On Friday, July 24th, Network Solutions, LLC announced a large data breach of customers’ payment card information. According to Network Solutions, “it identified unauthorized code on servers supporting some of its ecommerce merchants’ websites. After conducting an analysis with the assistance of outside experts, we determined that the unauthorized code may have been used to transfer data on certain transactions on approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information. The code may have captured transaction data on approximately 573,928 cardholders.” Network Solutions has further stated that “assuring the security and reliability of our services to customers is our most important priority. We store credit card data in an encrypted manner and we are PCI compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion. In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve a vulnerability in the way we store data in our systems.”
Anyone who processes payment cards should read and re-read that last paragraph. Yes, any company that processes payment cards is vulnerable to this type of attack. While Network Solutions asserts that it is PCI compliant, it does not specify whether it was PCI compliant before, at the time of, or after the breach occurred. Even if it was PCI compliant at the time of the breach, PCI compliance does not guarantee that malicious code will not be placed on a server. Unfortunately, it does not seem as if anyone is getting the message that simply being compliant with any type of regulation is not enough. Compliance should be viewed as the bare minimum for protecting IT systems and information. While the costs associated with responding to a breach are high, the hit to the breached firm’s reputation is likely even more costly.
Management is still not realizing the potential liability it faces when IT systems are not secured well. Certainly there are effective controls that can be put into place to greatly reduce, or even eliminate, the potential for malicious code to be placed into a firm’s IT infrastructure. These controls are almost certainly less expensive than the losses a firm incurs when a breach occurs. I believe the problem lies in the fact that many C-level executives do not fully comprehend IT and the vital role it plays in their business’s success or failure. Given how recently IT has come to play a vital role in companies, it will take some time before business school curricula catch up to the current realities that companies face. It will also take time for graduates with a firm grasp of the role IT plays in business to reach the upper management ranks. Hopefully, in the meantime, with the rise in publicity and costs surrounding breaches, IT will be able to get management’s attention with the message that compliance simply isn’t enough.