[BreachExchange] Facing the UK cyber-security threat

[Audrey McNeil]

http://www.scmagazineuk.com/facing-the-uk-cyber-security-
threat/article/566897/

Cyber-crime is an urgent priority.

A recent report released by the Financial Fraud Action (FFA UK) showed more
than one million incidents of financial fraud occurred in the first six
months of 2016.  That is an alarming 53 percent increase compared to the
same period last year.

On top of this dramatic growth in financial fraud, new EU legislation,
which comes into effect in 2018, could result in substantial fines and
penalties for businesses that experience cyber-security breaches. In the UK
alone, this could add up to a whopping £122 billion pounds in regulatory
penalties for these breaches. That should be a wake-up call for everyone
who cares about their cost of doing business and protecting their
consumers' payment data.

The cyber-threats to the UK business community are very real indeed. A
survey of 7,000 large UK organisations showed that 90 percent reported
suffering a security breach in 2015. Small and mid-size businesses are no
long immune to attacks either. The same survey found that 74 percent of
businesses with less than 250 employees reported suffering a security
breach.

With looming legislation and increasing attacks, organisations doing
nothing for data security is no longer an option, the time to take action
is now. That's why this month in Edinburgh the PCI Security Standards
Council, the leading global authority on payment security, hosted its
annual Community Meeting bringing together cyber-security experts to
discuss the growing cyber-threat, and collaborate on helping businesses
prevent, detect and respond to cyber-attacks that can lead to payment data
breaches.

The good news is we know what works for protecting data and what doesn't.
The PCI Security Standards have been in place now for 10 years and
represent a strong foundation for data security that involves people,
process and technology all working together in an atmosphere that
prioritises data security.

So what actions can businesses take today to do this?

Educate, empower, protect

For starters, many companies need to change the way they view security and
make it a 24/7 priority.  Some questions you should be asking are:

 Do you have a person in your organisation with overall responsibility for
data security? Please tell me it is not just the IT director! Cyber-crime
is so much more than just an IT issue. It affects everyone, and it must be
prioritised from the top down, and throughout your company.
Have you implemented and had externally assessed a data security programme?
The PCI DSS is an excellent data security standard that can be applied
across the board.
Do you have an incident response plan in place, and has this been tested
this year? Recent breaches have clearly highlighted the critical importance
of having such a plan so that everyone, but especially board level staff,
are fully prepared when the breach occurs.

It might come as a surprise to many that almost all of the
headline-grabbing payment card data breaches we've seen over the past few
years were entirely preventable. In fact, most breaches involving credit
card data have been neither sophisticated nor “new.”  Payment data
breaches, in contrast to the sophisticated cyber-espionage attacks we read
about, are surprisingly simple and preventable –IF you are making security
part of your business-as-usual.

Data security must be deeply engrained into an organisation's culture, not
layered like frosting on a cake but baked in from the start. Too many
organisations view data security as a once-or-twice a year annoying box to
check.

The cyber-threat is not going away, but organisations can fight back by
prioritising data protection now. Establishing good data security takes
time and effort, and requires ongoing education vigilance and
collaboration.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161021/f72f0126/attachment.html>