Security is expensive. We all know that. I see the battles my clients continually face, particularly the small and medium-sized businesses (SMBs), as they try to spread their limited security dollars across dedicated salaries (for the fortunate ones), toolsets, appliances, training, and consulting (maybe we don't need to include the last one?). Many SMBs take comfort in one underlying belief: "I'm the small guy. Surely I won't be targeted when there are banks and multinational retailers to be hacked." Mr. Angelastri says as much in this Wall Street Journal article.
While that assumption may have been relatively safe to make in the not too distant past, I have a feeling the statistics shared in the article, and repeated here for you, are going to be a source of angst for many SMBs, particularly (for the moment) those that process credit cards.
- In 2010, the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer.
- Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.
The questions that enter my mind are, "How do we as security professionals respond to this apparent trend to better protect our clients within their resource constraints?" and "How is the Payment Card Industry going to respond to this shifting risk profile?"
I have some immediate thoughts on those topics (dial-out terminals, tokenization, end-to-end encryption, validation-shifting strategies) that I will discuss in future posts, but in the meantime, I'm curious to hear how you personally are responding to this shift.