A costly and newsworthy breach at one of the US's leading payment transaction processors, a new US president calling for a cybercrime review as one of his first actions in office, and a similar review undertaken in the UK means that cyber security has once again hit the headlines in 2009, write Nick Graham and Nicola Tutton of the information and privacy group at Denton Wilde Sapte.
Heartland Payment Systems
The widely quoted (and much criticised) $1 trillion cost of cybercrime may seem a little exaggerated. However, an announcement by Heartland Payment Systems that it has set aside $12.5m to cover expenses (including bank fines from Visa) resulting from a malware attack on its payment systems indicates the real cost to business of large scale security breaches. (Heartland's CEO admits that this figure represents just the tangible costs to Heartland and not the reputational costs caused by breach.)
This attack occurred despite the company's compliance with strict Payment Card Industry Data Security Standards, showing that businesses may need to go beyond standard industry guidelines to keep cyber criminals at bay. Indeed, Heartland has taken the security breach as a warning and is currently developing an end to end data encryption process which encrypts data at rest as well as data in motion - going beyond payment security standards.
The increased awareness of data security issues amongst consumers means that failure to take these extra steps may result in consumers going elsewhere for services.
In his presidential campaign, Barack Obama likened cybercrime risks to those of a nuclear or biological attack; something which he has followed through since being elected.
Within days he had commissioned an investigation to highlight vulnerabilities to such attacks within government and the private sector. Following the investigation he declared, "The networks and computers that we depend on every day will be treated as they should be - as a strategic national asset." A cyber tsar role has been created to prevent and respond to attacks by enemy countries and cyber criminals.
Not wanting to be left out, the UK government has recently published the Cyber Security Strategy for the UK. The high-level strategy calls for the development of a more "cohesive and coherent framework" and an approach that is "proportionate the risks". The strategy also promised to establish an Office of Cyber Security and a Cyber Security Operations Centre to build on work already undertaken by existing governmental agencies. Although whether these organisations last for longer any of their predecessors remains to be seen.
Practical impact of cybercrime
As well as the political focus, industry regulators are becoming focused on data security issues. Visa's fines formed part of the Heartland's expenses and the FSA has also levied serious financial penalties for past security breaches. The FSA's Data Security in Financial Services Report is fairly scathing of the lack of co-ordinated resources within financial services institutions and the use of insecure data transfers meaning that they are likely to take a dim view of data security breaches in the future.
As the most obvious targets for cybercrime, banks are taking the lead on new technological advances. The one time password technology already used by certain financial institutions may be old news but the digital credit card with this function built in may soon take its place - perhaps aiding in the fight against card-not-present fraud. (Something which the introduction of Pin security has failed to make a mark on.)
The common ground to all the investigations, strategies and commentary on security breaches is that the strategies and technologies cannot remain static and must develop with the strategies and technologies of the cyber criminals. And, in order to do this, there needs to be coherence between the private and public sector. Information and technology needs to be shared in order that cybercrime experiences can be learnt from and prevented in the future.
This was first published in September 2009