Top Security Issues for 2015
New Payments Methods; 'Back to Basics' on Breach Prevention
I walked away with two overarching messages from the two cybersecurity summits Information Security Media Group hosted in the New York area last week. First, it's time to prepare for dramatic changes in U.S. payments. And second, the majority of the cyber-attacks waged against our financial infrastructure are not that sophisticated - and thus can be thwarted with the right strategies.
On the payments front, the U.S. migration to EMV chip cards will ramp up next year, in anticipation of the liability shift for counterfeit card fraud imposed by the card brands taking effect in October 2015.
On the breach front, presenters at our Global APT Defense Summit on Oct. 22 pointed out that many breaches use low-tech techniques, such as SQL injections, which provide attackers remote access by bypassing normal authentication mechanisms; the exploitation of weak passwords; and the targeting of insiders with phishing schemes. And the best way to thwart these threats may be a stronger focus on spelling out clear security policies and procedures and then educating staff about how to put them into practice.
Lessons for 2015
At the Fraud Summit, Visa's Eduardo Perez pointed out that for EMV to succeed in helping reduce fraud, banking institutions and retailers need to do a good job of educating consumers about how chip and magnetic-stripe card transactions differ.
Perez says too many consumers remain clueless about how EMV chip cards will change the way they make payments. "Soon consumers will receive and use new chip cards and more than half of all payment terminals will activate chip technology in the next year," Perez notes. "Obviously, awareness and education are a big part of this change," he adds. "That's why Visa is pushing a national education effort."
The advent of Apple Pay, which provides EMV-compliant mobile payments, will also rapidly change the payments landscape, Perez says. Banking institutions are already jumping onboard. Earlier this month, Apple announced that some 500 additional banks had signed on to support the service for their customers (see How Will Apple Pay Impact U.S. EMV?).
But the key to widespread use of Apple Pay, and other secure mobile payments options, again, is consumer education.
Going Beyond Compliance
That's because, in spite of all of the technology investments being made to enhance security, most organizations continually fail to address the basics: Educating staff and third parties about how to carry out security policies and procedures in their day-to-day routines.
I think FireEye's David Merkel, a featured speaker at our APT Summit, said it best: "We need to invest in the expertise of humans to detect and prevent these attacks."
Merkel points out: "You should constantly provide training throughout your organization to ensure the entire company is security conscious."
Clearly, technology can play an important role in breach prevention. Investing in network monitoring and behavioral analytics, for instance, is critical. But if your organization is forgetting to educate its employees about phishing attacks aimed at socially engineering them to cough up confidential information and network credentials, the best security technology out there is not going to prevent your network from being compromised.