Can good come from bad news?
Despite the bullishness around information security planning we're still seeing big breaches.
As the bad news keeps coming for Target after its breach, industry research suggests that overall support for information security programs among companies in the U.S. and Europe is booming. But is this support for IT security rightly placed, sustainable and providing the best results?
In our annual “Guarding Against a Data Breach” survey, which is covered by Associate Editor Teri Robinson in this edition, almost 90 percent of the 916 respondents from our readers in the U.S. and U.K. say that their companies are taking steps to prevent critical data from being stolen, exposed or lost.
A key driver, according to our survey, which is in its seventh year, is compliance. Some 69 percent of respondents say regulatory mandates push initiatives at their companies to better safeguard data from being stolen, exposed or lost. Executive board demand, possible profit loss and still other factors also spur on information security investments.
But, possible negative impact to the corporate brand/reputation is still tops with SC Magazine readers responding to the survey. Almost three quarters, in fact, say that negative impact to their brand keeps information security needs a priority at their organizations.
Meanwhile, the latest Information Security Study from TheInfoPro, a service of 451 Research, showed that security budgets for medium to large organizations in North America and Europe are seeing increases. According to Dan Kennedy, TheInfoPro's research director for information security and networking, 38 percent of the 207 pros queried for its survey are seeing increases in their budgets “specifically to deal with compliance projects.” Indeed, this same number stated that compliance was the most common way for IT security-related projects to get started in the first place.
Despite the bullishness around information security planning and budgeting seen in the results of our survey or other industry research, however, we're still seeing breaches like those experienced by Target – one of the largest retailers out there with the money and means to invest in robust security planning, knowledgeable pros and supportive technologies and processes.
Even with PCI standards in place, Target seemed far from compliant: reports indicate that three-digit CVV security codes were compromised and, so, were apparently being stored – a longtime no-no according to card brands and PCI. So, while compliance remains a driver behind security spend, it seems pretty ineffectual in helping organizations actually secure the sensitive data they strive to protect.
The same could be said of those fears about negative impacts, though. After all, most companies that have seen crucial data breached have seen no real ill effect on their brands or bottom lines… until now, that is. Target's recent fourth-quarter earnings report showed the stores' sales suffered in the weeks following its disclosure of the breach, with its net income falling from $961 million to $520 million. And, only just this month did we learn that Target's customer traffic both online and in stores during January hit its dreariest in some three years, dropping to 33 percent of U.S. households shopping at the store compared to 43 percent during the same month last year.
So, while compliance can continue to be a motivating factor for organizations attempting to get serious about security, it seems that it's only in the customer reactions and subsequent monetary impacts to profits because of a breach that real action might be taken. Maybe a positive result from Target's endless heartaches, then, will be real change in how diligently organizations of all stripes pursue their information security initiatives.