Are Local Governments Doing Enough to Manage Risk and Meet Citizen Expectations?
High profile breaches at Target, Home Depot, P.F. Chang’s, Staples, and many others have put credit card security in the spotlight. In a recent broadcast, 60 Minutes called 2014 the “year of the data breach.” That label might apply in 2015 as well, since the issue isn’t improving fast enough.
Cybercrime is increasing at an alarming rate with no sign of slowing down; cyber incidents quadrupled from 2008 to 2013. A report released in June by the Center for Strategic and International Studies estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion, or almost one percent of global income.
The consequences of a data breach to an individual organization are massive. For example, the direct costs of the December 2013 Target breach will top $1 billion. Of course, that cost doesn’t take into consideration the damage to Target’s reputation with the general public.
Many Target customers dealt with the hassle of having to closely monitor their credit and get their cards reissued. Approximately two million customers actually had their credit card information sold on black market web sites. Their tarnished image and a 46% drop in profits following the breach ultimately led to the resignation of Target’s CEO and other key executives.
While data breaches at large retailers garner most of the media attention, government agencies are also in the crosshairs of cybercriminals. Rapid7, a security intelligence company, reported that between January 2009 and May 2012, 94 million records were compromised in government data breaches. As was the case in the Target and Home Depot instances, many of these breaches can be traced directly to international crime syndicates in Russia, China, and Eastern Europe.
A mid-sized city in the Midwest recently had its website and databases hacked by a Turkish group targeting government sites, compromising names, addresses, Social Security numbers, and possibly credit card data. It was embarrassing and costly for the city, which had to handle thousands of calls from frustrated citizens as well as deal with the negative press. What’s more, the city then had to expend time, resources and money to rectify the breach, including free credit freezes (which, at $5 per person, add up very quickly) for the affected citizens.
Unfortunately, this isn’t an isolated example. According to the Verizon 2014 Data Breach Investigations Report, breaches from malicious hacking, malware, and social engineering attacks have gone up a mind-boggling 500% in the last four years. The reasons for these increases are simple:
- Ineffective, easily penetrable security systems that leave businesses vulnerable;
- Highly profitable returns for criminals; and
- Understaffed, technologically-disadvantaged law enforcement unavailable and/or unable to apprehend and prosecute criminals.
The bottom line is that there are burgeoning numbers of cybercriminals out there, and their numbers will continue to grow as opportunities increase. Like any offense, data breaches are a crime of opportunity, albeit a virtual one.
The Onus is on Local Governments
For local governments, it is incumbent on them to secure their data above and beyond what other organizations implement. Citizens look to government agencies to provide safety, security, and stability. Consequently, these expectations put more focus and pressure on local governments. With the sheer volume of confidential data being handled, government agencies can’t afford such publicized data breaches, let alone breaking their citizens’ trust.
Because breaches are often crimes of opportunity, agencies would be wise to have security systems and policies in place that exceed industry norms in order to avoid becoming targets. It is akin to locking an office drawer to thwart theft: the criminal will simply move on to the next office in the hope of finding an unlocked drawer there.
Led by Visa and MasterCard, the credit card industry has issued a set of security standards, PCI DSS, to protect itself, merchants, and cardholders from fraud and theft. Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is the standard to which all organizations must adhere when storing, processing and transmitting their customers’ credit card data.
PCI DSS security standards are enforced at four levels. Organizations processing over six million transactions annually are required to achieve the highest level of payment card security, Level 1 Compliance. Local government agencies typically are not required to operate with Level 1 Compliance, putting them at greater risk of a breach than their larger, better-funded counterparts.
While Level 1 Compliance would be ideal for every organization including local governments, attaining compliance often requires a significant budget of approximately $500,000 and up. For some organizations, the annual cost of PCI compliance can exceed the benefit of taking credit cards in the first place.
Moreover, local government agencies often do not have the same financial resources or specialized staff that larger businesses do. As attacks on larger organizations are met with more sophisticated defenses, it makes sense that attackers will focus their efforts on organizations such as local government agencies, which often lack the budget for a dedicated security expert or specialized security technologies.
