
Why Wait for a Security Breach?

August 13, 2014

Headline-making security breaches have hardly faded away since the beginning of the year. Looking back on statements Neiman Marcus made to journalist Brian Krebs following their January 2014 breach might provide an answer as to why.

Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorised payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensic firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result.

We have begun to contain the intrusion and have taken significant steps to further enhance information security.

The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.

Let’s focus on this statement in particular:

We have … taken significant steps to further enhance information security.

Why do companies wait for a disaster to occur before making improvements that could have prevented the incident – saving the organization and its customers untold hours of lost productivity?

  1. They don’t think it will happen to them. Often, an organization eyes a peer that suffered a breach and thinks, “Their security and operations are sloppy; they had it coming.” But alas, those in an organization who think their own security and operations are not sloppy are probably not familiar with their security and operations. In most organizations, security and systems are just barely good enough to get by. That’s human nature.
  2. Security costs too much. To them I say, “If you think prevention is expensive, have you priced incident response lately?”
  3. We’ll fix things later. Sure – only if someone is holding it over your head (like a payment processor pushing a merchant or service provider towards PCI compliance). That particular form of “later” never comes. Kicking the can down the road doesn’t solve the problem.

It is human nature to believe that another’s misfortunes can’t happen to us – until they do.

By: Peter Gregory

Director, Information Security
