The year 2014 may very likely go into the history books as one of the worst in terms of IT security, given the tremendous data breaches (e.g., Target and Home Depot, to name just two big retailers that suffered huge system break-ins) and cybersecurity attacks. On average, a security breach now goes undetected for over 200 days, giving hackers a huge head start with stolen data.
Tech Times reached out to cybersecurity expert Gokhan Inonu, president of Cardtek USA, to learn what's ahead with cybersecurity, how companies and consumers can better protect data and the trends emerging in the battle against sophisticated malware and data breaches. Cardtek USA is a division of Cardtek Group, which makes software for financial transactions.
Tech Times: Last year saw tremendous data hacks and that's not counting the Sony Pictures Entertainment incident. How can companies better recognize a threat?
Inonu: Fraud-prevention methods need to include measures for not only external threats, but also internal ones as well.
Companies can also recognize threats through unexpected activities, such as a higher-volume transaction, multiple transactions on a single account, PIN trials, the time of the transaction (if after midnight, it is a suspected one), the source of the transaction (e-commerce/CNP-type transactions are potential risks) and the type of merchant (anything that can easily be converted to money, like casino chips, etc., is a suspected transaction).
These types of transaction counts/volumes and/or activities need to be monitored and reported (by SMS, email) to different levels of responsible employees and to the customer as well.
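The monitoring checklist Inonu describes above can be written down as explicit rules run over a transaction feed. The following Python is an added example for this article, not code from Cardtek or from the interview; the thresholds, the merchant category codes treated as "cash-like", the escalation policy in route_alerts and the sample transactions are all assumed or constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: float        # currency units
    ts: datetime         # local time of the transaction
    channel: str         # "POS" (card present) or "CNP" (e-commerce / card-not-present)
    mcc: str             # merchant category code of the merchant
    pin_failures: int    # failed PIN attempts recorded on this transaction


# Thresholds are assumed values; in practice they come from business experience.
HIGH_AMOUNT = 1000.0
MAX_TXNS_PER_ACCOUNT_PER_HOUR = 3
MAX_PIN_TRIALS = 2
NIGHT_START, NIGHT_END = 0, 6           # 00:00 to 05:59 counts as "after midnight"
# Merchant categories whose goods convert easily to cash (assumed MCC values).
CASH_LIKE_MCCS = {"7995": "casino chips", "6010": "cash advance", "6051": "quasi-cash"}


def score_transactions(txns: List[Transaction]) -> Dict[str, List[str]]:
    """Return txn_id -> list of triggered rule names (unflagged transactions are omitted)."""
    flags: Dict[str, List[str]] = defaultdict(list)
    recent: Dict[str, List[datetime]] = defaultdict(list)   # account -> timestamps in the last hour
    for t in sorted(txns, key=lambda x: x.ts):
        # Velocity rule: multiple transactions on a single account within one hour.
        window = [ts for ts in recent[t.account] if (t.ts - ts).total_seconds() <= 3600]
        recent[t.account] = window + [t.ts]
        if len(window) + 1 > MAX_TXNS_PER_ACCOUNT_PER_HOUR:
            flags[t.txn_id].append("velocity")
        if t.amount >= HIGH_AMOUNT:                   # higher-volume transaction
            flags[t.txn_id].append("high_amount")
        if t.pin_failures > MAX_PIN_TRIALS:           # PIN trials
            flags[t.txn_id].append("pin_trials")
        if NIGHT_START <= t.ts.hour < NIGHT_END:      # time of the transaction
            flags[t.txn_id].append("after_midnight")
        if t.channel == "CNP":                        # source of the transaction
            flags[t.txn_id].append("card_not_present")
        if t.mcc in CASH_LIKE_MCCS:                   # type of merchant
            flags[t.txn_id].append("cash_like_merchant")
    return dict(flags)


def route_alerts(flags: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Escalate by the number of rules hit (assumed policy): analyst first, then customer, then manager."""
    routes: Dict[str, List[str]] = {}
    for txn_id, rules in flags.items():
        targets = ["fraud_analyst_email"]
        if len(rules) >= 2:
            targets.append("customer_sms")
        if len(rules) >= 3:
            targets.append("fraud_manager_sms")
        routes[txn_id] = targets
    return routes


# Constructed sample feed (not real data).
SAMPLE_TXNS = [
    Transaction("t1", "acct-1", 45.00, datetime(2015, 1, 10, 14, 5), "POS", "5411", 0),    # daytime grocery
    Transaction("t2", "acct-2", 1500.00, datetime(2015, 1, 10, 1, 12), "CNP", "7995", 0),  # online casino at 01:12
    Transaction("t3", "acct-3", 20.00, datetime(2015, 1, 10, 9, 0), "POS", "5812", 4),     # four failed PINs
    Transaction("t4", "acct-4", 60.00, datetime(2015, 1, 10, 10, 0), "CNP", "5999", 0),
    Transaction("t5", "acct-4", 70.00, datetime(2015, 1, 10, 10, 20), "CNP", "5999", 0),
    Transaction("t6", "acct-4", 80.00, datetime(2015, 1, 10, 10, 40), "CNP", "5999", 0),
    Transaction("t7", "acct-4", 90.00, datetime(2015, 1, 10, 10, 50), "CNP", "5999", 0),   # 4th in one hour
]

if __name__ == "__main__":
    found = score_transactions(SAMPLE_TXNS)
    routes = route_alerts(found)
    for txn_id, rules in found.items():
        print(txn_id, rules, "->", routes[txn_id])
```

Each rule is deliberately simple and independent so that a single hit (a CNP purchase at a normal merchant) only reaches an analyst, while a transaction that stacks several of Inonu's signals (a large card-not-present casino payment after midnight, t2 above) pages both the customer and a manager. The velocity window is computed per account after sorting by time, so the fourth transaction in an hour on acct-4 is the one that trips it.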
Tech Times: One of the biggest threats is the internal one -- a rogue employee or angry ex-employee. How can companies better vet employees to prevent data breaches?
Inonu: The database where sensitive data is stored needs to be encrypted, and the data needs to be kept in separate storage [areas]. Access to sensitive data needs to be continuously monitored and reported. For some access requests there needs to be a "maker-checker" control (a double control). The time of entry as well as the type of entry, together with the action taken, need to be registered and reported (if it is a "copy" sort of access, it has to have a double confirmation (like maker/checker) and again needs to be reported). The users need to be assigned to hierarchical groups. Some can just display, some can edit, some need a superior's confirmation of what is done before it goes [to] production.
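The maker-checker control, hierarchical user groups and access audit trail Inonu describes in this answer fit together in one small access gateway. The Python below is an added example for this article, not Cardtek's design or code; the three roles, their permissions, the rule that a checker must be a different and higher-ranked user, and the users and record ids are assumptions for illustration (the encrypted data store behind the gateway is not modelled).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Hierarchical groups (assumed): a viewer can only display, an editor can edit or copy
# subject to a second confirmation, and a supervisor confirms editors' requests.
ROLE_RANK = {"viewer": 1, "editor": 2, "supervisor": 3}
PERMISSIONS = {
    "viewer": {"display"},
    "editor": {"display", "edit", "copy"},
    "supervisor": {"display", "edit", "copy"},
}
DUAL_CONTROL_ACTIONS = {"edit", "copy"}   # actions that need a maker and a checker


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    role: str
    action: str
    record_id: str
    outcome: str                 # denied | executed | pending | approved | rejected
    approver: Optional[str] = None


@dataclass
class AccessRequest:
    request_id: int
    maker: str
    action: str
    record_id: str
    status: str = "pending"
    checker: Optional[str] = None


class SensitiveDataStore:
    """Access gateway in front of the (encrypted) sensitive-data store; only record ids are modelled."""

    def __init__(self, users: Dict[str, str]):
        self.users = users                       # user -> role
        self.audit: List[AuditEvent] = []        # every attempt, with time, type and outcome
        self.requests: Dict[int, AccessRequest] = {}
        self._next_id = 1

    def _log(self, user: str, action: str, record_id: str, outcome: str, approver: Optional[str] = None) -> None:
        role = self.users.get(user, "unknown")
        self.audit.append(AuditEvent(datetime.now(timezone.utc), user, role, action, record_id, outcome, approver))

    def request(self, user: str, action: str, record_id: str) -> Tuple[str, Optional[int]]:
        """Maker side: returns ("denied" | "executed" | "pending", request_id)."""
        role = self.users.get(user)
        if role is None or action not in PERMISSIONS[role]:
            self._log(user, action, record_id, "denied")
            return "denied", None
        if action in DUAL_CONTROL_ACTIONS:
            rid, self._next_id = self._next_id, self._next_id + 1
            self.requests[rid] = AccessRequest(rid, user, action, record_id)
            self._log(user, action, record_id, "pending")   # nothing happens until a checker confirms
            return "pending", rid
        self._log(user, action, record_id, "executed")      # display-only: no second confirmation
        return "executed", None

    def approve(self, checker: str, request_id: int, accept: bool = True) -> str:
        """Checker side: a different, higher-ranked user confirms or rejects a pending request."""
        req = self.requests.get(request_id)
        if req is None or req.status != "pending":
            return "not_pending"
        checker_role = self.users.get(checker)
        maker_rank = ROLE_RANK[self.users[req.maker]]
        if checker == req.maker or checker_role is None or ROLE_RANK[checker_role] <= maker_rank:
            self._log(checker, "approve:" + req.action, req.record_id, "denied")
            return "denied"
        req.status, req.checker = ("approved" if accept else "rejected"), checker
        self._log(req.maker, req.action, req.record_id, req.status, approver=checker)
        return req.status


if __name__ == "__main__":
    store = SensitiveDataStore({"alice": "editor", "bob": "supervisor", "carol": "viewer"})
    print(store.request("alice", "copy", "cust-42"))     # ('pending', 1)
    print(store.approve("alice", 1))                      # denied: maker cannot check own request
    print(store.approve("bob", 1))                        # approved
    for e in store.audit:
        print(e.ts.isoformat(), e.user, e.role, e.action, e.record_id, e.outcome, e.approver)
```

Two details matter for the control to mean anything: the denial path is logged just like the success path (a rogue insider's failed "copy" attempts are exactly the events you want to see), and the checker test is on identity and rank, not just on holding a permission, so an editor cannot confirm another editor's request and nobody can confirm their own.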
Tech Times: Should companies look toward external security companies for help, or should they put a focus on better developing internal security measures?
Inonu: Most of the time, external resources provide generic measures and are trusted, since they also go through industry certifications, but the parameters and the sensitivity, as well as the level of security, are a combination of business experience. Therefore, external resources must be fed with these experiences.
Tech Times: Do you envision a future in which the threat of security breaches no longer exists? What would need to take place for this to happen?
Inonu: Fraud or breach may happen anytime, anywhere. The more control you apply, the lower the system performance you get. Therefore, I simply don't envision a "no security breach" environment, but a well-controlled, monitored environment. All the controls and measures may help minimize the fraud, not totally block it. Therefore, we have insurance for any loss, even if we pay the utmost attention.
Tech Times: How can consumers protect themselves when it comes to hacks on large corporations? Would you suggest using tech like mobile payments rather than credit cards to better protect personal data?
Inonu: With all the new improvements, mobile payments are a new arena not only for customers, but also for the industry. A "one-to-one" transaction always seems to be more secure than a traditional transaction, but in the end, the data is again sorted, managed and stored at a site, whether it is a virtual or a physical one. 2013 and 2014 have clearly proven that the fraudsters are following the rules, regulations and technology of the business as closely as the industry professionals. Since consumers' knowledge is limited on the topic, they can protect themselves and their sensitive data from third-party/malevolent eyes only during a transaction. It is the systems', the brands' and the corporations' responsibility to protect customers before everyone else.