Friday, November 8, 2024

A Proactive Stance to Data-Security Testing Is Not Common, Survey Finds

By Kevin Woodward
@DTPaymentNews

When it comes to actively testing sensitive data networks for problems, only 23% of companies consider themselves as “very proactive.” This finding from a new Osterman Research Inc. survey of 126 companies representing thousands of employees arrives as the onslaught of breaches and malware continues to wreak havoc among payments companies and their clients.

The survey, commissioned by Chicago-based data-security services provider Trustwave Holdings Inc., found that 48% labeled themselves as “somewhat proactive.” Only 16% said they were “somewhat reactive;” 10% “very reactive;” and 3% had no position.

In a bit of a twist, 74% of overall respondents had conducted network testing in the past six months, while 59% had tested the applications operating on their networks for security faults.

“While most organizations find value in security testing, it does take time, planning and employees with security skills,” Kevin Overcash, director of Trustwave’s SpiderLabs, tells Digital Transactions News via email. “Many companies are struggling to retain those things. A good option for these companies is to outsource the testing. While most companies are required to perform security testing by regulations such as PCI [the Payment Card Industry data-security standard], others do not have a proactive approach to security and often only get serious about security testing after they experience a breach.”

One problem endemic to payments and most other industries is malware. Designed to surreptitiously collect data and send it off to unauthorized recipients, malicious software is a particular problem for payments companies. Phishing or social-engineering attacks are a popular way for criminals to sneak malware onto a network. The unsuspecting employee clicks on a link or attachment, which appears harmless, but secretly installs malware onto the computer and into the network.

In the past 12 months, 71% of those surveyed experienced a phishing or social-engineering attack. Fifty-nine percent said they had a malware infiltration in the same period. These attacks are popular with hackers because essentially every company is a potential target, Overcash says.

“Indeed, there is a connection between phishing attacks and malware,” he says. “The most common form of phishing attack takes the form of a specially crafted email that appears to be from a legitimate source requesting the user to click on a link. Phishing and malware remain a very significant issue because many anti-phishing solutions are still not foolproof and employee education is still lagging.”
