Showing posts with label Data Security.

Thursday, May 22, 2014

Bad Customer Service vs. Data Breaches: Competing for "Best Way to Lose Customers" Award

So which is worse: bad customer service or a data breach? Well, when it comes to brand reputation and customer loss rate, they may be equivalent.

Customer service has always been a sticking point for brands. After all, a bad in-store or phone experience with a company can send customers heading for the door, never to be heard from again. Environmental disasters also still rank high on the list of reasons customers may consider discontinuing their loyalty to a brand or company (think Exxon Mobil or BP). Yet, according to a recent study by the Ponemon Institute, customers now rate data breaches right along with customer service and environmental disasters as a major reason to ditch a company and run into the loving arms of its competitors.

It was really bound to happen, if you think about it. With the increase in highly publicized data breaches in recent years (think Target a few months ago and eBay getting headlines today), customers are beginning to sit up and take notice. After all, the threat of identity theft promises much worse consequences than a bad experience with a rude customer service rep, and it hits much closer to home than an oil spill hundreds of miles away.

The average American consumer understands the long-lasting and potentially devastating effects of a breach of their personal information. According to the study, “prior to having their personal information lost or stolen, 24 percent of respondents (customers) said they were extremely or very concerned about becoming a victim of identity theft. Following the data breach, this concern increased to 45 percent, Ponemon says. Almost half of respondents feel their identity is at risk for years or forever.”

Wednesday, May 7, 2014

Data Breach Costs Rise 9% in 2013

So just how much money did companies lose last year to data breaches? Which industries are most at risk? Let’s break down the facts for 2013:
  • Average cost of a data breach to US companies: $5.4 million
  • Average cost per lost record: $201
  • Industries with highest breach costs (in this order):
    • Healthcare
    • Transportation
    • Energy
    • Financial services
    • Communications
    • Pharmaceuticals
    • Manufacturing

While 2013 did not reach 2011’s high ($214 per lost record), this information still represents a 9% rise in data breach costs from last year’s $188 loss per lost record—and the study’s authors think this may be due to loss of customers. A 15% “churn rate” (the tendency of customers to abandon a company) following a data breach represented a steep increase from prior years. Folks are getting wise to companies that don't make securing their sensitive information a priority.

Will this rising cost trend cause companies to sharpen their security behaviors and stay on top of the dangers? We hope so. After all, security is our business.

Maybe your company is on that high-risk list. Maybe you are a small company with limited resources that still feels the pressure of social engineering and identity theft. Or maybe you just need more ideas about how to secure your own company’s assets. Consider Sight Training’s library of security courses, security awareness campaigns, or even social engineering consulting and penetration testing. These first steps can go a long way towards ratcheting those costs down and keeping customers feeling safe and satisfied.

Wednesday, April 30, 2014

Oh the Humanity: Picture of a Thief

In order to improve security awareness among staff, the first step is to change each employee’s mental picture of what it means to be a thief. Not every social engineer who calls will be an easy-to-spot gentleman with an oily voice and diabolical laugh. Awareness cannot be based on preconceived notions about gender, personality, and level of authority.

In order to be successful, social engineers will go to any lengths, will play on your employees’ weaknesses, and will find ways to get in their heads. For many men, that weakness is a friendly girl.

For some folks, it might be a helpless old lady. Here’s another story that illustrates one of the two main problems with employee-based security.

Wednesday, April 16, 2014

New "Smishing" Scam has Tampa Bay banks on alert

Just last week, several Tampa Bay area banks reported a new “smishing” scam (SMS phishing: phishing texts sent to mobile devices) in which mobile users are told by “bank personnel” that their debit card has been flagged. The text then urges them to call a fraudulent number and provide personal financial information.

Phishing through text messages is further proof that attacks continue to come from every angle at once, and are getting more and more clever.

Why is it so hard to practice safe surfing on a mobile device? Why do otherwise intelligent Internet users take actions on their phones that they would never take on a home desktop or laptop computer?

Thursday, March 20, 2014

Are Deceptive Pen Testing Methods Always the Wrong Way to Go?

It’s been interesting to watch all the articles and stories fly about the Army phishing attack carried out by an internal commander, which was finally shut down last week.

Words like “panic,” “disaster,” “terrible,” and “irresponsible” are being thrown around like confetti.

Do I agree with the commanding officer’s decision to take matters into his own hands? No. He was one man acting on his own intuition, rather than one part of a concerted effort with proper executive notification. In an organization as large as the US military, no test should be completed without a lot of feedback and forethought.

It was also unfair to include the Thrift Savings Plan in an attack they knew nothing about—and then leave them to clean up the messy backlash.

