When it comes to the inherent risks of protecting business data, the landscape is constantly shifting. While the entryways for fraudsters to steal information have not changed dramatically, the highly motivated fraudster community is relentlessly seeking and finding new modes of attack, making risk mitigation a tricky business.
Criminals are generally considered crafty people, but data thieves, in particular, are ranked in the upper echelon of offenders. This is primarily due to their stealth, which make their strikes tough to anticipate. This factor gives them the offensive position and leaves business owners to continually live on the defensive.
When a business accepts any form of electronic transaction, it is more susceptible to fraud. Thus, data vulnerability takes on new dimension. This is why payments industry leaders have taken steps to implement merchant accountability measures such as EMV (Europay, MasterCard and Visa) and the Payment Card Industry Data Security Standard.
Yet, as any risk and security professional would counsel, these steps tend to drive perpetrators into dark corners where they can contemplate the next phishing scheme or viral attack.
Certain business types are at greater risk than others. High-volume retailers, for example, must have rock solid security practices in place. Even the simplest steps, such as immediate firewall updates or routine scanning for possible points of failure, can make the difference in being able to prevent fraudsters from sneaking in through a back door.
"So far in 2016, the monthly percentage of scans that we've seen pass on the first attempt has remained steady, hovering between 66 and 71 percent," said Cory Miller, Director of Security Operations at ControlScan Inc. "Failures are most often a result of weak or deprecated encryption, outdated software, insecure remote access or SQL injection vulnerabilities."
The Internet is also a breeding ground for fraud due the vast data that passes between consumers and businesses each day. As small to midsize businesses increase usage of contemporary call-to-action buttons and request forms, vulnerability will also increase. With little to no resources for conducting ongoing security scans, these businesses fall prey to perpetrators simply because they wrongly assume their payment gateways are covering all their security bases.
"We have seen on many occasions businesses leaving themselves open to attack by lacking basic input validation in their web forms," Miller said. "What may seem like an innocuous form field can lead to leakage of sensitive data if businesses aren't demonstrating secure coding practices and regularly testing their applications."
Businesses that use call centers or take payments by phone are also at risk. While these companies must have smart social engineering plans, their data-entry environment is also an open-door to fraud when security measures are overlooked.
"Take the data away from the equation and then there is no opportunity for fraud," Iain Regan, Global Sales Director at Semafone Inc., told The Green Sheet. "This is the key to supporting the multi-channel payments journey securely."
Semafone, a global voice security company, counsels clients to allow call center workers to telecommute, when possible. Regan noted this tactic makes it more difficult for hackers to find a system entry point, and it enhances workforce stability, which also promotes greater security. "It's an emerging business model because it helps a company retain quality people, and that's the biggest issue in this space," Regan said. "Companies are finally going away from the Draconian environment where they lose good people."
In today's business climate, it appears the need for third-party vulnerability scanning remains high. ControlScan confirmed that its latest projects are to address legacy encryption and weak ciphers, SQL vulnerabilities on web apps, out-of-date software, and end-of-life operating systems.
"External vulnerability scans provide visibility into the weaknesses left exposed to the Internet every day," Miller said. "External testing is important because it provides a glimpse into what outside attackers are seeing."
Other security companies are exploring new techniques, such as passive vulnerability assessments, which are designed to sniff everyday data interactions instead of conducting broad scans to proactively hunt for inconsistencies and other red flags.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next