As I’ve followed the news of the Home Depot hack this last week, I keep asking myself whether this is the new normal. Home Depot today, JP Morgan Chase before that, Target, PF Chang: where does it all end? It is now September, and it appears that Home Depot was actually breached back in April. This is a repeating pattern; we saw the same delay with the Target breach. Organizations fail to detect breaches in a timely manner, which delays the response that might have mitigated or limited the harm. The obvious pattern evolving here is a detection gap.
The triad of securing any asset is: (1) protect, (2) detect, and (3) respond. Protection, and its close cousin prevention, can only carry us so far, as there is no guarantee that an organization will not be hacked. Rather, it is essentially guaranteed that any organization will be hacked, and the only remaining question is “when?” Response, on the other hand, cannot commence until the organization first recognizes the breach. The detection gap is far too long.
While organizations such as Home Depot and Target appear to have responded appropriately once the breach was known, their delayed detection and discovery still reveal serious shortcomings. Consumers are generally protected from fraudulent charges and liability, although the inconvenience can be huge.
We often see the financial impact to the breached firm in the news, but what about the collective impact to consumers? Most consumers have endured this drill at least once, if not many times: the card issuer simply sends a fraud alert and advises that a new card is on its way. This actually happened to me this last week while traveling internationally, and fortunately my existing card was still honored for a few weeks, allowing me to arrive home without inconvenience to receive and activate the new card. For most consumers, the real aggravation begins after the replacement card arrives.
Many of us, and this is particularly true for small business owners, have set up recurring charges on our credit cards. While it is a relief not to be held liable for fraudulent charges when our card information is stolen, there is a real cost in time and inconvenience: we must contact each merchant where we have set up recurring charges, or where our account information is on file for future purchases, to change the account information to the newly issued card. Worse, should we forget one, we may face a nasty late payment penalty or a disruption of service when the next monthly payment is rejected through no fault of our own. Yet the hidden costs borne by consumers and small businesses go essentially unreported.
Home Depot has not yet released the number of cardholders affected. However, the Target breach last December is estimated to have impacted 40 million accounts. Even assuming a modest $100 per consumer in lost time and fees, the aggravation would amount to a $4 billion impact on consumers and the economy. The financial impact to Target was estimated at $3.6 billion, and the breach is estimated to have cost banks and card issuers another $200 million. It becomes crystal clear that a significant share, over 50%, of the cost of ineffective security is borne by consumers and small businesses.
Organizations need to do some serious soul searching and determine if they are investing in the right information security solutions. Particular attention needs to be paid to shrinking the detection gap between breach and response. In the meantime, what can consumers and small businesses do to facilitate their own responses when these breaches occur?
- Use separate cards for recurring charges and daily expenditures.
- When traveling, carry a backup card for emergencies.
- Keep a list of all merchants where recurring charges are set up. This way, in the event of a breach, all of the contact data is readily available, minimizing the cost and frustration of responding.
- Inquire at every place where you do business about what protection and processes are in place to quickly detect and respond to potential breaches. You may not get a straight answer, or perhaps only a canned one, but if enough customers raise the issue, companies may start to listen and take action to close the detection gap.