Data Security Part 1

Data Security Should Be in Everyone’s Job Description

Protecting valuable customer information should begin in the contact center and end in the executive suite

By Leonard Klie

Editor’s Note: Part 2 of this series, which will look at multifactor authentication as a way to protect consumer information, will appear in the June issue of CRM.

For hackers, large-scale data breaches such as the ones that befell The Home Depot, Neiman Marcus, and Staples in 2014 are gold mines. On the dark Web, where hackers trade the fruits of their labor, credit card numbers can sell for $10 to $25 each. Social Security numbers, especially when paired with other personal information, such as names, addresses, email addresses, employment records, and birth dates, can fetch between $250 and $400 each.

For businesses, keeping that kind of valuable customer data out of the hands of cyber-thieves is a constant battle. Companies need to be right 100 percent of the time, safeguarding against every possible vulnerability across their entire infrastructure. Hackers only have to be right once to get in and do some serious damage.

If those odds don’t sound very promising, it’s because they’re not. The deck is definitely stacked in the hacker’s favor. Unfortunately, this is the world in which we live. 

In 2014, the total number of reported data breaches in the United States hit a record high of 783, averaging about 15 per week, based on information compiled by the Identity Theft Resource Center (ITRC).

The 2014 total, which potentially left hundreds of millions of customer records exposed to hackers, represents a 27.5 percent increase over the number of reported breaches in 2013 and an increase of 18.3 percent over the previous high of 662 breaches in 2010, according to ITRC data.  

“There’s a lot more breach activity going on than companies are aware of,” says Eva Velasquez, president and CEO of the ITRC. “There has been significant growth in the number of breaches. Businesses are constantly being assaulted by hackers.”

Companies, on average, can expect to encounter 17 malicious codes, 12 sustained probes, and 10 unauthorized access incidents each month, according to research from the Ponemon Institute, a provider of independent research on privacy, data protection, and information security policy.

Despite the growing number of attacks, many companies are still not doing nearly enough to secure their customers’ personal and financial information, experts contend. 

“There are tremendous resources that companies could use to protect customer data, but they don’t,” says Thomas Loesser, a former federal cyber-crime prosecutor who is now a partner at Seattle law firm Hagens Berman. “Some companies are making hundreds of millions, if not billions, of dollars, and they spend a paltry amount on data security. There’s no question that there’s much more they could be doing.”

For many companies, the wake-up call only comes after they’ve fallen victim to a large-scale, high-profile breach. “A lot of companies tend to downgrade the risk until it’s too late,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “The general view is that there is a risk, but [business leaders] are not assigning it the appropriate level of importance.”

To make matters worse, a report released by the Ponemon Institute in February uncovered “a lack of resources and a critical disconnect” between chief information security officers (CISOs) and senior leadership that Ponemon’s chairman says is preventing companies from adequately addressing growing cyber-security threats.

In the research, 68 percent of CISOs and IT leaders said their senior corporate executives did not perceive cyber-security as a priority. Fewer than half (47 percent) believe their organizations have sufficient resources to meet their cyber-security requirements.

“The most surprising finding was the slow progress companies are making, even now,” Ponemon says. “A lot of companies are slow-moving on cyber-security and ensuring that their data is handled properly.”

In a similar report released in the fall, Forrester Research noted that outside of banking and national defense, many industries are “woefully immature” when it comes to making the necessary investments in data breach protection, detection, and response.

This prompted Forrester to conclude that most enterprises will not be able to respond to a data breach without undermining their customers’ trust or dragging their own corporate reputations through the mud. 

And once they’re in that kind of mud, it’s very hard for companies to dig themselves out. “The biggest commodity a business loses in a breach is the trust of its customers, and that is very hard for them to win back,” Velasquez says. “If you can’t be trusted to be a good steward of my information, I’m simply going to stop spending money with you.”

A recent Deloitte survey backs this up. According to the research, 59 percent of consumers said that a single data breach would negatively impact their likelihood of buying products from a company. Conversely, eight in 10 said they would be more likely to buy from companies that they believe are taking adequate steps to protect their personal information.

Tied into the issue of trust, Velasquez suggests that companies should be forthcoming with customers as quickly as possible after potential data breaches. It’s far better, from an image standpoint, for customers to hear the bad news directly from the company than for the breach to be exposed by third-party watchdogs or government regulators, she says.

Then companies need to have an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breaches significantly and goes a long way toward reassuring customers who might have been thrown into a panic. 

Better still, companies need to prevent data breaches from ever happening in the first place. That is the clear mandate from customers, privacy advocates, and industry experts.

“Protecting customer information is the most important thing for companies today,” says Bob Siegel, founder and CEO of Privacy Ref, a Boynton Beach, FL–based provider of privacy consulting services.

The first step toward that goal is having a high-level company executive who is responsible for data security. Ideally, this should be someone with a CISO title.

Also key to addressing information security is first understanding what customer information is stored in company databases. “Do a data inventory and determine what data is sensitive,” Ponemon says. “Then segment out the sensitive and nonsensitive data.”

“Systematically purge the data that you no longer need,” Loesser adds. “Hackers can’t steal data that you don’t have.”

But even after doing that, companies will still have a lot of data about their customers, and that is not likely to change. All that data has to be protected, which isn’t easy, given all of the vulnerabilities. 

Data security can be complicated, but it’s not impossible, and there are even a number of low-cost measures that companies can take to reasonably protect their customer data.


A Push for PCI Compliance

“PCI compliance is a good starting point,” Ponemon advises.

The Payment Card Industry Data Security Standards (PCI-DSS) are a multifaceted set of security protocols that include guidelines for building and maintaining secure data networks, protecting cardholder data, controlling access to the data, monitoring and testing networks, and ensuring that information security policies are maintained and enforced.

Among the standards, PCI recommends that companies first take an inventory of all of their IT assets and business processes and analyze them for vulnerabilities that could expose cardholder data. The next step, of course, would be to fix those vulnerabilities. 

“There are dozens of companies that you can hire to find those vulnerabilities,” Loesser says.

In fact, a whole industry has cropped up around just that need. The term “white hat” refers to an ethical computer hacker or computer security expert who specializes in data systems penetration testing and exposing weaknesses in organizations’ information systems.  

Some companies might try to do these assessments on their own, but Siegel and other experts advise against this. “It’s best to have an outside, third party come in and do [the security assessment],” Siegel says, “because he’s not looking at anything with rose-colored glasses.”

This assessment, Siegel suggests, should be performed at least once a year.

“And it should look at how the company’s [data security] program is meeting industry best practices, government regulations, and the company’s business objectives,” he adds.

Additionally, the PCI standards require that companies encrypt cardholder data being transmitted across open, public networks, and never send payment card information over an unencrypted medium, such as chat, text messaging, or email. Encryption, though not foolproof, can be very effective. Loesser calls it “the touchstone of any reasonable approach to protecting personal information.” Encryption, he adds, “creates a substantial roadblock, especially for the low-level hacker.” 

And while it might slow down the availability of the data by a few seconds, that’s a small price to pay for the added level of protection, according to Loesser.

The PCI standards also mandate that companies only store payment card data when absolutely necessary for legal, regulatory, and business purposes, and then have a disposal procedure in place. Once cardholder data is no longer required, it must be securely deleted, the standards dictate.

Beyond that, it’s also crucial for companies to segment data so that a breach in one file does not open other data streams, Loesser says. “You don’t want one small breach resulting in a larger breach,” with thieves taking information gained from one system to go elsewhere in the company records.

Experts also suggest that companies use Internet firewalls at all times, keep their operating systems and other business software up to date, and install and maintain antivirus and anti-spyware programs. Because many companies allow employees to use their own mobile devices, including smartphones, tablets, and laptops, for business, these devices should be protected in the same way.

“Many people are not securing their phones, not treating them like the powerful computers that they are,” Velasquez says.

And like computers, mobile devices are continually at risk. In fact, Alcatel-Lucent’s Motive Security Labs in February released figures showing that security threats to mobile devices rose 25 percent in 2014, following a 20 percent increase in 2013. It estimates that 16 million mobile devices worldwide were infected by malware that could be used by cyber-criminals for corporate espionage, information theft, denial of service attacks, and fraud.

“As a business, you want to limit some [company] apps and data so that employees can’t access them from unsecured mobile devices,” Ponemon says.

It’s also crucial that companies limit data access to those employees who need it. “If you have sensitive customer information in your CRM system, you need to limit who it’s available to,” Siegel says. “The shipping department does not need access to credit card data.”

“Make sure you have significant data logging in place, with alarms for when something happens out of the ordinary,” Loesser adds, “so you can know when someone is doing something [with the data] that does not coincide with his job description.”

This also addresses a major vulnerability that many companies today face—their contact center agents.
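The kind of logging and alarming Loesser and Siegel describe (flagging access that does not match an employee's role, and unusual volumes) can be checked mechanically. The following is an added example, not code from the article or from any vendor named in it; the log format, the role-to-field policy and the bulk threshold are constructed assumptions.

```python
"""Role-based audit-log review: flag CRM field reads that do not match the
employee's job description, plus bulk reads of many customer records.
Added example; log format, roles and thresholds are constructed."""

# Constructed access policy: which sensitive CRM fields each role may read.
# Per the article, the shipping department has no need for card data.
ROLE_PERMITTED_FIELDS = {
    "shipping": {"name", "address"},
    "billing": {"name", "address", "card_last4"},
    "fraud_analyst": {"name", "address", "card_last4", "ssn"},
}
# More than this many distinct customer records read by one user in the
# reviewed window is treated as bulk access worth an alarm (constructed).
BULK_THRESHOLD = 50


def parse_line(line):
    """Parse 'ts|user|role|field|customer_id' into a dict; None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, user, role, field, cust = parts
    return {"ts": ts, "user": user, "role": role, "field": field, "cust": cust}


def review_log(lines):
    """Return a list of (user, reason) alerts for the given audit-log lines."""
    alerts = []
    per_user_customers = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not silently trusted
        allowed = ROLE_PERMITTED_FIELDS.get(rec["role"], set())
        if rec["field"] not in allowed:
            alerts.append((rec["user"], f"{rec['role']} read {rec['field']} at {rec['ts']}"))
        per_user_customers.setdefault(rec["user"], set()).add(rec["cust"])
    for user, custs in per_user_customers.items():
        if len(custs) > BULK_THRESHOLD:
            alerts.append((user, f"bulk access: {len(custs)} customer records"))
    return alerts


# Constructed sample log: a shipping clerk reads card data once, and a
# billing agent walks through 60 distinct customer records in an hour.
SAMPLE_LOG = ["2015-04-01T09:00:01|alice|shipping|address|C1001",
              "2015-04-01T09:00:07|alice|shipping|card_last4|C1001",
              "2015-04-01T09:01:00|bob|shipping|address|C1002"]
SAMPLE_LOG += [f"2015-04-01T10:{i:02d}:00|carol|billing|card_last4|C{2000 + i}"
               for i in range(60)]

if __name__ == "__main__":
    for user, reason in review_log(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```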


Contact Center Contamination

One of the first entry points for many hackers is the contact center, according to Siegel. “The contact center is a definite point of weakness,” he states. 

Each month, the typical midsized contact center could receive more than 1,000 fraudulent calls. In fact, one out of every 2,900 calls to the average financial institution’s contact center is fraudulent, according to Greg Adams, vice president of product management at Pindrop Security, a provider of caller authentication and fraud detection technology for contact centers.

Fraudsters sometimes use interactive voice response (IVR) systems for surveillance and data-gathering as a precursor to phishing schemes with agents, who are unwittingly coaxed into giving out sensitive information to unauthorized callers.

In most cases, the call center agent is tricked by skilled fraudsters who use a variety of social engineering techniques to get her to break normal security procedures.

“Social engineering is a real problem,” Loesser says. “The only real defense is proper training and protocols.”

Training should also address the careless things that employees do on their own that could put customer data at risk.

“A lot of breaches start with negligent employees,” Ponemon cautions. He calls these employees “the dangerous insiders,” noting that many are “innocent people doing stupid things.”

Siegel estimates that as many as 35 percent of data breaches have started with basic human error, such as sending an email with personal information to the wrong person or storing company files on laptops or tablets that were lost or stolen.


The Inside Job

Even worse than careless employees or outside hackers, though, are the contact center agents who knowingly engage in illegal activities, using their jobs to gain access to information that they can sell or use on their own.

The temptation is great. In a call center, customers willingly hand over credit card numbers, security codes, and expiration dates to agents. Agents could skim this information with a recording device or scribble it down on a note pad. Moreover, almost all call centers today use some kind of call recording software that is capable of capturing and storing all of this sensitive consumer data so it can be accessed later. 

“A lot of companies have not paid attention to the fact that their employees could be the most dangerous people,” warns Bruce Pollock, vice president of strategic growth and planning at West Interactive, a provider of contact center solutions. “Their own employees could be coming to work for them every day, stealing information, and selling it.”

To help contact centers deal with this threat, call center technology can completely prevent skimming by agents. At the point in the transaction where the agent needs to collect the credit card information, systems can automatically pause recordings. With other solutions, the call can be transferred to an IVR system. Agent-assisted solutions can allow agents to collect credit card information without ever seeing or hearing it. The agent remains on the phone and customers enter their credit card information directly into the system using their phones’ keypads. The standard dual-tone multifrequency tones are converted to monotones so the agent cannot recognize them and they cannot be recorded. 

This “tokenization” process is very high on security experts’ list of priorities. It’s also a key component of the Eckoh CallGuard solution, sold in the United States by West Interactive. CallGuard can remove credit card information, Social Security numbers, birth dates, account numbers, private healthcare information, or any other sensitive numeric data from all areas of the contact center.  

“When the customer goes to key in his credit card number, the audio tones are muted so the agent can’t copy the number and use it,” Pollock explains. “The information is keyed in automatically, and all the agent sees on the screen is a number of Xs. The Web screen masks the digits.”
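To make the agent-assisted flow described above concrete, here is an added example (not Eckoh, West Interactive, or the article's own code) that models the three separations it relies on: the keypad digits reach only the payment system, the agent screen and the recording channel receive placeholders per keypress, and what gets stored is a token rather than the card number. The event format and the in-memory vault are constructed assumptions.

```python
"""Model of masked, agent-assisted card capture. Added example; the keypad
event format and CardVault are constructed stand-ins, not a vendor API."""
import secrets


def luhn_ok(digits):
    """Luhn check on a string of digits; rejects obviously mistyped numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Constructed stand-in for a tokenization service: the card number never
    leaves this object, callers only receive an opaque random token."""
    def __init__(self):
        self._store = {}

    def tokenize(self, pan):
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = pan
        return token

    def last4(self, token):
        return self._store[token][-4:]


def capture_card_entry(dtmf_events, vault):
    """dtmf_events: keypad presses while the call is in capture mode,
    e.g. ['4', '1', ..., '#']. Returns (agent_screen, recording, token, error).
    The agent screen and the recording get one placeholder per keypress,
    mirroring the muted tones and masked digits the article describes."""
    digits, agent_screen, recording = [], [], []
    for key in dtmf_events:
        if key == "#":            # terminator: customer finished entering
            break
        if not key.isdigit():     # ignore '*' and stray keys in capture mode
            continue
        digits.append(key)
        agent_screen.append("X")  # screen shows an X, never the digit
        recording.append("-")     # flat placeholder replaces the DTMF tone
    pan = "".join(digits)
    if not (13 <= len(pan) <= 19) or not luhn_ok(pan):
        return "".join(agent_screen), "".join(recording), None, "invalid card number"
    token = vault.tokenize(pan)
    # The agent may see the last four for confirmation, obtained from the
    # vault via the token rather than from the keypad digits themselves.
    screen = "X" * (len(pan) - 4) + vault.last4(token)
    return screen, "".join(recording), token, None
```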

In this environment, contact center managers and other employees need to be trained to spot at-risk employee behaviors. Training alone, though, is not enough. Ponemon and others stress that in today’s high-risk cyber-business arena, employees need to know that there will be serious repercussions for violations of company practices and security protocols.

Companies need to have a clearly defined formal policy “so that employees know if they violate it, there are consequences that they will have to face,” Siegel says.

Data security, therefore, has to be a business-wide endeavor. IT professionals, company executives, and employees at every level must work together to protect critical data assets from internal and external threats. Companies need to foster a security-aware culture in which protecting data is a normal and natural part of everyone’s job.

Data security is also a constant game of what-ifs. The only certainty is that cyber-criminals will never stop learning and sharing information that will help them get into high-profile targets. They will never stop trying to break into corporate databases; the information is just too valuable on the black market.  

“You need to understand that hacking is a crime of opportunity,” Loesser says.

The key (pun intended) is making sure that you’re not leaving the front door open for hackers to get in. 


News Editor Leonard Klie can be reached at lklie@infotoday.com.