
compromise statistics is that the millions of exposed accounts result
in millions of identity theft victims. The identity risk management
company ID Analytics recently completed a comprehensive study of
data breaches to determine the percentage of stolen accounts that
actually result in identity theft. In this study, ID Analytics
considered the most serious type of data theft, in which names and
social security numbers were stolen. Even with this information, the
company’s research found that only 0.098% of accounts were actually
misused. This is less than 1% of the accounts stolen.
This again illustrates the pitfalls of presenting only partial
statistical pictures. In this case, only presenting the statistics on
the numbers of compromises leads one to assume that each compromise
leads directly to identity theft. The addition of the research by ID
Analytics provides a more complete picture that demonstrates that
while compromise does lead to identity theft, those cases are not as
common as some would portray.
Those in the security industry are just as culpable when it comes to
fostering the notion that no progress has been made with regard to
the security posture in the industry as a whole. As an example, in
what other industry would the CEO of a company stand next to a hacker
at a major information security convention to indict the industry for
not adequately protecting data? Such tactics serve only to project
fear into the industry, as opposed to educating the industry and
enabling greater security. But a shift is under way here as well. There
is a growing trend among the security firms associated with the industry
to educate their customers, rather than simply “checking the boxes”
for a compliance assessment. In speaking with a number of assessors
in the industry, it becomes obvious that their customers are no
longer looking for someone to simply come in and solve their security
issues. Rather, more and more companies expect to be educated
about security issues so that they can take a more proactive approach
to the protection of their sensitive data.
The evolution of security in the payment card industry was in
evidence at the recent Electronic Transaction Association Annual
Event & Expo in Las Vegas. The focus on security at the event was
laudable, and one can see the trend of increased focus on security
over the past several years. The pre-event seminar, Compliance Day,
in which representatives of the card brands discussed issues
surrounding PCI compliance, was sold out, demonstrating again the
growing awareness of security and compliance in the industry. Many
of the break-out sessions also included discussions, directly and
indirectly, on security issues facing the industry.
Three years ago, it was not uncommon to hear of retailers and even
processors that didn’t have firewalls, considered among the most
basic of security controls. The card associations stepped into the
breach (no pun intended) to address this lack of awareness and it
appears to have had a dramatic impact on the way in which business is
conceived and conducted. At the recent ETA event, there were a
number of quite lengthy conversations regarding the use of
compensating controls, or methods through which service providers
could help merchants minimize the amount of card data stored and
thereby decrease their overall risk of compromise. These
conversations are extremely telling, as they demonstrate that
compliance and security are no longer the domain of the IT group or
the compliance officer. Security is, in many cases, a company-wide
initiative or even a competitive differentiator.
The industry has begun to evolve beyond the “security for the sake of
compliance” mentality. While this approach was useful three years
ago, it leaves much to be desired in today’s environment. With the
attention of federal and state regulators, as well as the public at
large, concentrated on the security of consumer data, companies must
prove not just that they are meeting the minimum standards, but that
they are going above and beyond in the protection of data. While
meeting minimum standards may be enough to satisfy regulators, a
company that loses data will still face the censure of a jaded public.
The purpose of this article is not to suggest that the industry rest
on its laurels. A great deal of progress has been made, but there is
still quite some distance to travel. The majority of companies are
still using compensating controls rather than encrypting data. There
is still much confusion surrounding compliance with the PCI standards
and many companies are still trying to minimize the effort and
resources required to secure their infrastructures. The intent of
this article is twofold. First, it is important to retain a healthy
skepticism with regard to statistics that are offered to the industry
relative to data security. Second, the article is intended to
commend those that have become proactive in their security missions
and to encourage companies to continue on their path towards greater
security.