$19 Million for Cybersecurity Complacency
What is the real cost of cybersecurity complacency? More than you might think. Case in point, most recently Home Depot just ponied up $19 Million to settle a case for a late 2013 credit card breach. But many companies still feel it’s “ok” to understaff their cybersecurity team (if it exists at all) and to simply push an antivirus app out to their employee’s laptops and configure a firewall. But for some of these companies they learn that a lax security presence can be very costly with the average cost of data breaches in the US at around $3.8 million according to a 2015 IBM/Ponemon Institute study.
Cybersecurity complacency is all around us. Although IT leadership is well aware of threats like malicious insiders, DDOS, Phishing and Botnets, the problem may very well lie in their ability to persuade the CEO and board to invest a little less in R&D, advertising or management bonuses and move funds where they are desperately needed for Information security. According the Stephen Pace, Managing Partner of Pace Morgan Executive Recruiters who specialize in cybersecurity placements,
One of the major frustrations we hear from accomplished IT executives is managements’ inability to properly fund appropriate and required cybersecurity programs”
The Home Depot breach was one of the largest ever and exposed the credit card information of about 56 million Home Depot customers by hackers seeking a substantial payday. It’s important to note this breach occurred at a time when it was widely publicized that business systems were being compromised. Management should have been ready – the signs were there.
The risk was known in advance; at the time when Home Depot was hacked, there were more than 1,500 data breaches worldwide in 2014, up nearly 50 percent from 2013. The attack of Home Depot data was quite similar to a security breach at retail giant Target in 2013 that exposed the credit card data of 40 million Target customers and along with it, the personal information of 70 million customers costing around $10 million in a class-action lawsuit. It didn’t end there, from Michaels Stores, to Neiman Marcus, and even P.F. Chang’s many similar breaches were (and still are) aimed at stealing customers’ credit card information.
Like so many others, the home improvement retailer will set up a multi-million dollar fund to reimburse shoppers and spend at least another $6.5 toward funding identity protection services for cardholders, according to Reuters. According to court papers lawyer fees were high as well, Home Depot spent legal fees and costs could top $8.7 million. Additionally, Home Depot agreed to improve its data security over the next two years and hire a CISO (chief information security officer) to oversee the program. And with all the bad press, the PR experts have to work overtime to create palatable public statements. In this case, just as many others, Home Depot spokesman Stephen Holmes said “We wanted to put the litigation behind us, and this was the most expeditious path,” “Customers were never responsible for any fraudulent charges.”
Could this information breach have been stopped beforehand with an active and progressive security stance? There is no way to know for sure, but most likely it could have. Forensic investigations found that the hacker/intruder used a vendor’s user name and password in order to infiltrate Home Depot’s computer network. Once in the system (much like the hack at Target before) malware was then used to access the payment information of shoppers.
Maybe in the end, IT should listen to the Boy Scouts when presenting to management for much needed cybersecurity funding. “Be Prepared!” Otherwise our PR firm will have to write some strong statements to sweep new problems under the rug and our legal fees might reach into the millions.