Following the earlier blog in which I discussed the U.S. Senate banking panel scheduling a subcommittee hearing on safeguarding consumers' financial information, here is the latest. After reading an article about the hearing and listening to the February 4, 2014, session itself, I came away with five key points:
1. Public confidence is crucial to our economy. If we don’t have faith in businesses to protect our personal information, the national economic recovery is going to falter. Consider this: the U.S. accounts for ¼ of the world’s card transactions, yet suffers ½ of all card fraud.
2. Research by Consumer Reports and Consumers Union shows that, “Consumers who have their data compromised in a large scale security breach are more likely to become victims of ID theft or fraud.”
3. Sen. Feinstein introduced a data notification bill in 2003, but couldn’t get cooperation from retailers at that time. Even today, no federal law sets out clear security standards that merchants and data brokers must meet, and no federal law requires companies to tell their customers when their data has been stolen; Judiciary Chairman Patrick Leahy has introduced a bill to address this.
4. Since threats are evolving, even the best intelligence agencies can’t tell what threats will be around 18 months from now. Environments are also changing, with information now everywhere (data center, cloud, mobile devices), which creates a broader attack surface. Savvy engineers and security experts must find technical solutions, and the laws must be as sophisticated as the crooks who commit these acts. There seemed to be a consensus that, at a minimum, U.S. retailers should implement cards with both chip and PIN, as banks in Europe have been offering for a decade. Further, organizations also need to look at implementing layered security.
5. In a world of crafty criminals, a one-size-fits-all approach probably won’t work for all retail businesses. When considering data security requirements, any mandated law should provide flexibility and account for businesses of different sizes and resources. It will also be important to determine how government can partner with businesses to strengthen security; for example, the NIST Cybersecurity Framework has received bipartisan support.
Additionally, “cleaning up” after a data breach becomes expensive not only for the affected business but also for banks, as shown by the recent Target incident, which cost banks and credit unions over $200 million to replace cards affected by the breach. To help preempt these incidents, Juniper would suggest that organizations deploy multi-layered security to prevent data breaches, or at least become aware of them earlier so that less damage is incurred.
To counter attackers before they can inflict damage of the kind Target and other retailers fell victim to, organizations could also benefit from an approach that catches attackers during the reconnaissance phase, before they can even get into the network. Intrusion Deception is built with that in mind. Unlike signature-based approaches, WebApp Secure inserts random, variable detection points, or tar traps, into the code of outbound Web application traffic to proactively identify attackers before they can do damage, without false positives.
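To make the tar-trap idea concrete, here is a small added example of the same pattern: a decoy hidden field, freshly randomized on every outbound page, is injected into the HTML, and inbound form submissions are classified by what happened to it. This is illustrative code written for this post, not Juniper's WebApp Secure implementation; the field-name scheme, the HMAC-keyed value and the three verdict labels are assumptions of the example.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs

# Per-deployment key; generated here for the example, loaded from a key store in practice.
SECRET = secrets.token_bytes(32)
TRAP_RE = r"f_[0-9a-f]{8}"  # decoy field names look like f_<8 hex>


def trap_value(name: str) -> str:
    """The value a genuine browser echoes back unchanged: HMAC(secret, field name)."""
    return hmac.new(SECRET, name.encode(), hashlib.sha256).hexdigest()[:16]


def inject_trap(html: str) -> str:
    """Insert one hidden decoy field into the first <form> of outbound HTML.
    A fresh random name is minted per response, so the trap differs on every page
    view and cannot be matched by a static signature. HTML without a form is unchanged."""
    name = f"f_{secrets.token_hex(4)}"
    tag = f'<input type="hidden" name="{name}" value="{trap_value(name)}">'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + tag, html, count=1)


def find_trap(html: str):
    """Locate the decoy the server injected (useful for logging and tests)."""
    m = re.search(rf'name="({TRAP_RE})" value="([0-9a-f]{{16}})"', html)
    return (m.group(1), m.group(2)) if m else None


def inspect_post(body: str) -> str:
    """Classify an inbound form submission by what happened to the decoy.
    'clean'    - decoy echoed back intact: normal browser behaviour
    'tampered' - decoy present but its value changed: someone is fuzzing parameters
    'absent'   - decoy missing: request was not built from the form we served
    Only 'tampered' is a high-confidence alert; 'absent' needs context, since the
    page may never have had a form or the client may be a legitimate API consumer."""
    params = parse_qs(body, keep_blank_values=True)
    traps = [k for k in params if re.fullmatch(TRAP_RE, k)]
    if not traps:
        return "absent"
    for name in traps:
        if not hmac.compare_digest(params[name][0].encode(), trap_value(name).encode()):
            return "tampered"
    return "clean"
```

Because the decoy is keyed to its own random name, the server keeps no per-session state, and a browser that simply submits the form is never flagged.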
Whether you are a consumer, business owner, financial institution, or any combination thereof, take data security seriously. Together, we can fight cybercrime. After all, an army is only as strong as the soldiers that make it up.