Data breach costs go way beyond chargebacks

In security circles, hype and marketing — and the security complacency they encourage — can be more dangerous than a well-funded cyberthief.


When it comes to IT security, a guarantee is a very seductive and attractive concept. It's an emotional appeal, trying to send the message "No matter what happens, we'll have your back. You can relax and worry about other things." But in security, it can be as dangerous as it is unrealistic.

The danger lies not in the guarantee itself, but in the relaxed effort that belief in such a guarantee can cause. What brings this to mind is an otherwise impressive guarantee from a payments security vendor, whose CEO's hyped comments go beyond what is possible and lure in executives who may be quick to believe what they want to believe.

The company is Forter, and the sad part is that if its public statements simply stuck to what it actually does, it would have a powerful and compelling message. Consider this legitimate pitch from the vendor's boilerplate: "Forter's solution is entirely automated, evaluating every transaction in real-time and providing an instant approval/rejection decision so that genuine customers aren't even aware that they're being examined. The system works with behavioral analytics, cyber intelligence and elastic identity, and uses machine learning and the power of big data, informed and refined by the human understanding of highly trained analysts."

Assuming it's true — and I have no reason at this time to doubt that — it's a good argument. Then the company offers a legitimate guarantee: it will cover the costs of any chargebacks and any associated card brand penalties. So far, so good. Note that this is a clever offer, since it's likely to cost the vendor very little. First, of course, the vast majority of transactions are legitimate. And any good fraud-detection system will sharply reduce the number of fraudulent charges. Hence, the vendor is likely to be paying out relatively little, especially if its system is as good as it claims.

The problem comes from Forter CEO Michael Reitblat, who told an audio interviewer last week a few troubling things. First, there was this: "We can't eliminate fraud altogether, but we can create a completely fraud-free environment for the retailer through which they can make decisions solely based on what's good for their business." Whoa. How can anyone say something true such as "we can't eliminate fraud altogether" and then follow it up immediately with the ludicrous and contradictory "we can create a completely fraud-free environment for the retailer"?

No, they can't. At best, they can eliminate the chargebacks and penalties for fraud. And he continued: "This can be achieved by shifting all of the fraud-related liabilities, damages and operations to us. We handle all of their online transactions and give them real-time yes/no answers. For everything we say 'yes' to, if anything goes wrong, we take the hit financially."

The problem is his claim that his company will be "shifting all of the fraud-related liabilities, damages" to itself. All? Not even close, and that's the issue. When a retailer gets hit with fraud, the chargebacks and direct penalties are the least of that merchant's problems. What about the perception of the customers and prospects who saw those bogus charges through that merchant site? How about the IT and executive time that has to be spent dealing with the security mess? How about the time and costs of contacting customers and flagging the problem? And the media inquiries? And the inevitable lawsuits—both legitimate and bogus—and all of the executive time they eat up, along with the legal costs? And paying for upgraded systems?

Also, this system is, understandably, limited to online transactions only, and the guarantee is limited in the same way. Given that many of the vendor's prospects have both physical and digital operations, this makes the sweeping comments even more problematic.

Consider phrasing such as the retailer "can make decisions solely based on what's good for their business" and not for security concerns, and — from the vendor's boilerplate — the assertion that the chargeback guarantee is "something that gives online retailers the peace of mind to leave fear behind and make the choices that are best for their business and its growth." This suggests that retailers can kick back and relax their security efforts because chargebacks and penalties will be covered by this vendor's system. What about all of those other costs?

If you ask most breached retailers which end of that bargain they'd prefer, you're going to find most saying, "I'll gladly eat the charge reversals and those penalties if you'll absorb the customer perception problems, the loss of executive time and the legal and IT costs, along with the in-store fraud costs."

Clearly, no vendor can take on all of those non-chargeback pains, so saying that they'll have a "completely fraud-free environment" and that the vendor will take on "all of the fraud-related liabilities, damages" is foolish. Well, if it's not foolish, it's calculating and manipulative. The worry here is not for the largest of retailers, but the small and medium-sized merchants.

The apparel boutiques that so desperately want to worry only about the clothing details that are their true expertise are especially susceptible to these "we'll take on all of your security worries" sales pitches. They need to remember all of the pains and costs that data breaches bring beyond chargebacks and direct penalties.

Guarantees are something that marketers love, but few bother to respect what the term means. It boils down to "I promise to do X. If I don't, I'll give you Y," as in a double-your-money-back guarantee. Far too often, vendors will offer a "guarantee" but offer nothing if they fail to deliver. My favorite was an ISP that offered a guarantee that its tech support team would answer the phone with a technician within eight rings. I kept asking them "and what happens if they don't?", to which the salesperson robotically and repeatedly replied "They will." *sigh*

That's the sad part here. First, Forter's guarantee seems legitimate, in that it's an actual guarantee with a clean "this is what we'll give you if we don't deliver" answer. Second, the underlying technology and methodology also appear to be legitimate and compelling. If the CEO hadn't hyped it beyond the facts, it would have been a powerful pitch.
