(The author is Canada sales manager of Chicago-based Trustwave Inc.)
In our recent 2013 Global Security Report, out of the more than 450 data breaches we investigated, Canada ranked third among the nations we looked into.
Canadian organizations in general lag behind other nations in the adoption of thorough cyber-security strategies, leading to cyber-attacks which are generally not publicized.
Why? The main reasons are a lack of government regulations, low awareness of the risks and costs of a breach, and a belief among the management of organizations that Canadian companies are not targets. Cybercriminals prefer to target the low-hanging fruit and the path of least resistance when it comes to stealing data that, for them, can be extremely profitable.
The Office of the Privacy Commissioner of Canada’s website states, “Unfortunately, privacy breaches are becoming more and more common. Over the last few years, hundreds of thousands of Canadians have been affected by privacy breaches. And the consequences for affected individuals can be significant.”
Canadian organizations need to start taking cyber security seriously to protect their customers’ data and to avoid costly breaches. This includes following the Payment Card Industry Data Security Standard, a mandate for organizations designed to protect cardholder data from fraud, and implementing a cyber-security strategy that protects against data loss and prevents targeted cyber-attacks.
Cybercrime is a multi-billion-dollar industry and growing. Some Eastern European countries are relying on credit card fraud as a significant revenue stream and will stop at nothing. These are sophisticated organized crime rings that are determined to continue their revenue streams and are not going away.
According to our 2013 report, retail merchants were the most targeted in 2012, comprising 45% of all breaches, with e-commerce websites being the most popular target. The findings revealed that criminals strongly prefer stealing cardholder data, which they sell on a well-established underground marketplace and which is then used in fraudulent transactions.
The report also revealed that victims on average took 210 days to realize their systems were attacked, leaving plenty of time for cybercriminals to collect their loot before anyone even noticed.
So, how can Canadian organizations protect themselves from becoming the next victim?
First, the perception by executives and our political leaders needs to change. Currently, Canada lacks regulations making it mandatory to disclose breaches, which contributes to the perception by executives of many Canadian companies that they are not being targeted. The federal government is currently reviewing a new regulation that would require breach disclosures. This regulation will be a significant step toward bringing Canada in line with other nations.
Second, organizations need to use security technology in addition to chip-and-PIN, or EMV, technology to validate the identity of a cardholder. Your debit and credit cards are embedded with a computer chip that complements a personal identification number provided by you that identifies you as the cardholder. This system is known as EMV technology. There is a misconception among organizations that EMV technology prevents credit card breaches.
EMV only helps validate the identity of the cardholder. It does not protect the data once it enters the merchant’s systems. Organizations must also implement, either internally or with the support of a managed service provider, the technologies that detect and manage cyber threats, prevent data loss and comply with the Payment Card Industry Standard, as well as monitor their systems daily for strange behavior, implement strong security policies and procedures, and provide ongoing security awareness education for employees.
Finally, although all companies processing credit cards are contractually required to comply with the Payment Card Industry Standard, many Canadian companies ignore or avoid becoming compliant because in many cases fines for non-compliance are not being enforced as diligently as they are in other countries. Executives and franchisors need to understand that by not investing in security best practices, including complying with the Payment Card Industry Standard, they are setting themselves up as the path of least resistance for cybercriminals and exposing their organizations or their franchisees to significant risks, costs and fines. The cost of prevention is minimal compared with the cost of a breach.
It’s time for Canadians to step up, take cybercrime seriously and become a leader in the protection of consumer data by ensuring that the proper technology, policies and procedures are implemented and followed. For too long, this issue has been swept under the rug, leading to destructive cyber-attacks and financial losses from which it is extremely difficult to recover. Our report found that nearly every industry, country and type of data was involved in a breach of some kind in 2012. It’s not a question of “if”, only “when.”