Aug 19, 2015 By Brian Reynolds In Blog

Bombshell! Cyber breaches more widespread than reported

A bombshell is defined as “an overwhelming surprise or disappointment.” For example, you open the paper one day and read that your next-door neighbor is an escaped serial killer. That’s a bombshell. A well-known politician is charged with bigamy. That’s a bombshell.

On several occasions over the last several years, high-profile cyber breaches reported by the media have also been labeled “bombshells.”  But are they really all that surprising?

Verizon’s recently released “2015 Data Breach Investigations Report” shows that these so-called “bombshell” cyber breaches are actually quite common.  They are neither new news nor all that surprising, given how often they occur. These incidents are simply waiting to be revealed, leaked or reported.

Some key points from the Verizon report include:

  1. Global financial losses related to card fraud doubled from $7 billion in 2009 to $14 billion in 2013
  2. Breached companies were typically not complying with 10 out of 12 requirements of Payment Card Industry Data Security Standards (PCI-DSS) when their breaches occurred in late 2013 and 2014
  3. U.S. breach disclosure laws may seem archaic, particularly because they are decentralized, but they are far ahead of anything currently on the books in other countries

So what is the lesson here?  As business executives and government officials, we should not be surprised that hundreds of cyber breaches are occurring on our global networks every day—and right under the noses of our IT professionals.  This is not a bombshell!

I also see three other important findings:

  1. Cyber breaches are increasing, despite higher spending on cyber defense
  2. In the private sector, widespread non-compliance exists in both policy and reporting
  3. In the U.S. government, where reporting and policy are in place, cybersecurity is still not being properly managed or understood

So what can we do with this information?  We can’t just sit back and accept yesterday’s “bombshell” as today’s “status quo.”  Our goal should be to move away from a status quo where governance initiatives are reactive and organizations exhibit little enthusiasm for PCI-DSS and other compliance efforts.

As a first step, we need a “Call to Action” for stronger compliance at the executive leadership level, as well as among the IT professionals supporting their enterprises. While the PCI framework is not the cure for all breaches, it was created as a launch pad: to set up an intermediate technical roadmap, to create and energize a forum aligning customers, businesses and technology from companies like SwishData, and to promote “checks and balances” for each responsible party, proportionate to their level of activity.

It should also be emphasized that when implementing compliance regimes, security teams need to avoid a check-the-box mentality and instead architect a solution that creates a well-oiled security machine while meeting compliance needs.

Establishing an effective architecture is also important because, too often, organizations fill up their security budgets with tools that have redundant capabilities and/or don’t necessarily work well together, creating tool sprawl that drives up administrative costs but provides relatively little marginal security value. To get the most out of their collection of security tools, organizations should design their security architecture from the ground up to ensure that their tools are integrated, efficient, and effective.

It’s time to mobilize these principles and get the PCI framework off the launch pad.  Contact us to find out more.