UK financial services and retail firms stand accused of ‘naivety’ and ‘complacency’ after a survey has revealed that recent major data breaches have had little impact on their cyber security controls.
A study by Atomic Research of 102 financial and 151 retail organisations in the UK finds that 60 percent are confident that their security controls are able to prevent the loss of data files. But this “flies in the face of recent evidence to the contrary,” said Tim Erlin, director of IT security and risk strategy at report sponsor Tripwire.
“It is shocking to see the high level of confidence exhibited by respondents in the wake of the recent series of high-profile cardholder data breaches,” he said.
Nearly a quarter of the survey respondents have themselves suffered a data breach in which personally identifiable information (PII) was stolen or accessed, and recent hacks within the two sectors include the attack on US retailer Target that resulted in the theft of 40 million payment card numbers and 70 million customer records.
In the face of this, Tripwire CTO Dwayne Melancon accused the firms of “a false sense of security”, saying “95 percent of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.
“These attitudes seem to indicate a high degree of over-confidence or naiveté among information security practitioners. I believe a number of these organisations may be in for a rude awakening if their systems are targeted by criminals.”
In fact, more than a third of the respondents admitted they do not have confidence in their incident response plan and only 60 percent believe their systems have been hardened enough to prevent the kind of data loss seen recently.
The survey also quizzed respondents about their use of the Payment Card Industry Data Security Standard (PCI DSS) for handling cardholder information.
The report says: “When asked how important PCI compliance is, 43 percent of respondents said it was the backbone of their security programme. However, to protect confidential customer data, organisations must also apply other security controls.”
Industry figures contacted by SCMagazineUK.com agree the survey shows up an attitude problem among the organisations concerned and an over-reliance on compliance with standards like PCI DSS.
Scott MacKenzie, CISO with cyber security solutions provider Logical Step, told SC via email: “The PCI DSS gives organisations a cosy feeling that they are secure. However the compliance is at a point in time. One in four organisations have already suffered data breaches, yet over 95 percent of respondents were somewhat or very confident in the security controls they had in place. This indicates a high degree of naivety.”
Leading CISO and industry commentator Amar Singh agreed: “It's a mix of over-confidence and over-complacency. There seems to be a degree of naivety, in some cases credulity, from the respondents in this survey,” he told SC.
“This could be because of the sectors they are from: given that they are subject to regular compliance assessments and regulations (read as tick box exercises) I am guessing that it becomes a natural tendency to assume that ‘we have passed all the audits and assessments so we must be secure’.”
Singh added: “What stands out is there seems to be a high degree of overall confidence of the ability to detect a breach within a few days. That may be true for what I call regular breaches but I would be surprised if the majority of organisations surveyed are actually able to detect advanced attacks from highly skilled threat actors.”
Also commenting to SC via email, Tim Erlin said: “The evidence from the media and from security research from organisations like Check Point and Verizon clearly points in the direction of the problem getting worse, while the relative concern from this group of respondents is minimal.
“It's important to keep in mind that the respondents for this survey came from a specific demographic - retail and financial institutions involved in payment card processing. This group should be at the forefront of security, given the recent trend of breaches focused on cardholder data.”
The ‘Retail and Financial Services Security Report Infosecurity 2014' survey report is available here.