Neira Jones: PCI London, January 2013
1. The right focus and the right language...
Lessons learned from 2012 and predictions for 2013
PCI London – 24th January 2013
Neira Jones
Senior Vice President Cybercrime
Centre for Strategic Cyberspace + Security Science
Head of Payment Security
Barclaycard
payment acceptance
2. The harsh reality...
2012 shows we have experienced
36% more data breaches than in 2011.
(Source: datalossdb.org, 21st January 2013)
payment acceptance PCI London – 24th January 2013 2
3. Payment card information represented 48% of all breaches in 2011, but unlike previous years, it was not a runaway winner. This may allow payment cards to retain the title of “most stolen” but the title of “largest hauls” now belongs to the personal information variety, which includes name, e-mail, national IDs, etc. (95%). Authentication credentials were a close second (42%) in the current dataset.
Source: Verizon Data Breach Investigation Report 2012
4. It couldn’t possibly happen to me...
• 84% of organisations were notified of a breach by external entities (e.g. regulatory, law enforcement, third party or public).
• Within those 84%, attackers had an average of 174 days within the victim’s environment before detection occurred.
• The number of self-detected compromises decreased by 4% since 2010.
• Businesses that self-detected the breaches were able to identify the attackers’ infiltration 43 days on average after the initial compromise, or a quarter of the time that attackers would have had in the previous scenario.
Source: Verizon Data Breach Investigation Report 2012
5. What of 2013 then?...
Popular perception...
6. 2013 Data Breach Predictions...
Social Engineering
Web Application Exploits (75% probability)
Authentication Failures/ Attacks (90% probability)
Source: Verizon, December 2012 http://biztech2.in.com/news/security/verizons-data-breach-predictions-for-2013/150402/0
10. What of 2013 then?... The reality...
An organisation’s service provider could inadvertently increase the likelihood of a breach by failing to take appropriate actions or taking inappropriate ones.
Verizon believe that lost & stolen – and unencrypted – mobile devices will continue to far exceed hacks and malware.
They also project that attacks on mobile devices by the criminal world will follow closely the push to mobile payments in the business & consumer world.
Targeted attacks from adversaries motivated by espionage & hacktivism will continue to occur, so “it’s critical to be watchful on this front.”
Source: Verizon, December 2012 http://biztech2.in.com/news/security/verizons-data-breach-predictions-for-2013/150402/0
11. What of 2013 then?... The reality... (continued)
Large organisations tend to pride themselves on their security strategy and accompanying plans, but the reality is that a large business is less likely to discover a breach itself than to be notified by law enforcement. “And if you do discover it yourself,” Wade Baker said, “chances are it will be by accident.”
He concluded, “Keep in mind that all of these breaches can still be an issue for enterprises. However, what we’re saying is that they’re over-hyped according to our historical data and are far less likely to factor into an organisation’s next breach than is commonly thought.”
Source: Verizon, December 2012 http://biztech2.in.com/news/security/verizons-data-breach-predictions-for-2013/150402/0
12. Data breaches have become a statistical certainty
and third party breaches continue to increase...
Information security is no longer just about
deploying controls...
Effective incident response is a priority...
Social media usage has exacerbated exposure...
Cloud computing demand has increased risk...
Mobile/alternative payments have generated friction
between Marketing & IT...
Regulations have become tougher...
13. Source: Symantec, Cost of a Data Breach Study, United Kingdom, March 2012
14. For the first time in years, this 8% decline in the average cost of a data breach suggests that organisations represented in this study have improved their performance in both preparing for and responding to a data breach. As the findings reveal, fewer records are being lost in these breaches and there is less customer churn.
Source: Symantec, Cost of a Data Breach Study, United Kingdom, March 2012
15. Organisational factors...
Factors reducing the cost of a data breach
• Having a CISO with overall responsibility for enterprise data protection can
reduce the average cost of a data breach by as much as £18 per
compromised record.
• Containing the size of the breach and improving responsiveness can result
in lower organisational costs by £7 per compromised record.
• Outside consultants assisting with the breach response can save as much
as £11 per record.
Factors increasing the cost of a data breach
• Data breaches caused by third parties can increase the overall cost by £9
per compromised record.
• Data breaches resulting from lost/stolen devices can increase the overall
cost by £6 per compromised record.
Source: Symantec, Cost of a Data Breach Study, United Kingdom, March 2012
16. What does this mean for the CIO?...
17. Arise, Sir Lancelot....
The CIO is going through a metamorphosis...
• Legal Expertise
• Corporate Finance
• Enterprise Data Management
• Partner/ IT Vendor Management
• IT Project Management
• IT Security & Compliance
MC Escher “Metamorphosis”
Source: www.searchcio.techtarget.com “Six ways the CIO job description is changing” November 2012
19. 23rd February 2013: “The European Commission will propose a new obligation for security breach notifications for the energy, transport, banking and financial sectors,” said an official working at the Commission's digital agenda department. It also confirmed plans to extend security breach notifications to new industries, other than telecommunication companies and internet firms which in Europe are already subject to reporting obligations.
