Fraud and Data Breach Trends: Interview with Kevin Prince, Chief Architect, Perimeter eSecurity
Perimeter eSecurity recently conducted a study of financial institution data breaches. Kevin Prince, Chief Architect of Perimeter eSecurity, discusses that study, offering insights on:
A well known expert in the security industry, Prince regularly trains Federal Examiners at the National Credit Union Administration (NCUA) and the Federal Financial Institutions Examination Council (FFIEC) on such topics as firewall security, remote access, virtual private networks, intrusion detection and prevention systems, and on what the examiners should look for when they examine a financial institution.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is fraud and data breaches, and we are speaking with Kevin Prince, Chief Architect of Perimeter eSecurity. Kevin, thanks so much for joining me to talk about this topic today.
KEVIN PRINCE: My pleasure, Tom, thank you for having me.
FIELD: Now, Kevin, you've just completed a study of financial institution data breaches. What did you find most compelling?
PRINCE: Well, there are a couple of things that really stood out to me from the study. The first one was still how many companies do or don't report data breaches, or the information when a data breach occurs. For example, only 11% of companies that had data breaches actually reported them, according to one part of the survey. And of those 11% that in fact did, about 25% of them did not disclose how many records were compromised. So, when we do studies of this type, we are still looking at these small slivers of data, and the amazing thing is, those small slivers of data still encompass millions and millions and millions of compromised end-user personal records. So, a lot to work with, but yet, still we know there's a whole lot more out there. Another thing I thought stood out was that IT administrators are about 58 times more likely to kind of cause, or be associated with, a data security breach -- not necessarily because they are malicious, but perhaps due to an error, due to a misconfiguration, not doing something that they should, but it certainly seemed like IT administrators were kind of a weak link in the overall integrity of our data.
FIELD: Interesting. What do you find to be the most common types of breaches?
PRINCE: Well, there are a few that kind of stood out. I mean, hacking accounted for 42% of actual incidents -- this is for data breaches that occurred between 2000 and the end of 2008, and when you look at data breaches, you have to look at it two ways. There's the number of incidents that occur, and then the number of records that are compromised. And you've got to look at them both ways, because it doesn't really matter whether you have one record compromised or you have a hundred million compromised; it is still a data security breach, and you still have to follow certain protocols, and you may have to do notifications and deal with a lot of things, regardless of how many records. So, from a hacking standpoint, 42% of incidents were associated with hacking, but it accounted for 55% of records. So, kind of a correlation, or certainly some synergies there. But theft, on the other hand, I thought, was a very interesting one. Data breaches resulting from theft were 30% of all incidents, but only accounted for 3% of records lost. I think that is really interesting because, you know, again, whether you have just a handful of records or millions of records lost, you still have to disclose this in most cases. I mean, 46 states now have data security notification laws, data breach notification laws of one type or another, and you are going to have to notify your customers that this kind of thing happened. But, although it is a small number of records, a third of the cases are theft, and typically could be easily dealt with. Malicious insiders were another interesting one. Fifteen percent of incidents were associated with malicious insiders, which accounted for 24% of records.
FIELD: Interesting. Given the economic conditions that we are seeing today, there's a lot of speculation that the insider threat is even greater than we've seen before. Do you think that that number, 15%, might creep up in another year?
PRINCE: Oh, I definitely think it will. I wrote an article a few months ago about the top nine security threats for 2009, and malicious insiders I listed as the greatest threat to the organization, primarily because of the downturn in the economy. You know, desperate times bring out the worst in people, and we are going to see, and have already seen, incidents where, you know, these insiders do things that they shouldn't. They will compromise records and try to do things to make a little extra money on the side. Yes, definitely, I believe malicious insiders are going to play a larger and larger part. Especially while we continue to kind of have troubles in the economy.
FIELD: Now, beyond the obvious impact of a data breach, what are some of the real costs of these fraud incidents to institutions of all sizes?
