Page 1: Neira jones pci london january 2013 pdf ready

payment acceptance

The right focus and the right language... Lessons learned from 2012 and predictions for 2013

PCI London – 24th January 2013

Neira Jones

Senior Vice President Cybercrime, Centre for Strategic Cyberspace + Security Science

Head of Payment Security, Barclaycard

Page 2:


The harsh reality...

2012 shows we have experienced 36% more data breaches than in 2011.

(Source: datalossdb.org, 21st January 2013)


Page 3:


Payment card information represented 48% of all breaches in 2011 but, unlike previous years, it was not a runaway winner.

This may allow payment cards to retain the title of “most stolen”, but the title of “largest hauls” now belongs to the personal information variety (95%), which includes name, e-mail, national IDs, etc.

Authentication credentials were a close second (42%) in the current dataset.

Source: Verizon Data Breach Investigation Report 2012


Page 4:


It couldn’t possibly happen to me...

• 84% of organisations were notified of a breach by external entities (e.g. regulatory, law enforcement, third party or public).

• Within those 84%, attackers had an average of 174 days within the victim’s environment before detection occurred.

• The number of self-detected compromises decreased by 4% since 2010.

• Businesses that self-detected their breaches identified the attackers' infiltration 43 days on average after the initial compromise, roughly a quarter of the time attackers would have had in the previous scenario.

Source: Verizon Data Breach Investigation Report 2012


Page 5:


What of 2013 then?...


Popular perception...

Page 6:


2013 Data Breach Predictions...

Social Engineering

Web Application Exploits (75% probability)

Authentication Failures/ Attacks (90% probability)


Source: Verizon, December 2012 http://biztech2.in.com/news/security/verizons-data-breach-predictions-for-2013/150402/0

Page 7:

Page 8:

Page 9:

Page 10:


What of 2013 then?...


The reality...

Source: Verizon, December 2012 http://biztech2.in.com/news/security/verizons-data-breach-predictions-for-2013/150402/0

An organisation’s service provider could inadvertently increase the likelihood of a breach by failing to take appropriate actions or taking inappropriate ones.

Verizon believe that lost and stolen (and unencrypted) mobile devices will continue to far exceed hacks and malware. They also project that attacks on mobile devices by the criminal world will follow closely the push to mobile payments in the business and consumer world. Targeted attacks from adversaries motivated by espionage and hacktivism will continue to occur, so “it’s critical to be watchful on this front.”

Page 11:


Large organisations tend to pride themselves on their security strategy and accompanying plans, but the reality is that a large business is less likely to discover a breach itself than to be notified by law enforcement. “And if you do discover it yourself,” Wade Baker said, “chances are it will be by accident.” He concluded, “Keep in mind that all of these breaches can still be an issue for enterprises. However, what we’re saying is that they’re over-hyped according to our historical data and are far less likely to factor into an organisation’s next breach than is commonly thought.”

Page 12:


Data breaches have become a statistical certainty and third party breaches continue to increase...

Information security is no longer just about deploying controls...

Effective incident response is a priority...

Social media usage has exacerbated exposure...

Cloud computing demand has increased risk...

Mobile/alternative payments have generated friction between Marketing & IT...

Regulations have become tougher...


Page 13:


Source: Symantec, Cost of a Data Breach Study, United Kingdom, March 2012

Page 14:


Source: Symantec, Cost of a Data Breach Study, United Kingdom, March 2012

For the first time in years, this 8% decline suggests that organisations represented in this study have improved their performance in both preparing for and responding to a data breach. As the findings reveal, fewer records are being lost in these breaches and there is less customer churn.

Page 15:


Organisational factors...

Factors reducing the cost of a data breach

• Having a CISO with overall responsibility for enterprise data protection can reduce the average cost of a data breach by as much as £18 per compromised record.

• Containing the size of the breach and improving responsiveness can result in lower organisational costs by £7 per compromised record.

• Outside consultants assisting with the breach response can save as much as £11 per record.

Factors increasing the cost of a data breach

• Data breaches caused by third parties can increase the overall cost by £9 per compromised record.

• Data breaches resulting from lost/stolen devices can increase the overall cost by £6 per compromised record.

Source: Symantec, Cost of a Data Breach Study, United Kingdom, March 2012


Page 16:


What does this mean for the CIO?...


Page 17:


Arise, Sir Lancelot... The CIO is going through a metamorphosis...

Legal Expertise

Corporate Finance

Enterprise Data Management

Partner/ IT Vendor Management

IT Project Management

IT Security & Compliance


Source: www.searchcio.techtarget.com “Six ways the CIO job description is changing” November 2012

MC Escher “Metamorphosis”

Page 18:


Page 19:


23rd February 2013: “the European Commission will propose a new obligation for security breach notifications for the energy, transport, banking and financial sectors,” said an official working at the Commission's digital agenda department. It also confirmed plans to extend security breach notifications to new industries, other than telecommunication companies and internet firms, which in Europe are already subject to reporting obligations.

Page 20:


What does this mean for the CISO?...


Page 21:


Multi-perspective & multi-disciplinary...

Incident Preparedness

Speaking The Language

Continuous Monitoring

Human Risks

Third Party Risk Management

Using GRC To Improve Business & IT Processes

Getting Quantitative (Measure Performance)


Source: darkREADING, November 2012, 7 Risk Management Priorities For 2013

MC Escher “Convexe & Concave”

Page 22:


The global Mobile Device Management (MDM) enterprise software market is forecast to grow at a CAGR of 7.8% over the period 2010-2014. One of the key factors contributing to this market growth is the increasing need for enhanced mobile communication security. The global mobile security market, projected to have reached $1.6 billion in 2012, is expected to continue its growth spike in 2013, according to a Visiongain report.

