Lack of long-term security strategies by business leaders results in almost 1 in 4 organizations failing to keep cardholder data secure, says the Verizon 2020 Payment Security Report.
This finding is concerning as more and more customers are turning towards contactless payment forms for in-shop purchases to address the social distancing requirements because of the coronavirus pandemic.
Protecting customer payment data is a priority
No matter which industry you belong to or the size of your business, if you accept card payments and process, transmit or store cardholder data you need to meet the payment card industry (PCI) security compliance requirements and continuously validate compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards established in 2004 and comprises 12 key requirements. The standard’s fundamental purpose is to inform businesses about how to become more secure and to provide overall guidelines for sustaining a secure payment environment.
These standards are designed to protect businesses, and their customers, from breaches that could negatively affect their functions, finances, and reputation. Customers trust that merchants will protect their payment card information. If the merchants fail to do so, the chain of trust is broken, which is why securing your customers’ payment data should always be a priority.
The report key findings include the following:
- Only 27.9% of global organizations were able to maintain full compliance with PCI DSS
- This is the third successive year that compliance has declined, with a 27.5 percentage point drop since compliance peaked in 2016 (as reported in the 2017 PSR)
- Lack of competent strategies and leadership support are cited as the root cause for lack of compliance
- A little more than half of organizations (51.9%) successfully test security systems and processes, as well as unmonitored system access
- Less than half of organizations (47.9%) in the Americas changed vendor defaults or had a process for monitoring them.
- Approximately two-thirds of all businesses (66.2%) track and monitor access to business-critical systems adequately
- Only 7 out of 10 financial institutions (70.6%) maintain essential perimeter security controls.
Data security compliance impacts all businesses
The Verizon report identifies small and medium-sized businesses (SMBs) as having their own unique challenges with securing payment data. While smaller businesses have less card data to process and store than larger ones, they also have fewer resources and smaller budgets for security, which hampers their efforts to maintain compliance with PCI DSS.
Often the measures needed to protect sensitive payment card data are perceived as too time-consuming and costly, but as the likelihood of a data breach for SMBs remains high, it is imperative that PCI DSS compliance is sustained. According to the 2020 Verizon Data Breach Investigations Report (DBIR), a growing number of SMBs are using cloud- and web-based applications and tools. These services can make them prime targets for threat actors determined to compromise payment card data.
Data security compliance challenges
Lack of data security sustainability and effectiveness is not the result of a lack of appropriate technological solutions, but rather of failures in designing, implementing, and maintaining an effective and sustainable security strategy. According to the Verizon 2020 PSR, CISOs are faced with 7 data security challenges that need to be addressed to build a strong compliance regime that can adapt when necessary.
- Inadequate leadership
Data security is not just an IT problem. It is primarily an issue of leadership and executives lacking the skills, competency, experience, and resources to run effective and sustainable data security compliance programs. Further, as data security has affected, and will continue to affect, the overall enterprise, organizations may benefit from reassessing the role of the CISO within the organization. More than 54% of CISOs report to a CIO. As they constantly deal with internal and external threats, they usually lack visibility into enterprise risks, assets, organizational changes, business strategies, and legal and compliance requirements. In the current environment, the CISO should be astute in business and strategy analysis.
- Lack of strategic support
A security strategic plan includes a prioritized list of objectives with adequate support for critical resources. An essential and often missing ingredient for a successful security strategy is collaboration between the business and the security function, and business support for security compliance objectives and priorities. A security strategy cannot be enforced without support from the business and operations functions. Organizations exist to execute their business models, with security as a secondary objective. However, as more businesses use online systems to expand and operate, they are starting to realize that information security needs to be factored in as a cost of doing business. The CISO, in turn, needs to be part of the organization’s strategic decisions in order to communicate the value of incorporating data security and compliance into the organization.
- Lack of resources
CISOs struggle to get the resources they need to support security strategies. Several factors affect an organization’s control environment. These include a global shortage of cybersecurity skills in the market and a lack of the resources needed to develop proficiencies and train people. These constraints prevent organizations from reaching the process and capability maturity needed for a sustainable and effective security program.
- Weak strategic design
Effective data security compliance programs start with a robust strategy. The strategy, however, needs to be supported with capabilities, processes, and leadership. Further, the strategy needs to be tracked and monitored for success. Without these factors, even a good strategy will fail to deliver; the same is true of a weak strategy, which results in weak processes and capabilities. If robust and concise processes and capabilities are not clearly specified in the strategic plan, data security will be left open to weaknesses and vulnerabilities.
- Inefficient strategy implementation
The failure to align security and business strategy results in data security solutions that are far too technology-focused. However, security is also about the processes and strategy needed to balance strategic planning and execution while managing day-to-day operational challenges. The correct selection and adaptation of, and adherence to, a framework is also an important piece of the puzzle for enforcing and sustaining a security strategy.
- Low process maturity with lack of continuous improvement
Inadequate capability and business process management and control result in weak security and compliance programs. Poor processes and capabilities are the key reasons that people and fit-for-purpose technology fail to align. Mature data security environments can be achieved by all organizations if they focus on maturing all key processes instead of over-relying on technology.
- Poor communication
How companies communicate complex projects, such as a compliance program implementation, can affect the likelihood of a breach. Poor communication can be a significant reason why data security compliance is trending downward. Business leaders fail to see the value and benefits of data security and compliance because CISOs don’t communicate their impact on the organization and its goals.
How to establish an effective data security environment
Businesses and CISOs can address the above challenges if they focus on the following key elements of an effective data security environment:
Security business model
The security business model is an overarching model that ties all the elements together to obtain business support for the security strategy. This model defines the objectives and aligns organizational programs to deliver maximum value.
The security business model is translated into a strategy. The security strategy aligns with the business mission and objectives, drives the careful selection and prioritization of the security and compliance approach and objectives, and guides the allocation of resources.
Security operating model
The strategy is supported by the security operating model, which allocates resources to processes. The operating model represents how value is created and by whom within the organization.
Frameworks provide structure. The correct selection and application of frameworks should move organizations away from being too technically focused.
Security programs and projects
The operating model is supported by security programs. The program delivers outcomes and achieves long-term objectives by managing related projects.
How ITEGRITI can help
ITEGRITI develops and implements security programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor, and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event.