Cybervillains are everywhere. Companies and individuals alike must stay alert
Cyber Security Cybercrime is a major issue these days: Google and McAfee estimates there are 2,000 cyberattacks every day costing the global economy about £300 billion a year.
The problem cannot be overestimated and is becoming increasingly widespread. "We’ve been providing data security standards since we launched in 2006 to keep track of payment card data online,” says Jeremy King, International Director of the PCI Security Standards Council, which was formed as a global body to tackle payment security issues that surround the area of cybercrime. “We are dealing with globally organised criminal gangs operating on a massive scale. Thieves are trying to steal any data they can, governments are looking to see what can be done to tackle the problem and over one billion records are stolen every year. At the annual Infosec security event it was reported that 90 per cent of large organisations suffered at least one security breach and on average they reported 14 security breaches a year.”
We are dealing with globally organised criminal gangs operating on a massive scale
Many organisations, unfortunately, have been in denial about the scale of the problem, especially those which are not actually involved in sales, King believes. However, boards are beginning to take it more seriously, accepting that this is not just an IT threat and are gradually becoming aware that there are four major types of cyber threat, starting with compromised credentials. “The main aim when protecting cardholder data is that you don’t store it if you don’t need to but if you do keep it then encrypt it,” says King.
Another type of attack involves ransomware. “The criminals insert malware, encrypt everything and then, for example, say, give us a certain amount in bitcoins and we’ll unlock your information,” says King. “Some US hospitals have been the victim of that. Or there can be a denial of services attack where so many requests are put into a system at once it can’t cope and runs slowly or shuts down. These types of attacks can have a massive impact: for example, if betting firms were targeted during the Grand National.”
Cybercriminals also use spyware and keyloggers to get in to a system and the most common way here is via a phishing attack. Some of these are obvious; some, say, in the form of requests for bill payments, are a lot less so. Keyloggers, meanwhile, log every key stroke, thus revealing valuable credit card information and have in the past come to light when companies have spotted cleaners behaving suspiciously. Training staff is more crucial than ever. “Some companies have asked for a friendly phishing attack in order to test staff awareness and something like 25 per cent of employees fail,” King continues. “When that happens, typically a notice will pop up on screen saying, ‘You’ve failed, apply to personnel for further training.’ But it’s worse at board level where 33 per cent fail.”
Some companies have asked for a friendly phishing attack in order to test staff awareness and something like 25% of employees fail
Another issue stems from the fact that an increasing number of domestic appliances such as fridges and kettles are now connected to the internet, but while this may be convenient for the householder, white goods manufacturers do not understand security and risk broadcasting wifi security details everywhere.
Small merchants, too, have problems, with 1.3 million in the UK not having any IT services department. The Government is trying to address this, publishing 10 Steps to Cyber Security, using deliberately non-technical language to help. At PCI we have had a task force developing our own guide, this will be released in June.
Another growth area is Card Not Present – CNP – fraud, which PWC predicts will grow from $2.9 billion in 2014 to $6.4 billion in 2019. “The UK Cards Association monitors and reports fraud figures and has seen a 26 per cent increase across all fraud, with the majority in CNP via internet purchases,” says King. The European Central Bank is taking action: it is introducing further requirements on businesses and there will be hefty fines imposed if they don’t protect their customers’ data properly.
Adds King, “Improving security practices to identify and detect attacks quickly with the PCI Data Security Standard, and establishing an incidence response plan need to be top priorities for organisations in 2016.”