News Feature | March 20, 2014

First Data Symposium: Which Security Category Describes Your Business?

By Bernadette Wilson, Integrated Solutions For Retailers

At First Data’s Cyber Security Symposium “Commerce in the Crosshairs: Solutions to the Growing Threat,” experts shared that when it comes to security, businesses can be divided into basic categories. The event, held in New York on March 18, was First Data’s first symposium providing information and education on trends and evolving threats to security.

Symposium panelist Art Coviello, executive chairman of RSA Security, says there are basically four types of businesses. The first type — the way most businesses can be classified — is those who “set it and forget it.” These are people who want to install a firewall and “put their heads in the sand.” He says the next type is “compliance people,” who are more interested in checking a box that a requirement is met than in working toward the goal of security. The third category is “risk people,” who understand the risks but don’t partner well to communicate and share intelligence.

John Watters, CEO of iSIGHT Partners, describes the last category — which only about 1 to 2 percent fall into — as those who consider their business’s assets that could be at risk and take steps to protect them, as well as using intelligence to assess threats from the outside.

Both agree that the types of responses to security don’t fall along vertical lines. Businesses in the retail, banking, healthcare, non-profit, state and local government, education, and small manufacturing verticals can vary from “set it and forget it” to using a best-in-class approach to security.

Steve Surdu, VP of professional services for Mandiant, says it’s not that people aren’t interested in security — usually they just don’t think a cyberattack can happen to them. He adds that businesses sometimes rely too much on the technology they’ve installed without having the people and processes in place to make sure their systems are secure. In other cases, businesses might have the data they need but have no way to drill down into it to find vulnerabilities and threats.

Watters says there are also biases that can affect a business’s response to the threat of attack. Sometimes people approach security with a “mirror image bias,” thinking, “What would I do if I were a bad guy?” and taking measures against those imagined threats instead of real ones. The other bias, “the valley of mirrors,” is becoming overwhelmed by all possible threats and therefore ineffective. He advises, “Focus on what’s real…. Build a short list of threats and look for those threats in your environment.”

Charles Henderson, director of SpiderLabs for TrustWave, says, “We need to get back to basics.” He suggests more emphasis on security and less on compliance. He also said people have to be willing to communicate to contribute to intelligence about attacks.

Coviello adds that putting tools in place to stop attacks in the first place is another layer of security, but technology that cannot be broken into through an ever-growing number of entry points hasn’t been developed yet.

One deterrent available now, says Martin Ferencz, president, North America, for Oberthur Technologies, is EMV. Adoption in the U.S. is progressing slowly as Oct. 1, 2015 approaches — the date when liability for counterfeit-card POS transactions will shift to acquirers if the merchant does not have an EMV-enabled POS device. Ferencz explains that in a fully EMV-enabled environment, the digital signature attached to a specific transaction can’t be reused, eliminating the problem of counterfeit cards.
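To make concrete why a transaction-specific EMV cryptogram can’t be reused, here is a simplified model added for this article; it is not code from First Data, Oberthur, or the EMV specifications. It replaces the card’s real MAC algorithm with HMAC-SHA256, and the card number, card key and the terminal’s unpredictable number are constructed values. The issuer-side logic it shows (verify the cryptogram over the transaction fields, then require the card’s Application Transaction Counter to advance) is the structure behind the point Ferencz makes, and it also covers two related failures the paragraph only implies: a captured cryptogram presented with a changed amount, and a counterfeit card that has copied the card data but does not hold the key.

```python
"""
Simplified EMV-style cryptogram check. Illustrative model written for this
article, not EMV specification code. Assumptions: HMAC-SHA256 stands in for
the card's 3DES/AES MAC; the PAN, key and unpredictable number below are
constructed test values.
"""
import hashlib
import hmac


def generate_arqc(card_key: bytes, atc: int, amount_cents: int,
                  unpredictable_number: bytes) -> bytes:
    """Card side: MAC over the fields that make this transaction unique.

    atc is the card's Application Transaction Counter, which the chip
    increments on every transaction; unpredictable_number comes from the
    terminal. Output is truncated to 8 bytes like a real ARQC.
    """
    data = (atc.to_bytes(2, "big")
            + amount_cents.to_bytes(6, "big")
            + unpredictable_number)
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer host: holds each card's key and the last ATC it accepted."""

    def __init__(self, card_keys: dict):
        self.card_keys = dict(card_keys)
        self.last_atc = {pan: 0 for pan in card_keys}

    def authorize(self, pan: str, atc: int, amount_cents: int,
                  unpredictable_number: bytes, arqc: bytes):
        key = self.card_keys.get(pan)
        if key is None:
            return False, "unknown card"
        # 1. Recompute the cryptogram; any change to amount/ATC/UN, or a
        #    card without the real key, fails here.
        expected = generate_arqc(key, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, arqc):
            return False, "invalid cryptogram"
        # 2. A valid cryptogram is only good once: the ATC must move forward.
        if atc <= self.last_atc[pan]:
            return False, "replay"
        self.last_atc[pan] = atc
        return True, "approved"


# Constructed test data (not real card values).
PAN = "4000000000000002"
KEY = hashlib.sha256(b"constructed-card-unique-key").digest()
UN = bytes.fromhex("1a2b3c4d")  # terminal nonce; fixed here for repeatability


def run_demo() -> dict:
    """Run the genuine, replayed, tampered and counterfeit cases."""
    issuer = Issuer({PAN: KEY})
    results = {}

    # Genuine chip transaction: ATC 1, $25.00.
    arqc = generate_arqc(KEY, 1, 2500, UN)
    results["genuine"] = issuer.authorize(PAN, 1, 2500, UN, arqc)

    # Attacker captured the authorization message and replays it verbatim.
    results["replay"] = issuer.authorize(PAN, 1, 2500, UN, arqc)

    # Attacker keeps the captured cryptogram but changes ATC and amount.
    results["tampered"] = issuer.authorize(PAN, 2, 99999, UN, arqc)

    # Counterfeit card built from copied data: has the PAN, not the key.
    fake_arqc = generate_arqc(b"\x00" * 32, 2, 2500, UN)
    results["counterfeit"] = issuer.authorize(PAN, 2, 2500, UN, fake_arqc)

    # The real card's next transaction (ATC 2) is still accepted.
    results["next_genuine"] = issuer.authorize(
        PAN, 2, 4000, UN, generate_arqc(KEY, 2, 4000, UN))
    return results


if __name__ == "__main__":
    for name, (approved, reason) in run_demo().items():
        print(f"{name:13s} approved={approved} ({reason})")
```

The replayed message carries a cryptogram that verifies perfectly; it is the counter check, not the MAC check, that rejects it. That is the property a static magnetic-stripe record lacks: copied track data works every time, while a chip’s cryptogram is bound to one counter value and one terminal nonce.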

Lee Jurgens, director of sales and tender audit for Polo Ralph Lauren and chairman of the Merchant Advisory Group, says adding a PIN to credit cards could help solve that problem now. He also points out the attack and resulting data breach at Target last year was a wake-up call for many retailers. He says Target encrypted data from the POS system, not the terminal. He says securing the transaction from end to end is a step businesses can take to make systems more secure.

David Pollino, senior VP and fraud prevention officer for Bank of the West, says the security upgrades businesses are making now have to be viewed as a starting point: “It takes a continuous ongoing investment — always looking at the control environment and making it more efficient.”

Fran Townsend, former U.S. Homeland Security Advisor, stresses the importance of making someone responsible and accountable for security in the organization. Henderson adds this person should also be an advocate for what the business needs to continually upgrade its security. 

During a question and answer period at the symposium, a retailer in the audience commented that retailers aren’t security experts. Jurgens responded, “Wouldn’t our job be to make sure transactions are secure?”

See also: What Retail Executives Need To Know To Mitigate Security Risks