Page 23:


Mobile and social...

• As social media usage explodes, what are the risks?...

• As mobile device pervasiveness increases, so will the attacks...

• As mobile payment acceptance emerges, what are the security implications?...

• The monetisation of social networks introduces new risks...

• Social mobile payments?...

• F-commerce

• Shoppable videos

• Pinterest...


Page 24:


Page 25:


Count down 2013...

Mobile

• mobile device attacks
• BYOD
• Mobile Device Management
• Mobile Payments
• Social Mobile Payments
• Mobile Payment Acceptance
• etc.


MC Escher “Crystal Ball”

Page 26:


Count down 2013...

Social Media

• Social Media Risk
• Social Media Engagement
• Social Media Servicing
• Marketing drive
• Finance pressure
• Alternative payments
• Monetisation of social networks
• Social Engineering
• New social platforms
• etc.


MC Escher “Crystal Ball”

Page 27:


Count down 2013...

Laws & Regulations

• EU Data Protection Laws
• Disclosure Laws
• PCI DSS
• All Privacy Laws
• Cloud implications
• Legal Counsel
• Etc.


MC Escher “Crystal Ball”

Page 28:


Count down 2013...


MC Escher “Crystal Ball”

Page 29:


Count down 2013...


MC Escher “Crystal Ball”

Page 30:


Count down 2013...

Incident Response

• 84% of organisations were notified of a breach by external entities.
• Containing the size of the breach and improving responsiveness can result in lower organisational costs by £7 per compromised record.
• etc.


MC Escher “Crystal Ball”

Page 31:


Count down 2013...

Enterprise GRC

• Laws/ Regulations tracking
• Enterprise Asset Management
• Security & Compliance
• Automation
• Economies of scale
• Process efficiencies
• Continuous monitoring
• Performance measurement
• Finance KPIs
• New social platforms
• etc.


MC Escher “Crystal Ball”

Page 32:


Count down 2013...

Third Parties

• Cloud security
• Big data
• Merchant agents
• Card scheme mandates
• Data breaches caused by third parties can increase the overall cost by £9 per compromised record.
• etc.


MC Escher “Crystal Ball”

Page 33:


Count down 2013...

Authentication

• Credentials breaches
• Authentication failures
• Multi-factor authentication
• Identity & Access Management
• Behavioural analysis
• Fraud management
• etc.


MC Escher “Crystal Ball”

Page 34:


Count down 2013...

Awareness & Education

• Having a CISO with overall responsibility for enterprise data protection can reduce the average cost of a data breach by as much as £18 per compromised record.
• Speaking the language (finance, law, marketing, business development, etc.)
• Human risks
• Data breaches resulting from lost/stolen devices can increase the overall cost by £6 per compromised record.
• 36% of breaches were due to negligence.
• Social engineering.
• etc.


MC Escher “Crystal Ball”

Page 35:


Count down 2013...

Risk Management

• Corporate finance
• Regulations
• Existing risks
• Emerging risks
• Emerging technologies
• Business growth
• And everything else to deploy an effective and convergent business framework...
• etc.


MC Escher “Crystal Ball”

Page 36:


Count down 2013...

Mobile

Social Media

Law/ Regulation

Incident Response

Governance, Risk & Compliance

Third Parties

Authentication

Awareness & Education

Risk Management


MC Escher “Crystal Ball”

Page 37:


And don’t take my word for it...


Page 38:


Page 39:


The Barclaycard Risk Reduction Programme is very applicable to the aggressive growth of Paddy Power. The BRRP process allows Paddy Power to reduce and control risk levels in an appropriate manner that also aligns with company growth and objectives.

With this in mind we feel that this programme will result in Paddy Power becoming fully compliant with PCI DSS. Moreover, IT security and operational BAUs will ensure that PCI is permanently retained.

Stephen Breen, IT Security Manager, Paddy Power

The Barclaycard Risk Reduction Programme enabled TfL to conduct a standalone review of PCI-DSS risk across the organisation and identify the areas where both additional and less input were required.

The structure of the programme makes it possible for TfL to work more closely with Barclaycard and to track business areas through to compliance.

Nigel Tate, Treasury Manager, Transport for London

The John Lewis Partnership is proud to have been one of the first companies to join the Barclaycard Risk reduction programme as we take information security extremely seriously and for all our Partners reputational risk is paramount. The single most advantageous thing when we transitioned across to the BRRP was the desire of all parties (Barclaycard, IRM our QSA and the Partnership as a whole) to bring judgement into play rather than just ticking boxes for ticking boxes sake. The end result is that we have a clear agreed remediation path which is fully endorsed by the executive board and which can show real return on investment for the Partnership, on-going security maturity for Barclaycard and a reduction in our security risk profile.

I would encourage any company to fully explore the benefits of the BRRP and the risk based approach as a whole.

Ben Farrell, Head of Operational Risk Management, John Lewis Partnership

Page 40:


Join our LinkedIn Group...


Page 41:


Know your risk, educate, select the right partners, fix the basics first and be prepared…

Neira [email protected]

http://uk.linkedin.com/pub/neira-jones/0/7a5/140

@neirajones

neirajones.blogspot.co.uk

http://pinterest.com/neirajones/

https://plus.google.com/110320990111565528559?prsrc=2
