There’s a very tough question on the table that no one can afford to ignore: if more than half of global IT and security executives say they actively fear the exposure of payment card data and other personally identifiable information, why are 70% of them not deploying measures such as encryption to maintain security? This troubling reality, one of many findings in the 2019 Thales Global Data Threat Report, provides a stark look at the state of payments security – and leaves a lot of data vulnerable.
This isn’t entirely unexpected. Just ask any one of the estimated 3 billion people who fell victim to Yahoo’s data crisis. Or the 500 million people whose sensitive personal information was stolen in the Marriott breach. More than 43% of the entire American population was offered credit monitoring after hackers stole data from the Equifax servers, and now, nearly a year and a half later, the whereabouts of that stolen data are still unknown.
Breaches over the past five years have become such a large part of the daily global news cycle that it’s more unusual not to see a data security story. And many security breaches don’t even make the news, either because it’s no longer newsworthy when only a few thousand people are affected, or because a ransomware event is painstakingly kept out of the public eye.
The fact is, the internet wasn’t originally built with security in mind. But now, the limitless potential of how we conduct business online means this convenience is not going to go away. Demand will continue to increase while laws and policy lag behind the sustained push for innovation and greater access. It’s incumbent upon enterprises to step up – actually get a step ahead – to secure our most sensitive data and stop the cyber-crisis tidal wave that’s dominating the narrative.
No organization is safe from data security risks. Threats can be both external and internal, and even the most sophisticated companies get breached. Our study shows that the greater the level of sophistication, the more likely respondents are to say that they have been breached.
While we may never achieve an overwhelming sense of security, we’ve identified a three-pronged approach to achieving vast improvements that will put you and your customers a little more at ease: 1. adopting secure emerging technologies; 2. staying up to date on industry requirements; and 3. ensuring staff are fully trained in security protocols.
The Digital Transformation Arms Race
Companies are looking to transform their infrastructure to perform better, stronger and faster. Too often, this unfortunately leads to the adoption of technology that isn’t secure. 97% of companies are using these transformative technologies to store sensitive data, but only 30% are deploying measures to maintain security. This runs directly counter to the fear of data breaches that executives report: they aren’t putting security where the money is.
Companies must look for product solutions that build security into their design. This is especially true for products that transmit and store sensitive customer information, such as POS systems and payments software. These issues are especially difficult to solve when customers make purchases from devices that may not be secure, such as phones.
Digital payments fueling a mixture of hardware and software security
The traditional payment card world effectively relies on a complete end-to-end hardware-based security infrastructure. The online, digital world is different – it accepts that a consumer mobile device is inherently untrusted and relies on a range of software security approaches underpinned by strong risk management and hardware-based security at the service provider or issuer to minimize the threat of fraudulent transactions. With payment cards, we have a trusted bank-issued device where the cryptographic keys are secured inside the chip and are valid for the lifetime of the card.
Contrast this with the mobile device equivalent, which uses a host card emulation (HCE) approach where no secure element (SE) is deployed. The keys are only valid for one or a few transactions and need to be regularly replenished. The common factor with cards is that the keys themselves are generated, and secured in transit, using hardware security modules (HSMs). Other payment approaches may look like they are based purely on software, but they too have fundamental requirements for HSMs at the back end for provisioning, management and authorization.
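To make the key lifecycle described above concrete, here is an added illustrative model (not Thales code, and not any real EMV tokenization or HCE specification): an issuer back end standing in for the HSM derives limited-use keys with a use budget from a master key that never leaves it, the phone-side wallet replenishes when the budget is spent, and the back end rejects replays and exhausted keys. The token id, the MAC construction and the use budget of two are constructed assumptions.

```python
import hashlib
import hmac
import os

def cryptogram(luk: bytes, atc: int, amount: int) -> bytes:
    """Transaction cryptogram: truncated MAC over counter and amount under the LUK."""
    return hmac.new(luk, f"{atc}|{amount}".encode(), hashlib.sha256).digest()[:8]

class IssuerBackend:
    """Stands in for the issuer's HSM-backed service: the master key is generated
    here and never leaves; only derived limited-use keys (LUKs) go to the phone."""
    def __init__(self) -> None:
        self._master = os.urandom(32)  # constructed here; HSM-resident in practice
        self._budget: dict = {}         # (token, luk_index) -> remaining uses
        self._seen: set = set()         # (token, luk_index, atc) already authorized

    def _luk(self, token: str, luk_index: int) -> bytes:
        return hmac.new(self._master, f"{token}|{luk_index}".encode(), hashlib.sha256).digest()

    def provision(self, token: str, luk_index: int, max_uses: int) -> bytes:
        self._budget[(token, luk_index)] = max_uses
        return self._luk(token, luk_index)

    def authorize(self, token: str, luk_index: int, atc: int, amount: int, mac: bytes) -> bool:
        """Accept only a fresh (token, index, atc) under a LUK that still has budget."""
        if (token, luk_index, atc) in self._seen or self._budget.get((token, luk_index), 0) <= 0:
            return False
        if not hmac.compare_digest(cryptogram(self._luk(token, luk_index), atc, amount), mac):
            return False
        self._seen.add((token, luk_index, atc))
        self._budget[(token, luk_index)] -= 1
        return True

class HceWallet:
    """Phone-side wallet with no secure element: keeps one LUK and replenishes it."""
    def __init__(self, token: str, issuer: IssuerBackend, max_uses: int = 2) -> None:
        self.token, self.issuer, self.max_uses = token, issuer, max_uses
        self.atc, self.luk_index, self.uses_left, self.luk = 0, -1, 0, b""

    def _replenish(self) -> None:  # budget exhausted: fetch the next LUK from the back end
        self.luk_index += 1
        self.luk = self.issuer.provision(self.token, self.luk_index, self.max_uses)
        self.uses_left = self.max_uses

    def pay(self, amount: int) -> tuple:
        if self.uses_left == 0:
            self._replenish()
        self.atc += 1
        self.uses_left -= 1
        return self.token, self.luk_index, self.atc, amount, cryptogram(self.luk, self.atc, amount)
```

Because the back end enforces the budget as well as the wallet, a LUK copied off the phone is only good for the few transactions it was issued for, which is the property the paragraph contrasts with a card's lifetime key.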
Training staff in a world of digital identities
Handling sensitive information is a reality in the world of digital and physical payments. Training IT staff, customer service and management in the proper handling of sensitive data is integral to avoiding security mishaps. In just the last few weeks we’ve seen mishandling of sensitive data by employees at ASUS and GitHub, resulting in massive amounts of information being sold.
If the employees involved in these leaks had followed proper security protocol, the entire situation could have been avoided. The enterprise world, and specifically financial services, is only becoming more digitally focused. It’s incumbent on employees to be acutely aware of the sensitive information in their possession and to be trained on how to handle it properly.
Companies trafficking in sensitive financial information should prioritize security over every other digital transformation initiative. If they don’t, they’ll be doomed to repeat the breaches that have plagued the industry of late. With consumers more interested than ever in security and their personal data, financial enterprises must put their security where the money is.