The words "data breach" are met with a clamor whenever they make headlines. Home Depot, Target, Ashley Madison, Heartland, Citibank: the list goes on and on. These breaches spent time in the limelight because of their magnitude; they affected hundreds of thousands, and in some cases millions, of cardholders and account holders.
But the reality is that data breaches are far more common than large headline events like these would have us believe. According to a report published by the Identity Theft Resource Center, there were at least 538 data breaches this year alone (through July 19th), exposing nearly 13,000,000 records.
The result? Besides exposing customers to financial harm, the sheer number of these breaches has jaded consumers and businesses alike. The recent Wendy's data breach, for example, despite its serious implications, hasn't received as much attention as one might expect.
Simply accepting the possibility of a data breach as a fact of business is a dangerous mistake. Wendy's is undoubtedly suffering reputational damage: attackers had prolonged access to cardholder names, card numbers, card verification values, and more.
Even though the breach didn't receive significant media attention until recently, Wendy's had acknowledged cyberattacks in October of last year affecting about 300 of its franchisee-owned locations. The problem was that the attackers continued to harvest card data undetected at more than 1,000 franchisee-owned locations for over a year. It wasn't until banks, credit unions and others disputed the size of the problem that Wendy's was forced to reopen its investigation and uncover the full extent of the breach. As we discussed in last Wednesday's webinar, "How to Integrate Governance Areas," the corporation tried to distance itself from the breaches by pointing out that no company-owned stores had been affected.
This isn't just a story of failed cybersecurity. It's also a story of failed vendor and third-party management. As we wrote regarding the recent CRF listeria outbreak, organizations are responsible for performing their own vendor assessments. This applies as much to franchisees as it does to suppliers and other third parties. There's a reason no company-owned stores suffered a breach while more than 1,000 franchised locations were affected: Wendy's maintained its own cybersecurity processes for the stores it ran. What it failed to do was ensure that every location operating under its brand maintained the same standards.
Too often, companies react by buying a new point-of-sale solution, which is effectively a Band-Aid. Instead, they should be ramping up risk assessments to identify potential future issues and the root causes of the problem. More than 63% of confirmed data breaches involve weak, default or stolen passwords, a control weakness that no point-of-sale purchase addresses. Billions of dollars are spent on Band-Aid mitigation while the real risk is left unmitigated. This is a classic problem that ERM solves at a fraction of the cost.
Not only would ERM have helped prevent the breach; in a situation like Wendy's, vendor risk management would also have headed off the costly negligence claims the company now faces.
To make matters worse, the trend among insurers is to decline to pick up the tab for negligence claims when the attack came in through a third party's network. Courts have sided with the insurers in such cases, the third parties are being held liable for the resulting costs, and the long-term brand damage lands on the entire supply chain. The implications go far beyond credit card data, ransomware, and traditional personal information to any information a company holds in support of its customers.
The questions to ask yourself are: "Does my organization rely on third parties? Do any of our vendors? Is there a possibility that our vendors are operating with lower standards than we are?" If the answer to any of those questions is yes, it's imperative that your organization have an ERM system with robust IT risk management, policy risk management and vendor risk management capabilities to ensure consistency. This is also sometimes called enterprise governance, risk and compliance.
To learn how your organization can stay ahead of the rising data-breach tide, read our blog post, "Risk-Based Cybersecurity Prevents Cyber Attacks and Data Breaches." Also download our free Annotated Guide to SEC Cybersecurity.