20. What does this mean for the CISO?...
21. Multi-perspective & multi-disciplinary...
• Incident Preparedness
• Speaking The Language
• Continuous Monitoring
• Human Risks
• Third Party Risk Management
• Using GRC To Improve Business & IT Processes
• Getting Quantitative (Measure Performance)
MC Escher “Convexe & Concave”
Source: darkREADING, November 2012, 7 Risk Management Priorities For 2013
22. The global Mobile Device Management (MDM) enterprise software market is forecast to grow at a CAGR of 7.8% over the period 2010-2014. One of the key factors contributing to this market growth is the increasing need for enhanced mobile communication security.
The global mobile security market, projected to have reached $1.6 billion in 2012, is expected to continue its growth spike in 2013, according to a Visiongain report.
23. Mobile and social...
• As social media usage explodes, what are the risks?...
• As mobile device pervasiveness increases, so will the attacks...
• As mobile payment acceptance emerges, what are the security
implications?...
• The monetisation of social networks introduces new risks...
• Social mobile payments?...
• F-commerce
• Shoppable videos
• Pinterest...
25. Count down 2013...
Mobile
• mobile device attacks
• BYOD
• Mobile Device Management
• Mobile Payments
• Social Mobile Payments
• Mobile Payment Acceptance
• etc.
MC Escher “Crystal Ball”
26. Count down 2013...
Social Media
• Social Media Risk
• Social Media Engagement
• Social Media Servicing
• Marketing drive
• Finance pressure
• Alternative payments
• Monetisation of social networks
• Social Engineering
• New social platforms
• etc.
27. Count down 2013...
Laws & Regulations
• EU Data Protection Laws
• Disclosure Laws
• PCI DSS
• All Privacy Laws
• Cloud implications
• Legal Counsel
• Etc.
30. Count down 2013...
Incident Response
• 84% of organisations were
notified of a breach by external
entities.
• Containing the size of the breach and improving responsiveness can result in lower organisational costs by £7 per compromised record.
• etc.
31. Count down 2013...
Enterprise GRC
• Laws/ Regulations tracking
• Enterprise Asset Management
• Security & Compliance
• Automation
• Economies of scale
• Process efficiencies
• Continuous monitoring
• Performance measurement
• Finance KPIs
• New social platforms
• etc.
32. Count down 2013...
Third Parties
• Cloud security
• Big data
• Merchant agents
• Card scheme mandates
• Data breaches caused by third parties can increase the overall cost by £9 per compromised record.
• etc.
33. Count down 2013...
Authentication
• Credentials breaches
• Authentication failures
• Multi-factor authentication
• Identity & Access Management
• Behavioural analysis
• Fraud management
• etc.
34. Count down 2013...
Awareness & Education
• Having a CISO with overall responsibility
for enterprise data protection can reduce
the average cost of a data breach by as
much as £18 per compromised record.
• Speaking the language (finance, law,
marketing, business development, etc.)
• Human risks
• Data breaches resulting from lost/stolen
devices can increase the overall cost by £6
per compromised record.
• 36% of breaches were due to negligence.
• Social engineering.
• etc.
35. Count down 2013...
Risk Management
• Corporate finance
• Regulations
• Existing risks
• Emerging risks
• Emerging technologies
• Business growth
• And everything else to deploy an effective and convergent business framework...
• etc.
36. Count down 2013...
Mobile
Social Media
Law/ Regulation
Incident Response
Governance, Risk & Compliance
Third Parties
Authentication
Awareness & Education
Risk Management
37. And don’t take my word for it...
39. The John Lewis Partnership is proud to have been one of the first companies to join the Barclaycard Risk Reduction Programme as we take information security extremely seriously and for all our Partners reputational risk is paramount. The single most advantageous thing when we transitioned across to the BRRP was the desire of all parties (Barclaycard, IRM our QSA and the Partnership as a whole) to bring judgement into play rather than just ticking boxes for ticking boxes’ sake. The end result is that we have a clear agreed remediation path which is fully endorsed by the executive board and which can show real return on investment for the Partnership, on-going security maturity for Barclaycard and a reduction in our security risk profile. I would encourage any company to fully explore the benefits of the BRRP and the risk based approach as a whole.
Ben Farrell, Head of Operational Risk Management, John Lewis Partnership

The Barclaycard Risk Reduction Programme is very applicable to the aggressive growth of Paddy Power. The BRRP process allows Paddy Power to reduce and control risk levels in an appropriate manner that also aligns with company growth and objectives. With this in mind we feel that this programme will result in Paddy Power becoming fully compliant with PCI DSS. Moreover, IT security and operational BAUs will ensure that PCI is permanently retained.
Stephen Breen, IT Security Manager, Paddy Power

The Barclaycard Risk Reduction Programme enabled TfL to conduct a standalone review of PCI-DSS risk across the organisation and identify the areas where both additional and less input were required. The structure of the programme makes it possible for TfL to work more closely with Barclaycard and to track business areas through to compliance.
Nigel Tate, Treasury Manager, Transport for London
40. Join our LinkedIn Group...
41. Know your risk, educate, select the right
partners, fix the basics first and be prepared…
Neira Jones
neira.jones@barclaycard.co.uk
http://uk.linkedin.com/pub/neira-jones/0/7a5/140
@neirajones
neirajones.blogspot.co.uk
http://pinterest.com/neirajones/
https://plus.google.com/110320990111565528559?prsrc=2