Legal Ease Contact

Compliant But Not Cyber-Safe

Posted by LegalEase Solutions on March 11th, 2019


Does meeting Payment-Card Industry standards mean you’re safe?

Over the past two years, more companies have obliged the Payment-Card Industry’s (PCI) Data Security Standards (DSS), but the country has recorded more security breaches – 1,579 in 2017 alone,[1] which was a 45% increase from the previous year –  and more customer data has been compromised than ever before. The natural interpretation of this phenomenon has been that compliance does not equal security[2].

In the financial world in particular, compliance laws were made to investigate cyberattacks, document breaches, and punish cyber-criminals, but not to keep breaches from happening in the first place. Once a customer’s data has been compromised, there’s usually no way to restore the privacy of his information. More often than not, criminals don’t get punished because they are based offshore and there’s no way to get past their government’s protection measures. So, while industries redesign compliance such that it is a preventative measure rather than a deterrent, there are three measures you can incorporate to protect your company’s data.[1]

Regulation that Keeps Up with Technology

Regulations in place for the finance industry lack depth, scope, dynamism, and sufficient digital precautions. Cybersecurity needs to evolve as fast as hackers figure out new cyberattack methods. In the age of Advanced Persistent Threats[3] (APT), cybercriminals are often a step ahead, appearing from organizations not included in the scope of regulations, operating ransomware that doesn’t steal but rather hijacks data, hacking enterprise computers to mine for cryptocurrency, and using the victims’ own networks against them. To keep up with current and projected digital threats, the Financial Industry Regulatory Authority’s most recent cyber report suggests security logging systems (SIEM), user access controls like identity and access management (IAM), insider threat and data loss prevention (DLP), specialized archiving of phishing attacks, and encryption for stored and communicated data.

Regular And Transparent Investigations that Force Accountability

Holding regular investigations that disclose every transgression that has occurred and having executives sign affidavits that describe the exact nature of the transgression will promote accountability. This way, executives will unfailingly employ every security measure they can and companies will act more responsibly to avoid public infamy. Companies also need to make room in their budgets and manpower for fortifying their investigations. They must monitor and document all assets, locations, network dataflow diagrams, potential threat vectors, and attack surfaces. Cybersecurity teams must perform predictive and reactive analysis to identify trends, and use raw packet data, net flow, IDS, and custom sensor output to perform network traffic analysis[3].

Sometimes, an organization may meet compliance standards on paper but have insufficient measures in place. IBM’s budget monitoring and identification strategy classifies system components into groups and assigns resources according to priority[3]:

Feedback that Prevents Stagnancy

Using the company’s annual compliance reports to collect feedback and extract regulatory intelligence, and applying it to develop the company’s policies further will result in a secure system that is resistant to threats. Also, converting isolated regulations into responsive ones will help convert regulatory compliance into real-time security

Conclusion

Meeting PCI standards doesn’t secure an organization from cyberattacks. The financial industry needs to go the extra mile to protect itself from digital hackers that are ahead of the curve and have unpredictable attacks in store. While regulations grow and evolve to not just avoid penalties but to consciously safeguard consumer data, cyber-prevention departments can incorporate a host of preventative measures into their compliance strategy to generate an impenetrable system built on next-gen cybersecurity technology, unavoidable accountability, and continuously evolving defense mechanisms. 


References

[1] https://techbeacon.com/security/30-cybersecurity-stats-matter-most

[2] https://www.forbes.com/sites/forbestechcouncil/2019/01/17/why-compliance-does-not-equal-security/#5c67390510a3

[3] https://www.csiac.org/journal-article/compliant-but-not-secure-why-pci-certified-companies-are-being-breached/