Helping companies navigate the treacherous waters surrounding IT security and secure product development
I came across a timely survey that listed the crimes that Americans are most worried about. 69% are worried about stolen credit card numbers, according to a Gallup survey, making it the #1 concern. Not burglaries, not muggings. Credit card data theft is the crime we worry about the most.
Another survey by Creditcards.com suggests that 45% of us will definitely or probably avoid shopping at retailers that experienced a recent data breach.
What’s a consumer to do? Every day you open your web browser and read about data breaches at the likes of Sears, Target, Dairy Queen, PF Changs, Home Depot, Sally Beauty, Neiman Marcus, Staples and Chick-fil-A, to name a few, all of them victims of thieves who stole credit card numbers and customer information from their payment systems.
As we start 2015, should you shop and dine at these stores? Based on all of the bad news that surrounded these companies in the last 12 months, that would seem unlikely. But think about it a bit more, and perhaps these are the BEST places to shop. Hear me out.
Many people in the security industry will tell you that there are two types of companies:
Another way of saying that is that it’s not a question of whether a company will be breached, but just when it will happen – and how long it will take the company to discover the breach.
While you may think that’s an alarmist viewpoint, you need look no further than your local newspaper or favorite blogger to see a regular parade of companies who have learned of a breach in their networks and point-of-sale systems. No CEO, CISO or board member wants to get a call or email from Brian Krebs. Ever.
So, should you focus your spending on companies who have not made news yet in the hope that their networks and PoS systems are safe and they will handle your credit/debit cards safely, or should you focus on the companies that have already had their very unpleasant moment-in-the-sun?
While none of us will know exactly what the security posture of any given company is, logic suggests that companies that have recently had a breach, and have had teams of forensic investigators digging through their systems and networks, are less likely to be breached currently than any arbitrary company that hasn’t endured a breach.
Now there certainly are good arguments to be made that retailers who haven’t been breached may be in that position because they have invested heavily in security. Their networks are secure. I would be very happy to reward companies that spent appropriately on security, ensuring my data is safe in their hands. But the challenge that all of us face as consumers is this:
How can I tell the truly good from those who are simply lucky? Or worse yet, those who just don’t know they’ve already been breached?
We don’t have a good way to tell who we should trust. Therefore, pragmatism may be our “least-bad” option.
What do you think?
How are you choosing where to spend your hard-earned Dollars, Euros, Yen or Rupees? Who gets your business, and why? Is payment card security something you think about when you go out to shop or dine? Does the way a company handles a data breach affect your willingness to make purchases there in the future? Leave a comment below and share your thoughts.
Photo by Sean MacEntee
Note: I am not affiliated with any of the companies mentioned in this posting, other than as a customer of some.
Thank you for taking the time to read and comment on this post. This blog post also appeared on LinkedIn.