
The Cybersecurity Panic Room

A panic room is a fortified room in a private home or business that provides refuge or a hiding place during an intrusion. Panic rooms tend to contain technology to contact law enforcement or medical resources, and resources to sustain basic needs until help arrives. While panic rooms in residential areas bring up images of elite homeowners, for corporations the focus is more on a refuge for key executives during physical security break-ins or intrusions. In today’s world of cybersecurity intrusions, where is the virtual panic room? Is there such a thing, and why does it feel so out of control?

The first quarter of 2015 resulted in more industry focus on cybersecurity, malware, threats with compromised credentials, and vulnerability management. According to the Identity Theft Resource Center, an estimated 86 million records, including credit card and debit card records, were compromised.

Verizon released their 2015 PCI Compliance Report with interesting results on the current state of payments security. A 3.1 out-of-band update to the Payment Card Industry Data Security Standard is planned as a result of the 2014 increase in vulnerabilities like Heartbleed and POODLE. Payments security compliance is not an annual event or hurdle; it needs to be embedded in the DNA of each organization and in how it operates 365/24/7.

5 Scary Factoids

  • 67%: in 2014, two-thirds of organizations surveyed did not adequately test the security of all in-scope systems
  • 4 out of 5 companies fail at interim assessment – demonstrating a lack of sustainability of controls
  • PwC reported in a survey of 9,700 companies that they’d detected nearly 43 million security incidents in 2014, a compound annual growth rate of 66% since 2009
  • 45% of Americans say that they or a household member have been notified that their credit card information had been compromised
  • 69% of consumers would be less inclined to do business with a breached entity

Even Money Magazine is weighing in on the data breach with their April edition, highlighting for consumers what to do after a data breach. It’s all about putting it into perspective and taking a risk-based point of view vs. having a panic attack. Consumers may be facing media fatigue or despair at the daily onslaught of the most recent cyber risk or breach. Their report outlined a few basic reminders to help consumers downgrade from panic to managing their risk and putting some element of control back into their lives.

5 Tips to Help Consumers

  • Pay the most attention to any breach or compromise that contains high-risk data like your SSN. This data element is a master data element for identity fraud and for opening accounts in your name. To provide the optimum reduction in your panic levels, freeze your credit with the agencies and put yourself in control of any new credit accounts.
  • You change the batteries in your smoke detectors annually – you renew your insurance annually. Make a schedule to review and change your passwords, starting with the accounts that have the most risk to either financial data or personal data. Don’t create your own panic situation by sharing passwords across applications. When you get the notice from one company, you won’t remember that it is the same password for another account.
  • Know the difference between your credit and debit card. Consumers can be put into a false sense of security since payment acceptance of both types of cards is simple – legal rights for dispute differ between the types of cards. Always check your statements for any fraudulent or unrecognized transactions.
  • Don’t respond to unsolicited emails that are likely phishing campaigns to collect “more” data about you that, when combined with previously compromised data, helps fraudsters take additional fraudulent action. Updates to security credentials are requested by legitimate organizations after a successful log-on or on a periodic basis, and not via an outbound email campaign. Fraudsters are simply exploiting consumer panic.
  • Don’t be led into a false sense of security by credit monitoring, which only alerts consumers to certain types of fraudulent activity. It is easy in today’s automated payments space to not pay attention to details, but check your account statement frequently to look for fraudulent transactions and report them to the financial institution.

Bottom line – there are no easy answers, and really no safe panic room to hide in until the cyber-threat goes away. We are in a new era of digital fraud and cybersecurity, and our technologies and customer education strategies need to help navigate consumer panic in times of crisis.

For me, at work I’m going to consider how to break the challenge into the building blocks of security and privacy fundamentals to get to consistency and sustainability of controls. At home, I’m going to follow my own advice and create a prioritized list of where I need to decrease my own risk. Then I’m going to hunker in and eat some popcorn while watching the downloaded movie Panic Room and see how the bad guys get trapped. Maybe I’ll start to write the screenplay about the movie sequel called the Digital Panic Room in our not so distant cyber future.

Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in the areas of eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs