Shoring up cybersecurity tied to bottom-line losses, experts say

Many businesses put off implementing IT safeguards until it is too late


May 22--SAN JOSE -- Despite a torrent of high-profile data breaches -- most recently at eBay -- many security experts fear businesses and consumers will continue doing little to bolster their protections against cybercrooks until they feel it in their pocketbooks.

This week, the San Jose e-commerce company revealed that a database containing customers' names, passwords, phone numbers, dates of birth, email and home addresses was compromised. But as with most other recent hacks, eBay said it had no evidence anyone's money was stolen. And that -- ironically -- is the problem.

Unless such attacks result in widespread financial losses, experts say, the threat won't be taken seriously.

"Until it hits them at home, it won't matter much," said Scott Goldman, CEO of security firm TextPower, based in San Juan Capistrano. "The very fact that people are becoming numb to the constant stream of breaches indicates the pathetic level of security provided by most online services."

Like many individuals, businesses often balk at the cost of cybersecurity, figuring it's not worth the benefit.

"Most companies are focused on revenues and profits; unfortunately, security doesn't drive either of those two priorities," said Eric Chiu, president of Mountain View security company HyTrust. "Instead, they view investment in security as insurance which they can put off until something bad happens, which is too late."

The problem with that approach, he added, is that it can wind up backfiring.

"As we have seen from Target," he said, referring to the retailer's disclosure in January that thieves stole payment card and other information from at least 40 million of its customers, "the potential costs of not putting customer data as a top priority are brand damage, loss of customer trust and ultimately major business impact."

Target's breach reportedly has cost it close to $1 billion and prompted the May 5 resignation of its CEO.

To bolster customer security, Target has said it plans to spend $100 million to adopt so-called chip-and-PIN payment cards that are harder for crooks to counterfeit and use. Other retailers reportedly are considering doing the same, though researchers warn that the advanced cards also have vulnerabilities.

"Less than halfway through 2014 and we're already beginning to lose count of the number of big-name companies fallen victim to attacks like this," said Alan Keller, CEO of San Jose security company Vormetric.

Target is far from the only recent case. On Monday, U.S. authorities charged five Chinese military officers with hacking into U.S. corporations to steal trade secrets.

And in April they said they were investigating the criminal sale of Social Security numbers, bank account data and other personal information for up to 200 million U.S. citizens, after a breach at Court Ventures, a Southern California subsidiary of credit-reporting giant Experian. Moreover, the recently discovered Heartbleed bug has endangered data on innumerable websites.

Given such revelations, some companies are taking steps to shore up their security, though experts say it's not enough.

"The recent uptick in data breaches is helping shift companies from a 'it will never happen to us' mentality to a 'we now have to budget for better security' one," added Jean Taggart of San Jose-based Malwarebytes. Nonetheless, he said, "there are of course still many examples of startups that simply don't factor in security in the rush to build a user base."

Mark Bower of Cupertino-based Voltage Security added that "what's missing in this data-driven business trend is consideration for data security and privacy from the beginning -- and it should not be an afterthought, given the massive risks to business and consumers alike."

Among other safeguards, experts say companies should require two means of identification (two-factor authentication) for access to their websites, and case-sensitive passwords of at least eight characters that include numbers or punctuation marks. They also recommend limiting the number of employees who can see sensitive data, encrypting that data, and keeping it on separate networks that are not connected to the Internet.
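Worked example, added here and not taken from the article or from any of the companies quoted in it: a Python check for the password policy the experts describe (case-sensitive, at least eight characters, at least one digit or punctuation mark), paired with salted password hashing so that a stolen credential table does not directly yield usable passwords. The hashing half goes beyond the paragraph, which only states the policy; the PBKDF2 parameters and the sample passwords are assumptions chosen for illustration, not recommendations from the article.

```python
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

# Policy from the article: minimum eight characters, at least one digit or
# punctuation mark. Comparisons stay case-sensitive because we never lower-case
# or otherwise normalise the password before checking or hashing it.
MIN_LENGTH = 8
DIGITS_OR_PUNCTUATION = set(string.digits + string.punctuation)

# Assumed work factor for PBKDF2-HMAC-SHA256 (illustrative value, not from the
# article); tune it to what your login path can afford.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def password_meets_policy(password: str) -> bool:
    """Return True if the password satisfies the minimum policy above."""
    if len(password) < MIN_LENGTH:
        return False
    return any(ch in DIGITS_OR_PUNCTUATION for ch in password)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash of the password.

    Store (salt, digest) instead of the password itself; a database breach then
    exposes only per-user salted digests that must be brute-forced one by one.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(candidate: str, salt: bytes, expected_digest: bytes) -> bool:
    """Re-derive the digest for a login attempt and compare in constant time."""
    _, digest = hash_password(candidate, salt)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, expected_digest)


def register_user(password: str) -> Tuple[bytes, bytes]:
    """Enforce the policy at sign-up, then return what the database should keep."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the minimum policy")
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample passwords (not real credentials).
    for sample in ["correcthorse", "Ab1!", "Tr0ub4dor&3"]:
        print(f"{sample!r}: policy ok = {password_meets_policy(sample)}")
    salt, digest = register_user("Tr0ub4dor&3")
    print("correct password accepted:", verify_password("Tr0ub4dor&3", salt, digest))
    print("case-changed password rejected:", not verify_password("tr0ub4dor&3", salt, digest))
```

The policy check rejects a long all-letter password and a short one with symbols, and accepts one that meets both rules; the verification step shows that case matters because the digest is computed over the exact bytes supplied.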
