C-level Execs Lack Confidence, Bear Blame For Data Breaches

Cause and effect anyone?

A new study conducted by Dimension Research on behalf of Tripwire has revealed how executives view cybersecurity risks as well as their preparedness and confidence towards dealing with a security breach if or when it should occur.

The study, which solicited the views of 200 business executives and 200 security professionals, revealed how C-level executives considered themselves to be “cybersecurity literate,” with 100% of the respondents claiming to be so, despite the number of data breaches and other high profile attacks we’ve seen recently.

Interestingly though, IT security literacy does not translate into confidence.

Even though the number of non-C-level executives claiming a good level of understanding of security issues was a ‘mere’ 84%, C-level executives were found to be less confident (68%) than non C-level executives (80%) that briefings presented to the board accurately represented the urgency and intensity of the cyberthreats targeting their organisations.

Additionally, C-level executives (65%) were less confident than non C-level executives and IT executives (87% and 78% respectively) in the accuracy of the tools their organisation uses to present cybersecurity risks to the board.

As for why C-level execs are seemingly less confident than others in how risks are handled, Tripwire’s Dwayne Melancon had this to say:

The reality is that an extremely secure business may not operate as well as an extremely innovative business. This means executives and boards have to collaborate on an acceptable risk threshold that may need adjustment as the business grows and changes.

The good news is that this study signals that conversations are beginning to happen at all levels of the organization. This is a critical step in changing the culture of business to better manage the ongoing and rapid changes in cybersecurity risks.

While the results of the Tripwire study indicate an increased preparedness on the part of IT professionals, they expose the uncertainty at the C-level and point toward the need to increase literacy in cybersecurity and its attendant risks in the near-term, the study said.

I’m not surprised that C-level executives are less confident than their boards or IT executive staff. That lack of confidence comes, in large part, from the networking and informal benchmarking that takes place among C-level executives at the peer level.

There is a lot of ‘comparing notes’ that happens between C-level peers. When this happens, you are able to get a more informed view of where you are in your overall cyber risk preparedness. This is in direct contrast to IT professionals who generally have a more insulated view of their own cyber risk, which can lead to a false sense of security.

That difference in perspective – internal inputs vs. external inputs — may very well explain the confidence gap this survey highlights.

There could of course be another reason why C-level executives lack confidence – the blame game.

In another piece of research from Tripwire, conducted at the recent RSA and BSidesSF conferences, 250 respondents gave their opinion on who should shoulder the blame in the event of a data breach.

Chief executive officers and the company board appear to get off lightly in the view of those who took the survey, with only 28% and 10% respectively thinking the buck should stop with them following an incident.

By way of contrast, 41% of the survey’s respondents said “CIO, CISO or CSO” when asked “Who would be held responsible in the wake of a data breach on critical infrastructure in your organization”.

As for who should be left carrying the breach blame when the music stops, a similar number (35%) plumped for the C-level once again.

Tripwire’s Ken Westlin said:

Cyber security liability is difficult to assign because you have to determine who knew about the risks, and then you have to figure out what they did, or did not do about them.

If the CEO is made aware of security risks and does not provide the resources or plans to fix them, they own some of the responsibility. On the other hand, if the CISO does not share information about risk in a format that the CEO can understand, or fails to deploy the security controls and monitoring necessary to identify potential risks, then a greater share of the responsibility falls on her.

However, cyber security is a team sport that requires active support across the organization and from all levels of the executive team.

I personally think Westlin’s observation that infosec is a team game is key. I also know from years of experience in other industries that playing the blame game tends to break that togetherness and often ends in a lose-lose situation for all concerned.

So, instead of flinging blame and hunting for a scapegoat, organisations would perhaps be better served by placing an emphasis on better sharing of intelligence and, heaven forbid, better communication between everyone in the business. They might also take a fresh look at ‘cyber literacy’: what exactly it means to each person, and whether it is truly a label that fits their level of knowledge.

Children From 94 Schools Across Ireland Receive Anti-Bullying Award At Facebook’s Dublin HQ

A new initiative from Facebook has seen the social network engage with children in an attempt to tackle online bullying.

The social network, which has its European headquarters in Dublin, has often been criticised for an apparent lack of interest in getting to grips with a problem that has arguably plagued its website for many years.

Now, however, the company appears to be taking a more proactive approach with the news that it invited schoolchildren to its HQ to receive recognition for their work in combating bullying.

Kids from 94 schools across Ireland were recognised with the Diana Award, set up in the memory of Princess Diana, joining over 1,000 other young people who have already been trained as Anti-Bullying Ambassadors.

As part of the initiative, Ireland Live heard from a number of students who had elected to stand up to bullying, including Elliot Davis from Newbridge, who took the novel approach of furnishing every student with some positive feedback:

We set up a confidential email monitored by ambassadors and teachers. We’re here for anyone no matter what their query might be. They can get through to us and have someone to talk to in a few clicks.

One day we took on the monstrous task of writing 900 sticky notes with compliments on them. We stuck one on every single person’s locker. It’s something as simple as that which can change someone’s day.

Speaking to the BBC, Zoe Taylor said it was good to be involved, adding that “It’s made quite a lot of difference because it means everyone has someone to come to if they feel like they are getting bullied”.

Reminding us all how bullying has evolved in the digital age, Jade Taff said she had been approached by younger children who had experienced cyber bullying:

They’re just nasty, it’s hard to think people would say something like that.

It is cyber bullying so people keep it hidden. But they can show us the messages and if it’s serious we can take it to the year head and get it sorted straight away.

During the course of the event, Facebook launched its new “Stay Safe on Facebook” resource, a series of short videos aimed at informing children and teachers how to deal with bullying and make simple account changes to deal with trolls and bolster privacy.

Tessy Ojo, CEO of the Diana Awards, was understandably chuffed with the award winners and equally pleased to be working with Facebook:

We are incredibly proud to be celebrating the work that young people in Ireland are doing to make their communities safer and delighted to be partnering with Facebook. We believe that young people are key to changing their communities.

Julie de Bailliencourt, Facebook’s safety policy manager, countered the view that the social network had been slow to respond to concerns over cyber bullying, saying that the company cared deeply about the issue and had launched a number of initiatives in many different countries, adding that:

We do not allow bullying on Facebook, we just want to make sure we have the right tools and policies in place so that our community and teens in particular really feel safe interacting on Facebook.

The social network’s involvement with the Diana Award comes hot on the heels of new anti-bullying legislation designed to combat online trolls. The new laws could see web-based bullies hit with fines of up to €5,000 in addition to custodial sentences of up to 12 months.

Insecure Employees And Their Brainwaves

Here at BH Consulting we often talk about how all the security in the world could be for nought if your employees themselves are not cyber aware and sufficiently well trained to avoid the generalised and socially engineered threats that come their way.

The solution, we think, is to tackle the lack of security knowledge head on, engaging with staff in such a way that they will wish to buy into a culture of security.

But wouldn’t it be great if there was another way to ensure the security of your business, not by enhancing the nature and skills of your workforce, but by only employing those who are less susceptible to being tricked or otherwise duped into insecure activity in the first place?

Well, according to research from Iowa State University, that may be a possibility.

Three researchers from the educational establishment have hypothesised that less secure personnel can be identified based on their brainwaves.

The Ames Tribune reports how Qing Hu, Union Pacific Professor in information systems, assistant professor of marketing Laura Smarandescu and Robert West, professor in psychology, tested subjects’ brain activity.

What they discovered was that the test subjects with the lowest levels of self-control were those most likely to give away company secrets.

Depending on which publications you read, you are likely aware that anywhere up to a reported 59% of security incidents are attributed to human action, be that accidental, uninformed or malicious in nature.

Hu, who said the actual figures may be much higher due to the age old problem of businesses under reporting security incidents, has been studying the subject for more than ten years, searching for a way to predict which employees are likely to pose the largest threat:

In the past, we’ve used surveys for research like this. But people don’t necessarily tell them their true thinking and ideas, sometimes for social desirability.

Sometimes people want to show themselves as better than they are. So that causes bias issues in surveying.

To achieve better results Hu joined forces with the other two researchers and together they studied 350 Iowa State University undergraduates.

Taking the 20 students with the highest levels of self-control, plus the 20 with the lowest, the team then ran a second set of tests which measured their brainwaves. Robert West explains:

We asked them to think about whether they would violate a company’s assets or security policy.

We told them to imagine they were an employee asked by a friend to share a client or user list. We set that scenario up and asked them how likely they would do this, and we captured that specific response.

The research revealed how the students with the highest levels of self-control took longest to respond which, the researchers say, suggests a longer cognitive process as they weighed up the pros and cons of their decision.

Hu noted how the cost of testing may be prohibitive to all but the largest of businesses but said simple screening processes could be implemented to identify candidates with the lowest levels of self-control and, hence, the largest propensity to engage in insecure practices such as opening phishing emails and passing data on to unauthorised parties.

While I personally don’t think brainwave testing should suddenly become commonplace off the back of one study, it could be a useful metric in the future and one that many businesses may well be interested in should the field develop.

Meanwhile, Hu warned against dismissing the notion of employing people with low self-control altogether, saying:

Everyone has talents and everyone has weaknesses. Businesses should use the right people with the right talents for the right job.

People with low self-control should not be put into positions that would have access to confidential digital assets. But those people could be very productive in other areas of the business, they’re just not suitable for those kinds of conditions.

What do you think?

Could brainwaves provide key intelligence when interviewing new candidates for your organisation? Is the research relevant? Or is it a load of mumbo jumbo?

What Can A Dope Dealer Teach Your Organisation About Information Security?

Irrespective of the type of business your organisation conducts, the protection of its assets is vitally important.

That’s why traditional brick and mortar stores employ physical controls such as alarms, restricted access and guards, and why companies looking to protect information employ technical measures and security professionals.

But all of the above may be for nought if someone within the organisation decides to say more than they should.

Take, for instance, Dominic Marshall, a 20-year-old man from Manchester.

Marshall’s business was a little out of the ordinary, operating in a market most of us are not familiar with – the sale of cannabis.

Given the sensitive nature of such work, and the attention it rightfully attracts from the constabulary, it should go without saying that discretion is a valuable characteristic for any self-respecting drug dealer.

Alas, for Marshall at least, discretion was not one of his strong points.

In a bid to increase sales he took to Facebook to boast of how he had Ganja for sale, informing his 2,737 friends and, due to a lack of privacy awareness and incorrect settings on the social network, anyone else who happened upon his page too.

Even when his clued up friends warned him that he was a ‘walking charge sheet’ he continued to use the site to boast of how he had ‘bud’ for sale.

Police – and it’s not known whether they were trawling Facebook or had been tipped off – soon paid him a visit, arriving on 3 October at which point they discovered his father Phillip in possession of 33 bags of the drug.

Marshall subsequently received a 12-month community order as well as a period of supervision and drug rehabilitation after admitting offering to supply class B drugs while his father picked up a fine for possession.

In passing sentence, Judge Hilary Manley stated the obvious as she said:

You’re hardly a sophisticated drug dealer given the nature of the Facebook messages you publicised.

John Kennerley, in attempting to defend Marshall, said “It must be an immature person who acted in the way he did by putting on Facebook the fact he had cannabis which he was offering for sale – not the actions of a sophisticated, hardened criminal.”

Even so, it takes neither a fool nor a criminal to put your information-based assets at risk through poor decision making.

While technical controls and security expertise certainly have their place, and will go a long way in mitigating risk, there is always that other ever-present danger: the human element.

While we hope your employees are not dopes, the truth is they are fallible.

Have you planned for that with your security procedures? Are your staff aware of your social media policy? Do they know that loose talk anywhere on the web can put your business at risk and their jobs in jeopardy?

If not, you have some work to do and may wish to consider training your employees and sprinkling in some security awareness so they are aware of what they should and, more importantly, should not say on Facebook and other social networking sites.

Clickety Click: Everyone Is A Potential Security Weakspot

If you work in the infosec profession you most likely know that humans are the widely accepted weak point in any security setup, but a new report from Proofpoint has reiterated how attackers employ psychology to improve the chances of their attacks succeeding.

The company’s Human Factor Report (sign-up required) provides in-depth analysis of how humans can be exploited by targeted attacks, and reveals just how many dodgy emailed links are clicked by unthinking fingers.

While the overall gist of the report is much as expected, some of the figures are interesting to say the least.

Take, for instance, the number of malicious email links that are clicked on. Personally I would have said that an organisation that does little to educate its staff might be horrified if one percent of the phishing links it receives are given any kind of attention.

In companies that provide training and security awareness, I would expect that figure to be much lower.

But the reality, according to Proofpoint’s research, is that around 4% of malicious links are clicked on by users.

That’s shocking!

The report reveals how the volume of phishing emails has little bearing on the proportion that are opened and not one organisation had a zero click-through rate.

Unsurprisingly, malicious emails are non-discriminating, finding their way into firms in all industries. But, as you may already suspect, sectors such as banking and finance receive more than their fair share, getting 41% more than the average for all industries.

Where emails are sent to named individuals or departments they most likely end up in the inboxes of sales, finance or procurement, who receive them 50-80% more often than other groups within the company.

Members of the management team are also likely to be on the receiving end of a phishing campaign, which may be because Proofpoint found that managers are twice as likely to click as executives, a situation that has deteriorated significantly since the company completed a similar study last year.

As for the lures that are working, Proofpoint says message alerts, social media invites and order confirmation emails are all popular, as are messages employing infected attachments rather than embedded URLs.

What are the attackers after?

Proofpoint specifies the usual suspects – bank account and user account information – but also points out how credit card data, health records and even intellectual property are becoming of interest to online thieves. Moral of the story here: if something has value, someone will want it.

How to stop such an attack?

The report notes how the time between a phishing email being received and acted upon is relatively short with the majority of clicks happening on the day of receipt. Of all malicious links that were clicked, 96% were tapped on within a week of being received.

So, to protect your business you need to act relatively quickly.

That means technical controls to limit the amount of such email that reaches your employees in the first place but it also means having a workforce that knows the risks of clicking on phishing links and, indeed, how to spot such messages in the first place.
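The figures above (a click-through rate, who is clicking, and how long after delivery) are exactly what a security team can measure for itself from its own mail-gateway and web-proxy records, which is what tells you how much time you actually have to act. The following is an added example, not code from the original post or from Proofpoint: it joins a constructed set of delivered-malicious-link rows with the time of the first click (the rows, department names and timestamp format are all invented for illustration) and reports the overall and per-department click rate, the share of clicks that land on the day of delivery and within a week, and the list of users to follow up with.

```python
"""Measure phishing click-through and time-to-click from delivery and proxy records."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M"

# Constructed sample, not Proofpoint data: one row per malicious link that reached
# a mailbox, joined with the proxy/web-filter record of the first click (or None).
SAMPLE_ROWS = [
    # (user, department, delivered, first click)
    ("alice", "sales",   "2015-04-01T09:00", "2015-04-01T09:12"),
    ("bob",   "sales",   "2015-04-01T09:00", None),
    ("carol", "finance", "2015-04-01T09:05", "2015-04-02T14:35"),
    ("dave",  "finance", "2015-04-01T09:05", None),
    ("erin",  "finance", "2015-04-01T09:05", None),
    ("frank", "eng",     "2015-04-02T11:00", None),
    ("grace", "eng",     "2015-04-02T11:00", None),
    ("heidi", "eng",     "2015-04-02T11:00", "2015-04-10T08:00"),
    ("ivan",  "exec",    "2015-04-03T08:00", None),
    ("judy",  "exec",    "2015-04-03T08:00", "2015-04-03T08:03"),
]


def parse_rows(rows):
    """Turn the raw rows into events with real datetimes."""
    events = []
    for user, dept, delivered, clicked in rows:
        events.append({
            "user": user,
            "dept": dept,
            "delivered": datetime.strptime(delivered, TS_FMT),
            "clicked": datetime.strptime(clicked, TS_FMT) if clicked else None,
        })
    return events


def click_rate(events):
    """Fraction of delivered malicious links that drew at least one click."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["clicked"]) / len(events)


def click_rate_by_dept(events):
    """Click rate broken down by department, to see where awareness work is needed."""
    by_dept = defaultdict(list)
    for e in events:
        by_dept[e["dept"]].append(e)
    return {dept: click_rate(evs) for dept, evs in by_dept.items()}


def time_to_click(events):
    """How quickly clicks follow delivery: share on the same calendar day, share
    within seven days, and the median delay in hours."""
    clicked = [e for e in events if e["clicked"]]
    if not clicked:
        return {"clicks": 0, "same_day": 0.0, "within_week": 0.0, "median_hours": 0.0}
    delays_h = [(e["clicked"] - e["delivered"]).total_seconds() / 3600 for e in clicked]
    same_day = sum(1 for e in clicked if e["clicked"].date() == e["delivered"].date())
    within_week = sum(1 for e in clicked
                      if e["clicked"] - e["delivered"] <= timedelta(days=7))
    return {
        "clicks": len(clicked),
        "same_day": same_day / len(clicked),
        "within_week": within_week / len(clicked),
        "median_hours": median(delays_h),
    }


def clickers(events):
    """Users who clicked, i.e. the follow-up list for awareness training."""
    return sorted(e["user"] for e in events if e["clicked"])


if __name__ == "__main__":
    evts = parse_rows(SAMPLE_ROWS)
    print(f"overall click rate: {click_rate(evts):.0%}")
    for dept, rate in sorted(click_rate_by_dept(evts).items()):
        print(f"  {dept:8s} {rate:.0%}")
    print(time_to_click(evts))
    print("clicked:", ", ".join(clickers(evts)))
```

The same-day share is the number that matters for response planning: if most clicks land before the next morning, a daily review of gateway quarantine reports is already too slow, and the technical control that pulls or rewrites a link has to run within hours of delivery.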

Kevin Epstein, Proofpoint’s vice president of Advanced Security & Governance, says:

The only effective defense is a layered defense, a defense that acknowledges and plans for the fact that some threats will penetrate the perimeter. Someone always clicks, which means that threats will reach users.

Here at BH Consulting we suggest security awareness training as the appropriate counter, as it can be used to inform your staff of what to look out for and how to, ultimately, protect your business (and the lessons they learn can, of course, be put to use to protect themselves away from the work environment too).

Fitness Freaks Can Save Cash On Insurance Premiums – But At What Cost?

You knew this was coming right?

In an age of FitBit, Apple Health, Smart This and Smart That, we’ve known for a long time that insurers would love to get their hands on, well, everything really.

When setting premiums, underwriters pore over a pile of statistical data to assess the risk you present vs. the return the company will receive via your monthly contributions to their coffers.

While it is science honed over many years, it relies heavily upon data averaged from hundreds, thousands or even millions of other “average” people of similar ages, body types and with the same medical conditions that you have declared on your application.

So… there could be some variance between you and Joe average that could mean you present a lower or higher risk in terms of the returns the insurance company could hope to obtain from your custom.

How could the insurance firm ensure that it stacks things further in its favour then?

Simple – by collecting more data and, specifically, by collecting your data.

Those of you who track how many sit-ups you’re doing each day, how far you are running, how often you take the bike out and even how often you get “lucky” have much to offer the insurance industry and it is very keen to learn.

In fact, KSL.com reported over the weekend how the US now has its first insurer basing quotes off individual empirical data, obtained via fitness tracking technology.

John Hancock insurance company is offering a discount to customers who are prepared to share their health data, with the alpha males and females among its clientele eligible for a cut of up to 15% in their premiums.

But woe betide any fitness freaks who slack off for too long: data is continuously monitored and premiums could creep back up when health levels are deemed to have dipped too far.

But if you are dedicated, and fancy being labelled a platinum level fitness freak it’s all good, right?

I don’t think so.

Let’s think about this logically – what are you trading for that small monthly saving on your insurance costs?

Well here’s a short list off the top of my head:

  • your health data
  • your motivational levels
  • your location, which will likely make pinpointing your home a breeze
  • your financial situation – fitness trackers are typically owned by the more affluent members of society
  • your privacy – your insurer will know where you go, when, and possibly even who you meet if they wear a tracker
  • your security – where is your data stored and who by; what security measures are in place to keep it safe?

And, perhaps, your morals too.

After all, insurance companies, like any other type of business, are in it for the money. If they are offering discounts to some customers how are they going to pay for it?

Sure, having better data may cut the costs somewhat but there is also a darker side here in my opinion – what happens to those people who cannot afford fitness trackers, choose not to own one, or have one and are chronically unfit either through choice or due to an accident or via disability from birth?

Though there is no word from John Hancock, I can imagine premiums for those who are not handing their data over could well rise faster than normal to compensate for the loss of profit brought about by offering premium discounts and other incentives to the fitter members of society.

Putting aside the multitude of security concerns, is that the future we want from our insurance industry?

I don’t, but I suspect we’ll see similar schemes on offer from UK insurers in the not-too-distant future. Hopefully when, in the future, it becomes mandatory to wear one (I know, I like a good conspiracy theory), they’ll come in black so they match the boxes we’ll be forced to have in our cars which, you know, also cut our insurance premiums.

Excited By The Extension Of Chrome Support For Windows XP? You Really Shouldn’t Be…

I can just imagine millions of voices crying out in extreme pleasure in response to the news that Google has extended support for Chrome on Windows XP through to the end of the year (it was previously due to end later this month).

The only problem with that, however, is the fact that it implies there are still a large number of users on Microsoft’s now aging operating system (industry experts suggest anywhere between 10 and 20 percent of all machines still use XP).

While Windows XP was pretty darn good back in the day, and a huge improvement on its successor(!), it is, as Monty Python may say, deceased, dead and long since ceased to be.

Alas, many millions of users are still dicing with antiquity on a daily basis, continuing to run the operating system that refuses to pass on, despite the fact that Microsoft ended mainstream support for Windows XP in 2009 and extended support in April 2014.

That lack of ongoing support means anyone continuing to use Windows XP has a problem. Unless you run a company of some fair size and have handed over a large stack of cash to Microsoft in return for special, extended treatment (and why would you throw your organisation’s money away like that?), you will be up the swanny in terms of getting any kind of protection against new strains of malware and viruses, or any other kind of support.

As Mark Larson, Director of Engineering, Google Chrome, says in a post announcing the extension of support for Chrome:

Computers running Windows XP haven’t received security patches in over a year and are facing a number of critical security vulnerabilities. At the operating system level, computers running XP are inherently in danger of being infected by malware and viruses, making it increasingly difficult for Chrome to provide a secure browsing environment. That’s why we strongly encourage everyone to update to a supported, secure operating system.

Sage advice indeed.

And something you would be well advised to take on board.

As Larson says, not everyone can afford to upgrade to a newer operating system on a regular basis and Chrome wants to keep Windows XP users as safe as possible, but there will come a time when that becomes impossible, given the financial costs of further development for something that should already be defunct.

So, if you are running Microsoft’s old operating system at home, start saving for something newer (it looks like Windows 10 may be relatively cheap or even free for some users), or explore some of the free operating systems, such as Linux, which will keep you far safer from harm.

And, if you are running Windows XP machines in a corporate environment, now is a pretty darn good time to go have a word with whoever controls the purse strings in your firm because such an ancient operating system has no place in a world where malware, data breaches and other threats are far more common than any of us care to think about.

Heading to RSA

The bags are not bagged but I will be leaving on a jet plane next week to attend the annual information security Mecca of conferences that is RSA Conference.

While I am there I will be doing two book signings for the book “CSA Guide to Cloud Computing: Implementing Cloud Privacy and Security”, which I wrote with Jim Reavis and Raj Samani. One signing will be at 15:00 at the CSA booth on Tuesday and the other will be at 11:30 at the book shop on Wednesday.

I am also taking part in the panel discussion “Breach 360: How Top Attacks Impact Tomorrow’s Laws, Litigation, Security” which is on at 10:20 on Wednesday morning.

If you are going to RSA it would be great to meet up. So feel free to contact me so we can grab a coffee or simply have a chat.

Hope to see some of you there.

Why Is A Lack Of Infosec Skills Still A Problem For Business?

The latest State of Cybersecurity report from ISACA and RSA Conference has yet again revealed that one of the biggest challenges faced by businesses looking to improve information security is the dearth of suitable talent.

With 82.51% of the surveyed organisations saying they think the likelihood of being attacked during 2015 is either likely or very likely, the race to acquire the talent required to mitigate the risk is on, but finding suitable staff is proving to be quite a challenge.

More than a third of enterprises are finding it impossible to fill open positions with candidates of the required quality at a time when we are continually hearing about new attacks, external breaches and even the threat posed by internal employees.

The survey, which took on the views of 649 managers and practitioners within the infosec and more general IT fields, showed that 77% had experienced an increase in attacks during 2014, with familiar threats such as phishing, malware and loss of mobile devices proving to be among the most problematic issues.

While we all know that such threats can be mitigated to a fair degree through security awareness, monitoring processes and BYOD policies, the fact is that many organisations simply cannot recruit suitable talent to put processes and procedures into place.

The study reveals the depth of the problem, citing a large number of unqualified applicants as being of particular concern – over half of the survey respondents said that less than a quarter of applicants had the required qualifications for the role they were applying for.

As for why applicants were not suitable, the findings make interesting reading.

Traditionally, the infosec industry has been synonymous with communication problems and, while that may still be so to a degree, it is not the biggest challenge faced by organisations.

Nor is a lack of technical skills – I’ve been told several times that they can be taught to the right candidate if they have at least some aptitude and a passion for the subject.

The biggest issue is actually one that has been receiving more and more commentary over the last few months – a lack of understanding when it comes to business issues.

This makes sense of course: the days of infosec being presented as a drain on company budgets that offers nothing tangible in return are well and truly over. The modern professional needs to be able to see how the function can be a business enabler and to make the case for how its considerable cost can offer some form of return on investment.

And knowing what you are meant to be protecting is never a bad idea either, eh?


Even so, the pool of candidates seems to be unaware of this, or unwilling to adapt, even in the short term, as companies report open positions and lengthy searches for new talent.

And this comes at a time when infosec is finally beginning to be taken seriously by boards and senior managers, as evidenced by the survey’s findings that:

  • 79% report a board that takes an interest in security
  • Just under a third of respondents now report directly to the CEO or other board director
  • Over half of the surveyed organisations employ the services of a CISO
  • 56% of respondents reported that their organisation has increased the security budget for 2015, and a little under two-thirds are, surprisingly, content with the funding available to them

So, with the report revealing how there is still a dearth of talent, and suggesting that formal education, practical experience and certifications are a great starting point for new infosec professionals, where is change needed?

Robert E Stroud, international president of ISACA and vice president of strategy and innovation at CA Technologies, said:

If there is any silver lining to this looming crisis, it is the opportunities for college graduates and professionals seeking a career change. Cybersecurity professionals are responsible for protecting an organization’s most valuable information assets, and those who are good at it can map out a highly rewarding career path.

Stroud makes a good point but he doesn’t answer the question I believe many recruiters are asking: why is the talent not coming through the educational system in the first place?

Is it because infosec is not a sexy enough career choice, its inability to appeal to women, or a question of salary levels?

I think not myself, and agree with Jitender Arora who, at IP Expo last year, said the problem lies with the type of education being provided – it’s not necessarily offering what businesses want.

My view, therefore, is that we probably need better links and understanding between businesses and universities and other educational establishments so that the next generation of potential recruits have skills that are both sufficient and relevant.

Do you agree?

Twenty-Five Million Plus Two Reasons Not To Ignore The Data Breach Risk

A few years ago data breaches weren’t all that common or, if they were, they certainly weren’t being reported with quite the same regularity that they are now.

Nowadays, it seems like another big company is getting hit just about every week – but let us not forget that smaller breaches are also a regular occurrence too.

So what are you doing to mitigate the risk of a breach affecting your organisation?


Hmmm…in that case, this post is for you then as I detail just two incidents from the last week that really ought to have you sitting bolt upright, considering the various costs associated with becoming the next data breach casualty.


Firstly, there was the news that one of the biggest mobile carriers in the US – AT&T – had been slapped hard by the Federal Communications Commission (FCC).

Between 2013 and 2014 a series of breaches at call centres in Mexico, Colombia and the Philippines led to the unauthorised disclosure of personal data, including names and Social Security numbers, of some 280,000 US customers.

The FCC’s investigation revealed that over 40 call centre employees had collectively accessed the records so that third parties could submit handset unlocking requests through AT&T’s online portal. According to an FCC official, many of the handsets in question appeared to have been stolen.

As a result of the breach the carrier – which is the second largest in the US – was ordered to hand over $25 million, the largest civil penalty ever handed out in respect of privacy and data security enforcement action.

AT&T was also ordered to file regular compliance reports to the FCC and the company also voluntarily took on the added expense of notifying all impacted customers as well as offering them a year of free credit monitoring.

But it’s not just large settlements that large companies should fear in the wake of a data breach – reputational damage can be an equally big issue.

White Lodging Services

Take White Lodging Services, for example.

The Indiana-based company provides hotel management services across 14 properties, putting it on an altogether different scale to AT&T, but its business may have been damaged just as much by the news that it has suffered a payment card breach.

Can you imagine how prospective customers must feel, knowing that the company’s point-of-sale systems were compromised between 20 March, 2013 and 16 December of the same year?

Not great, I bet, though the relatively small size of the company may have kept it out of the largest news circles.

Unfortunately for White Lodging Services, some things in the past refuse to stay there, as its systems were again compromised on 27 January this year.

The company says the latest attack is not related to the previous one and it’s hard to tell whether customers should be reassured or increasingly worried about that to be honest.

That the company’s POS systems could be compromised once is worrying but perhaps not entirely surprising, given how the likes of Target, Home Depot and Neiman Marcus have all suffered a similar fate in the recent past.

But twice?

Something is going on here and, in the absence of further information from the company or comment from law enforcement, it’s hard to say what.

In any event, I would suspect that potential customers of White Lodging Services may well have heard the news by now and may be considering their next moves and whether they may be better off staying elsewhere.

That’s not to say that the company has done anything wrong – it may just have been the unfortunate victim of a very skilled attacker (twice, no less) – but the consequences may ultimately be no less damaging than the penalty handed to AT&T.

So, again, the question is, what are you doing to mitigate the risk of a data breach – a crime not limited to the United States – affecting your firm? And do you have an incident response plan prepared in case the worst does happen?