Posted by Kevin on December 11, 2014.
Many security experts worry that compliance is driving security rather than the other way round. Being compliant doesn’t mean being secure. But faced with the choice between the minimum to be compliant rather than the minimum to be secure, companies tend to choose the former.
That, at least, is current received opinion. And it just makes the statistics released today by Sophos all the more disturbing.
According to Sophos, 72% of those firms surveyed are not ‘cyber secure’. Part of the reason is that 77% of these firms rely solely on perimeter-based protection such as firewalls, and 33% on anti-virus – and it should be evident to everyone that these defences alone will not keep the hackers out.
More specifically, the 72% of firms classed as insecure are so classed because they have not implemented basic encryption to secure company and customer data. And the firms themselves are retailers. As such, they are subject to both PCI and Data Protection Act regulations.
I asked James Lyne, global head of research at Sophos, if that means that 72% of British retailers are de facto non-conformant with PCI and Data Protection requirements. He replied, “DPA and PCI state that retailers should have basic encryption in place so the survey results would indicate that this is the case.”
This is a shocking situation on many levels:
A further question we should all ask is whether ‘compliance’ is actually the source of this insecurity. Large companies use risk management principles to guide their security spend; small companies do much the same informally. Risk management implies that you spend most where it hurts most. The light touch delivered by the ICO makes the risk of non- or minimal-compliance with the DPA barely perceptible – in other words, being caught out being non-compliant is not as expensive as paying for compliance.
But if firms can get away without implementing what is required by law with no comeback, where is the incentive to implement any security that is not required by law?
Given the high volume of US retailer breaches involving RAM-scraping malware installed on physical payment terminals, I asked James Lyne whether the Sophos survey differentiated between high street and online retailers. His response is a shocking indictment of the security of British retailers:
The survey covers both types of retailer and the issues described certainly apply to both. There have been a number of demonstrations of the inadequacies of common PoS systems, allowing details to be scraped from memory (indeed, there is even a Metasploit module that can be used on a target system to look for credit card data!). Weak credentials, poor vendor security standards and patching failures have all been implicated in the recent spate of failures. Online merchants have also had challenges, perhaps to an even greater degree. It is common to see payment pages infected with malicious code to scrape details as they are provided to legitimate, but vulnerable, sites. Equally, online database security has been shown time and time again to rely on weak data protection which allows reversal (if the data was ever encrypted) of sensitive data. In short, quite a substantial number of systems are vulnerable, although online retailers are on average an easier target for attackers. There have been a larger number of mass thefts of details in the US where the archaic card standards have made PoS systems more interesting to cyber criminals — but to a large degree we are all equally vulnerable online.
It is time for firms to shift from implementing (or ignoring!) compliance to implementing real security. At the very least, where regulations exist, they must be adequately enforced. Compliance is often championed as being ‘better than no security’ – but the reality is that compliance is often the cause of ‘no security’.