PRINCE: That's a good question, because that's really what people want to know: "If I have some kind of a data breach, what is it really going to cost me?" And, you know, there are some statistics and things that we have been able to put together in order to try to break that down a little bit better. The average cost of a data security breach is about $6.6 million, which is a very significant number. Now, obviously, that's an average, and it is difficult to map that to each individual organization's size and scope and number of customers and the client data that they have. So, there is another statistic, which says it is about $200 per record compromised. So, if an organization wants to try to figure out what their exposure is to something like this, they can look at how large their data set is, and then they can multiply it by that $200 number, and get, relatively speaking, an idea of what a data breach would cost them. Now, neither of those numbers includes one of the most significant costs that some companies incur with data breaches, and that is lawsuits. You know, for example, the VA recently settled their data breach for $20 million. This was a class action lawsuit that, I believe, included something like 26 million people. So, it was a large one. But the reason that $20 million number is so interesting is because, in that particular incident, and this is very similar to other ones, it had to do with theft of a laptop; the laptop was recovered, and it was determined that no data was stolen off it, no fraud cases were reported or occurred as a result of that data breach, and still, the VA had to fork out $20 million to settle this lawsuit. And it came down to what was classified as, essentially, the emotional suffering of people, having to worry about whether their credit was intact or not.
FIELD: Wow. And you can't even put a price on the reputational hit a company might take if it suffered an incident.
PRINCE: Absolutely. So, the numbers are large, and obviously what companies need to do is avoid these things at all costs.
FIELD: So, let's talk about reducing breaches. What can financial institutions, in particular, be doing to decrease the number of data breaches?
PRINCE: Sure. I think there are several things that they can do. I mean, as I mentioned, 30% of data breaches occur from theft. This is in large part laptops that get stolen that have sensitive data on them. You know, whether they are at home, or they're in a car, which is most prevalent, or whether they are traveling, in a hotel room, or a plane, or wherever it might be, theft of laptops is a major problem. Now, there are only four states, out of the 46 states that have data breach disclosure laws, that require you to still notify customers if the data was encrypted. So, my first suggestion is, encrypt your data if it is sitting on laptops at all. That way, if a laptop does get stolen (and it is incredibly difficult to just keep your laptops from ever being stolen), you don't have to worry about the data on it being compromised, in the vast majority of cases. So, that is a big one. I think another one is to use a program like remote data backup and recovery solutions. This is where you are doing your backups over the Internet, securely, as opposed to data backup tapes, which then have to be stored offsite. There are a tremendous number of data breaches that occur through employees having those tapes stolen or lost while they are in transport offsite, or a third party picks them up and loses them, or something happens to them. If they use a remote data backup service, they don't have to deal with magnetic media at all, or with all of the issues around transport, or around the theft of that media, even while it's sitting on the network. So that's kind of a second one. Training internal employees, I think, is a huge one, especially IT. So, anytime you can raise the waterline of all of the employees, and what they are doing, and best practices, and then following policies and procedures, and learning about security, we are going to make fewer mistakes and we're going to be more conscious of security.
We're going to be looking out for things, and it's going to result in fewer data breaches. And I think it's kind of a no-brainer. Most financial institutions, in fact -- well, all financial institutions are required to do that anyway, but don't do it to the level needed to really reduce data breaches significantly, and that is what they ought to do. I think a fourth thing is to strongly enforce policies and procedures. And banks do a fair job of this today; they write them up, but they don't keep them fresh. And the biggest gap is in making sure that the employees know what these policies and procedures are, and that they follow them, and that the employees know why this is important. For example, putting a policy in place that says, "We don't allow peer to peer software to be loaded on the network and used." Without a description as to why that is important, an employee might say, "Well, I'm going to do it anyway. I want to download this music, or this movie, or something like that." Well, peer to peer software -- we have many data breach incidents that show how peer to peer software was used to completely compromise a network, without the employer or the individual user knowing what was happening. So, that will really help. I think a fifth thing is, you know, pushing IT people too hard. And, you know, not that they shouldn't work, but so often we put our IT folks in the position where they are putting out fires all day long, and they're not able to have the time to do the things that they are supposed to do, to follow the procedures they are supposed to. They will take shortcuts, they will do a variety of other things that are not conducive to the best security practices, and those things lead to data breaches. So, making sure that the IT folks are trained, and then giving them the time to do their true duties, and stay proactive on things, as opposed to always reactive, I think, is a great thing, too.
And then, the last thing I will mention is, really, to outsource to third parties. Not that any third party is a great one to outsource to, but if you pick the right partners, they can take on a lot of the things that the IT people spend a lot of time on without a lot of value, but that still need to be done. You can outsource those things to a third party, and then free up the cycles for the IT person to focus on more meaningful core business elements. You know, things that can be outsourced, for example, are 24/7 monitoring of firewalls and intrusion detection and prevention systems, and a variety of other solutions that really can benefit. So, those are some of the things that come top of mind, as to the ways that a financial institution can reduce their exposure to data breaches.
