In this post, we get insights from Chris Novak, Global Director of Verizon Enterprise Solutions. He recently presented at the Middle East and Africa Forum in Cape Town, South Africa. Learn more about updates in the payment card industry by attending the upcoming community meetings in Bangkok (17-18 May), Orlando (12-14 September) and Barcelona (24-26 October).
This is the 10th year of the Data Breach Investigations Report. What are some of the biggest changes you’ve seen in data breach trends?
Chris Novak: The most notable changes have been in the advancement of the attacks. Many years ago, it used to be standard procedure when investigating an attack to pull the power on a machine and then take a forensic image of the hard drive. Nowadays, pulling the power on a machine is taboo, and instead the first step we typically take is to take a forensic image not of the disk, but of memory. Much of the best evidence is now resident in volatile memory, as well as in the traffic witnessed going across a network. This can make detection and response more difficult for organizations that are not familiar with these types of changes in threat actor techniques.
What are organizations still getting wrong when it comes to security? What are they getting right?
Chris Novak: Unfortunately, we still see a lot of organizations struggling with the basic foundational elements of security. Quite often we see organizations wanting to focus on the most sophisticated security technologies and solutions. While there is nothing wrong with those technologies and solutions, many organizations are just not ready for them yet. They are lacking a security strategy or journey mapping whereby they are applying all of these technologies and solutions in a coordinated and layered fashion. PCI DSS and the associated compliance programs do a great job of laying out those foundational items as well as the importance of a defense in depth or layered approach.
What do you see as the next big threat to payment security?
Chris Novak: With the global migration to EMV, we expect that the threat actors are going to focus more heavily on ecommerce targets, third parties, and intermediaries. I can’t emphasize enough how important it is that all organizations ensure that their respective partners and suppliers understand how they all play a role in the payment security ecosystem, and that they too are able to facilitate compliance with PCI DSS, PA-DSS, etc…
What industry sector is the hardest hit by criminal actors? What can be done to improve their security posture?
Chris Novak: This can be somewhat of a moving target as we see the criminal actors generally rotate through industries based on their level of knowledge of the payment ecosystem. We recently saw a wave of attacks on the hospitality industry and we’ve long seen ebbs and flows of attacks on fast food establishments and restaurants. With the increased targeting of ecommerce platforms, we’re seeing more diverse victim targeting.
The latest DBIR shows that it takes on average 8 months to detect a breach. Why does it take so long and what can be done to shorten this time frame?
Chris Novak: That’s correct. This is usually due to a number of factors… Some of the most notable include the victim organization simply not being aware of the threat landscape. They’re not plugged into the threat intelligence community and so may not become aware of new threat patterns and mechanisms for detection until it hits them for the first time. This is truly unfortunate as our research has long found that most organizations are not targeted in isolation. In reality, most victims are among a group of dozens to hundreds or even thousands of victims all being compromised in a similar manner. Not all are PCI related breaches, but the knowledge of the attack tools, techniques and procedures is a key missing ingredient in their ability to detect breaches faster and similarly mitigate them more quickly. I would encourage organizations to read our DBIR (www.VerizonEnterprise.com/DBIR) for a great list of security recommendations.
Why should organizations shift their mindset from believing that security is just an IT issue to realizing that security is a business priority?
Chris Novak: This has been growing in importance every year. In fact, you’re starting to see the mindset shift already, in that you’re seeing more CISOs reporting directly to the CEO or CFO instead of reporting to the CIO. There is a realization that a security/data breach can have far-reaching impacts on the business. In fact, there is even legislation being proposed in the United States to require that publicly traded companies must identify at least one member of their board of directors who is considered to be a cybersecurity expert. We continuously advise organizations on the importance of a sound security strategy, which must have top-down support in order to be effective.
What is the one key takeaway you hope attendees will come away with after your discussion at the PCI Middle East Forum?
Chris Novak: A key takeaway should be that nobody is immune to cybersecurity attacks. Our investigations team covers all corners of the globe and we have similarly investigated breaches all across the globe. Size, revenue, industry, etc… have little to do with whether you may suffer such an attack, so it’s imperative that all organizations take cybersecurity seriously.
Learn more from global payment security experts at the next community meeting: