• The research shows that 81 per cent of the cases that were subject to PCI-DSS compliance had not been found compliant prior to the breach. Either they had had an assessment and not been found compliant, or had not completed an assessment yet. The most interesting statistics regarding PCI are the two critical parts of the data security standard:
o Requirement 3: Protect stored data with 11 per cent compliance; and
o Requirement 10: Track and monitor all access to network resources and cardholder data with five per cent compliance.
These two requirements are the cornerstones of the PCI programme and have extremely low compliance when reviewed by our investigators. Even a simple requirement such as Requirement 5: Use and regularly update AV has only 62 per cent compliance. Therefore 38 per cent of the organisations we worked with did not even have anti-virus software functioning properly on the environment that was compromised.
What needs to be done by the IT industry and major enterprises to rectify the issues highlighted in this research?
• One of the main issues is that organisations are typically not compliant with their own policies. The vast majority of data breaches would not happen if they were compliant with their own policies. Unauthorized Access via Default or Shared Credentials, SQL Injection, and Improperly Constrained or Misconfigured ACLs are the three leading causes of data breach and are preventable with proper coding, configuration and regular testing. Organisations should also realise when they can perform a necessary security function and when they cannot. For example, only six per cent of data breaches are discovered by the victim organisation through event monitoring or log analysis. The events are almost always in the logs, so why are organisations unable to pick up are the signs of data breach in logs? We believe this is because event monitoring and log analysis is a function that requires specialists to set up and monitor. If organisations cannot do log analysis properly, they should seek the assistance of an expert third party. Lastly, many organisations still think of information security in a 1990s network perimeter paradigm. With the Web 2.0 world and the explosion of B2B/B2C and partner connections, the traditional network perimeter no longer exists and organisations need to focus on data security of which the first step is to identify your critical data. This is done extremely poorly by victim organisations67 per cent of the 285 million unique breached records were stolen from data stores the victim organisation was unaware they had. This is a staggering figure to us, and unfortunately has not changed materially over the course of the study.
Sign up for CIO Asia eNewsletters.