Yes, I see the challenges we face in Online Security as a battle. The industry takes a step to protect customers, and the bad guys come up with a way to get past our defenses. We all equate this fight as an arms race, but let’s take a broader view…

This is a war that, in my opinion, has 3 fronts.
• Customer Education
• Fraudster Value Chain Disruption
• Customer Information Protection

Customer Education is a continuous front, and we can’t let up. As consumers become more educated, they become deputies in protecting their own information. An educated customer is more likely to notice a fraudulent attempt to gain personal information or financial access than we are in many cases. They protect their information zealously, which limits their likelihood of becoming a victim in the first place. They are more careful of what they post in the online / social network environments, and they understand their role in protecting themselves. Too many institutions are worried about letting customers know they are vulnerable. But education can be liberating. Letting the customers know about the threats now is better than having them find out on the backend. Does your company do all it can to educate its customers about how to interact safely in an ecommerce world?

Fraudster Value Chain Disruption is a fancy way of saying offense. A good defense is great for the individual institution, but a good offense is vital to the industry and community as a whole. Unfortunately, it’s not one organization that gets attacked every time. If one organization’s defense changes, the bad guys just probe the other institutions. It would be nice to think that malware like Zeus only targeted one institution, but have you seen the most recent config for Zeus? Yeah, it’s pretty much everyone. So, how can we attack? One of the key areas is at the cashout point, or money mule. There is a reason that all of the compromised identities and accounts haven’t been drained… the funnel tightens at the point where the dollars become real. What if all banks and ecommerce sites shared a common list of money mules and re-shippers? What if law enforcement prosecuted money mules and re-shippers, regardless if they were “conned” or not? Here is where industry cooperation has to drive the attack.

Customer Information Protection is the 3rd front that contains the concepts of network security, data breach protection, customer authentication, etc. It’s like the Russian front of WWII in many ways. It’s also where so much of the defense in the industry has rested, and made quite a few vendors very rich. Diversity in solutions at the organization level is good here. Each organization is different in how it protects its information, which makes the bad guys work. However, it takes diligence at each organization to keep track of what’s happening around them. Don’t ever let yourself be the “second victim” of a vulnerability. If you see a partner with a vulnerability, let them know. Finally, make sure you know your “true perimeter.” How many organizations get “shot” at a 3rd party vendor, or worse – one of your 3rd party’s 3rd party!

Bottom line… Everyone should ensure customer education is a top priority. If you aren’t telling your customers how to protect themselves, you are wrong. Cooperation between organizations is critical for Offense – without it each company will come up with great ideas that never reach full potential. And finally, differentiation in defense is good, but help and learn from the guy in the foxhole next to you.

Author:  Kimberly Getgen Bargero

Reading Time:  2 Minutes

I live in San Francisco and really enjoy partaking in all things tourist-related. It was during this year’s RSA Conference that I uncovered a new hidden tourist attraction – the San Francisco Cable Car Museum – a real gem that could teach us a lesson about selling data protection strategies to business managers.

Anyone who has visited or has the good fortune to live in San Francisco will tell you that it’s the cable car that single-handedly puts San Francisco on the map (well, that and the occasional earthquake).  If you’ve visited, you’ve probably had the opportunity to ride up and down the vast hills of the city on one of these cable cars.

According to the legend, the idea for the cable car was brought to San Francisco by Andrew Smith Hallidie back in 1869 after witnessing horses being whipped while they struggled on the wet cobblestones. The horses slipped and were dragged to their death inspiring Smith Hallidie to improve this horse-drawn system of transport.  While this treatment of horses may have seemed inhumane, it alone was not enough for the idea of the cable car to really take off.  What was the real advantage?  Eradicating the smell of the horses, hay and manure that was littering city.  Removing the smell – and not necessarily saving the horses – turned out to be a key selling feature of the cable car.

Later in this century the expense of the cable car was challenged and an argument was made to discontinue it for the more cost-effective bus system. In response, a public campaign showed the value of cable cars to San Francisco was far greater than their operational cost.  The value of the cable car won and today remains the world’s last permanently operational manually-operated cable car system.

Keep this example in mind the next time you need to sell your data protection strategy to your management.  I encourage you to think about what will “smell the most” when you fail to protect data. What will be the tipping point to sell your data security strategy? Cost of a data breach? Lost business from destroyed customer trust? The key selling point will most likely be different for different organizations — and could be something unique to your business.  Be sure to include an analysis of the potential costs of a breach and lost business from destroyed customer trust (the real smell that gets management’s attention).  To help you get started, we’ve created some worksheets that are available in our Data Breach Prep Kit.

At the end of the day, its up to us to sell the value of data protection and build the business case to show the value of protecting customers is far greater than the operational cost of protecting data.  By the way, the operational costs of data breach are growing, so now more than ever it makes sense to protect customer data.  If you’ve been discouraged from past discussions with your management, I encourage to take another look at the costs again.  And, if you want a “cheat sheet” for building a case for data protection, here is a recent webcast I did for ISC2 that you can watch at your convenience.  Best of luck!