The payment card industry data security standard (PCI DSS) is designed to protect consumers by encouraging businesses to do more to protect payment card details. A recent survey by US Internet giant Verizon found that compliance with PCI DSS can be a powerful force in fighting cyber-crime – but many organisations struggle to maintain full compliance with the standard.

Speaking to Computer Weekly, Verizon’s head of advisory services Gabriel Leperlier commented: “Since 2010, not a single organisation that has been breached was 100% PCI DSS compliant at the time of the breach.” This is a striking finding. So why do so many organisations struggle to stay compliant with the standard?

Firstly, it helps to examine the 12 requirements of PCI DSS:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

In addition to these 12 requirements, digital security teams must contend with changing technology, workplaces that are riddled with web-connected devices, malicious employees and a host of determined hackers, criminals and foreign agents – who are all working day and night to access a company’s valuable data.

As Leperlier puts it: “Many organisations struggle to keep up with the continual cycle of scanning, testing and patching, which is why it is important to involve all employees, so they understand why certain security controls are in place and will be more likely to stick to them rather than finding ways around them.”

Achieving and maintaining PCI DSS compliance does not guarantee that you won’t be breached, but letting compliance lapse means the controls above (scanning, patching, access restriction, logging) have gaps, and gaps are exactly what attackers look for. Dropping the ball on PCI DSS compliance effectively means making life easier for anyone who wants to steal your data.

There are many examples of companies that have paid a heavy price for data breaches that complete compliance with PCI DSS could have helped prevent. For example, US retail giant Home Depot agreed to pay at least $19.5 million to consumers harmed by its 2014 data breach. The consumer lawsuit alleged that the breach was enabled by inadequate security software and weak data protection policies. Under PCI DSS, companies are required to conduct regular vulnerability scans, something that was not carried out fully at Home Depot.

PCI DSS compliance may be difficult to achieve and maintain, but it seems the costs of dealing with a major data breach are likely to be far higher than the price of meeting the 12 requirements outlined above.

A new report by business broadband provider Beaming suggests that UK companies are being bombarded by cyber attacks.

Their survey found that attacks are up by a quarter (27%) in the first three months of 2018. On average, UK companies with an internet connection experienced 600 attempts per day to break their corporate firewalls, compared to 474 attempts in the same period in 2017.

Surprisingly, the majority of attacks are not aimed at servers and databases. Hackers are instead turning their attention to smart devices and internet-connected gadgets such as building control systems and cameras. Perhaps these are seen as softer targets where their intrusion can go undetected. It is believed that hackers want to control these devices so they can later use their processing power to launch distributed denial of service (DDoS) attacks – or spread malware.

Part of the dramatic rise in hacking attempts can be attributed to an increase in attacks coming from Europe. 44% of attacks originated on the continent, pushing Europe to overtake Asia as the most common source of attacks. Over a third of attacks were launched from the Czech Republic and 12% originated in Russia.

Sonia Blizzard, managing director of Beaming, comments: “2018 has been the worst start to a year we’ve seen for the volume of cyber attacks on UK businesses, in large part due to an unusual increase in activity originating from Europe since the start of March.”

“Company firewalls and IT security systems have been under constant pressure from malicious computer scripts and we’ve had to constantly update our network-level protections to keep up with new and evolving threats.

“It is important that businesses of all sizes regularly review their cyber security measures, monitor their IT systems and communication networks for unusual activity and take all the help they can get to stay ahead of the criminals.”

Raise awareness with regular staff training

Your employees are on the front line of the data wars. Hackers often target employees as a means of gaining access to your systems, whether in the form of phishing, invoice fraud, or taking advantage of weak passwords. Once hackers have a window into your systems, they can search for valuable data and copy as much as they like.

Regular training is the easiest way to remind employees of their important role in maintaining the integrity of your systems and shielding your valuable data from competitors and opportunists.

At VinciWorks, we offer cyber-security training that is delivered online, making it convenient and affordable to deliver to small teams or large populations, wherever they are based.

We’re very pleased to announce the arrival of our latest compliance course: The Using Social Media Challenge.

Written and directed by our talented development team, the course combines a refreshing mix of story-telling, gamification, and immersive eLearning to offer learners an interactive video experience that’s sure to wow!

Fresh, fun, and informative, The Using Social Media Challenge is designed to raise awareness about hacking threats on Social Media.

To take the challenge, users must take on self-confessed cyber-criminal, John (and his fiendish team of hacking experts), and prevent him from accessing their data and infecting their computer by making the right choices whilst using social media. Each time learners thwart John’s efforts successfully, they will be rewarded with a shield. Making the wrong choices, though, will result in a win for the cybercrime syndicate and a ‘virus’ for the unsuspecting victim.

How many shields will you collect?


Recent research suggests that almost half of UK businesses expect to receive GDPR non-compliance penalties, with many owners having already set aside funds in anticipation of a fine.

The research (conducted by data privacy firm Ensighten) highlights a worrying level of unpreparedness for the new legislation and the additional responsibilities it brings for organisations that process and store personal data. Ensighten CEO Ian Woolley comments that business owners are ‘aware, but still uncertain’ about GDPR, with 61% of survey respondents indicating they would like an extension of the deadline if one became available.

At What Cost?

A lot has been made of the potential penalties for non-compliance with GDPR. The Information Commissioner’s Office (ICO) will be able to fine up to £17m or 4% of annual global turnover, whichever is higher, and the shock value of that figure makes for eye-catching headlines. However, organisations would do well to keep a level head on the matter and remember that their compliance efforts and behaviour will be taken into consideration when any fine is set.

In this sense, it is important for companies to work on implementing a culture of data protection as standard – and as an ongoing commitment – rather than viewing GDPR as simply a box-ticking exercise with a ticking time-bomb attached.

How can VinciWorks Help?

The good news is that organisations still have time to educate their employees about the new legislation and what it will mean for data processors, subjects, and controllers at a practical, day-to-day level.

As firm believers that prevention is better than cure, VinciWorks offers a range of GDPR eLearning courses, from introductory modules to more comprehensive courses, as well as microlearning courses covering specific GDPR clauses that your employees may find tricky.

Specially developed to get organisations GDPR-ready, our comprehensive eLearning course, Protecting Data, offers a detailed yet accessible approach to GDPR legislation. Developed alongside subject experts, the course gives particular focus to the principles, rights, and obligations of GDPR, and offers learners the opportunity to test their knowledge by asking them to deal with realistic potential data-breaches.

To find out more, simply get in touch via the form below. It’s never too late to start your compliance journey.

Facebook and Cambridge Analytica recently found themselves at the centre of a sensational dispute over the collection and use of personal data (in this case, information about users’ political opinions, which is ‘sensitive’ personal data under the Data Protection Act and ‘special category’ data under the new GDPR legislation).

It all began with a ‘Personality Quiz’ app designed, and one can assume approved, for use on the social networking site as a fun way to pass the time and connect with friends. As was common at the time, the app was also built to harvest the personal data of the user and, if reports are true, that of their friends, who had never consented.

According to reports, the personal data was then sold to Cambridge Analytica and used to psychologically profile users so that targeted advertisements and political spin/smear campaigns could be delivered straight to their profile pages and newsfeeds. A shocking allegation of invasion of privacy and political bias that has authorities on both sides of the pond enraged.

It’s worth noting that Facebook has since changed the amount of data that app-developers can scrape in this way and removed the app, demanding all its information be deleted.

Cambridge Analytica claims that it never used the data, and deleted it when Facebook told it to.

So, what can we take from the events?

It’s true that most users of social networking sites have no idea how much the platform actually knows about them (and their list of contacts). Remember, advertisers buying space on such networks are paying for your attention, and that attention is intensely targeted by the personal and sensitive data we’re almost all guilty of over-sharing online. The question left in the aftermath of such a scandal is this: with whom does the burden of data protection lie, the user or the platform?

Admitting that mistakes were made, Zuckerberg listed the more stringent measures he would implement to protect users’ data. His proposed solutions include a tool that lets users control their own data on the site, e.g. which apps they allow to access their profile information and for how long.

Indeed, if we were to find a silver-lining here, it would be the empowerment and the raised level of awareness amongst social network users who have been following the story. Knowledge, as ever, is the key to prevention.

With GDPR legislation coming into force in May 2018, individuals will have ever more control over their personal data as well as increased access to it, a shift reflected in Zuckerberg’s promise to ‘provide an easy way to revoke’ data-access permissions.

Looking to raise awareness about using social media, data protection, or GDPR? Visit our Compliance page to see our full range of courses.

Research by media agency the7stars has found widespread interest in the new ‘right to be forgotten’ provision of the General Data Protection Regulation (GDPR). More than a third of respondents (34%) say they will exercise this right. With GDPR coming into force in May, this news may cause alarm among businesses who may not have any established processes for handling deletion requests from individuals.

But what exactly is the right to be forgotten, and how might this impact organisations in the UK?

The right to erasure

This provision gives individuals the right to have an organisation erase the personal data it holds about them. In simple terms, if you wanted your favourite supermarket to stop emailing you, you could ask it to delete your email address and any other personal information it holds about you.

There are exceptions to this right – so if an organisation has a need or a compelling reason to retain your data, then your request can be denied.

When the right to erasure applies

As an individual, you can usually request the deletion of your data when:

  • Your personal data is no longer required for the purpose it was collected for
  • You withdraw consent
  • You object to having your data processed (assuming there is no overriding legitimate reason for processing)
  • Your data was unlawfully processed
  • Your data must be erased to comply with a legal obligation.

When organisations can decline requests

There are a number of occasions when organisations can refuse to comply with deletion requests. If your organisation has a valid reason for retaining personal information, you may be protected under one of these provisions.

Legitimate reasons for refusing to comply:

  • To protect the public interest, or in the interest of public health
  • To exercise your right of freedom of expression
  • Archiving for public interest, historical, scientific or statistical purposes
  • Exercising or defending legal claims
  • To comply with a legal obligation, exercising official authority or to perform a public interest task.

Deleting third-party data

While it might be relatively easy to delete the data you hold on a particular person, GDPR also requires that you notify any other organisations that you have shared the data with. This might include marketing partners, data processors and other suppliers.

The challenges of complying with this part of the legislation may encourage organisations to reassess how personal data is managed and shared. Organisations may find it preferable to limit the spread of data so that it can be more easily identified – and deleted when required.

GDPR training from VinciWorks

If your organisation needs help getting ready for GDPR, our suite of eLearning programmes can help. Because our training is online, it can be delivered efficiently, at any time. As part of our GDPR eLearning offering, we have both comprehensive and short-courses available. These cover topics including: Protecting Data, Preparing for GDPR, Privacy Impact Assessments, Accountability and The Right to be Forgotten.

US credit agency Equifax has landed in serious hot water after a spate of information security failures and alleged compliance breaches uncovered by cyber security researchers, technology news sites and, potentially, the Federal Trade Commission.

The initial breach, which saw the sensitive personal and financial data of 143 million Americans potentially compromised, was the result of the company’s failure to patch (that is, install the vendor’s fix for) a two-month-old vulnerability in Apache Struts, the open-source Java web application framework used by its public-facing website. Despite many public reports of the bug being exploited in the wild, Equifax failed to secure the social security numbers, driving licence details and other personal financial information of millions of Americans; the breach also exposed the names, dates of birth, email addresses and telephone numbers of approximately 400,000 UK consumers.

A patched release for the vulnerability, tracked as Apache Struts CVE-2017-5638, was published on 6 March 2017; the agency’s website was breached through that same vulnerability in mid-May of the same year. For this reason Equifax stands accused of gross negligence: failing to protect its customers and knowingly leaving their data exposed to cyber-attack.
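The gap described above, a fix published in March and the same flaw exploited in May, is one that a security team can close with two routine checks. The following Python is an added example written for this page, not Equifax’s or Apache’s code: it flags Struts 2 versions still inside the CVE-2017-5638 affected range (the fixed releases were 2.3.32 and 2.5.10.1), and scans web access logs for the hallmark of that exploit, an OGNL expression in the request’s Content-Type header. The log lines are constructed samples in an assumed custom format that appends the quoted Content-Type header to each entry (Apache’s `%{Content-Type}i`); the payload shown is abridged and the IP addresses are documentation ranges.

```python
import re

# CVE-2017-5638 (Apache Struts S2-045): fixed in 2.3.32 and 2.5.10.1,
# both released 6 March 2017. Affected: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
FIRST_AFFECTED_2_3 = (2, 3, 5)
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)

# Fragments that appear in the S2-045 payload but never in a legitimate
# Content-Type value: an OGNL expression opener and the objects it reaches for.
OGNL_MARKERS = re.compile(
    r"%\{|#_memberAccess|OgnlContext|java\.lang\.(?:Runtime|ProcessBuilder)"
)

# Constructed sample log (not real traffic). Assumed format: combined log
# with the request's Content-Type header appended as a final quoted field,
# e.g. Apache LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Content-Type}i\"".
# The exploit string on the first line is abridged; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2017:04:12:09 +0000] "POST /index.action HTTP/1.1" 200 1023 "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):...).(#cmd='whoami')...}"
198.51.100.22 - - [13/May/2017:04:12:31 +0000] "POST /upload.action HTTP/1.1" 200 412 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
192.0.2.45 - - [13/May/2017:04:13:02 +0000] "GET /index.action HTTP/1.1" 200 5120 "-"
203.0.113.7 - - [13/May/2017:04:13:40 +0000] "POST /login.action HTTP/1.1" 500 0 "%{#context['xwork.MethodAccessor.denyMethodExecution']=false}"
"""


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise, so
    (2, 5, 10) < (2, 5, 10, 1) as required for the 2.5 line."""
    return tuple(int(part) for part in text.strip().split("."))


def struts_vulnerable_to_s2_045(version):
    """True when a Struts 2 version is inside the CVE-2017-5638 affected
    range and therefore still needs the March 2017 patch."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return FIRST_AFFECTED_2_3 <= v < FIXED_2_3
    if v[:2] == (2, 5):
        return v < FIXED_2_5
    return False  # other release lines are out of scope for this CVE


def content_type_of(log_line):
    """Return the final quoted field of a log line (the Content-Type header
    in the assumed format), or '' if the line does not end with one."""
    parts = log_line.rstrip().rsplit('"', 2)
    return parts[1] if len(parts) == 3 else ""


def find_s2_045_attempts(log_text):
    """Return (source_ip, content_type_prefix) for each request whose
    Content-Type carries an OGNL expression; a benign multipart upload
    does not match."""
    hits = []
    for line in log_text.splitlines():
        content_type = content_type_of(line)
        if OGNL_MARKERS.search(content_type):
            hits.append((line.split(" ", 1)[0], content_type[:40]))
    return hits


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "NEEDS PATCH" if struts_vulnerable_to_s2_045(ver) else "ok")
    for src, ct in find_s2_045_attempts(SAMPLE_LOG):
        print("S2-045 attempt from", src, "Content-Type starts:", ct)
```

The version check is the cheap half: feed it the Struts version from each deployed application’s dependency manifest and you have the patch-gap list in seconds. The log check is the other half, the one Leperlier’s “scanning, testing and patching” cycle implies: it does not need a signature for every variant because the marker list keys on what any OGNL payload must contain, so it also catches attempts that a product signature would miss.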

Sadly, Equifax’s history of imprudence doesn’t end here. At its Argentinian operation, a computerised system holding similarly sensitive data about South American customers was configured to allow privileged access and control with the trivially guessable username and password combination ‘admin/admin’. The site, an online tool used by employees of the company, was temporarily shut down following public exposure of its weak credentials, and the following statement was released:

“We immediately acted to remediate the situation, which affected a limited amount of information strictly related to Equifax employees.

We have no evidence at this time that any consumers or customers have been negatively affected, and we will continue to test and improve all security measures in the region.”

However, Hold Security (the cyber security firm that uncovered the admin username and password) have more to add. They report that, using the original admin log-in, they were able to download more than 100 username/password combinations belonging to the organisation’s Argentinian employees, most of which were simply the employee’s forename or surname. Additionally, from the main page of the portal, Hold Security report being able to access 715 pages’ worth of customer complaints and credit report disputes, all of which list the Argentinian equivalent of the customer’s social security number.
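The weaknesses Hold Security reports (a vendor-default login, and passwords that are just the employee’s name), and PCI DSS requirement 2 earlier on this page, describe a control that is easy to automate. The Python below is an added example for this page, not Equifax’s or Hold Security’s tooling: it audits an exported list of accounts for vendor-default passwords, passwords equal to the username or to the employee’s forename or surname, and passwords failing the PCI DSS v3.2 requirement 8.2.3 minimum (at least seven characters, mixing letters and digits). The account list is constructed sample data with fictional names; a real export should be hashed, and the fact that it can be audited in clear text at all is itself a finding.

```python
import re

# Common vendor/default and placeholder passwords (a short illustrative list,
# not an exhaustive wordlist).
DEFAULT_PASSWORDS = {
    "admin", "password", "123456", "changeme", "welcome", "root", "guest", "default",
}

# PCI DSS v3.2 requirement 8.2.3: passwords at least seven characters long,
# containing both numeric and alphabetic characters.
PCI_MIN_LENGTH = 7


def name_tokens(full_name):
    """'Juan Perez-Garcia' -> {'juan', 'perez', 'garcia'}"""
    return {t.lower() for t in re.split(r"[\s\-']+", full_name) if t}


def credential_findings(username, password, full_name=""):
    """Weaknesses found for one account; an empty list means nothing flagged."""
    findings = []
    u, p = username.lower(), password.lower()
    if p in DEFAULT_PASSWORDS:
        findings.append("vendor/default password")
    if p == u:
        findings.append("password equals username")
    if p in name_tokens(full_name):
        findings.append("password is the user's forename or surname")
    if len(password) < PCI_MIN_LENGTH:
        findings.append(f"shorter than {PCI_MIN_LENGTH} characters (PCI DSS 8.2.3)")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        findings.append("no mix of letters and digits (PCI DSS 8.2.3)")
    return findings


def audit_accounts(accounts):
    """accounts: iterable of (username, password, full_name).
    Returns {username: [findings]} for the accounts that were flagged."""
    report = {}
    for username, password, full_name in accounts:
        findings = credential_findings(username, password, full_name)
        if findings:
            report[username] = findings
    return report


# Constructed sample export (fictional people, not real accounts).
SAMPLE_ACCOUNTS = [
    ("admin", "admin", ""),
    ("jperez", "perez", "Juan Perez"),
    ("svc_backup", "changeme", ""),
    ("mgarcia", "Tr0ub4dor&3-correct", "Maria Garcia"),
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(problems)}")
```

Run against the sample, the admin account trips three checks at once and the name-based password is caught because the audit is given the HR name field, not just the login. The same name-token comparison is worth running at password-change time, where it stops the pattern Hold Security found from ever reaching the database.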

As if to add insult to injury, thirty-six US senators have called for a federal investigation into how three senior Equifax executives came to sell nearly $2m worth of shares just days after the company discovered the initial breach, and before the incident was publicly reported.

News of the sales has drawn worldwide criticism, although the company’s official statement is that the three executives ‘had no knowledge that an intrusion had occurred’ at the time the shares were sold.

Whilst this may seem improbable, to prove insider trading prosecutors would have to show that the executives knew about the breach when they decided to sell their stock, which experts say is a tough thing to establish in court. Nevertheless, as Brandon L. Garrett, a professor at the University of Virginia School of Law, suggests, this is ‘the type of conduct that a company should not tolerate in its executives. It sends a terrible message to the public and to customers.’

VinciWorks is a leading provider of compliance education and risk management solutions. We have a comprehensive suite of cyber-security and compliance eLearning courses, supported with brand-on-demand posters, communication tools, and much more.

For too long, compliance has been relegated to risk management. Now’s the time to think differently.

It’s true that for the majority of organisations, compliance with legislation is viewed as an exercise in risk mitigation. Sure, investing money in training and developing preventative processes is the best way to avoid expensive fines and protect your organisation’s reputation in the event of a compliance breach. But should this be the only motivation?

It’s more than likely you’ve already received emails and/or read news articles reporting on the punitive nature of the forthcoming GDPR legislation and its threat of hefty fines for non-compliance. This is a good example of the sort of thinking that positions compliance as no more than an expensive insurance policy… a necessary evil that takes up both time and budget.

Sadly, in many cases something has to go wrong before sufficient investment in compliance is forthcoming, and yet, by this time, the damage is usually done.

Revitalise your compliance efforts:

Yes, a good compliance programme will keep your internal and external auditors on side. It will also help you avoid expensive fines and protect your reputation should the worst happen. However, have you considered the way compliance can provide your organisation with a competitive advantage, allowing it to gain extra sales or increase revenues and profit margins?

Think about it: in an increasingly regulated world where ever more scrutiny is placed on supply chains and third parties, there is an opportunity to showcase your compliance efforts and achievements to gain a competitive edge. In other words, compliance should be less about keeping your head ‘just above water’ and more a way of illustrating the value you place upon your company, its employees and its customers. After all, being the organisation that is willing to go the extra mile to protect its customers could be a real selling point when it comes to securing new contracts or adjusting pricing structures, always good news for the C-suite.

Let’s look at a couple of examples:

It is not currently a legal requirement within the UK to monitor your supply chain for signs of modern slavery, but your organisation is probably required (under the UK Modern Slavery Act) to tell people what it is doing, or not doing, to combat modern slavery, i.e. to publish a Modern Slavery Transparency Statement. To publicly state that ‘we are doing nothing’ tells the world that your organisation doesn’t care, or that it’s drastically out of touch with what’s going on in the business world and society today. On the other hand, an organisation that can demonstrate how seriously it takes its moral and ethical responsibilities when it comes to preventing modern slavery, and how much it has invested in ending the practice for the good of all people, has the advantage when it comes to pitching for new contracts.

We can apply the same logic to GDPR. Why not be proactive in reassuring your customers and clients how seriously you take the upcoming shift in legislation, and how you are preparing to protect their data in-line with the new laws? Rather than a chore, then, compliance can be a great reason to reiterate the trust between you and your customer-base and reassure them that your organisation is on the ball – over and above the competition.

Don’t forget, making room in the budget for compliance becomes much more achievable when senior management view the investment as one that directly contributes to your bottom line through sales and profitability.

Positioning compliance as more than a box-ticking exercise, but instead as a strategic business partner (as well as risk mitigation) makes for a compelling case indeed.