There has been a lot of news recently highlighting vendors’ losses of cardholder data despite being PCI compliant. eWeek ran a good article yesterday looking at this trend and focusing on the fact that PCI compliance is only the start of security. It is important for companies to really get into the mindset that PCI compliance is a means to an end, not the end itself. Don’t get caught driving toward checkbox compliance, where the only goal is passing the audit every year. The ultimate goal of PCI compliance is to protect your customers’ personal data and, ultimately, to protect your business. For small and medium businesses (SMBs), Software as a Service (SaaS) based security offers a highly effective and affordable option for both establishing PCI compliance and protecting your customer data.
The cost of a data breach to a company of any size is significant, but for a small or medium-sized business it can be fatal. The eWeek article quoted the following on the cost of a data breach:
“Those consequences can be costly. Earlier this year, a survey performed by the Ponemon Institute found that the average cost of a data breach—from detection to notification and response—increased to $202 per record in 2008 from $197 a year earlier. Then there is the cost of lost business and a damaged reputation.”
Using these numbers, the loss of a mere 1,000 customer records can cost your business hundreds of thousands of dollars, and a loss of more than 5,000 records can cost your company millions.
So with incentives like these, why do companies continue to experience data breaches even when they are PCI compliant? The bottom line is that security is a process, not an event. Companies must establish not only the technology to defend against attack, but also a rigorous set of security processes that they adhere to: processes that detect vulnerabilities, protect against attack, and review security data to ensure that a breach hasn’t occurred. Establishing these processes will go a long way toward providing real protection for highly sensitive cardholder data.
For SMBs, the problem isn’t that they don’t understand the stakes of establishing strong security; it’s that the cost of making security a strong and continuous process can be prohibitive. Most such companies face a significant manpower and expertise gap that prevents them from securing their data appropriately.
SaaS security is a powerful tool for closing these resource gaps. Services like those provided by Alert Logic offer benefits across the board: the elimination of capital expenditures and software maintenance fees, flexible storage, and certified analysts who provide continuous security monitoring. Additionally, because we offer SaaS and are not a managed service provider, you don’t give up your ability to access and monitor your own security information. If you are an SMB subject to PCI requirements, it is in your best interest to look at SaaS security to both reduce costs and improve security.
I think that’s the toughest part in selling security programs: distinguishing between security and compliance. Compliance, regardless of PCI, HIPAA, SOX, et al., should always be the minimal standard of security. Security begins where compliance ends. The bad guys know about compliance. They know what to expect, even when they don’t get it.
The most unfortunate trend that I’ve seen in information security during my career is that many organizations tend to look at security and compliance as “nice to haves,” until they get audited or they have a compelling event. Then the collateral damage becomes a great motivator as stakeholders raise their eyebrows at the costs and ask tough, pointed questions. The difficult one to explain away is “You knew and didn’t do anything?” The CISOs that I know spend too much of their time justifying their security programs instead of being allowed to fulfill their charter: protecting data. When the business stops viewing information security as optional and organizations bake it into every process — that’s when we’ll see significant changes in breach statistics.
Steve – I think you miss the point. What makes you think SMBs want to move beyond compliance? We can cite all of the facts and figures we have and throw as much FUD as we want, but at the end of the day they won’t do it because they don’t think it will happen to them. This is the fundamental problem with security today. Our best customers are those who have already had something happen to them! I have written more about this on my blog here.
The take-away should be that PCI compliance, along with Information Security in general, is an ongoing process.
PCI compliance alone isn’t enough to ensure full security, but full security isn’t possible without PCI compliance (despite its numerous critics, PCI compliance makes good sense).
A combination of PCI compliance and comprehensive information security is the best approach, with vigilance the key to both. If you’re interested in testing your PCI compliance knowledge, you can do so with our PCI Compliance Quiz Widget, a fun and informative quiz that is also fully portable. Feel free to cut and paste the script and host it on your blog or website.
Alan, I think you both have good points, but it seems you are disagreeing on intent and consensus. I think the point Alan makes is that we need to educate the audiences. Regardless of their intent, I’m sure there are a surprising number of SMBs who do wish to be secure; no one wants to lose money. I think most just don’t understand that being secure can save them money. A big part of security that we often miss is that most of us are here to keep the lights on. We don’t work for security companies; we are paid with the money that another business generates. Therefore, that business needs to be educated about the services we perform. MSSPs should not only sell their products and services, they also have a duty to educate (without FUD) on the meaning of both compliance and being secure.
Thanks to everyone for contributing to a good discussion and especially for providing some alternative points of view. Alan, I think that you are right that there are SMBs whose goal is to get past PCI compliance and check that box. It has been our experience, though, that in general the people who are responsible for security, even at small to medium-sized businesses, are often very aware of and concerned about the security threats they face, and take protecting the cardholder data regulated by PCI compliance very seriously. Certainly companies are much more motivated to move to stronger security after they have been compromised, but a large number of companies want to avoid these incidents altogether.
The challenge for a medium-sized business is not that they aren’t aware of or concerned about the consequences of a security breach, but rather that they don’t have the appropriate resources and expertise to implement regular security processes. The point I was trying to make is that a managed service, whether provided by SaaS security or by an MSSP like your own company, can help them achieve a more continual, rigorous and accountable process that is difficult to impossible for a smaller company to achieve on its own.
The intent of the original post was to make companies aware that they can improve their security and go beyond checkbox compliance without breaking their budget.