Computer security has long been a game of cat and mouse between defenders and the cybercriminals who target them, and that will not change in 2014. As we enter the new year, several trends seem particularly relevant for business leaders to consider.
Whether it is ransomware demanding payment to unlock a victim's own files, or the growth of cloud-based tools and wearable devices, security experts face a range of emerging concerns that deserve serious attention. As if to highlight these issues, the massive breach of Target's customer payment card data this past November and December only emphasized the need for stronger security as 2014 progresses.
With that being said, here are my top five security predictions that businesses of all sizes need to be aware of in 2014:
1. There will be significant fallout from the Target data breach
As many as 40 million credit and debit card numbers were compromised in the Target breach in late 2013, and the breach included more than the card numbers themselves: it also involved cardholder names, expiration dates and the card verification codes printed on the cards (CVV2, or CVC2 on MasterCard). In other words, the attackers obtained everything they needed to use those cards fraudulently. What is most disturbing is that the verification codes were compromised at all. Strictly speaking, that is not supposed to be possible, at least not on this scale.
PCI DSS requirement 3.2 forbids storing sensitive authentication data after authorization, and the verification code is explicitly on that list, along with full magnetic-stripe track data and PINs. Given that this breach included that information, I see only a few possible ways it could have happened.
The first possibility is that the breach happened at the store level, at the point of sale itself, on such a massive scale that it will force a serious look at physical and point-of-sale security. It may cause us to rethink payment system security on the storefront level entirely.
The second possibility is that the payment network was compromised. This is less likely, since the data crossing that network is encrypted in transit. The caveat a practitioner should keep in mind is that encryption in transit only protects data between the point where it is encrypted and the point where it is decrypted; card data sits in the clear in a terminal's memory before encryption and in the processor's systems after decryption. If the network really was compromised, the implications are serious, because it makes the breach repeatable and may change the way payment card data is processed.
The final scenario is that Target was centrally batching its payment card data in order to process transactions at high volume. If so, Target faces substantial PCI-related fallout, including fines and the cost of credit monitoring for 40 million cardholders.
We may also see fallout in the form of government intervention. The payment card industry has regulated itself for a long time, and it is in its interest to keep doing so. PCI DSS is not a government standard; it is an industry standard maintained by the PCI Security Standards Council, which the card brands founded. If you do not comply, Visa, MasterCard and the other brands can fine your acquiring bank or revoke your ability to accept their cards. The industry's biggest nightmare would be government regulation of key aspects of its business.
Right now PCI DSS is a single global standard, and divergent regulations in different countries would cause significant problems for the industry. Expect changes to the PCI DSS framework in 2014: version 3.0 was published in November 2013 and becomes effective on 1 January 2014, with version 2.0 accepted only until the end of the year.
Solution: PCI DSS is a minimum requirement, not a complete security program. If you take payment cards, go beyond it: keep card data out of your environment wherever you can (tokenization, and encryption from the terminal all the way to the processor), segment the systems that must handle it, and regularly verify that nothing in your logs, batch files or databases is storing track data or verification codes.
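The last point is the one most merchants never check. The following Python scanner is an added example, not code from the original article or anything Target used; it looks through stored text (logs, batch files, database dumps) for the sensitive authentication data that requirement 3.2 forbids keeping after authorization (full Track 1 and Track 2 magstripe data, and a verification code stored next to a card number) and for card numbers stored in clear text, which requirement 3.4 forbids. The field names it looks for (cvv, cvv2, cvc, cid) are an assumption about how an application might log such data, and the sample log lines are constructed for illustration using the well-known Luhn-valid test number 4111111111111111.

```python
"""Scan stored text for card data that PCI DSS forbids keeping after
authorization: full magnetic-stripe track data and verification codes
(requirement 3.2), plus PANs stored in clear text (requirement 3.4).

Added example, not code from the original article or from Target. The log
lines below are constructed; 4111111111111111 is a well-known Luhn-valid
test number, not a real account."""
import re

# Luhn (mod 10) check: separates real PANs from order numbers and timestamps
# that happen to be 13 to 19 digits long.
def luhn_valid(number: str) -> bool:
    total = 0
    parity = len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:      # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Magstripe formats: Track 1 is %B<PAN>^<NAME>^<YYMM><service code>...?
# and Track 2 is ;<PAN>=<YYMM><service code>...?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{7}[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=\d{7}\d*\?")
# A verification code labelled as such. The field names are an assumption
# about how an application might log them.
CVV = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid)\W{0,3}(\d{3,4})\b")
# A bare run of 13 to 19 digits is a candidate PAN, confirmed with Luhn.
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def mask_pan(pan: str) -> str:
    """First six and last four digits: the most PCI DSS 3.3 lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text: str) -> list:
    """Return (finding, line number, masked PAN) for each violation found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tracks = [("track1", m.group(1)) for m in TRACK1.finditer(line)]
        tracks += [("track2", m.group(1)) for m in TRACK2.finditer(line)]
        if tracks:
            # Full track data is the worst case: enough to clone the card.
            findings += [(kind, lineno, mask_pan(pan)) for kind, pan in tracks]
            continue
        pans = [m.group(1) for m in PAN.finditer(line) if luhn_valid(m.group(1))]
        if pans and CVV.search(line):
            findings.append(("cvv_with_pan", lineno, mask_pan(pans[0])))
        elif pans:
            findings.append(("pan_cleartext", lineno, mask_pan(pans[0])))
    return findings

# Constructed sample: a POS debug line that logged the raw swipe, an
# authorization line that logged the verification code, an unrelated order
# number that is not Luhn-valid, and a correctly masked PAN.
SAMPLE_LOG = """\
2013-12-15 10:22:01 pos01 DEBUG swipe=%B4111111111111111^DOE/JOHN^25121011000000000?;4111111111111111=25121011000000000?
2013-12-15 10:22:02 pos01 INFO auth ok pan=4111111111111111 exp=1225 cvv2=123 amount=49.99
2013-12-15 10:22:03 pos01 INFO order 1234567890123456 shipped
2013-12-15 10:23:10 pos02 INFO auth ok pan=411111******1111 amount=12.00
"""

if __name__ == "__main__":
    for kind, lineno, masked in scan_text(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {masked}")
```

Run against the constructed sample, the scanner flags the swipe that was logged in full (both tracks), the authorization line that kept the verification code next to the card number, and nothing else; the order number fails the Luhn check and the masked PAN is what a compliant system should have written. Pointed at real log directories and exports, the same logic is a cheap way to find out whether your own systems are quietly keeping what requirement 3.2 says they must not.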
2. Ransom malware will continue through 2014
Today's malware is all about making money, and what easier way is there to make money than to go directly to the consumer? A business owner who finds a product or marketing technique that turns a profit keeps using it until it stops paying. The criminals behind malware are no different: if something works, they keep doing it until it stops working, and ransomware certainly worked in 2013.
How effective was it? In 2013 there were nearly a quarter of a million CryptoLocker infections. If just 10 percent of those infected paid the $300 ransom, the gross take would be $7,500,000 (250,000 × 0.10 × $300), and the criminals' costs are a tiny fraction of that.