News Pick: Data Breach Targets Speak

Posted on November 04, 2014 by Fahmida Y. Rashid

While any organization can suffer a data breach, some organizations seem to be bigger targets than others. Representatives from financial services, retail, media, and healthcare organizations talked about their security strategies at this year's Privacy Xchange Forum in Scottsdale, Ariz., Dark Reading reported.

Not all industry sectors face the same threats. Organizations have to finetune their security defenses towards the security concerns most prevalent in their industry. At the Privacy Xchange Forum panel, industry executives touched upon different threats their respective industries faced and the strategies critical to their security success.

What Financial Services Organizations Worry About
Financial services organizations see account takeover, identity theft, and payment card fraud as their biggest threats, not direct assaults against their networks. "People get in and steal your user ID and password and transfer money out of your account," said Michael Young, vice president and product team manager for financial services firm EverBank.

The FFIEC guidelines require banks to provide multi-factor authentication for online banking, but criminals have figured out how to bypass several two-factor authentication schemes. Many banks are looking at tokenization to protect sensitive pieces of data such as credit card and Social Security numbers.

"We have to make it safe to bank online but not too onerous or difficult for the end user. It's a fine line," Young said.

Retailers Need to Communicate More
Even with all the headlines over the past year, retailers still don't seem to get it, according to the Dark Reading report. "When you talk to the CEO of a retailer, [he says] 'we're not a bank, why are they coming after us? We're PCI-compliant,'" said Arthur Tisi, CIO for Natural Markets Food Group.

Retailers need to improve their internal coordination efforts, Tisi said. While many retailers now have incident response plans in place and are considering security measures beyond those required by PCI, they still need to learn how to communicate internally, with law enforcement, and with their customers.

"What are you going to say? When are you going to say it? Who do you retain to communicate?" Tisi said.

Media, Healthcare Speak Out
Executives from a media company and healthcare organization were also at the panel and spoke about their concerns. Some of the breaches aren't because the attacks are highly sophisticated, but because controls are missing. Either basic steps are being missed or too many people have access to sensitive data.

Check out the Dark Reading piece for more insights from the panel.

Contributors

Fahmida Y. Rashid

Managing Editor, Features, Dark Reading

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.