Cyber-crime is an urgent priority.
A recent report released by the Financial Fraud Action (FFA UK) showed more than one million incidents of financial fraud occurred in the first six months of 2016. That is an alarming 53 percent increase compared to the same period last year.
On top of this dramatic growth in financial fraud, new EU legislation, which comes into effect in 2018, could result in substantial fines and penalties for businesses that experience cyber-security breaches. In the UK alone, this could add up to a whopping £122 billion in regulatory penalties for these breaches. That should be a wake-up call for everyone who cares about their cost of doing business and protecting their consumers' payment data.
The cyber-threats to the UK business community are very real indeed. A survey of 7,000 large UK organisations showed that 90 percent reported suffering a security breach in 2015. Small and mid-size businesses are no longer immune to attacks either. The same survey found that 74 percent of businesses with fewer than 250 employees reported suffering a security breach.
With looming legislation and increasing attacks, doing nothing about data security is no longer an option for organisations; the time to take action is now. That's why this month in Edinburgh the PCI Security Standards Council, the leading global authority on payment security, hosted its annual Community Meeting, bringing together cyber-security experts to discuss the growing cyber-threat and to collaborate on helping businesses prevent, detect and respond to cyber-attacks that can lead to payment data breaches.
The good news is we know what works for protecting data and what doesn't. The PCI Security Standards have been in place now for 10 years and represent a strong foundation for data security that involves people, process and technology all working together in an atmosphere that prioritises data security.
So what actions can businesses take today to do this?
Educate, Empower, Protect
For starters, many companies need to change the way they view security and make it a 24/7 priority. Some questions you should be asking are:
- Do you have a person in your organisation with overall responsibility for data security? Please tell me it is not just the IT director! Cyber-crime is so much more than just an IT issue. It affects everyone, and it must be prioritised from the top down, and throughout your company.
- Have you implemented a data security program and had it externally assessed? The PCI DSS is an excellent data security standard that can be applied across the board.
- Do you have an incident response plan in place, and has it been tested this year? Recent breaches have clearly highlighted the critical importance of having such a plan so that everyone, but especially board-level staff, is fully prepared when a breach occurs.
It might come as a surprise to many that almost all of the headline-grabbing payment card data breaches we've seen over the past few years were entirely preventable. In fact, most breaches involving credit card data have been neither sophisticated nor “new.” Payment data breaches, in contrast to the sophisticated cyber-espionage attacks we read about, are surprisingly simple and preventable, IF you are making security part of your business-as-usual.
Data security must be deeply ingrained in an organisation's culture, not layered on like frosting on a cake but baked in from the start. Too many organisations view data security as an annoying once-or-twice-a-year box to check.
The cyber-threat is not going away, but organisations can fight back by prioritising data protection now. Establishing good data security takes time and effort, and requires ongoing education, vigilance and collaboration.
Contributed by Jeremy King, international director, PCI Security Standards Council