Home » Topics » Cybersecurity » Compliance challenges

Compliance challenges

by Stefano Maruzzi

As a VeriSign security consultant, Jonathan Care is well placed to see how effective IT departments handle security – and how ineffective ones fail to handle it.

“IT staff are not equipped to resist advanced malware applications, like those that sneak in through social apps,” he says. “But I continually see things like SQL injections (website database hacks) – flaws that have been around for years, because web developers are not security experts.”

Much of Care’s work involves ensuring compliance, particularly in the area of PCI (payment card industry) standards, which sees him working with businesses to satisfy credit card companies that customer financial data is being protected and stored appropriately.

Care analysed 112 PCI assessments conducted by VeriSign Security Consulting to determine the most common causes of compliance failure, finding that inappropriate storage of sensitive data occurred in nearly 80% of PCI compliance failures.

“Sometimes [card numbers] are stored in a contact to a call centre, sometimes a device is left in debug mode and numbers are being written to plain text [rather than encrypted],” he says, adding that “the temperature rises dramatically” if CID (three digit card authentication) numbers are found to be stored in any format.

Other common causes of failure include not regularly testing security processes (74%), inadequate monitoring of transactions such as charge-backs and refunds (71%), and ineffective firewalls (66%).

User account sharing remains an issue, with 71% of businesses failing PCI assessments for not assigning unique IDs to accounts and monitoring access. “It makes tracking and auditing ineffective,” Care explains.

Perhaps of most concern is the widespread use of default passwords, present in 62% of cases – “a very simple thing we see time and time again.”

Care offers three steps he says that those responsible for sensitive data “should do right now.”

“Plan for incidents; ask yourselves, what would you do if your website was hacked or suffered an insider attack this afternoon? Next, initiate a penetration-testing program with internal vulnerability scans. Finally: review the way you manage data, and how you allow third parties to manage it. You’re still responsible even if data handled to third party,” he explains.

Related Topics

Related Stories

Cybersecurity

Cutting the cord: Can Air-Gapping protect your data?

Isolating hardware from the internet deters hackers, but at a huge cost. Charles Orton-Jones investigates the tactic of Air-Gapping

Cybersecurity

Can NIS2 and DORA improve firms’ cybersecurity?

Daniel Lattimer, Area VP at Semperis, explores NIS2 and DORA to see how they compare to more prescriptive compliance models

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks