A recent study by the Ponemon Institute shows that payment data security practices need improvement. This doesn’t come as a surprise, since security by its nature requires continuous work, but it does raise some concerns when you break down why improvement is still needed.
The study’s findings point to problems with organizations implementing security measures and practices that are really just the basics of securing data and the business environment.
Know where your data is stored or located
- 55% of IT security pros don’t know where all their payment data is stored or located.
Knowing where data is located or stored should be a given. If you don’t know where your data is, how are you supposed to keep eyes on it? The fact that more than half of respondents to this survey don’t know is astonishing, especially following mega breaches like Target, Sony, and the OPM incident.
Centralize payment data security ownership
- Ownership for payment data security is not centralized with 28% of respondents saying responsibility is with the CIO, 26% saying it is with the business unit, 19% with the compliance department, 15% with the CISO, and 14% with other departments.
Building a culture of security, where everyone within the business is on the same page regarding best data management and security practices, is essential. Even with a disconnect between departments, a minimum layer of security should have been established with good policies and procedures.
Make security a priority
- 54% of IT security pros said that payment data security is not a top five security priority for their company, and only one third (31%) feel their company allocates enough resources to protecting payment data.
It seems that even though executives and the board have been made aware of the consequences of a breach, like CEOs and CIOs being let go or companies losing customers post-breach (a perfect example: TalkTalk losing 250,000 customers following their breach), security still hasn’t made it to the top of the to-do list. Why this is the case doesn’t make much sense given the obvious business ROI you get from good security.
If that wasn’t enough, the Ponemon study also showed that 74% of IT security pros said their companies are either not PCI DSS compliant or are only partially compliant and 54% of them said their company had a security or data breach involving payment data four times in the past two years (on average).
Although the study focuses on payment data security, the problem isn’t the type of data; it’s the organizations themselves. When 74% of these companies aren’t even compliant (or are only partially compliant), it’s pretty clear that security is far from the minds of business leaders. If businesses don’t start changing their thinking about security (or the absence of it), they’re in for a huge wake-up call.
Even on a tight budget, organizations can implement basic security steps, like knowing where data is or having policies and procedures set up across the enterprise. Lack of expertise can’t be an excuse either, with security organizations such as ours able to meet the needs of organizations (not to mention all the other companies within the security industry just waiting to help out). It comes down to a company’s Security Why and its desire to continue staying in business.
Photo Courtesy of Tashatuvango