A costly and newsworthy breach at one of the US's leading
payment transaction processors, a new US president calling for a
cybercrime review as one of his first actions in office, and a
similar review undertaken in the UK mean that cyber security has
once again hit the headlines in 2009, write Nick Graham and Nicola
Tutton of the information and privacy group at Denton Wilde
Sapte.
Heartland Payment Systems
The widely quoted (and much criticised) $1 trillion cost of
cybercrime may seem a little exaggerated. However, an announcement
by Heartland Payment Systems that it has set aside $12.5m to cover
expenses (including bank fines from Visa) resulting from a malware
attack on its payment systems indicates the real cost to business
of large-scale security breaches. (Heartland's CEO admits that this
figure represents just the tangible costs to Heartland and not the
reputational costs caused by the breach.)
This attack occurred despite the company's compliance with
strict Payment Card Industry Data Security Standards, showing that
businesses may need to go beyond standard industry guidelines to
keep cyber criminals at bay. Indeed, Heartland has taken the
security breach as a warning and is currently developing an
end-to-end data encryption process which encrypts data at rest as
well as data in motion - going beyond payment security standards.
The increased awareness of data security issues amongst
consumers means that failure to take these extra steps may result
in consumers going elsewhere for services.
Cybercrime reviews
In his presidential campaign, Barack Obama likened cybercrime
risks to those of a nuclear or biological attack, something which
he has followed through on since being elected.
Within days he had commissioned an investigation to highlight
vulnerabilities to such attacks within government and the private
sector. Following the investigation he declared, "The networks and
computers that we depend on every day will be treated as they
should be - as a strategic national asset." A cyber tsar role has
been created to prevent and respond to attacks by enemy countries
and cyber criminals.
Not wanting to be left out, the UK government has recently
published the Cyber Security Strategy for the UK. The high-level
strategy calls for the development of a more "cohesive and coherent
framework" and an approach that is "proportionate to the risks". The
strategy also promised to establish an Office of Cyber Security and
a Cyber Security Operations Centre to build on work already
undertaken by existing governmental agencies. Whether these
organisations last for longer than any of their predecessors
remains to be seen, however.
Practical impact of cybercrime
As well as the political focus, industry regulators are becoming
focused on data security issues. Visa's fines formed part of
Heartland's expenses and the FSA has also levied serious financial
penalties for past security breaches. The FSA's Data Security in
Financial Services Report is fairly scathing about the lack of
co-ordinated resources within financial services institutions and
the use of insecure data transfers, meaning that the FSA is likely
to take a dim view of data security breaches in the future.
As the most obvious targets for cybercrime, banks are taking the
lead on new technological advances. The one-time password
technology already used by certain financial institutions may be
old news but the digital credit card with this function built in
may soon take its place - perhaps aiding in the fight against
card-not-present fraud. (Something which the introduction of PIN
security has failed to make a mark on.)
Common ground?
The common ground to all the investigations, strategies and
commentary on security breaches is that the strategies and
technologies cannot remain static and must develop with the
strategies and technologies of the cyber criminals. And, in order
to do this, there needs to be coherence between the private and
public sector. Information and technology need to be shared in
order that cybercrime experiences can be learnt from and prevented
in the future.