Is Your Customer Data Secure? - Very Unlikely.

Most businesses are making it incredibly easy for organised criminals to steal critical data, according to a new report from Verizon Business.

While organised crime is becoming ever more innovative online, many businesses seem to be going backwards, failing to comply with even basic security standards.

The reasons seem to be a combination of ignorance, laziness and a surprising reluctance to invest in securing customer and company data.

Organised Crime is Coming to Get You

The Verizon report found that 285 million records were compromised last year (2008), and that 91% of those compromised records were attributed to organised criminal groups.

That is, security breaches are no longer the domain of teenage hackers just looking to make a name for themselves. Your data is now a major target of organised crime, which is investing considerable time, money and resources to get at your sensitive information.

Some of the report highlights are:
•    91% of all compromised records were attributed to organised criminal groups
•    99.6% of records were compromised from servers and applications
•    74% resulted from external sources
•    69% were discovered by a third party
•    67% were aided by significant errors
•    32% implicated business partners

You can download the full report here along with actions to take to protect your data.

Raise Your Security Standards

In a nutshell, you need to comply with all the essential protection measures first, and then move towards implementing the best available protection methods.

Criminals always look for the easiest option, so making things as difficult as possible is the best strategy.

Of course, it is impossible to make sensitive data completely secure, but what is clear from the report is that all organisations need to adopt a security conscious culture and be permanently vigilant for possible security breaches.

Most banks and credit card issuers have a standard (PCI DSS, described below) that they require their merchants to comply with, but according to the report 81% of the breached organisations subject to it were not compliant.

The remaining 19% were compliant and still suffered some form of breach, so compliance alone is no guarantee, but the figure still shows the alarming reluctance of many companies to implement proper security processes.

Twelve Steps to Protect Yourself

The payment card industry's PCI DSS standard is built around the following 12 requirements, grouped under six goals:

Build and Maintain a Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
– Requirement 12: Maintain a policy that addresses information security

You can download the specification here.
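Requirement 3 is the one most often done badly in application code, so here is a small worked example of what "protect stored cardholder data" looks like in practice. It is an added illustration written for this page, not code from Verizon or the PCI Security Standards Council, and the record field names (pan, expiry, cvv), the demo key and the sample card number (the widely used 4111 1111 1111 1111 test PAN, a constructed input) are assumptions for the demonstration. The example validates a PAN with the Luhn check, masks it for display (first six and last four digits at most), replaces it in storage with a keyed HMAC token rather than a bare hash, and never lets sensitive authentication data such as the CVV reach the database.

```python
import hashlib
import hmac
import re
import secrets

# Fields that PCI DSS forbids storing after authorisation, even encrypted.
SENSITIVE_AUTH_DATA = frozenset({"cvv", "cvc", "cvv2", "pin", "track1", "track2"})


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces/hyphens and reject anything that is not a plausible card number."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a plausible PAN")
    if not luhn_valid(pan):
        raise ValueError("Luhn check failed")
    return pan


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenise_pan(pan: str, key: bytes) -> str:
    # A keyed HMAC, not a plain SHA-256: the search space of a 16-digit PAN
    # with a known BIN (first six digits) and a Luhn digit is small enough to
    # brute-force an unkeyed hash. The key must live in a key-management
    # system, never beside the tokens.
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(record: dict, key: bytes) -> dict:
    """Return the only fields that may be written to persistent storage.

    The full PAN and everything in SENSITIVE_AUTH_DATA are deliberately absent
    from the result; the masked form is for receipts and the token for lookups.
    """
    pan = normalise_pan(record["pan"])
    return {
        "pan_token": tokenise_pan(pan, key),
        "pan_masked": mask_pan(pan),
        "expiry": record["expiry"],
    }


if __name__ == "__main__":
    # Demo key only (assumption for this example); a real deployment fetches it from a KMS/HSM.
    demo_key = secrets.token_bytes(32)
    # Constructed sample record as an e-commerce checkout might receive it.
    incoming = {"pan": "4111 1111 1111 1111", "expiry": "12/30", "cvv": "123"}
    stored = store_card(incoming, demo_key)
    print(stored)
    assert not (SENSITIVE_AUTH_DATA & stored.keys())
```

The CVV is accepted for the authorisation call and then discarded; only the token, the masked PAN and the expiry survive in `stored`. A lookup by card (for example, "has this customer paid with this card before?") recomputes the HMAC with the same key and compares tokens, so the database itself never needs to be searchable by raw PAN.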

Further Reading:

OECD Directorate for Science, Technology and Industry paper on Online Identity Theft



One Response to Is Your Customer Data Secure? - Very Unlikely.

  1. NL Energie says:

    Great article. I'll have to pass it to some clients who don't take security seriously. It's really getting to be a big issue. Maybe not now, but for sure later ;-)
