April 17, 2007
» Is the IRS Keeping Your Data Safe?

Today is tax day in the United States. Procrastinators will be spending time wrapping up their returns, either on-line or racing to the local post office.

But, is the information you provide the IRS secure?

According to a recent article in Computerworld, your information is probably not as protected as we'd like to think. "An audit by the Treasury Inspector General for Tax Administration found that between January 2, 2003, and June 13, 2006, a 'large number' of laptops were stolen from the vehicles and homes of IRS employees, while 111 were stolen from various agency facilities", according to the story.

A separate test of laptop computers currently in use by employees found that 44% contained unencrypted sensitive data, including taxpayer data and employee personnel data. Most disappointing, these findings mirror those of a similar July 2003 report.

As the report indicated, "the IRS had not taken adequate corrective actions." The article includes a response from IRS Commissioner Mark Everson in which he says, "Our systems have extensive protection from outside penetration", but that response seems to indicate a failure to recognize not only the threat of laptop theft, but other insider data threats as well.

The IRS expects a great deal from taxpayers when we prepare our returns. It's time for taxpayers to expect more from the IRS when it comes to protecting our privileged information.

April 10, 2007
» How Secure is Microsoft Vista?

Many companies are still taking a "wait and see" attitude on upgrading their Microsoft desktops and laptops to the Vista operating system. The most heavily touted improvements in Vista are focused around security.

We've all seen the Apple commercial poking fun at the constant security-related prompts in Vista. So, what is the scoop on Vista security? Is it an improvement? Where does it still have room to improve?

This month's ISSA Journal has the first of a multi-part overview of Windows Vista Security from Edward Ray and E. Eugene Schultz. The first installment focuses on User Account Control (UAC), Windows Defender, and Windows Firewall.

With UAC, Windows Vista provides a method of separating Standard user privileges and tasks from those requiring Administrative access. According to Ray and Schultz, while this feature is not quite as good as simply logging on as a normal user, it is an additional layer of protection previously unavailable in Windows XP or Windows Server 2003.

One drawback of the UAC feature is that it requires every interaction involving installation or execution of external code to be approved, whether it was initiated by the user or by a potentially malicious website. This leaves users facing a litany of boxes asking them to click Continue or Cancel. Meanwhile, all other access freezes and the screen darkens until you've worked through the entire series of dialog boxes. Pretty annoying, especially if you're the user trying to get something installed.

Windows Defender, also available for Windows XP and 2003, helps protect against pop-up ads, slow performance, and security threats from spyware, adware, keyloggers and other unwanted software. Defender monitors in real time the protected areas of the Windows Vista operating system that such unwanted software targets, such as the Startup folder and the Autorun entries in the registry. However, in a test using a sample set of 25 spyware and malicious code samples, Defender failed to identify 84% of them. Organizations should in no way consider Windows Defender a substitute for third-party anti-spyware solutions.

Windows Firewall, the third area Ray and Schultz focus on, is configured by default in Vista to help protect users' computers as soon as Windows Vista boots. Unlike the Windows XP firewall, the Vista firewall can restrict both inbound and outbound traffic, although outbound filtering must be configured manually or through Group Policy. Like Windows Defender, Windows Firewall should be seen as a complement to third-party solutions, not a replacement.

Lisa Vaas has addressed these concerns in articles in the print edition of eWeek. On March 5th, in an article entitled "Vista's security called into question", she wrote about how social engineering can derail the effectiveness of UAC. In the March 19th edition, she addressed all of the security features mentioned above in "Will Vista Swat Bugs?" She also touched on the Windows Security Center and BitLocker Drive Encryption.

As Ray and Schultz point out, Microsoft is moving in the right direction with Vista, but there are still questions. The biggest challenge is usability. Will the myriad of security prompts lead users to opt out of having to approve software downloads and other potentially dangerous events?

My hunch is they will...until Microsoft can find a way to distinguish where the request is originating from, so the process isn't such a pain.

April 2, 2007
» Lessons from the DuPont Data Theft

Gary Min is the 43-year-old former senior scientist at DuPont who pled guilty to misappropriating $400 million worth of proprietary information. Min was due in court this past Thursday to receive his sentence.

In a Computerworld story, Jaikumar Vijayan identifies six steps to take to mitigate the risks of insider threats and keep track of what's going on inside the firewall.

  1. Get a handle on the data
  2. Monitor content in motion
  3. Keep an eye on databases
  4. Limit user privileges
  5. Cover those endpoints
  6. Centralize your intellectual property data

Clearly, a list like this simplifies the real challenge each point represents, but it does remind us that we need to know what we have for data, when it changes, who can access it, and where it's located. All of this requires constant visibility into your enterprise, down to the configuration level.

In Min's case, it is now known that he downloaded and accessed more than 15 times as many documents as the next most active user of the system. Activity like this can and should be tracked far sooner than it was in DuPont's case. Min's activities were not discovered until he was already working for a rival company.

Read Vijayan's article and see how well you're doing following his six points...and how many more you might add to his list!

March 29, 2007
» Ominous Milestone Ahead for Data (In)security

A research paper due to be released this summer predicts that the two billionth data loss will take place by the end of 2007. In a story posted on ScienceDaily.com, Phil Howard, an Associate Professor of Communications at the University of Washington states that "electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."

Howard, along with Kris Erickson, a UW doctoral candidate in geography, will have their work published in the July edition of the Journal of Computer-Mediated Communication.

Howard and Erickson don't place the blame for the escalation in data loss on hackers though; they put the blame on the shoulders of corporate America, citing research studies showing three out of every five data losses involving personal information are tied to corporate malfeasance.

A couple of things to note. The numbers cited in the study were compiled from media stories. As Erickson indicates, this probably means their numbers are conservative: they certainly don't cover unreported data losses or smaller incidents that didn't make headline news. Erickson also acknowledges the role the California Notice of Security Breach law has played in increasing the number of breaches publicized in the last couple of years. That appears clearly in the increase between their 2006 and 2007 numbers.

With these ominous statistics, it won't be long before everyone in America has had their personal information compromised at least once.

March 28, 2007
» Free Advice on Data Security from the FTC

Yesterday I called out the lack of action the Federal Trade Commission has taken against companies that suffered a breach, in part due to gaps in the security controls in their infrastructure.

It seems only fair that I give the FTC its due when warranted. A few weeks ago, the agency released a 24-page book entitled "Protecting Personal Information: A Guide for Business." According to a post by Rebecca Herold, the free guide focuses on the following five themes:

"TAKE STOCK. Know what personal information you have in your files and on your computers.

SCALE DOWN. Keep only what you need for business.

LOCK IT. Protect the information you keep.

PITCH IT. Properly dispose of what you no longer need.

PLAN AHEAD. Create a plan to respond to security incidents."

As Herold indicates, "this is a very good PII (personally identifiable information) protection primer."

Mike Rothman also highlighted the guidance the guide gives to help organizations be pro-active about preparing for potential security incidents.

The FTC has come up with a beneficial free (using taxpayer money) tool that will give you some clear, basic guidance related to information security. A great start for anyone new to information security and a reasonable baseline for more experienced infosec professionals to cross-check their efforts against.

March 22, 2007
» The TJX Breach: From Data to Dollars

If you want an eye-opening look at what happens to stolen data, check out Evan Schuman's story on the breaking news out of Florida that an $8M gift card scam has been linked directly to the TJX breach. In fact, it's probably this scam that tipped TJX off that they had a problem. It really gives you a glimpse into just how easily stolen data can be used to create authentic looking credit cards and leveraged to turn data into cash.

It should really give anyone involved in security reason to pause as you consider how many people are actively looking for ways to take advantage of your organization. Sad, really.

March 21, 2007
» Data Breaches Can Hit Anyone, Anywhere

Winslow, Maine is not the first spot you'd think a hacker would look to swipe credit card data, but that's exactly what happened recently.

According to a report in the Kennebec Journal, approximately 11,500 customer records were hacked from the website of Johnny's Selected Seeds. Already, at least 20 fraudulent incidents have been reported using the hacked data.

Two interesting things in this story. One, the hackers first broke into the internal servers at the company's offices in Winslow to obtain the access rights they needed to infiltrate the company's web servers, which are hosted in Kentucky. The site had hacker-safe software installed, which was of no consequence in this case because the perpetrators had acquired valid credentials.

The second item of interest is that Johnny's Selected Seeds is neither an overly large on-line retailer, nor are they located anywhere where you'd expect them to be a target.

This is a strong reminder that protecting data is not just a problem for big name companies like TJX or any of the other well-publicized breaches. Whether you fall under a compliance regulation requiring data protection or not, your data is vulnerable and somebody wants it.

Even if you're in Winslow, Maine.

March 17, 2007
» The Tops Talking Information Security

Last week, IT Security named the top 59 most influential voices blogging on information security today.

I was pleased to see a number of my favorites on the list. Congratulations to Alan Shimel and Mike Rothman for their designations as "Chief Blogging Officers", coming in at #2 and #7 on the list. Another contemporary whose site I follow regularly is Michael Dahn, who was recognized in the 17th position for his efforts to bring light to the need for improved security for credit card data.

Not only should you check out each of these three blogs regularly, but the list proves that there are a lot of other blogs I need to check out!

Well done, Alan, Mike, and Michael. Keep bringing us posts that challenge our thinking on information security!

March 12, 2007
» Information Security Gets Physical

I'm sure you caught the headlines about the security breach at six Stop & Shop supermarkets in Massachusetts and Rhode Island. In a matter of moments (seconds, really), the perpetrators were able to swap out encrypted PIN pads for ones that would still process the transaction while harvesting critical card information.

Sarah Scalet had a very interesting post which included comments from CISO John Kirkwood. Kirkwood shared that the company was, for all intents and purposes, compliant with the PCI Data Security Standard, using encrypted PIN pads and not storing card data on-site. But, as he said, "You don't think that people are going to come in and, in a concerted, gang-like way, target PIN pad machines."

The point Kirkwood makes that really stood out was how to approach security...and it's not just making sure you pass a compliance audit.

“Do it from the way a hacker would think. It’s not following the rules of PCI; it’s thinking out of the box and going backward and going sideways. You don’t follow the rules when you’re trying to break into something.”

Well said.

March 5, 2007
» With Security, Actions Speak Much Louder Than Words

My world usually is focused on how technology can aid IT with securing data and the infrastructure surrounding it. However, I am all too aware that improving security begins with a commitment at the top to move from talking about security policies and standards to actually enforcing them.

In Jaime Chanaga's recent post, he shared a February 28th AP story reporting that Texas A&M University forced 96,000 computer system users to change their passwords. The University took this action when a monitoring system detected someone attempting to access the server files containing the encrypted passwords for university users.

I'm sure there are plenty of other organizations who detect inappropriate access on a regular basis, but how many have the discipline to mandate 96,000 people to change passwords? Somewhere in the upper levels of leadership at Texas A&M, somebody, or more likely several somebodies, gets it. They are walking the talk on the importance of security.

As Jaime shares, have you changed your passwords recently? Have you used strong passwords for your on-line banking, e-mail, and websites you frequent?

It's time to let your actions show just how committed you really are to securing your infrastructure.

February 23, 2007
» The story on TJX gets uglier

Now we are learning that the TJX security breach went as far back as 2003 (see a great article in InformationWeek). We are in 2007! What were they thinking? Was this a case of knowing and not disclosing? Or not knowing? I think not knowing. Amazingly, a post on the F. Curtis Berry & Company blog says Gartner analysts estimate less than 50% of Level 1 merchants are compliant with PCI. Maybe it's not knowing and not caring.

The question in the end will be, who really paid the price for the TJX data breach? Well, it's not the credit card company. They're protected. The banks who have to pay $30 for every replacement card certainly think they're a victim - hence the line of lawyers lurking outside some courthouse near TJX headquarters in Massachusetts.

Evan Schuman makes an interesting point on who is the REAL victim in his StorefrontBacktalk post.

What do you think of all this?
February 14, 2007
» Make Sure Terminated Employees Are Disabled Immediately

In Desire Athow's blog post of February 8th, she shared information from a recent study by the U.S. Secret Service and Carnegie Mellon University's Software Engineering Institute CERT Program, which analyzed insider cyber crimes.

The study found that the majority of the people who sabotaged IT systems were terminated employees who got into those systems over VPNs using old passwords that had never been revoked. Most of the remainder were still active employees!

This study screams for two things: greater communication between Human Resources and IT, and increased visibility into access controls.

Human Resources is the first to know not only who is leaving, but who is moving to a different department. This information needs to be communicated to IT immediately. IT needs to be able to generate reports that validate to HR that the changes have been made. Just as importantly, IT needs to provide documentation showing that all admin privileges, NTFS permissions on shared systems and folders, local user and group memberships, and Active Directory group memberships are changed whenever an employee changes positions and their access requirements change.

Yesterday, I talked about the need to tighten up user names and passwords to reduce the external threat; this is an equally important step to limit your exposure to a breach from the inside.
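The HR-to-IT report described above, as an added example that is not from the post or the CERT study: it reconciles a constructed HR roster against a constructed account list and flags enabled or recently used accounts of terminated employees, group memberships left over after a department move, and accounts HR has no record of. The per-department group baseline (`EXPECTED_GROUPS`) and all names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HRRecord:
    employee_id: str
    name: str
    department: str
    status: str                          # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class Account:
    username: str
    employee_id: Optional[str]           # None for accounts HR knows nothing about
    enabled: bool
    groups: Set[str] = field(default_factory=set)
    last_logon: Optional[date] = None    # most recent VPN/domain logon


# Assumed per-department entitlement baseline (hypothetical, not from the post).
EXPECTED_GROUPS: Dict[str, Set[str]] = {
    "engineering": {"Domain Users", "Engineering", "VPN Users"},
    "finance": {"Domain Users", "Finance", "VPN Users"},
    "sales": {"Domain Users", "Sales"},
}


def reconcile(hr: List[HRRecord], accounts: List[Account],
              expected: Dict[str, Set[str]] = EXPECTED_GROUPS) -> List[Tuple[str, str, str]]:
    """Compare the HR roster with the account directory and return
    (finding, username, detail) tuples for HR and IT to act on."""
    by_emp = {r.employee_id: r for r in hr}
    findings = []
    for acct in accounts:
        rec = by_emp.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            findings.append(("orphan_account", acct.username,
                             "no HR record; confirm owner or disable"))
            continue
        if rec.status == "terminated":
            if acct.enabled:
                findings.append(("enabled_after_termination", acct.username,
                                 f"terminated {rec.termination_date}, account still enabled"))
            if acct.last_logon and rec.termination_date and acct.last_logon > rec.termination_date:
                findings.append(("logon_after_termination", acct.username,
                                 f"last logon {acct.last_logon} is after {rec.termination_date}"))
            continue
        # Active employee: any group outside the department baseline is leftover access.
        extra = acct.groups - expected.get(rec.department, set())
        for g in sorted(extra):
            findings.append(("excess_group", acct.username,
                             f"{g} not expected for {rec.department}"))
    return sorted(findings)


# Constructed sample data (not real people or systems).
HR_ROSTER = [
    HRRecord("E100", "Alice", "engineering", "active"),
    HRRecord("E200", "Bob", "finance", "terminated", date(2007, 2, 1)),
    HRRecord("E300", "Carol", "sales", "active"),   # moved from IT to sales last month
]
ACCOUNTS = [
    Account("alice", "E100", True, {"Domain Users", "Engineering", "VPN Users"}, date(2007, 2, 10)),
    Account("bob", "E200", True, {"Domain Users", "Finance", "VPN Users"}, date(2007, 2, 6)),
    Account("carol", "E300", True, {"Domain Users", "Sales", "Domain Admins"}, date(2007, 2, 12)),
    Account("svc_legacy", None, True, {"Domain Users"}, None),
]


def run_report() -> List[Tuple[str, str, str]]:
    """Produce the reconciliation report for the constructed sample."""
    return reconcile(HR_ROSTER, ACCOUNTS)


if __name__ == "__main__":
    for finding, user, detail in run_report():
        print(f"{finding:28} {user:12} {detail}")
```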

February 13, 2007
» Wonder If You're Being Hacked? Wait 39 Seconds

I'm still catching up from the blur that was RSA. Just came across a great article by Liam Lahey about a study conducted by Michel Cukier, a Clark School assistant professor of mechanical engineering and affiliate of the A. James Clark School's Center for Risk and Reliability and Institute for Systems Research in College Park, Md.

The study profiled the behavior of what Cukier called "brute force hackers" -- hackers that use simple software-aided techniques to randomly attack large numbers of computers.

Cukier's findings concluded that computers are attacked an average of 2244 times a day, or once every 39 seconds.

Most of the attacks were looking to exploit basic user names and passwords. Among the common user names attempted were "root" and "admin", since, if successful, they would provide broad access to the computer's files. The most common password attempted was the user name plus "123".

Cukier's research is not just a reminder of how often systems and computers are under attack; it reinforces that one of the greatest security threats is as simple as the user name and password we choose to use.

If your organization hasn't done so already, ensure your users avoid generic or default usernames and passwords and choose longer, less obvious passwords with combinations of upper- and lowercase letters and numbers that are not open to brute-force dictionary attacks. Make sure passwords are changed every thirty days to further decrease the risk of a hacker successfully gaining access to a system, server, or desktop.

Finally, employ an automated reporting tool that can validate that password policies are being followed, including length and how often passwords must be changed. Just as important, make sure all temporary or terminated employees' access is disabled immediately so their log-on information doesn't become an unnoticed route into your systems.
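Two defensive checks tied to the findings above, as an added example that is not from the post or Cukier's study: a sliding-window detector that picks out the rapid-fire failed logins of a "brute force hacker" from constructed OpenSSH log lines, plus a password-policy check that rejects the guesses the study saw. The log lines, hostnames and addresses are constructed; the password check generalises "user name plus 123" to any password built on the user name.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not real data). One source guesses the
# generic accounts the study saw (root, admin) in rapid succession; the other
# entries are ordinary activity that should not be flagged.
SAMPLE_AUTH_LOG = """\
Feb 13 08:00:01 host sshd[4011]: Failed password for root from 198.51.100.7 port 40100 ssh2
Feb 13 08:00:03 host sshd[4012]: Failed password for invalid user admin from 198.51.100.7 port 40101 ssh2
Feb 13 08:00:05 host sshd[4013]: Failed password for root from 198.51.100.7 port 40102 ssh2
Feb 13 08:00:08 host sshd[4014]: Failed password for invalid user test from 198.51.100.7 port 40103 ssh2
Feb 13 08:00:10 host sshd[4015]: Failed password for invalid user admin from 198.51.100.7 port 40104 ssh2
Feb 13 08:00:12 host sshd[4016]: Failed password for root from 198.51.100.7 port 40105 ssh2
Feb 13 08:05:30 host sshd[4020]: Failed password for alice from 203.0.113.5 port 50200 ssh2
Feb 13 08:05:41 host sshd[4021]: Accepted password for alice from 203.0.113.5 port 50201 ssh2
Feb 13 09:12:00 host sshd[4030]: Failed password for invalid user oracle from 192.0.2.99 port 33000 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2007):
    """Yield (timestamp, username, source_ip) for each failed-login line.
    Syslog lines carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def find_brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: total_failures} for every source that produced at
    least `threshold` failed logins inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def most_targeted_usernames(log_text, top=3):
    """Rank the account names attackers guess most often."""
    counts = Counter(user for _ts, user, _ip in parse_failures(log_text))
    return counts.most_common(top)


def password_is_weak(username, password, min_length=10):
    """Reject the guesses the study describes (the user name itself, or the
    user name followed by digits such as "123") and any password lacking
    length or a mix of upper case, lower case and digits."""
    pw, user = password.lower(), username.lower()
    if pw == user or pw.startswith(user):
        return True
    if len(password) < min_length:
        return True
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return not (has_lower and has_upper and has_digit)


if __name__ == "__main__":
    print("brute-force sources:", find_brute_force_sources(SAMPLE_AUTH_LOG))
    print("most-guessed names:", most_targeted_usernames(SAMPLE_AUTH_LOG))
    print("root123 weak?", password_is_weak("root", "root123"))
```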

January 20, 2007
» TJX's Data Breach Nightmare

As the owner of thousands of retail stores worldwide, what is the worst possible part of your IT infrastructure to have breached? The systems that hold your customers' credit card and other transaction data.

What would be the worst time to have a breach? The height of the holiday shopping season.

That's the nightmare that the Framingham, Massachusetts based TJX Companies, Inc. had to disclose this past week.

According to a press release issued this past Wednesday, an intruder accessed TJX's computer systems that process and store information related to customer transactions for its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The company has also expressed concern that the breach might affect customers of its T.K. Maxx brand in the U.K. and Ireland as well as Bob's Stores in the U.S. The information stolen may include credit and debit card sales transaction data from 2003 as well as data from mid-May through Dec. 2, 2006.

According to the Privacy Rights ClearingHouse, this brings the number of customer records that have been lost or stolen since the February 2005 ChoicePoint data theft to more than 100 million.

An article on informationweek.com acknowledged that while the company has identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers isn't yet known.

While there is still a lot yet to be learned about this specific breach, there are some initial observations that can be made.

  1. The timing of the attack - Hacking has turned into a professional enterprise. The timing of the attack was at the height of the retail shopping season when the greatest amount of fresh data would be available and the exact system was pinpointed to extract that data. Recent media reports indicate some hackers are even targeting attacks based on specific roles within an organization.

  2. The delay in public announcement - According to the press release, the breach was discovered in mid-December, yet it went undisclosed at the request of law enforcement officials. The frustration is that this gave hackers 30 additional days to sell the information or use the cards for other fraudulent means, creating additional losses for credit card companies like Visa and Mastercard and a hassle for consumers to straighten out.

  3. The consequences - Beyond the loss of consumer trust (the Ponemon Institute estimates 20% of consumers stop doing business with an organization following a data breach and another 40% consider it), you can be sure Visa, Mastercard and the TJX Companies' auditors will all be lining up to investigate the information security controls to see if any lax IT practices led to the hacker's ability to exploit the systems involved.

  4. Internal vs. external security - A lot of organizations have placed the majority of their information security emphasis on external vulnerabilities. As hackers become more sophisticated, information security must be multi-layered. Most analyst surveys in recent years show the majority of breaches actually come from internal threats - untouched by external security efforts.

It is yet to be determined what steps TJX might have taken to further secure their information, but it is doubtful that they had simply left this data unprotected. This breach should be a call for even greater vigilance in ensuring the protection of privileged data. The hackers are certainly not letting up in their efforts; we can't either.

December 18, 2006
» Googling for Greater Security

The latest issue of CSO magazine just crossed my desk. This edition is full of lists - security and non-security-related. Did you know that Italian workers average 43 vacation days a year? That's more than three times the average vacation time in the US. Can you say arrivederci? Seriously, there are some really interesting lists the editors have included. Lists for your first hundred days on the job as CSO, takeaways from earning an MBA, and four things to steal from Six Sigma.

The one that caught my eye the most was submitted by Nish Bhalla, founder of Security Compass.

Bhalla offers four search strings you can use with Google to help identify potential security gaps in your own site. Just substitute your URL for yourcompany.com in each of the strings below.

1. inurl:yourcompany.com -www
What you're looking for: registered domains
This search lets you look for any domains other than your main website which may be publicly available. Perhaps you have a staging server that is searchable that you hadn't intended. This server may not have the protection around it that the main web server has in place.

2. "http://*.*@www.yourcompany.com"
What you're looking for: passwords
The format for a user name and password embedded in a URL is "username:password". Using the string "*.*" lets you look for any data that fits this format that has been posted either inadvertently on your own website or maliciously elsewhere on the Web. Be warned, this search does return a number of false positives.

3. intitle:"Apache Tomcat" "error report" site:yourcompany.com
What you're looking for: technologies used
Your company may be inadvertently exposing the technologies it uses for hackers to exploit. For example, a misconfigured Apache Web server commonly produces a page with "Apache Tomcat" in the title and "error report" in the text. Once a hacker knows your company is running an Apache Web server, they can run targeted searches. For instance, Apache also produces error messages that begin with "access denied for user" and "using password", which may reveal user names and passwords. Perform similar searches for any Web server or application server in your environment using phrases from the common error messages they generate.

4. intitle:Remote.Desktop.Web.Connection site:yourcompany.com
What you're looking for: log-in portals
Remote Desktop is one type of software used by IT admins to gain remote access to computers. Hackers can use these portals to gain back door access to try user names and passwords. If you're using other remote technologies, alter the search string accordingly.

I didn't discover any unexpected problems when I used these search strings on our domain. I was excited to discover how useful (and fast) Google was for providing this type of security information. Try it on your domain and let me know if you discover any surprises.
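The same four exposures can be checked against your own pages before a search engine indexes them. The code below is an added example (not from the CSO list or Security Compass) that runs the equivalent of each search string over a constructed crawl of a hypothetical yourcompany.com: extra hostnames, user:password@ URLs in page bodies (reported with the password redacted), default "Apache Tomcat" error pages, and Remote Desktop Web Connection portals.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample of what a crawl of your own site might return
# (URL -> HTML). Hostnames and content are made up for the example.
SAMPLE_SITE: Dict[str, str] = {
    "http://www.yourcompany.com/index.html":
        "<html><head><title>Your Company</title></head><body>Welcome</body></html>",
    "http://staging.yourcompany.com/app/":
        "<html><head><title>Apache Tomcat/5.5 - Error report</title></head>"
        "<body><h1>HTTP Status 404</h1></body></html>",
    "http://www.yourcompany.com/docs/setup.html":
        '<html><body>Fetch the build from <a href="ftp://deploy:s3cret@www.yourcompany.com/release">'
        "this link</a>.</body></html>",
    "http://remote.yourcompany.com/tsweb/":
        "<html><head><title>Remote Desktop Web Connection</title></head><body>Log in</body></html>",
}

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# user:password@host inside a URL; the password group is captured only to be redacted.
CRED_URL_RE = re.compile(r"\b(?:https?|ftp)://([^\s/:@\"'<>]+):([^\s/@\"'<>]+)@([^\s/\"'<>]+)")

Finding = Tuple[str, str, str]   # (kind, url_or_host, detail)


def embedded_credentials(url: str, html: str) -> List[Finding]:
    """Search string 2: URLs carrying user:password@ in the page body."""
    return [("credentials_in_url", url, f"{user}:***@{host}")
            for user, _pw, host in CRED_URL_RE.findall(html)]


def technology_fingerprints(url: str, html: str) -> List[Finding]:
    """Search strings 3 and 4: default error pages and remote-access portals."""
    m = TITLE_RE.search(html)
    title = m.group(1).strip() if m else ""
    low_title, low_page = title.lower(), html.lower()
    found = []
    if "apache tomcat" in low_title and "error report" in low_page:
        found.append(("default_error_page", url, title))
    if "remote desktop web connection" in low_title:
        found.append(("remote_access_portal", url, title))
    return found


def unexpected_hosts(urls, main_host: str = "www.yourcompany.com") -> List[str]:
    """Search string 1: hostnames other than the main site that are reachable."""
    hosts = {urlparse(u).hostname for u in urls}
    return sorted(h for h in hosts if h and h != main_host)


def audit_site(site: Dict[str, str]) -> List[Finding]:
    """Run all checks over a crawled site and return the sorted findings."""
    findings: List[Finding] = [("extra_host", h, "not the main web server")
                               for h in unexpected_hosts(site)]
    for url, html in site.items():
        findings += embedded_credentials(url, html)
        findings += technology_fingerprints(url, html)
    return sorted(findings)


if __name__ == "__main__":
    for kind, where, detail in audit_site(SAMPLE_SITE):
        print(f"{kind:22} {where:45} {detail}")
```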

Do you have any tips on how to improve the security of your enterprise using a commonly-used resource like Google? I'd love to share your idea here.

December 8, 2006
» Is The Focus On Compliance Actually Hurting Data Security?

Compliance has had a stranglehold on the minds of corporate and IT executives over the last several years. But is all the money spent on compliance actually making information more secure? An AMR Research report states that "compliance spending in 2006 will reach $27.3 billion and spending will climb even higher in 2007, with companies devoting $28 billion to compliance initiatives." But, according to senior analyst Khalid Kark of Forrester Research, security spending is actually decreasing as firms redirect money from security to meet compliance obligations.

According to Kark, "to be both compliant and secure, organizations need to shift their thinking from responding to tactical IT security issues like firewalls, intrusion detection systems, viruses and worms, system hardening, and encryption to addressing information risk and more strategic business concerns, such as protecting intellectual property, ensuring regulatory compliance, preventing insider abuse, and safeguarding customer privacy."

A recent story on Informationweek.com indicates a change in how security dollars are spent will have a positive effect on both security and compliance. "Organizations are better served spending their security dollars on hardware and software such as configuration and change management applications, antivirus, user-access control systems, and reporting tools, which facilitate more frequent audits, rather than spending the money to hire more contractors and outside services. Organizations with the fewest compliance problems are spending 9% more to automate audit functions and 11% less on contractors and outside services", according to the author.

This is a good wake-up call reminding us that the real purpose behind compliance is security, not just satisfying the auditor. We'll see if the lawmakers get this message if they reconsider Sarbanes-Oxley in the next session!

November 28, 2006
» Investing in Information Security? Tell Someone!

Holiday shopping is in full swing now that Black Friday and Cyber Monday have passed. Initial figures showed sales up 3.4% over the weekend. According to ComScore, an Internet research firm, online sales are expected to increase 24% over last year.

However, evidence of declining confidence in the Internet could hold back that kind of on-line growth. According to the Consumer Internet Barometer, in the first quarter of 2006, respondents' trust ranked at just 25 percent. Webwatch reports that 80 percent of Americans said they are concerned that their identities could be stolen from personal information on the Internet.

Many retailers are making significant investments in managing their information security risks, such as denial-of-service attacks, identity theft, and unauthorized alteration of data, but mostly to satisfy regulatory compliance requirements or in the name of good corporate governance.

According to Richard Starnes, UK Director for Information Systems Security Association, the statistics mentioned above point out a greater reason for information security management - customer confidence.

"Consumers would certainly be more likely to purchase products if they were aware that their prospective vendor was taking steps to ensure the safety of their personal data. A marketing campaign surrounding the company's information security program would not only enhance the reputation of the brand but add to the bottom line", said Starnes.

While you have to be cautious to market this in a way that makes your point without declaring yourself an appealing conquest for some hacker, this marketing message could provide a real competitive advantage, especially at the height of the busiest shopping period of the year. As Starnes closed, "Be proactive about marketing your security program to your customers - because if you don't seize the opportunity, your competition will."

November 24, 2006
» Black Friday A Reminder to Protect Your Identity

I spend a lot of time working with companies to protect credit card information, not only to comply with the PCI Data Security Standard, but, more importantly, to maintain your trust as a customer.

This weekend marks the official beginning of the holiday shopping season. By the conclusion of the weekend, 100 million consumers will have made at least one transaction using a credit card, based on research conducted by MasterCard. The influx of credit card activity will reach a peak on Christmas Eve, the "real" busiest shopping day of the year.

Knowing the volume of activity that will be taking place in stores, on phones, and through Internet connections, you can guarantee that a multitude of individuals are preparing for the next few days with the same excitement as your kids are when they put their gift list together.

Knowing that we're all consumers at the end of the day, here are some timely reminders from the American Bankers Association for preventing identity theft:

1. Order copies of your credit report once a year to ensure they are accurate. You can call each of the three national credit-reporting agencies because each may contain different aspects of your credit history, or you can contact the Annual Credit Report Service for one free credit report each year.

2. Keep an eye on your accounts throughout the year by reading your monthly/periodic statements thoroughly.

3. Tear up or shred pre-approved credit offers, receipts and other personal information that link your name to account numbers. Don't leave your ATM or credit card receipt in public trash cans.

4. If your credit card or other bills are more than two weeks late, you should do three things: First, contact the Postal Service to see if someone has forwarded your mail to another address. Second, contact your bank to ask if the statement or card has been mailed. Third, contact the businesses that send you bills.

5. When you pay bills, don't put them in your mailbox with the red flag up. Use a locked mailbox or the post office.

6. Protect your account information. Don't write your personal identification number (PIN) on your ATM or debit card. Don't write your social security number or credit card account number on a check. Cover your hand when you are entering your PIN number at an ATM.

7. Don't carry your Social Security card, passport or birth certificate unless you need it that day. Take all but one or two credit cards out of your wallet, and keep a list at home of your account information and customer service telephone numbers. That way, if your wallet is lost or stolen, you'll only have to notify a few of your creditors and the information will be handy.

8. Never provide personal or credit card information over the phone, unless you initiated the call.

As organizations work to secure their IT infrastructure by automating regulatory compliance and IT Best Practices reporting, make sure you do your part by following these important guidelines...and have a wonderful, secure holiday shopping season.

September 29, 2006
» The Cost of a Data Breach is More Than You Thought

The rash of data loss headlines over the past few years has ignited a firestorm of federal, state and local laws requiring notification to anyone whose personal information may have been compromised.

The potential costs of notifying potentially tens or hundreds of thousands of individuals should cause most companies to sit up and take notice. However, the recently released results of a survey by the Ponemon Institute raise the negative backlash of a data breach to alarming proportions.

According to an article in Processor, the cost to comply with breach laws is rising, with an average cost per company per breach of $14 million – or $140 on average in recovery costs per customer record breached. But that’s just the beginning…

The long-term consequences are significant and potentially far more severe. The survey found 20% of customers terminate relationships with a company after a security breach and a full 58% of customers believe the breach notification decreased their sense of trust and confidence in the notifying company.

According to Ponemon Institute founder Dr. Larry Ponemon, "This permanent loss of customer trust and confidence can translate into hundreds (or even thousands) of dollars in lost future economic value per customer or prospective customer."

If you don't have the ability to identify the detailed configuration settings that control the security of every part of your infrastructure that interacts with your critical data, you are at great risk. Are you prepared to risk losing 20% or more of your customer base?

There is an automated solution that will significantly reduce your risk of exposure to a breach. Believe me, the expense is negligible in the light of these costs!