FIELD: Kevin, I read your study, and one of the topics that you discuss is the Heartland Payment Systems data breach. What is it about this incident that gives it such significance in the industry now?
PRINCE: Well, I think what has put a big spotlight on it is the number of records that are likely associated with this breach. They have not told us the exact number, but from their being able to say, "Okay, we process over 100 million transactions every month," we believe that the breach went on for enough time that this is likely going to be the largest data breach in the history of the United States, perhaps the world; that's why, I think, it is getting the attention it is. But even beyond that, there are some elements to it that are making it a very interesting one to study and watch. First of all, the use of malware in this -- a very sophisticated attack that was used to extract the sensitive data that was ultimately used; the number of financial institutions that have already reported customer compromises is over 600. You know, they were, in fact, PCI compliant -- that is, the Payment Card Industry Data Security Standard, what merchants have to do in order to be compliant for accepting credit cards -- and it's kind of interesting, because Heartland is trying to hide a little bit behind that PCI certification that they have, but then, just this week, Visa revoked that; they took them off the approved list, or the PCI-certified list. So, there are some things going on, which I'm glad to see, because it's allowing Visa to step up and put some teeth into PCI, which is going to really help the overall industry keep their consumer data a whole lot more private.
FIELD: So, let's look ahead a little bit, Kevin. Given what you've seen in the past year, what trends do you foresee throughout 2009, in terms of, (1) the types of fraud that we will see, and (2) ways institutions can be preventing this fraud from taking root?
PRINCE: Sure. I think we are going to see a lot more of, and we've seen these in the past, but they seem to be the growing, preferred ways these criminals have of doing this. One is the use of malware. You know, we have Heartland based on that. We have the Hannaford breach, and they used malware on that. And we're going to see more and more of this. And the reason that is significant, and that we're going to see more of it, is that using malware is essentially having the inside computers almost compromise themselves: if a user, an employee on a network, goes out to a website that is malicious, or a website that has been compromised, they can have Trojan horse software or other malware get installed on their system, and they can be completely compromised without even knowing it. And these users, these employees that are doing this, you know, all they're doing is going out to Google and typing in something and clicking on a link. There could be search engine manipulation that is occurring that is leading them to these false websites as well as compromised websites. In 2008, we had walmart.com, history.com, msnbc.com, cbs.com, and literally hundreds and hundreds of other highly used, legitimate websites get compromised. And if your users went out to that website on that day, they could be compromised. And then, those systems are the ones used to perpetrate this fraud and capture the sensitive data. So, I believe that malware is going to continue to explode in its use, because it is so effective. It completely bypasses the traditional edge-based security systems, like firewalls and intrusion detection systems. It can be very effective in just getting right around those things. So, I think we're going to see a lot more of that. The other thing I think we are going to see more of: there was a very interesting breach not too long ago that occurred at RBS WorldPay. I don't know if you've heard about that one or not.
But there was $9 million stolen in a very short period of time, a couple of hours. They used a hundred cloned cards that they had captured from a data breach. It was in 49 cities, and in a short period of time, a few hours, they took $9 million. And so, this, you know, just going to an ATM and getting the money and walking away, that's where the rubber hits the road for these criminals. You know, a lot of people think it's about selling identities and this and that, and certainly there is a lot of that happening. But in this particular case, just taking money right out of people's accounts is a trend that I believe we're going to continue to see more of. So, it's tough when, you know, a processor ... You know, you asked "How can financial institutions protect themselves, in general?" And, you know, in the case of Heartland, it's actually who many financial institutions use in order to process the credit cards, and they had a data security breach. So, it's tough to protect against it when that happens. But there are a lot of things that financial institutions can do to make sure their data is not compromised and that their systems are not breached. A layered security model, you know -- there's no one solution that's going to do it. There's no silver bullet. And everybody's heard that before, but it's so true. You've got to do a risk analysis and figure out where your strengths and weaknesses are, and then shore up those areas and those gaps in your security program that need some attention and some work. Again, I mentioned those policies and procedures, and I mentioned training. Those are great ways to do it. So, the combination of documents, training, and then technologies and solutions that are put into an effective program, is really what financial institutions need to do to stay safe.
FIELD: Kevin, that's great insight. I appreciate you taking time to talk about this study, and to give us some thoughts on what financial institutions will see, and can do, going forward.
PRINCE: No problem. Thank you so much, Tom.
FIELD: We've been talking with Kevin Prince, Chief Architect with Perimeter eSecurity. For Information Security Media Group, I'm Tom Field. Thank you very much.