PCI DSS standards are comprehensive and far-reaching, addressing security vulnerabilities across the entire business. As you’d expect, modern technologies are a critical component of effective security. Adequate firewall protection, data encryption, data storage, and intrusion monitoring are paramount and logical first steps for all organizations.
Leaving a Door Unlocked for Cybercriminals
Since the majority of breaches are attributed, in some part, to “inside” activities, it is also important to have comprehensive internal processes in place, as well as controls that address physical, facility-level security. PCI DSS requires approved, well-documented plans, specifying which employees (and contractors) are allowed access to both physical and virtual locations where sensitive data is stored. Attackers have gotten very adept at “phishing” via unsuspecting employees in an attempt to get information or gain network access.
It’s not enough to just define and document these policies. PCI DSS requires essential personnel to be thoroughly trained in the appropriate security practices. Every employee must also be briefed on the proper procedures and policies (changing passwords frequently, ensuring password strength, taking care not to lose laptops, reporting stolen company laptops to the company’s security department as soon as possible, etc.). Additionally, raising awareness of the scenarios in which their information could be compromised, or in which they may be duped by a phishing scam, can go a long way towards thwarting such breaches. Company data is only as safe as the policies and procedures you enforce with your employees and contractors. Cybercriminals only need one door unlocked to infiltrate an entire network.
Such a door was left unlocked in the Target breach when an off-site worker was given remote network access to perform efficiency updates on HVAC software. Somehow the worker’s credentials (i.e., username and password) were compromised and the hackers were able to use this digital pathway to install destructive malware across the entire retail network, allowing them to siphon credit card data as cards were swiped at the point-of-sale (POS).
Minimize your Burden and Offload Risk
Cybercriminals will continue to find new and innovative ways to attack networks, and security practices will need to evolve to protect sensitive customer and payment data. In fact, a new set of PCI DSS 3.0 security requirements was published this year, with compliance required by January 1, 2015. Additional rules and regulations also play an important role in protecting customer information, such as the Red Flag Rules for Identity Theft Protection and the NACHA regulations that protect customer payments made from checking and savings accounts.
The changing security and compliance landscape can make it difficult for local governments to keep up. For example, as breaches increase in frequency, breach detection software that actively detects breaches as they are occurring is becoming more important. According to the 2013 Trustwave Global Security Report, the average duration from the time a breach occurs to the time it is detected is 210 days, making real-time active breach detection a valued tool in breach protection. Unfortunately, most agencies don’t have the budget to consider these types of tools.
Many municipalities and utility billing organizations are turning to third-party Hosted Payment Vendors to host and maintain a complete payment infrastructure. Much like an insurance policy, businesses can shift risk and liability away from themselves and onto an outsourced vendor who will take responsibility for the payment infrastructure as well as much of the burden of PCI Compliance.
As local governments consider Hosted Payment Vendors, it is important to choose wisely. With proper due diligence, agencies can find the appropriate vendor to partner with. Primary considerations should be a vendor with a proven history of innovation in payment security and Level 1 PCI DSS 3.0 Certification.
Vigilance is Needed
According to the Cost of Data Breach Survey from Symantec and the Ponemon Institute, a security firm and research organization, respectively, the average cost of a data breach is $136.00 per exposed record, a significant expense when you add up all of your customers.
The best advice for any municipality is to be prepared. Do not take the “stick-your-head-in-the-sand” approach and allow yourself to be lulled into a false sense of security. The threat is real and increasing with frightening speed. While it isn’t possible to eliminate the threat, local governments can minimize their risk by being vigilant and consistent, which includes having the right policies, systems, and partners in place.
About the Author
John Schott is the Vice President of Customer Experience at the Paymentus Corporation, a Hosted Billing and Payment Provider with over 700 local government customers across North America. Paymentus is a proven innovator in secure electronic billing and payment technologies.