As we embark on a new decade and begin 2020, it is a good time to take stock and reflect on the lessons learnt from the last 12 months. It is fair to say that 2019 was one of the worst years on record for data breaches. In January alone, 16 high-profile breaches were reported, among them one affecting the hugely popular online game Fortnite, which saw an estimated 108 million user records compromised.
Facebook was at the heart of a scandal in April, when more than 540 million user records were found exposed, while online shopping giant Amazon was found to have been publishing private user data in error on its Japanese site. There was also Capital One's damaging hack, which exposed the sensitive personal data of roughly 106 million customers and credit applicants.
While breaches are becoming ever more prevalent, it appears that many companies are still taking a rather 'laissez faire' approach to data security:
The annual Verizon Payment Security Report found that the share of businesses still fully compliant with the PCI DSS at their interim assessment, roughly a year after first achieving compliance, actually fell between 2017 and 2018, from 52.5% to just 36.7%, the lowest level since 2013.
Surprisingly, 18% of companies still do not have a defined compliance programme, despite the significant increase in data breaches and the repercussions for organisations found to be non-compliant.
Looking at the sectors discussed in the Payment Security Report, finance remains the best performer on PCI DSS compliance at 39%, while hospitality ranked last with just 26.3%.
European companies were found to be ahead of their US-based peers, with 48% full compliance compared to just 20% across the Atlantic. Both US and European organisations pale in comparison with their Asia-Pacific counterparts, however, whose compliance rate was found to be 69.6%.
This raises the question of why 80% of US companies have such problems maintaining compliance. The Verizon report highlights that once companies achieve initial compliance, the ongoing work of updating, patching and testing appears to cause the most trouble: specifically Requirement 6 (developing and maintaining secure systems and applications, including timely patching) and Requirement 11 (regularly testing security systems and processes, such as vulnerability scanning and penetration testing). Controls that were in place on assessment day quietly lapse, and the organisation fails its next assessment.
Perhaps adopting modern cloud strategies could be one answer, removing the need for organisations to rely on older, complex infrastructures or ageing networks that create compliance barriers and a maintenance headache. It is worth remembering, though, that moving to a cloud provider shifts responsibility rather than removing it: the provider's own PCI DSS attestation covers the infrastructure it operates, while the merchant remains accountable for the configuration of its own systems and for the cardholder data they handle.
Looking at the causes of the largest breaches last year, many came down to weak security controls and misconfiguration, external attackers and human error. Companies cannot eradicate these risk factors entirely, but with careful planning and understanding they are in a position to mitigate them.
While it is impossible to protect a business completely from hackers and other causes of data breaches, by maintaining compliance with industry standards and implementing the right systems and processes to handle personal data carefully, businesses can at least insulate themselves and their customers from much of the potential harm. It will be interesting to see how organisations respond over the coming year; we look forward to seeing what 2020 and the new decade may bring.