Poor post-breach communication can cause as much damage to a company's reputation as the cyber-incident itself, says Al Pascual, senior analyst for fraud and security at Javelin Strategy & Research.
That's an important lesson learned in recent breaches, says Pascual, who will offer insights from security incidents at Information Security Media Group's Fraud Summit in Dallas on Nov. 18.
"[It's] one thing to be weak in security, like to have a poor security posture, but it's another to make the situation worse, to make yourself look incompetent or simply look like you don't care," Pascual says in an interview with ISMG. "I think we've seen a bit of that this year, not intentional certainly, but it has happened, and I think that's the bigger mistake. You can remediate the security issues, but your image will remain tarnished."
Businesses and healthcare providers that don't adequately communicate with customers or patients after a breach are likely to lose them, he says.
"These breaches are not just about remediation cost; it's not just about the cost of notification," Pascual says. "It's about the fact that [some] people are not going to be your customers anymore, so getting that message right is critical."
In this interview, Pascual also discusses new Javelin research that shows that card-not-present fraud in the United States is expected to be nearly four times greater than point-of-sale card fraud by 2018. This growth is due primarily to the rise in e-commerce volume, rather than to a change in criminal behavior in response to the implementation of EMV chip cards for transactions at the point of sale, Pascual says.
[Chart: Fraudulent E-Commerce Purchases Will Grow Regardless of EMV Adoption. Source: Javelin Strategy & Research]
Pascual also touches on:
- How hackers will target businesses that are slow to adopt EMV credit and debit cards, seeing them as easy pickings compared with larger businesses that are expected to be early chip-card adopters.
- The tendency of some organizations to drop their defenses after a breach because they don't expect to be hacked again. "Just because ... you were breached once doesn't mean you're inoculated from data breaches."
Pascual leads Javelin's security, risk and fraud practice. He began his career with HSBC during the height of the mortgage boom. While working in HSBC's borrower verification department, Pascual performed enhanced due diligence investigations of high-risk loans. He later joined Goldman Sachs' fixed income, currency and commodities division, serving on its mortgage fraud investigations team. Later he joined Fidelity National Information Services, now FIS Global, to oversee data-driven investigations of organized payment fraud groups in the United States. Pascual is a member of the Association of Certified Fraud Examiners and the International Association of Financial Crimes Investigators.