Hopefully those responsible for their companies’ data security enjoyed their summer vacations because they have some work to do. According to Verizon’s 2017 Payment Security Report, nearly half of retailers, restaurants, hotels and other business that take credit card payments are STILL failing to maintain PCI DSS compliance from year to year. While being compliant with PCI DSS does not guarantee security, is does represent a baseline that all organizations should be able to meet if they are taking their responsibility to protect their cutomers’ data seriously.
All is not doom and gloom, as Larry Dignan reports in this ZDNet article. “According to the Verizon 2017 Payment Security Report, 55.4 percent of organizations complied with PCI when validated in 2016, up from 48.4 percent in 2015.” However, as Dignan points out, the fact that 44.6 percent were non-compliant is cause for concern. “That lack of compliance is notable because of all of the payment card data breaches investigated by Verizon no organizations were fully compliant at the time of the breach. Simply put, PCI DSS compliance is directly linked to data breaches.”
PCI DSS compliance rates differed by industry, as pointed out in this article in PYMNTS.com. “IT did the best with full PCI DSS compliance, with 61.3 percent fully compliant during interim validation. Financial services came up in a close second, with 59.1 percent of financial services organizations fully compliant. Retailers looked notably weaker at 50 percent, and hospitality organizers didn’t even manage to break into majority territory with only 42.9 percent of hospitality organizations showing as compliant.”
In one recorded example, as cited by John Leyden’s article in The Register, “A hotel was found to be storing almost a decade’s worth of receipts containing full, unmasked card numbers next to its laundry room. Security hardening, protecting data in transit and physical security are all issues for the hospitality industry in general.”
While the information provided in the Verizon Payment Security Report may be useful for some, Jeremy Kirk warns in this article in Bank Info Security that readers may not want to rely too heavily on carefully staged data that leads to predictable conclusions. “Studies performed by vendors are invariably done for one purpose: driving their own business case,” writes Kirk. “That doesn’t necessarily mean the conclusions are invalid or should be dismissed outright. But a close look at Verizon’s report reveals the company makes suspect logical stretches.”
What are your thoughts on the Verizon Payment Security Report? We would love to hear from you. In the meantime, here’s a roundup of other top data security stories making headlines or providing insights for the week ending Sept. 1, 2017:
“Attacks, Regs Driving Security Spending,” by George Leopold in EnterpriseTech: Reflecting growing cyber security threats, global spending on information security products is expected to rise by 7 percent this year, according to a new forecast from Gartner, which pegs the global market for information security products and services at $86.4 billion this year, predicting it will rise in parallel with cyber threats to an estimated $93 billion in 2018.
“Hackers Will Take Advantage of Outdated Software,” by Sue Marquette Poremba in ITBusinessEdge: Ransomware attacks like Wannacry and Petya targeted Windows XP and other outdated operating systems, taking advantage of their vulnerabilities. In fact, according to Fortinet’s Q2 2017 Global Threat Landscape report, 90 percent of organizations recorded exploits against vulnerabilities that were three or more years old. And 60 percent of firms experienced successful attacks targeting devices for which a patch had been available for ten or more years!
“Two Million Customer Records Pillaged in IT Souk CeX Hack Attack,” by Iain Thomson in The Register: Second-hand electronics dealership CeX says two million customers may have had their personal information swiped by hackers, including first name, surname, address, email address and phone number. In some cases passwords were also stolen. The company says these were hashed, but warns – correctly – that weak passwords could still be cracked, so if you have reused one it’s time to make some changes.
“Companies Face Legion of Security Operations Challenges,” by Jon Oltsik in CSO Online: A recent Enterprise Strategy Group (ESG) research survey of 412 cybersecurity and IT professionals identified some of the biggest security analytics and operations challenges, including total cost of ownership; spending too much time on emergencies and not enough on strategy and process improvement; lack of tools and processes to operationalize threat intelligence; lack of staff with appropriate skills; an inability to keep up with the increased number of network hosts, applications and/or users.
“Employees Open Companies to Security Risks by Working Remotely,” by Emma Bordessa in IT Governance: Research from T-Systems shows a third of employees use free Wi-Fi at locations such as airports, hotels, coffee shops and bars, despite these being unsecure and open to communication interception by cyber criminals. Couple this with the widespread practice of employees emailing documents to their private email on their own devices, where security is invariably lower, and you open your organization to potential attacks.
“Major League Lacrosse Exposes Personal Information of Every Player,” by Tom Ley in Deadspin: Major League Lacrosse just sent an email to every player currently in its player pool—this includes inactive players—alerting them to the fact that the league accidentally exposed their personal information, including their full name, address, telephone number, email address, Social Security number, citizenship, date of birth, height, weight, position, college, graduation year, team, and non-MLL occupation.
What was your favorite data security story this week?