
10 Lessons for Retailers from Recent Security Reports

by Freddy Mangum on Jun 16, 2015

Recent security reports from Verizon and new data from Mary Meeker of Kleiner Perkins Caufield & Byers have important security lessons for retailers. This blog summarizes key findings from these two widely respected sources.

Verizon has a unique position in having both a data breach investigation practice and a PCI compliance practice and can see “both sides of the coin.” It recently released its two anticipated security reports, the 2015 Data Breach Investigations Report and the 2015 PCI Compliance Report.

Mary Meeker echoes many of the themes from the Verizon security reports in her annual 2015 Internet Trends Report presentation for the Code Conference.

We have organized the findings in a list that retailers can use as a reference point:

  1. Impact of a data breach quantified
  2. POS intrusions are the leading source of confirmed data breaches
  3. Social engineering is still the preferred vector of attack
  4. Mobile devices are increasingly used to harvest data
  5. PCI compliance is a process
  6. Susceptibility to a breach has strong correlation with lacking PCI compliance
  7. ...But even Verizon notes drawbacks in the PCI process
  8. Complying with PCI DSS is hard
  9. Automating security and PCI compliance is key
  10. Payment security matters

Each of the 10 points is expanded on below:

1. Impact of a data breach quantified

The Verizon Data Breach Report introduces a new model for estimating the cost of a data breach. The model is rather involved, but the key finding is as follows:

“Forecast average loss for a breach of 1,000 records is between $52K and $87K.”
Source: Verizon 2015 Data Breach Investigations Report

Figure: Verizon: cost of a data breach quantified (from the Verizon report)

Verizon notes that larger organizations have higher losses per breach, as they typically lose more records and have a higher overall cost. For a smaller organization, even though the overall dollar amount may be smaller, the results can be devastating, amounting to a much larger loss as a percentage of annual revenue.

2. POS intrusions are the leading source of confirmed data breaches

Even though POS (point-of-sale) intrusions represent only 0.7% of reported security incidents, they result in 29% of confirmed data breaches, according to Verizon. This is not at all surprising given the headlines in 2014.

Verizon notes that the most affected industries are accommodation, entertainment and retail – wherever payment cards are accepted. (We’ll discuss the intersection of PCI compliance and data breach prevention in the subsequent sections.)

“POS intrusions result in 29% of confirmed data breaches.”
Source: Verizon 2015 Data Breach Investigations Report

Small restaurants and retailers were the attackers’ ‘cash cows’ for years; we just did not hear about these breaches. POS intrusion attacks evolved from impacting mostly small businesses with low dollar amounts to affecting large organizations, leading to massive data losses.

Still, Verizon notes that attackers employ different methods to breach organizations of different sizes:

  • POS devices of small organizations are directly attacked, normally by guessing or brute forcing the passwords.
  • Breaches of larger organizations tend to be multi-step attacks, with some secondary system being breached before attacking the POS system.

3. Social engineering is still the preferred vector of attack

Many incidents involved direct social engineering of store employees to trick them into providing credentials needed for remote access to the POS system.

“38% of POS hacking involved stolen credentials”
Source: Verizon 2015 Data Breach Investigations Report

Little insider misuse was through accounts with high-level access. More data breaches exploited the accounts of cashiers and call center operators than those of app developers and system administrators. The reasons cited by Verizon include high turnover of staff, lower security awareness and poor policies, such as shared accounts.

The ‘social engineering’ in question was surprisingly low-tech, often involving placing a call to the cashiers or phone bank operators to request the credentials.

Mary Meeker highlights the lack of security skills at all levels in organizations:

At least 30% of organizations cite a ‘problematic shortage’ of each of the following: 1) cloud computing and server virtualization security skills; 2) endpoint security skills; 3) network security skills; 4) data security skills; 5) security analytics / forensic skills.
Source: 2015 Internet Trends Presentation by Mary Meeker (slide 89)


4. Mobile devices are increasingly used to harvest data

Adware can be a potential precursor to attacks, giving perpetrators access to personal information such as contacts, which can be subsequently used to launch phishing or social engineering attacks.

“22% of breaches reported by network security decision makers involved lost or stolen devices.”
Source: 2015 Internet Trends Presentation by Mary Meeker (slide 88)

If devices are not properly locked down and protected, they can be used to access the sensitive information on the network. Mobile device management becomes critical.

5. PCI compliance is a process

Verizon notes that less than 1/3 of companies were found to be fully compliant a year after successful validation, indicating a lack of procedures for managing and maintaining compliance.

“4 out of 5 organizations still fail an interim assessment, indicating that they failed to sustain the security controls that they put in place.”
Source: Verizon 2015 PCI Compliance Report


6. Susceptibility to a breach has strong correlation with lacking PCI compliance

PCI guidelines have been evolving over the years, putting more and more emphasis on security and compliance as an on-going process. The emphasis on business practices has been paying off, and the Verizon PCI compliance report notes strong correlation between PCI compliance and security:

“Out of all data breaches Verizon investigated in the past 10 years, none of the companies were compliant at the time of the breach.”

“Unbreached group outperformed the breached group by 36%, suggesting a strong correlation between not being PCI DSS compliant and being more susceptible to a data breach involving payment card information.”
Source: Verizon 2015 PCI Compliance Report

7. But even Verizon notes drawbacks in the PCI process


“PCI DSS relies on prevention, and not enough attention to detection, mitigation and identification of residual risks.”
Source: Verizon 2015 PCI Compliance Report

8. Complying with PCI DSS is hard

Verizon notes that before embarking on the PCI compliance journey, many organizations may not realize its scope, resource requirements and impact on the organization.

What makes PCI compliance hard?

  • Scale and complexity of requirements
  • Uncertainty about scope and impact
  • Lack of resources
  • Lack of insight into existing business processes

9. Automating security and PCI compliance is key

Verizon places a big emphasis on automating security practices, to make them sustainable and consistent. Here's just one example of Verizon's recommendations:

“Automate threat and vulnerability mitigation.
“A Plan-Do-Check-Act approach to the vulnerability management process can improve quality and help streamline it, so that it functions in a consistent, repeatable and predictable manner.”
Source: Verizon 2015 PCI Compliance Report

10. Payment security matters

Well, this one is obvious, but the impact goes far beyond the data loss and fines, affecting consumer confidence and willingness to do business with a brand after a breach.

“47 of the 50 US states have mandatory notification laws, forcing companies to publicly disclose any loss of data.”
“69% of consumers would be less likely to do business with a breached organization.”
Source: Verizon 2015 PCI Compliance Report

In conclusion...

Payment card security remains a complex matter; we just scratched the surface on the findings contained in the security reports. The security and compliance game goes well beyond the 10 lessons referenced in this post, but it's a good start – for retailers and any other organizations where payment cards are accepted.


Mojo automates your wireless PCI compliance

If you are looking to automate your wireless PCI compliance, Mojo’s Wi-Fi solution has just such protection built-in, in the form of its wireless intrusion prevention system (WIPS).

WIPS is included with any cloud Wi-Fi system at no cost. The system can be centrally managed from the cloud, just as with Wi-Fi access.

Our WIPS is behavior-based, which allows for fully-automated 24x7 protection, with zero false positive / false negative operation. It requires no IT involvement for mitigation of wireless threats or compliance reporting.

Retailers have a chance to experience Mojo's Wi-Fi at the RIS 2015 Retail Executive Summit.

Topics: Wireless security, Compliance, Best practices, Security and WIPS, PCI, WiFi Access, Retail