But let’s get to the brass tacks here: we can’t necessarily call the commander’s actions “irresponsible” just because some folks got panicked or felt like guinea pigs.

Tuesday, March 11, 2014

It Could Happen to You: The Value of Small Biz to Attackers

Read this little article yesterday and thought it might make a nice follow-up to last week’s interview with Naoki Hiroshima. Quick update on that story: @N has been restored to its rightful owner.

Unfortunately, though, that was not an isolated incident. In fact, according to this recent article on The Verge, small and mid-range companies should be especially alert to these kinds of attacks.

“Stories like Meetup's are less surprising to companies in the business of DDoS mitigation — like Cloudflare, which is currently helping the site recover. CEO Matthew Prince says they're most commonly launched against gambling sites or midrange e-commerce sites, as in this example from 2012. They're businesses with enough success to suffer from a few days of downtime, but often not enough foresight to invest in DDoS protection.”

Tuesday, January 14, 2014

When Ego Gets in the Way: Infosec at the Top

So, I try to be pretty fair when it comes to information security issues. I mean, everyone’s human, right? Everyone makes mistakes. And often, for the average Joe in an office, mistakes are the result of poor security awareness training or a general lack of knowledge about the threats of social engineering, phishing, or the danger-of-the-week (you name it).

But then there are those folks that just let their egos get in the way of security. According to a recent study by Stroz Friedberg, senior managers may be the worst when it comes to protecting sensitive information.

Review these disturbing statistics:

  • 9 in 10 senior managers upload work files to personal accounts.
  • 58% of the managers studied accidentally sent sensitive information to the wrong person.
  • 51% took files containing sensitive information with them after leaving a job.

The study goes on to suggest that people in management positions are more likely to flout the rules regarding information security because they’re under pressure, because they’re super busy—and because some have a serious attitude problem.

Monday, December 23, 2013

Risk, Recrimination, and Reporting: Detecting and Handling Breaches

I read Ericka Chickowski’s article on empowering employees to detect outside attacks earlier this month and I made some notes that have finally found their way into a blog…three weeks later.

Well, better late than never—especially when it comes to the importance of teaching effective employee behaviors. There is always something good to say about it. Here’s my sum-up of this article: Chickowski is 100% right, and she has some particularly notable quotes here.

Thursday, December 19, 2013

Wasted Energy: How Info Purges and a Third-Party Test Could Have Helped the DOE

There’s been a lot of online chatter this week about last summer’s Department of Energy breach—and rightly so. 150,000 affected employees is nothing to sneeze at. The worst part? All the affected employees may not even know yet.

The Real Cost of Data Breach Cleanup

In our experience, there is not a deep enough respect in the market for how difficult and expensive the notification requirements for data breaches can be. Not only can this cause public embarrassment, but it can also put the organization at serious legal and financial risk. Many organizations are mostly worried about the intrinsic dangers of losing the data itself, but show little fear of, or motivation to invest in avoiding, the notification and remediation process that follows.

Wednesday, December 11, 2013

Picture Yourself Secure: Passwords, Phrases, and the Future

In 1492, Columbus sailed the ocean blue…

Every Good Boy Does Fine…

Thirty days hath September…

Ah yes…mnemonic devices. Those performance-enhancing tools used successfully by middle schoolers and beginner-level music students all over the country for…well, for forever, it seems.

Enter any 7th grade classroom on test day and you’ll see small, strained faces searching their memory banks for that rhyme or song that will bring to mind the order of taxonomy (“King Phillip Opens Five Green Snakes”) or the five Great Lakes (HOMES).

Depending on your degree, you might have carried this technique into college. But most of us probably gave up these memory aids along with NoDoz and an actual Spring Break after tossing our grad cap in the air.

But why? The human brain loves association and repetition at any age and for any reason—and that’s why researchers at Carnegie Mellon think we should keep it up when it comes to security.

Monday, December 9, 2013

Phishing Infographic: Don't Get Hooked!

By now, most folks are aware of phishing emails—or at the very least, that social engineers use email to steal average people's sensitive information. Yet, we are continually surprised that the how and why of phishing still eludes many average folks. What do phishing emails look like? How would someone get information from me through an email? What could a social engineer do with that information?

Some folks just respond better to pictures and diagrams. So...voila! Our first foray into the world of infographics, and what is hopefully the first of many.


Employee Training: Out of the Box

As a training company, this is just one more way for Sight Training to encourage folks to do their homework—and by homework, we mean doing a little extra checking before you hand over sensitive information through a phishing email. Your credit card number, SSN, and bank information are yours and no one else's. Guard them at all costs.

