Positioning your institution's response in the face of a data breach

Data breaches are going to happen. The important part, says ACI Worldwide's Seth Ruden, is how an institution chooses to handle them

Unless you've been living under a rock in North America, it's pretty hard to have missed news of recent high profile data breaches.


I'd venture to say these stories have made their way into the wider, global purview (note: as I write this, another report regarding a massive data breach in South Korea affecting 20 million cardholders was released). While the number of retailers and account holders impacted by these events continues to increase and make headlines, issuers and merchants alike must find ways to restore their customers' confidence, and quickly.

Upon hearing this type of news, cardholders immediately think "Was I impacted? What do I need to do? Will my account be closed? Will I get a new account number and a new debit or credit card?" These and many more questions flood the support lines as customers try to understand the real-life implications and the steps they need to take to protect themselves.

When associations, banks, issuers and retailers identify a significant or high profile data breach, they must first establish the nature of the problem, assess the potential impact, and then develop the correct course of action for their institution. Only then can they determine how best to communicate with their impacted customers.

When financial institutions have a well-coordinated, multi-channel strategy (email, SMS, voice, mobile app and so on) for making their customers aware of the institution's vigilance, posture and plan, they win. It goes beyond reassuring a customer; it is an opportunity to assert a distinctive leadership role in the marketplace.

In instances where a mass block and reissue event is warranted, proactive communication (identifying the problem, how it's going to impact your customer and what you're doing to put it right) can be an opportunity to stand out as a financial institution, distinguished by your customer relationships. When a breach is made public, the ability to keep your customers informed via multiple channels can be a true differentiator in customer satisfaction and speed of response. For banks and processors that evaluate high profile breaches solely through the lens of a risk or security response, this is also a missed opportunity to segment and target their customer outreach.


An unfortunate reality of being in the payments business is fraud. Most in the industry accept that these events can and do happen. A lot. I would estimate that there were many hundreds (if not well into the thousands) of data breaches of varying size last year, some of which were never reported, and some which were reported and then intentionally buried.

In fact, a recent Infosec study suggested that 57% of malware self-detected in business was not reported. Further, law enforcement believes it has visibility into only a fraction of these breaches. These incidents happen to businesses of all sizes and in many geographic locations, and when you are in the trenches of fraud monitoring they are constant issues that demand your attention. They're exhausting and so common that the term "breach fatigue" was recently coined to describe the condition.

Breach fatigue, however, should not be mistaken for something new. One of the soundest things said over the last few weeks came from a sage veteran law-enforcement officer who now consults exclusively for banks, and it is something we've heard before: the working assumption should be that any card may already be breached, or may be breached at any time, and so is at risk and carries the potential for fraud.


Using this as the baseline assumption, and combining it with another industry standard, layered security controls, issuers can adopt a posture that manages the situation effectively. The position is this: the financial services industry can set controls that are tied to this specific breach, controls that are tied to the one that came before it, and finally controls that will protect us from the next one. Deploying a risk-based, compromise-centric and layered framework is one way to prevent data breaches from stunning us in the future.
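As an added illustration of that layered, compromise-centric posture (example code written for this edit, not ACI Worldwide's product or the author's own implementation), the scoring engine below stacks three control layers on each authorisation: a list of cards known to be exposed in the current breach, a list carried over from a prior breach that has not yet been fully reissued, and breach-agnostic velocity and geography rules meant to catch the next compromise before any list exists for it. The card tokens, compromise lists, weights and thresholds are all constructed for the example; a real issuer would tune them and feed the lists from its network compromise notifications.

```python
"""Layered, compromise-centric transaction scoring (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Txn:
    card: str        # issuer-side token or hash of the PAN, never the PAN itself
    amount: float
    mcc: str         # merchant category code
    country: str     # merchant country
    ts: datetime


# Constructed compromise lists keyed by event (hypothetical tokens).
COMPROMISED = {
    "breach-current": {"tok-1001", "tok-1002"},   # layer 1: this breach
    "breach-prior":   {"tok-2001"},               # layer 2: the one before it
}
# Constructed cardholder home countries for the geography rule.
HOME_COUNTRY = {"tok-1001": "US", "tok-1002": "US", "tok-2001": "US", "tok-3001": "US"}

# Illustrative weights and thresholds; an issuer tunes these from loss data.
W_CURRENT_BREACH = 60   # card is on the current breach list
W_PRIOR_BREACH = 30     # older exposure, lower weight until reissue completes
W_FOREIGN = 25          # transaction outside the cardholder's home country
W_VELOCITY = 45         # too many attempts in a short window
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3      # attempts allowed per window before the rule fires
STEP_UP_AT, DECLINE_AT = 40, 70


@dataclass
class Engine:
    # per-card timestamps of recent attempts, used by the velocity layer
    history: dict = field(default_factory=lambda: defaultdict(list))

    def score(self, t: Txn):
        """Return (score, reasons) for one transaction and record the attempt."""
        score, reasons = 0, []
        # Layer 1: controls tied to the current breach.
        if t.card in COMPROMISED["breach-current"]:
            score += W_CURRENT_BREACH
            reasons.append("on current breach list")
        # Layer 2: controls still in force from the previous breach.
        if t.card in COMPROMISED["breach-prior"]:
            score += W_PRIOR_BREACH
            reasons.append("on prior breach list")
        # Layer 3: breach-agnostic controls for the breach we don't know about yet.
        home = HOME_COUNTRY.get(t.card)
        if home and t.country != home:
            score += W_FOREIGN
            reasons.append("outside home country")
        recent = [ts for ts in self.history[t.card] if t.ts - ts <= VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_LIMIT:
            score += W_VELOCITY
            reasons.append("velocity")
        # Keep only in-window history so the per-card list stays bounded.
        self.history[t.card] = recent + [t.ts]
        return score, reasons


def decide(score: int) -> str:
    """Map a layered score onto an authorisation outcome."""
    if score >= DECLINE_AT:
        return "decline"
    if score >= STEP_UP_AT:
        return "step-up"   # e.g. one-time passcode or call-out before approval
    return "approve"


def run_sample():
    """Score a constructed batch of authorisations; returns (card, score, decision)."""
    t0 = datetime(2014, 1, 20, 12, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    txns = [
        Txn("tok-3001", 40.0, "5411", "US", m(0)),   # clean card, nothing fires
        Txn("tok-1001", 40.0, "5411", "US", m(0)),   # current breach, domestic
        Txn("tok-1001", 500.0, "5732", "CA", m(1)),  # current breach + foreign
        Txn("tok-2001", 25.0, "5812", "US", m(2)),   # prior breach only
        Txn("tok-3001", 10.0, "5999", "US", m(1)),   # start of a rapid burst...
        Txn("tok-3001", 10.0, "5999", "US", m(2)),
        Txn("tok-3001", 10.0, "5999", "US", m(3)),   # ...fourth attempt in 10 min
    ]
    eng = Engine()
    out = []
    for t in txns:
        s, _ = eng.score(t)
        out.append((t.card, s, decide(s)))
    return out


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The point of the third layer is that it needs no breach list at all: the fourth rapid attempt on tok-3001 is stepped up even though that token appears on no compromise list, which is the control that protects against "the next one".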

Coupling that framework with a proactive customer communication plan is paramount and elevates it. This combined path best positions the institution in support of its customers and against the fraudsters who are trying to exploit the system. Breaches are now quite common, but the response to them is what makes an institution uncommon.

Seth Ruden is a senior fraud consultant for ACI Worldwide.
