PCI Compliance contributes to false sense of security

Tripwire, Inc. has announced the combined results of a 2014 retail cybersecurity survey conducted by Dimensional and Atomik Research and sponsored by Tripwire. The survey evaluated the attitudes of 407 retail and financial services organizations in the U.S. and the U.K. on a variety of cybersecurity topics.

  • 10 years ago Posted in

Despite industry data to the contrary, Tripwire’s retail cybersecurity survey indicates that organizations that rely on PCI compliance as the core of their information security program were twice as confident that they could detect rogue applications, such as those used to exfiltrate data. These respondents were also significantly more confident that they would be able to detect misconfigured or unauthorized network shares, which was a key attack vector exploited in the Target data breach.

Industry research indicates that most breaches go undiscovered for weeks, months or even longer. The 2014 Trustwave Global Security Report reveals that retail is the top target for cybercriminals, comprising 35 percent of the attacks studied. The report also states that the number of firms that detected their own breaches dropped from 37 percent in 2012 to 33 percent in 2013.

“Taken as a whole, these retail cybersecurity survey results indicate that most payment card processors need to engage in a standard of care discussion for their security programs,” said Dwayne Melançon, chief technology officer at Tripwire. “While most respondents feel confident about their security investments, it’s not clear whether they are questioning the basis of that confidence. Instead of investing in the development of a solid security business process, they are focused on basic security steps that, while necessary, do not sufficiently protect their organization from cyberattacks.”

Key survey findings for those who said PCI was “the backbone of their security program” include:

• 89 percent said they would be able to detect a breach within three days.
• 69 percent were “very confident” that they would be able to detect rogue applications.
• 64 percent were “very confident” that they would be able to detect unauthorized network shares.

“It makes sense that PCI compliance improves cybersecurity confidence,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Having a structured program in place that’s objectively measured by a third party is a definite improvement over more loosely defined programs that are evaluated only by internal personnel. Careful implementation of foundational security practices is a great way to begin building a security program. However, many organizations fail to realize that the goal of PCI compliance is the protection of cardholder data. It does not protect the rest of your business.”
 

New state-of-the-art data centre features Vultr’s first AMD GPU supercompute cluster.
Only a quarter (25%) think their approach to the cloud is carefully considered and successful.
Moving to AWS Cloud will enable The Co-operative Bank to adopt cutting edge IT Infrastructure.
The global airline group will upgrade the value of its data and get its AI & generative AI ready...
Barracuda Networks’s award-winning Email Protection and Cloud Backup security solutions will be...
Leading company in renewables to leverage HPE’s unique turnkey AI infrastructure solution to...
The four-year project extension focuses on cloud transformation and enhanced operational efficiency...
Businesses in the UK are risking slower development as they fail to fully embrace technologies that...