And remember: emails are just digital versions of the in-the-flesh thieves who are behind them. They can dress up and look impressive. They can be cool, casual, and persuasive. And they can pull off an official posture with approved logos and embedded links that mimic real websites. Here are a few more tips:
  1. Remember: stranger danger! Don't know who sent it? Don't open it.
  2. Be wary of attachments.
  3. Ignore commands and requests for action—no matter how urgent they may seem.
  4. Use the phone. Try contacting the sender by telephone. If the email is from your “bank,” then you should be able to get the truth pretty quickly. And if you cannot get in touch with the sender, then delete the email and forget about it.

Slow down, take a deep breath, and think about what you are doing before you offer it up to a social engineer on a silver platter.

Tuesday, November 19, 2013

Open Letter to IT Departments: People are Important to Your Security Plan.

Read a Dark Reading article this morning that I really enjoyed. First of all, any article on information security that can work in the zombie apocalypse is A-OK in my book. Nicely done, Glenn Phillips.

And you know, the comparison works surprisingly well. Way too many businesses focus on just a few security dangers (for example, amassing weapons to blow away those pesky zombies) without addressing the whole picture of security (forgetting to stockpile water so you don’t…well…die).

Another problem? Letting an IT team dictate what works and what doesn’t without really considering what Phillips calls “the human component.”

I especially identified with Phillips’ example of the IT department requiring a new, impossible-to-remember password every 60 days. I’ve worked in places like that, where IT made those sorts of demands with a sort of “Do it or else” attitude. This was ineffective. Those demands were usually 1) ignored and 2) laughed at.

Thursday, November 14, 2013

Oh, the Humanity! Train Employees to Say "No" to Social Engineers

Let’s set the scene for the third social engineering tale in our story series “Oh, the Humanity.” A Fortune 100 company asked us to test their defenses against pretext calling, email phishing, and physical security. The best part? They pretty much just gave us carte blanche and asked us to figure out how a social engineer would develop an attack.

After making a few phone calls and obtaining a few seemingly innocuous pieces of information (we call them “building blocks”), we decided to make an attempt to obtain VPN access to their network. Through their audit, we had already obtained the Cisco VPN client and had numerous usernames and passwords. All we needed was a host name.

Tuesday, November 5, 2013

Oh, The Humanity! Another Pretexting Success Story.

And welcome back to our social engineering success story series: "Oh, The Humanity!" Storytelling can be a very effective tool in the fight to raise awareness about information security and effective training—and our firsthand experience with pretexting, phishing, proximity attacks, and more has provided us with ample ammunition. And now, on to our next story...

A while back, a large and pretty well known financial institution (name changed to protect the innocent) hired us to measure whether or not their call center was properly safeguarding the sensitive information in its customer accounts.

Here were the ground rules:

Rule #1: We only called on test accounts, or fake customers placed in the system by the company for penetration testing purposes only. This precaution was for everyone’s security.

Rule #2: We were only provided with the most basic fake-customer information: name and address. These pieces of information pretty well represent what a social engineer can get publicly on the Internet.

Tuesday, October 15, 2013

Information Security in 2013: Are Passwords Really Dead?

According to Heather Adkins, Google’s information security manager, “the game is over” if your company is still relying on passwords as a primary form of information security protection.

Adkins laid it all out when speaking at a recent tech panel. Apparently, Google’s done with passwords and we should be too. She went on to describe a new means of authentication that could require physical tokens embedded in clothing. And who’s behind this world-changing, space-age technology? You guessed it—Google.

Thursday, October 3, 2013

Why Medical Identity Theft Might Be The Next Big Thing

By now you’ve heard of identity theft – we get it…we shouldn’t share our bank account number with the Minister of Finance from Nigeria. But how many of you have heard of medical identity theft? According to surveys, very few…but the number of medical identity theft incidents is rising at an alarming rate.

Tuesday, October 1, 2013

So What Does the Dropbox Hack Mean for You?

So, a couple of months ago, two developers decided to hack Dropbox. Just because. You know what this world needs less of? VOLUNTEER hackers.

Tuesday, September 24, 2013

Mobile Device Security: More than Software

When it comes to mobile security, everyone is still a little bit in the dark. After all, everyone and their grandma has a smartphone or tablet right now, but the general public’s information about the true threats to their devices is probably limited to computer viruses or bugs—little things that are automatically corrected with anti-virus software.

Wednesday, September 18, 2013

Confidential Data and Mobile Devices

According to a recent article at CIO.com, “more than half of employees admit to storing, sharing and working on corporate documents on their personal devices—and this number is growing.”

This is concerning for a number of reasons, not the least of which is the fact that confidential work information is being stored on devices where far fewer security measures are available and that receive much less security attention.