Well, it’s the start of all those analytical reports for 2015 and I'm glad that this one is out to give us an account of PCI across the world…
In this year’s report, for an account of breaches in 2014, we have a new addition on the analysis of usage of compensating controls and compliance sustainability… Interestingly, whilst compliance across the case load showed an increase of 80% for companies that validated compliance, it still represented only 20% of organisations assessed, and unfortunately, many fall out of compliance rather rapidly with nearly a third of organisations falling out of compliance less than a year after successful validation… It’s the old potato again: those organisations that haven’t embedded security in their DNA will only ever treat it as a compliance exercise and forget about it until the next time an assessment is due...
A blog about information security, payments, risk, fraud, digital innovation and social media...
Showing posts with label PCI DSS. Show all posts
22 April 2014
WHY DO DATA BREACHES HAPPEN? Clues from the Verizon DBIR 2014...
The always eagerly awaited Verizon DBIR 2014 was released earlier this year. As always, with a nice cup of coffee and some smooth jazz playing in the background, I will endeavour to distil the essence of this always excellent publication... Well, this year, the DBIR departs from just analysing data breaches to looking at 63,347 confirmed security incidents, of which 1,367 were confirmed data breaches (compared to 621 for 2012) across 95 countries (compared to 27 in 2012). This gives far greater richness to the data set and the insights that can be derived from it (rightly so, the DBIR team notes that incidents need not necessarily result in data loss to have a significant impact on an organisation – I couldn’t agree more!). Also don’t miss the month by month review of the major incidents of 2013 on pages 3 & 4, that’ll get you in the mood...
10 March 2014
DON'T BE A TARGET... ON RETAIL POS, BANKS, EMV & WINDOWS XP...
McAfee Labs' latest report reveals that hackers are using basic 'off the shelf' malware to target retail POS systems, a very topical subject, I’m sure you will agree... But we have to remember that the breaches mentioned in the McAfee report took place in the US, and there is one notable difference between retailers there and those in Europe: the US haven’t yet adopted EMV (aka Chip & PIN)...
4 April 2013
A CONSOLIDATED VIEW ON DATA BREACHES IN 2012 - PART 2...
It seems that many of you found my previous post of interest, so as promised, here’s the second part. But first, let’s all have a look at this 2min 48s video: Security Threats by the Numbers from the Cisco 2013 Annual Security Report. Unsurprisingly, the Trustwave GSR highlights that e-commerce sites were the most targeted asset, accounting for 48% of all investigations...
31 March 2013
A CONSOLIDATED VIEW ON DATA BREACHES IN 2012 - PART 1...
It’s that time of year again where we try to make sense of all the new research and statistics. Today, I give you the Trustwave 2013 Global Security Report which analyses 400 data breach investigations (compared to 300 in 2011) across 29 countries (compared to 18 in 2011). Unsurprisingly, 96% of the breaches involved the theft of customer records (payment card data, PII, email addresses), compared to 89% in 2011. Closer to home, this is confirmed by the CIFAS Fraudscape report published in March 2013, where, whilst total fraud in the UK only showed a 5% increase since 2011, abuse of identity fraud increased by a whopping 17.1%, correlating to the Trustwave report showing that out of all client-side attacks observed, 61% targeted Adobe Reader users via malicious PDFs, clearly pointing to social engineering.
26 March 2012
VERIZON DBIR 2012 - some context...
The Verizon DBIR 2012 was released last week and I am sure you have seen a lot of blog posts, articles and tweets on the subject... So let me try and put a different perspective on it: many of you will have heard me say that the DBIR is the “gift that keeps on giving”, and yes, it is! But as with every report, statistics and opinions always have to be put into the right context... The conclusions are not surprising, but there are quite a few little nuggets in the report that are worth examining...

To start with, I am glad to see that the analysis now offers some separate insights in relation to SMEs and larger organisations, as some of the issues can be different depending on size. The case load is also bigger this year (855 incidents compared to 761 in 2010) and known compromised records studied were also greater (3.8 million in 2010 compared to 174 million in 2011 - mostly due to the return of the “mega breaches” in 2011 after a relatively quiet 2010).
21 February 2012
UNDERSTANDING CLOUD SECURITY: PART TWO...
I thank you for your attention on the previous post where we had a look at security considerations for the three main cloud service models commonly referred to as SPI (SaaS, PaaS, IaaS). As promised, here’s part two looking at other cloud implementation considerations, namely:
- Cloud deployment model: public vs. private vs. community vs. hybrid deployments,
- Cloud location: internal vs. external hosting or combined,
19 February 2012
UNDERSTANDING CLOUD SECURITY: FINDING THE BOUNDARIES...
It seems that my previous post on compliance and third parties struck a chord with a few of you... So I guess it’s about time I dedicated some time to “The Cloud” specifically! Over the past couple of years, we have seen a lot of hype and confusion as to what The Cloud really means and what it can do for you. I think we have now reached the stage where there is perhaps a bit of disappointment that The Cloud, due to inflated expectations, is perhaps not a miracle...
12 February 2012
COMPLIANCE IN THE DIGITAL ERA: WATCH OUT FOR THE 3rd PARTY...
By 2015, there will be more than 15 billion interconnected devices on the planet, twice the world population. In that period, the total amount of global Internet traffic will quadruple. (Cisco Visual Networking Index (VNI) Forecast (2010-2015), June 2011)

It is estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people (National Fraud Authority, October 2010).

Every year, we share more of ourselves online...
8 February 2012
THE TRUTH BEHIND DATA BREACHES...
I was pleased to see the release of the Trustwave 2012 Global Security Report as I find it always a very good source of information! This year’s report analyses 300 data breach investigations across 18 countries and, unsurprisingly, 89% of the breaches involved the theft of customer records, including payment card data and other personally identifiable information such as email addresses.
3 February 2012
INCIDENT RESPONSE – HAVE YOU GOT A PLAN?
So, the National Institute of Standards and Technology (NIST) announced a couple of days ago the release for comments of draft Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide. How very timely that was! With 2011 dubbed the year of the data breach, and the fact that it takes 3 to 8 months on average for an organisation to discover they have been breached, what better New Year’s resolution than to have an effective Incident Response Plan?...
1 February 2012
EU DATA PROTECTION LAWS – WHAT DOES IT ALL MEAN?...
After yesterday’s post on data protection, I thought it would be logical to follow with some info on the EU proposal for new data protection laws...

17 years ago, the EU’s 1995 Data Protection Directive set a milestone in the history of personal data protection, and whilst its principles are still valid, the differences in the way that each EU country implements the law have led to an uneven level of protection for personal data. In addition, the rules were introduced when the Internet was still in its infancy and the digital age has brought with it increasing and sometimes unexpected challenges for data protection. With social networking sites, cloud computing, location-based services and smart cards, we leave digital traces with every move we make. Evidently, we now need a new set of rules that is future-proof and fit for the digital age.
29 January 2012
THE RISE OF THE NEW CISO: RISK MANAGEMENT vs COMPLIANCE
For those who didn't attend PCI London on 25th January 2012, I reproduce here the article I wrote for their magazine; I hope you find it of some use... :)

THE RISE OF THE NEW CISO: RISK MANAGEMENT VS COMPLIANCE

Last year at PCI London 2011, my article for this magazine was about the need to move from Compliance to Risk Management and I hosted a panel of industry experts from Visa Europe, MasterCard, the PCI SSC, IRM plc as well as representatives from John Lewis plc and the Home Retail Group. It was undeniable that retailers and merchants in general have felt the need for some while to invest where business value can be derived. The concept of risk management, when it comes to looking at Payment Security, undeniably struck a chord!