On Friday, the White House is hosting a cybersecurity summit at Stanford University on how to keep us all safe from cybercriminals throughout the world who work tirelessly to wreak havoc on our economy. This summit is bringing together experts from across many fields to brainstorm on how to prevent cyberattacks in the future and stay one step ahead of the bad guys.
What is at stake in this discussion is the future stability of the global economy, our national security and the individual security of us all.
Cybercrime is spreading like a virus. It costs the U.S. economy $100 billion a year; the average data breach now costs companies and organizations $3.5 million. A recent survey estimated that 47 percent of all American adults have been affected by data breaches in the last year. The number of reported data breaches has spiked by more than 30 percent in the past couple of years with an increase in state-sponsored cybercrime and organized-crime networks.
The summit comes at a critical time; 2015 will be the most important year in recent memory for cybersecurity, with Congress looking to create legislation to better protect consumers, generate more avenues for information sharing and bolster law-enforcement efforts. This is also a landmark year as the United States transitions to credit and debit card chip technology that has been effective throughout Europe and other parts of the advanced world.
On top of these monumental changes, the threats of cybercrime will continue to grow. The summit offers a unique opportunity to identify threats, build consensus around best practices and encourage cooperation to stop the criminals. Amid all the data-breach stories and gloomy predictions, the good news is that we know what works and what changes could be made to improve security.
For starters, many companies need to change the way they view security issues. Properly following security standards 24/7 is required. Data security cannot just be an annoying “box” you check off once or twice a year. It has to be an all-day, everyday priority. Protecting data is no longer a simple task that companies leave to the IT department.
Too many CEOs are learning this lesson the hard way. A recent survey showed 17 percent of senior executives were not aware of whether their organization had suffered a data breach in the last year. For CEOs, data security is job security. Companies that fail to make data protection an everyday priority run the risk of losing money and destroying their reputations.
Despite cybercriminals becoming more and more sophisticated, we at the PCI Security Standards Council, which sets data security standards for the payment-card industry, have not seen any recent data breaches that weren’t predictable. On the contrary, problems arise from a failure to maintain key security controls and a lack of vigilance. Simply put, most data-security breaches involving credit card data are not sophisticated attacks at all, nor are they new tactics. Far too many of the recent major breaches were entirely preventable.
Something as simple as a password can cause problems. A recent study by Trustwave reported that the most popular numeric password used by U.S. businesses is “123456.” The word “password” remains one of the most commonly used passwords. It wouldn’t take a very sophisticated hacker to crack that code.
Later this year, America will take a major step forward in implementing payment-card chip technology for consumers. This is a step that PCI has long supported. The technology provides protection against fraudulent transactions in stores. It will be a major step in the right direction and will allow America to quickly catch up with much of the rest of the world.
But we should not be fooled into believing it is the magical technology that eliminates data security threats. No single technology can keep us completely safe all the time.
Those of us who participate in the summit must view this collaboration for what it is: a good first step. Data security must be an ongoing and ever-changing effort. Only by all of us working together and being smart can we get out ahead of future cyberattacks.
Stephen Orfei is general manager of the PCI Security Standards Council.