Tripwire today announced the results of a survey conducted by Atomic Research, which evaluated the responses of 102 financial services organisations and 151 retail organisations in the U.K., all of which process card payments. The survey found that the confidence financial organisations place in their security controls is only marginally better than the confidence retailers place in theirs.
“The survey responses indicate that a surprising number of organisations are building their security programs based primarily on PCI,” said Dwayne Melancon, chief technology officer for Tripwire.
“My concern is that PCI is a very prescriptive, checklist-oriented approach that is less effective if it is not coupled with a holistic risk-based security program. If these organisations stop at mere PCI compliance, they may be lured into a false sense of security.”
Key findings from the survey include:
- 65 percent of both financial and retail organisations would need between one and three days to detect a data breach on critical systems.
- 49 percent of financial respondents said that the Payment Card Industry (PCI) data security standard is the backbone of their security programs, compared with just 39 percent of retail respondents.
- 44 percent of financial respondents are unsure if their security controls would prevent the loss of customer data in the event of a data breach, compared to 38 percent of the retail respondents.
“The majority of the organisations who responded said they could detect a breach of critical systems within one to three days. This is inconsistent with historical data that says most breaches go undiscovered for weeks, months or even longer,” Melancon continued. “This survey data suggests that most organisations have a rose-colored view of their own capabilities when it comes to breach detection and response.”
Other findings reveal:
- 45 percent of respondents from financial services firms said that recent breaches have not changed the level of attention executives give to security, compared to 37 percent of retail respondents.
- Only 18 percent of financial respondents said their organisation had already suffered a data breach that compromised customer data, compared to 28 percent of the retail respondents.
“It is not surprising that the financial services industry has more nascent attention and fewer detected breaches because it’s more regulated,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “In many cases, regulations and their enforcement drive not only security but general situational awareness that contributes to more effective risk mitigation.”
More information on this study is available at: http://www.tripwire.com/company/research/uk-retail-and-financial-survey-part-2/.