Happy New Year (We can’t believe it’s already February) to our customers, partners, and everyone interested in improving the state of payment data security in 2023! This is the first of two articles: the first looking back at the security and compliance landscape in 2022, and the second will look at how last year’s learnings may shape what will happen in the year to come.
Trends in 2022
The world is growing more dependent on the Internet as we settle into our remote, mobile, and networked lifestyles. Every year, orders of magnitude more online business and payment card transactions take place, a trend that the COVID-19 pandemic only accelerated and that continues to become more frictionless and universally accessible through the explosion of alternative payment methods (APMs) and neo-banking solutions.
At the same time, according to Verizon’s 2022 Data Breach Investigations Report (DBIR), there has been a concerted effort to protect your payment data, and computer security experts have indeed made progress. But by now, you know the old refrain: financial fraud is an endless game of cat-and-mouse, attack and defense are constantly evolving, and criminals never quit – but continue to follow the money.
Therefore, each year, we are wise to take note of the prevalent attack vectors, so that we can better prioritize our defenses. With that in mind, here are three data points from the latest DBIR that will be of interest to our community.
- Attackers are now targeting 1) confidentiality, 2) integrity, and 3) availability – in that order
- Within that confidentiality data set, hackers above all seek personal data and user credentials
- Among 20 industries, Finance was #4 in incidents (2,527), and #1 in data breaches (690)
Data Breach Impact
In their Cost of a Data Breach Report 2022, the Ponemon Institute and IBM conducted over 3,600 interviews at 550 organizations, in 17 industries, across the world. The researchers focused on both the short-term and long-term costs and consequences of a data breach. They examined dozens of data points, from root causes to mitigating technologies that allow companies to limit their losses. One such data point is the “compromised record”: a piece of information, such as a name, number, or record, that constitutes personally identifiable information (PII) or that can otherwise be used to identify a real person.
The financial industry, which includes banking, insurance, and investment companies, was the single largest affected industry, accounting for 16% of breaches. Among financial organizations, the average cost of a data breach was $5.97 million. However, that figure may be understated; the report notes that penalty costs in the financial industry are rising sharply over time, because it is a “high data protection” regulatory environment. Ponemon and IBM employed the US Government’s Cybersecurity & Infrastructure Security Agency (CISA) classification for financial services, and call it “critical infrastructure,” similar to technology, energy, transportation, etc. Finally, for the critical infrastructure vertical, 45% of data breaches involved either supply chain attacks, destructive attacks, or ransomware.
Malware in Focus: Ransomware
In 2022, the world spent $150 billion on cybersecurity. Wow. Logic might suggest that that much cash could solve any business problem – and it is likely that some computer vulnerabilities, and some types of cyberattacks, have been mitigated. But we know for sure that some infosec challenges, particularly in the data security and digital commerce space, remain just as vexing as they were a year ago.
Let’s take a quick look at the state of ransomware. According to CISA, ransomware is malware that encrypts your files, and renders them unusable until you pay a ransom in exchange for decryption. As a result, if your business depends on access to its data, all of your normal business operations may remain on ice until the ransom is paid – or until you rebuild your network from scratch. According to the DBIR, ransomware was present in nearly 70% of malware breaches in 2022.
Unfortunately, despite large corporate investment in security infrastructure, 2022 was the worst year on record for ransomware. Profit-driven cybercriminals targeted verticals including financial services, software companies, education, healthcare, and critical infrastructure. There were high-profile attacks against scores of cryptocurrency firms and supply chain providers. Iranian state hackers used ransomware as a form of international pressure against the government of Albania. In Costa Rica, a ransomware attack caused the government to declare a national emergency, and compare the incident to terrorism and warfare.
The gravity of this problem has led governments around the world to join global initiatives like the International Counter Ransomware Task Force (ICRTF). But the challenge of successfully addressing transnational cybercrime (and nation-state hacking) is multifaceted at best. For example, Russia’s invasion of Ukraine has currently put many international law enforcement efforts on hold.
Therefore, successfully mitigating the problem of ransomware will also require next-generation engineering solutions, such as those we are building at VGS. For a bit more on that, see section 5, below.
Security & Compliance: PCI DSS v4.0
Thus, information security challenges are likely to remain with us for the foreseeable future, and this helps to explain the increasing focus of governments on legislation, regulation, and compliance. According to the 2022 Verizon Business Payment Security Report (PSR), there is good news, and bad news, in this dynamic space. On the good side, over 40% of organizations now say that they are in “full compliance” (in 2019, it was less than 30%). On the other hand, over 50% of organizations failed an interim validation assessment (typically due to the omission of one or more security controls).
Why do so many corporations fail their information security tests? The reason is that the InfoSec discipline is vast, quickly evolving, and unpredictable. In order to achieve real security and compliance, businesses are forced to master a wide range of (often technical) strategies and tactics. And even then, many companies suffer data breaches that are largely beyond their control. For example, the latest DBIR notes that the majority of financial breaches today involve compromised servers or stolen credentials, which may have been acquired in any number of ways, including brute force hacking.
All of this explains why, in 2022, one of the most prominent events in payment data security was the transition to PCI Data Security Standard (PCI DSS) v4.0. Chief Information Security Officers (CISOs) and compliance personnel should know that this is the most significant rewrite of the DSS since its release in 2004.
For more details, please read our recent blog, “What's New in PCI DSS 4.0?”.
Data thieves, hackers, and malware continue to plague the landscape of payment data security. Here at VGS, we promote a philosophy known as Zero Data®, which transforms sensitive information into data ‘aliases’. If lost or stolen, our aliases are meaningless to cyber criminals. Our clients store their sensitive data in our vault, which has security controls including segregated accounts, key rotation, patch management, audit logging, vulnerability testing, strong encryption, and continuous monitoring.
No single solution is a silver bullet against ransomware – or any other class of malware. However, VGS technology mitigates these risks by reducing the spread of sensitive data, both on your live network and in your backups. As a result, VGS customers are at a significantly lower risk of data breach and extortion. Attackers could threaten to release your data, but if it has already been transformed into aliases, the risk of disclosure is minimal, and the criminals have dramatically reduced negotiating power. Together, VGS security controls cover the vast majority of PCI, SOC 2, GDPR, CCPA, and HIPAA security requirements related to the storage and exchange of sensitive data.
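An illustration of the aliasing idea described above, added here as an example; it is not VGS code and does not describe how the Zero Data vault is implemented. The application (and therefore its backups) keeps only a randomly generated, format-preserving alias, and the mapping back to the card number exists solely inside a hypothetical Vault class; the card numbers are standard test numbers, not real cards.

```python
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used to reject malformed input before it is vaulted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Vault:
    """Hypothetical aliasing vault: the only place the PAN-to-alias map lives."""

    def __init__(self):
        self._by_pan = {}    # PAN -> alias
        self._by_alias = {}  # alias -> PAN

    def alias(self, pan: str) -> str:
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._by_pan:  # the same PAN always yields the same alias
            return self._by_pan[pan]
        while True:
            # Random digits carry no information about the PAN; the last four
            # are kept so receipts and support tooling still work.
            digits = "".join(secrets.choice("0123456789") for _ in range(12))
            candidate = "tok_" + digits + pan[-4:]
            if candidate not in self._by_alias:
                break
        self._by_pan[pan] = candidate
        self._by_alias[candidate] = pan
        return candidate

    def reveal(self, alias: str) -> str:
        """Only an authorised call into the vault can recover the PAN."""
        return self._by_alias[alias]


def store_order(vault: Vault, pan: str, amount_cents: int) -> dict:
    """The record the application (and its backups) actually keep: no PAN."""
    return {"card": vault.alias(pan), "amount_cents": amount_cents}
```

A backup of the `store_order` records contains only `tok_...` values, so an attacker who exfiltrates it holds nothing that can be charged or resold without also breaching the vault.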