Cybersecurity 2015: Are We Near End of Big Retail Hacks? by Ben DiPietro, Wall Street Journal

01/01/2015 13:07

Cybersecurity emerged as a much bigger risk for companies in 2014, and is likely to be a hot topic again in 2015. Given the importance of the subject—readers in our year-end compliance poll said cybersecurity would be the top compliance issue in 2015—we asked some top cybersecurity and data privacy experts to look ahead and tell us what they see. Two top trends: companies now “get” the need for cybersecurity and new payment systems could bring an end to big retail data breaches.

Rick Dakin, chief executive, data security firm Coalfire:

What is the biggest change that started in 2014 that will carry over into 2015?

Mr. Dakin: The age of evangelism is coming to an end and the age of reality is upon us…companies finally are getting it, that data security is important and a key part of the business. The evangelist in the technology trenches has been asking their bosses ‘Can you please pay attention to what I’m doing, listen to the risks I’m identifying’ and the connection has been made. Businesses are treating cyber risk as a key part of their business management.

How will the threat landscape change in 2015? Who is most susceptible?

Mr. Dakin: Threats are getting much worse, are much broader. Some of the most devastating attacks had nothing to do with credit cards, they had to do with intellectual property, health data. Business disruption is having a devastating impact on businesses, from the Sony attack–where the business impacts are much broader than stealing a debit or credit card—to risks now showing up in health companies and other companies that have intellectual property to protect.

The other thing is on return on investment. It used to be the discussion was ‘I only paid $100,000 for this system, now I’ve got to pay $50,000 to protect that system?’ What companies finally are recognizing is they are paying $50,000 to protect their business and all the data on their systems. It’s not a percentage of IT spend, it’s a percentage of risk of the company at large. We are seeing year-over-year spending rising on cyber risks and a wild uptake in cyber insurance, which matches the business connection to risk and not just the technology connection.

Anything positive happening?

Mr. Dakin: The hopefulness in innovative new solutions that are coming out and are inherently more secure. Take a look at Apple Pay, what a revolution! Everyone is looking at Apple Pay as if it is another wallet, but to the contrary, Apple Pay is a new form of two-factor authentication. It’s the same technology we see in health care and government interactions. With the ability to two-factor uniquely ID ourselves, the amount of identifiable data will go down in retail. We will see a wide range of point-to-point encryption take all that toxic data out of the system. Innovative encryption technologies are a breath of fresh air and will make the DNA of doing transactions more secure.

Kimberly Little Sutherland, senior director of market planning for identity management, LexisNexis Risk Solutions:

What do you see for security and payment systems?

Ms. Sutherland: There is always a balance between security and our individual privacy and convenience—it’s been the same balancing act for years—but people get more concerned when bad things happen and think more about the security piece of it. The consumer wants more convenience and the retailers are going to have to decide what type of risk they are willing to assume. Right now there is separation between the device and the individual. There is a linkage, we can make a lot of inferences, but I can allow other people to use my device so as a result my device is not truly my identity although I use that device regularly. Retailers are going to have to make that decision, is it OK to rely solely on what I can know about an individual based on their device or will they need more information to allow a buyer to make different types of purchasing choices?

Right now retailers are focused on reducing friction, they want to allow customers to make purchases or to find out more about their company with the least amount of friction possible. I think 2015 will be interesting to watch how willing retailers will be to assume more risk. I expect that more companies are going to focus on ensuring that they figure out how to match a person’s mobile device to their unique identity.

Mike Donovan, focus group leader for cyber and technology insurance, Beazley Insurance Services:

What do companies take away from all the data breaches that occurred in 2014?

Mr. Donovan: There were quite a number of breaches but what is clear is companies can do quite a bit to reduce their chance of being a target. A few of the breaches we’ve seen have involved vendor management and user access, segregation of databases–these are things companies can invest some of their resources in and really improve their position in cybersecurity. We are seeing a lot more investment being made in those areas, which is good. But part of the problem is it takes time. Some companies were behind in their investments, in changing systems, and this takes time and effort and so they ended up not being able to stop an attack.

Another thing, it used to be years ago if you had a firewall, some virus software you pretty much were protected. But that’s just not the case at all any more. Most people who are in the security business know there is almost nothing you can do to completely prevent someone from getting into a system. That means detecting it and making it hard for a perpetrator to work their way through a system is becoming more and more important. If I can slow them down, have good detection, there is a good chance I can find it and stop it before any real damage is done.

What are the trends for cybersecurity insurance?

Mr. Donovan: There is a lot more interest in insuring for cyber. The value of having cyber insurance has become much more recognized over the last year, the interest level has increased significantly. I think that over the next year you will see the purchase of cyber insurance as more and more a standard companies employ as part of their overall management of exposures. For companies it’s not so much that their policy is changing, but larger companies are buying more cyber, the amount and limits they are looking for have increased, that is the main thing we see.

Write to Ben DiPietro at, and follow him on Twitter @BenDiPietro1.