10 Sep How to stop losing the global cyber war
The message couldn’t be starker: the world is under a massive cyber attack. So says Jeremy King, International Director of the PCI (Payment Card Industry) Security Standards Council, and he is well equipped to say so. Travelling around the world and talking to companies across the UK, Europe, the US and Africa, he hears the same story: companies are the targets of cyber attacks. “The criminals are very well organised, they are global and they share details about how to attack,” he says.
The biggest problem, according to King, is that CEOs either believe that their company would never be a target, or consider cyber security to be a mere IT matter, without realising that everyone who has access to their systems is a possible weak spot. Only one person has to press the wrong button for an attack to begin. “Companies need the right security practices and processes, but above all the employees need the right tools and training. People still have terrible passwords like ‘password1’ or ‘123456’ and the criminals know this. We also put too much information about ourselves on social media, so we make it easy for the criminals to attack.”
There have certainly been some high profile attacks out there. Last year there was a security breach on the e-commerce platform Magento, while in May this year there was a global WannaCry attack, infecting more than 230,000 computers in over 150 countries. The UK’s National Health Service, Spain’s Telefónica and Deutsche Bahn were just some of those affected, before it was halted by an English web security researcher, who discovered a kill switch. “What happened was that malware came in and encrypted everything,” says King.
“In the financial world we’ve been using encryption for years, but now the criminals have realised what we have been doing and unfortunately turned it against us. Furthermore, the invention of Bitcoin has helped: it’s hard to trace and easy to use.” It is also becoming increasingly apparent that targets are often not involved with payment data – for example, the NHS – which means they would have been less aware of the potential threat of an attack.
One way for companies to combat fraud is to adopt and implement the PCI-DSS (Data Security Standard) and to understand the issues involved. “How many people have access to your website?” King asks. “How many have access to payment data? Where does that data go? Restricting access to employees that don’t need everything on the system might be a start.”