In part six of our payments Q&A, we look at some of the prevailing cybersecurity issues and concerns moving into 2020. While innovation and advancements in technology have largely been a boon for the industry, bad actors have found ways to take advantage of new technologies, too. Between data breaches, evolving compliance requirements, and new vulnerabilities, companies in the financial sector need to step up.
We spoke with Dominic Vogel, Founder & Chief Strategist at CyberSC. Dominic holds a proven track record within cyber security across a multitude of industries (financial services, logistics, transportation, healthcare, government, telecommunications, and critical infrastructure) and actively participates in the Vancouver security community. He is also a well-respected cyber security expert for Global BC, CKNW980, News1130, and the Vancouver Sun. Dominic is highly regarded as a cyber security thought leader and serves on the BC Provincial Cyber Security Advisory Committee.
Ashley Poynter: The payments landscape is evolving at an accelerated pace, yielding new, faster ways to pay. That said, bad actors are evolving just as rapidly, creating cause for concern when it comes to keeping payments secure. What are the top threats to payments currently, and will we see any new, emerging threats in 2020?
Dominic Vogel: Many industry and security commentators tend to overplay the external/criminal threat. Don’t get me wrong, the malicious actors are very much a clear and present danger. However, the true risks are very much of our own doing and are enabling criminals to greatly profit! Applying security patches is a critical activity for any security-conscious organization. Effective patching must sufficiently address vulnerabilities on operating systems, applications and network infrastructure. Most organizations struggle when it comes to applying security patches in a timely manner. Criminals leverage these unpatched vulnerabilities to carry out their nefarious activities. The other emerging attack vector is that criminals are now taking advantage of the proliferation of applications across most businesses. The explosive growth of mobile and web apps has led to many insecurely coded applications being compromised. Whether an application was purchased from a vendor or developed in-house, every business needs to perform security scans on these apps and do frequent secure code reviews. Application penetration tests will identify any significant weaknesses that need to be addressed before the application goes live. If you have in-house developers, they should be trained on secure coding best practices. As an organization, if you focus on improving these two risk areas it will greatly reduce your chances of experiencing a negative security event. The criminals will simply move on to other low-hanging fruit at other businesses!
Ashley: Based on your experience, how many (or what percentage) of companies are actually prepared for a cyberattack? Why is this?
Dominic: Hahaha, that is a tough question! It really depends on the company size and sector. Some sectors (like the financial sector) are generally more prepared than those in less regulated industries (like travel, for example). I would say that over 2/3 of small/midsize businesses (under 1000 employees) are unprepared for a sustained cyber-attack. That number tends to get smaller as the organization size gets larger. Broadly speaking, most companies are NOT doing enough to be sufficiently prepared to deal with cyber risks. Every organization, big and small, can and must strive to do better. They owe it to their employees, shareholders, and customers.
Ashley: We have seen a rash of mega retailer data breaches over the past several years, which has really damaged trust in some major brands. What is the biggest piece of advice you have on preventing a data breach?
Dominic: A paradigm shift is required in terms of how we gauge “successful” security. Data breaches and security incidents will happen. The “zero breach” mentality of yesteryear does not hold today. The new approach of “assume breach” is sorely required. There has been a traditional over-focus on preventing data breaches; however, that is myopic thinking. How we approach data breaches should be similar to how we approach cancer – an equal focus on prevention, early detection, and rapid response. That is how you strategically reduce the likelihood and impact that cancer can have on your life. You can’t fight cancer by just focusing on prevention. In fighting cancer, the prevention portion is about eating right and exercising. If you have cancer, you want to detect that as early as possible and rapidly respond once a cancer diagnosis has been made. Data breaches are no different. An equal balance of preventative controls/processes coupled with detection capabilities and a well-planned and practiced response capability greatly reduces the likelihood and impact that a data breach will have on your business. Data breaches will be part of the new operating norm. How organizations respond to data breaches will be a key competitive differentiator within the next few years. Data breaches for organizations that have robust and resilient preventative/detection/response capabilities in place will be a minor speed bump. Data breaches for unprepared organizations will be a massive sinkhole.
Ashley: PCI DSS v4.0 will likely be released in late 2020 at the earliest. What’s new and what can organizations do now to gear up for compliance?
Dominic: The new version will not be fundamentally different from previous PCI compliance mandates. The new version will incorporate additional areas that need to be included given the current threat landscape. There are four areas where there will be new guidance: authentication (reflects the latest best practices on passwords and multi-factor authentication), encryption (broader requirements for encrypting cardholder data), monitoring (expanded usage of network traffic analysis and endpoint detection capabilities), and testing (critical controls may be tested more frequently than they have been in the past). None of these items are earth-shattering or intrinsically difficult to complete. I would encourage organizations that need to be PCI compliant to begin drawing up project plans for meeting these new requirements (if they have not already done so). The multi-factor authentication control may be the hardest, as it could directly impact business processes and the user experience. Any multi-factor authentication deployment requires working directly with users and making sure the transition from just username & password is as frictionless as possible.
Ashley: Compliance is a complex issue and given the plethora of threats out there, many wonder if compliance is enough to protect sensitive payments data. What are your thoughts? Is PCI compliance enough or are there additional measures that need to be taken to avoid a breach or other negative outcomes?
Dominic: There is a prevailing myth that being compliant means that as an organization you are 100% secure. Compliance does not equal security, unfortunately. An organization can be PCI compliant but still have a poor security posture. Compliance mandates are meant to establish a minimum baseline of best practices and controls and serve as a foundational building block. I am a firm believer that if you adopt a rigorous security framework (such as the CIS Top 20 Security Controls or the NIST Cybersecurity Framework), compliance will be a natural outcome of going through this process. Becoming compliant with different mandates becomes systematically easier as a result.
If you missed our other Q&A articles, you can view them here:
- Payments Q&A: IBM’s Dave Maddox on Consolidation, Emerging Payment Platforms, and Blockchain
- Payments & Fintech Q&A: Scarlett Sieber on Apple Card, Gen Z, and Cryptocurrency
- Quick Hit Payments Q&A with Holly Hughes
- Payments Expert Q&A: Gregory Leos Talks Acquisitions, Digital Payments, and Mobile Skepticism
- Payments Leaders Q&A: Fiserv’s Stephanie Foster Discusses 2020 Predictions, Connected Experiences, and Open Banking
Stay tuned in the coming weeks. I will be interviewing more experts on the evolution of the payments world, shifts in the ecosystem, and what to expect in 2020.
If you’re interested in participating in one of our Q&A With the Experts series, please send us a note here.