Dark Reading reported on Verizon’s PCI compliance assessment and I think the numbers are interesting, but not terribly unexpected (see article). The actual report, all 84 pages, is available here.
Most of the time (maybe always), when a business has an assessment done by a third party assessor, that company will do an interim assessment first. The purpose of the interim assessment is to find as many weaknesses as they can so that the business can fix them before the final assessment. That way the final assessment falsely inflates the level of compliance. As a result, Verizon looked at the interim assessments instead of the final ones.
Verizon said that last year, about 20 percent of the companies were fully compliant at the interim assessment. That means, of course, that 80 percent of the businesses that have a contractual requirement to be PCI compliant were not compliant.
The good news in that, if there is any, is that the 20 percent number is an improvement. That number was 11% in 2013 and 7.5% in 2012. That means that between 2012 and 2014, the number of businesses that managed to comply with the terms of the contract that they signed with their banks for at least one year increased by almost a factor of 3. If you are a glass half full kind of person, that is good news. If you are not, that means that before, more than 90% of the businesses were out of compliance and now only 80% are out of compliance.
Verizon also said that only 28% of the businesses they assessed managed to stay compliant from one review to the next. That means that more than two thirds of the businesses could not remain within the terms of their contracts for even one year.
That kind of explains why we see all the data breaches in the news. I think that is not likely to change unless banks start enforcing the terms of the contracts. Banks don’t want to do that because they are afraid you will take your business somewhere else.
This difference – between a point in time validation and compliance, may, in fact, be the key point in the lawsuits against Home Depot. Home Depot has admitted that they “may not” have been in compliance at the time of the breach.
PCI compliance is a pretty low bar – even if you are compliant, it does not mean that the bad guys won’t get in. But it is fair to say that if you can’t even maintain that level of security between reviews, that other, more complex security measures are even less likely to be in place and effective.
One strategy – actually the one that many businesses prefer – is to hope that the hackers don’t come visit you. With only around 3,000+ breaches reported last year out of millions of businesses, that seems like a good bet.
The problem is that only breaches that violate the law (like the theft of non public personal information or health care information) are required to be reported. And, while I can’t prove it, I bet that many of those go unreported.
Also, companies will only report breaches that they know about. For example, Lowes had a breach that they announced last May (2014) when the attackers had been inside their system since July 2013. If they were asked in say, January, 2014 if they had been breached, they would have answered NO. They would have been wrong, but that is what they would have said.
Finally, theft of intellectual property is often not reported. After all, the police will likely not be able to catch the thieves and as long as it is not publicly visible, the news won’t pick it up. An example of this is the F-35 Joint Strike Fighter that Lockheed is building at the cost of hundreds of billions of dollars.
Mashable reported that documents leaked by Edward Snowden and published in Der Spiegel show that the NSA was aware that the Chinese had stolen terabytes of documents on the F-35. That data was used to help China create the J-20 and J-31 stealth fighters.
The report that Snowden leaked was classified Top Secret. In part they do that because once the “cat is out of the bag” they don’t what the Chinese to know that we know. The other reason is that after spending $300 billion on the F-35, they don’t want to admit that the Chinese were able to steal the plans and build their version for a whole lot less.
How the F-35 story applies to regular businesses is that if they have intellectual property breaches, they typically mark it with their version of Top Secret, if they even know they were hacked and it isn’t reported. This also includes stuff like sealed bids. If your competitor hacks you and finds out what you are going to bid and under bids you, how do you prove that. You just lose the work.
Bottom line is that businesses are not doing very well at security and it makes the job of the bad guys a whole lot easier.