New research has found merchants fail to maintain security standards, while UK companies in particular lag behind their US counterparts in terms of cyber readiness
The Verizon 2014 PCI Compliance Report
also links non-compliance with increased breach risk, financial and reputational damages, based on findings from hundreds of PCI DSS assessments conducted by the security firm’s team of PCI Qualified Security Assessors.
Confirming that payment card transactions remain a prime target for attackers, the report said the rate at which data breaches are occurring appears to be increasing.
But, in most cases, payment card data breaches were not a failure of security technology or of PCI DSS non-compliance, but rather a failure to implement appropriate compliance and security measures as they were intended.
Maintaining security stance
“We continue to see many organisations viewing PCI compliance as a single annual event, unaware that compliance needs to have a 365 day-a-year focus,” stated Rodolphe Simonetti, PCI practice managing director for Verizon Enterprise Solutions.
“Anything less than 100% compliance is an issue,” he added. “Organisations need to rethink how they factor in maintaining a PCI-compliant environment, whether it’s devoting more resources or working with a managed security services provider.”
Areas where businesses had the most difficulty in achieving initial compliance included: security testing (23.8%); security monitoring and the ability to effectively detect and respond to data compromised (17%); and protecting stored sensitive data (55.6%).
It did, however, find that the overall proportion of organisations’ initial compliance with the PCI standard has improved. In 2013, more than 82% of organisations were compliant with at least 80% of the PCI standard at the time of their annual baseline assessment, compared to just 32% in 2012.
The report also highlighted regional differences due to breach notification laws, varying legal requirements and levels of adoption. The Asia-Pacific region took the top spot (75%), followed by the US with 56% and Europe with 31% in terms meeting at least 80% of the PCI requirements.
Lack of cyber awareness
If Europe lags behind the rest of the world for baseline PIC compliance according to Verizon, then the UK might be bottom of the pile according to a new survey about business leaders’ cyber security awareness from BT
Market researcher Vanson Bourne
surveyed 500 IT decision makers in finance, pharmaceutical, retail and government medium-to-large businesses across seven countries, including the UK, about attitudes to cyber security and levels of preparedness on behalf of the communications giant’s security divison.
It found just 17% of UK business leaders saw cyber security as a major priority, compared to 41% in the US. And just one in five (21%) UK respondents said they were able to measure the return on investment of their cyber security measures compared to the majority (90%) of US companies. Similarly, 86% of US directors and senior decision makers were given IT security training, compared to just 37% in the UK.
The difference in levels of preparedness correlates with attitudes to threats. Non-malicious insider threats (e.g. accidental loss of data) were the most commonly cited security concern globally, being reported as a serious threat by 65% of IT decision makers. In the UK this fell to 60% and is followed by malicious insider threats (51%), hacktivism (37%) organised crime (32%), nation states (15%) and terrorism (12%).
Internal and external threats
Looking ahead, the BT survey revealed more than half of all the IT decision makers believed that hacktivism (54%) and malicious insider threats (53%) would pose a greater risk over the next 12 months. In the US this increases to 73% and 74% respectively. This compares to 29% and 23% in the UK. Globally, terrorism was seen as the threat least likely to pose more risk over the next 12 months.
In response to emerging threats, 75% of IT decision makers globally said they would like to overhaul their infrastructure and design them with security features from the ground up. A further 74% would like to train all staff in cyber security best practice and just over half (54%) said they would like to engage an external vendor to monitor their systems and prevent attacks.
Mark Hughes, BT Security chief executive, commented: “US businesses should be celebrated for putting cyber security on the front foot. The risks to business are moving too fast for a purely reactive security approach to be successful. Nor should cyber security be seen as an issue for the IT department alone.”