It’s time to ditch compliance because most companies simply ignore it

Posted by on December 11, 2014.

Many security experts worry that compliance is driving security rather than the other way round. Being compliant does not mean being secure. But faced with a choice between doing the minimum to be compliant and doing the minimum to be secure, companies tend to choose the former.

That, at least, is current received opinion. And it just makes the statistics released today by Sophos all the more disturbing.

According to Sophos, 72% of those firms surveyed are not ‘cyber secure’. Part of the reason is that 77% of these firms rely solely on perimeter-based protection such as firewalls, and 33% on anti-virus – and it should be evident to everyone that these defences alone will not keep the hackers out.

James Lyne, Global Head of Research, Sophos

More specifically, the 72% of firms classed as insecure are classed that way because they have not implemented basic encryption to protect company and customer data. The firms surveyed are retailers, and as such they are subject to both PCI DSS and Data Protection Act requirements.

I asked James Lyne, global head of research at Sophos, if that means that 72% of British retailers are de facto non-conformant with PCI and Data Protection requirements. He replied, “DPA and PCI state that retailers should have basic encryption in place so the survey results would indicate that this is the case.”

This is a shocking situation on many levels:

  • if firms are not allowed to process card data (which is somewhat necessary in the retail trade) without complying with PCI DSS, what use is PCI DSS if firms can process card data while ignoring one of its own fundamental requirements, encryption?
  • how can the Information Commissioner’s Office (ICO), which is specifically charged with upholding the Data Protection Act (DPA), fail to notice and act on a 72% failure to comply with it?
  • why hasn’t the government instigated some sort of awareness campaign to ensure that retailers know their obligations under the law and to their customers?

A further question we should all ask is whether ‘compliance’ is itself the source of this insecurity. Large companies use risk management principles to guide their security spend; small companies do something similar without thinking about it. Risk management implies that you spend most where it hurts most. The light touch delivered by the ICO makes the risk of non- or minimal compliance with the DPA barely perceptible – in other words, being caught out as non-compliant costs less than paying for compliance.

But if firms can get away without implementing what is required by law with no comeback, where is the incentive to implement any security that is not required by law?

Given the high volume of US retailer breaches involving RAM-scraping malware installed on physical payment terminals, I asked James Lyne whether the Sophos survey differentiated between high street and online retailers. His response is a shocking indictment of the security of British retailers:

The survey covers both types of retailer and the issues described certainly apply to both. There have been a number of demonstrations of the inadequacies of common PoS systems, allowing details to be scraped from memory (indeed, there is even a Metasploit module that can be used on a target system to look for credit card data!). Weak credentials, poor vendor security standards and patching failures have all been implicated in the recent spate of failures. Online merchants have also had challenges, perhaps to an even greater degree. It is common to see payment pages infected with malicious code to scrape details as they are provided to legitimate, but vulnerable, sites. Equally, online database security has been demonstrated time and time again to use weak data protection which allows reversal (if the data was ever encrypted) of sensitive data. In short, quite a substantial number of systems are vulnerable, although online retailers are on average an easier target for attackers. There have been a larger number of mass thefts of details in the US where the archaic card standards have made PoS systems more interesting to cyber criminals — but to a large degree we are all equally vulnerable online.
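As an added illustration of the memory-scraping technique Lyne refers to (this is example code written for this page, not code from Sophos, from the Metasploit module he mentions, or from any real malware): the script below scans a constructed, fake process-memory dump for payment card data using the same heuristics a RAM scraper or a memory card-search tool relies on, namely runs of 13 to 19 digits that pass the Luhn check, and track-2 magnetic-stripe records of the form `;PAN=YYMM...?`. The sample buffer, the function names and the card numbers (well-known industry test PANs, not real cards) are all assumptions for the example. The same logic is useful defensively: run it over a dump of your own PoS or payment process to confirm that cleartext card data is not sitting in memory longer than it must.

```python
"""Scan a byte buffer for payment card data the way RAM-scraping malware
and memory card-search tools do. Example code for this page; the dump,
PANs and names below are constructed, not taken from any real system."""
import re
from typing import List, Tuple

# Constructed fake memory dump: card-like data mixed with noise. The PANs
# are standard industry test numbers (Visa, Mastercard, Amex), not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00GET /checkout HTTP/1.1\r\n"
    b"customer=alice&pan=4111111111111111&exp=0916\x00\x00"  # cleartext PAN
    b";5105105105105100=16121011234?\x00"   # track-2 style stripe record
    b"order_id=1234567890123456\x00"         # 16 digits but fails Luhn
    b"phone=08001234567\x00"                 # 11 digits, too short for a PAN
    b"\xff\xfe378282246310005\x00"           # 15-digit Amex test number
)

# A candidate PAN is a maximal run of 13-19 digits (not embedded in a longer run).
PAN_RUN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Track 2: start sentinel ';', PAN, field separator '=', expiry YYMM, rest, end sentinel '?'.
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, PAN) for every card-length digit run that passes Luhn."""
    hits = []
    for m in PAN_RUN.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append((m.start(1), pan))
    return hits


def find_track2(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, PAN, expiry YYMM) for every track-2 style record."""
    return [
        (m.start(), m.group(1).decode("ascii"), m.group(2).decode("ascii"))
        for m in TRACK2.finditer(buf)
        if luhn_ok(m.group(1).decode("ascii"))
    ]


def mask(pan: str) -> str:
    """Mask a PAN to first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_report(buf: bytes) -> List[str]:
    """Human-readable findings with PANs masked, so the report itself is safe to log."""
    lines = [f"PAN at offset {off}: {mask(pan)}" for off, pan in find_pans(buf)]
    lines += [f"track-2 at offset {off}: {mask(pan)} exp {exp}"
              for off, pan, exp in find_track2(buf)]
    return lines


if __name__ == "__main__":
    for line in scan_report(SAMPLE_MEMORY):
        print(line)
```

Two things the scanner deliberately does: it rejects digit runs that fail Luhn (the `order_id` in the sample), which is what keeps false positives down on a real dump, and it masks every PAN it reports, since a defender's scan output must not itself become a cleartext store of card numbers.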

It is time for firms to shift from implementing (or ignoring!) compliance to implementing real security. At the very least, where regulations exist, they must be adequately enforced. Compliance is often championed as being ‘better than no security’ – but the reality is that compliance is often the cause of ‘no security’.
