Throughout the U.S., many companies are still not covering the essentials when protecting their systems, but the enemy is getting increasingly sophisticated and relentless, Visa's risk chief said.
It is clear that companies are having a difficult time complying with the requirements of Payment Card Industry data security standards, said Ellen Richey, vice chairman of risk and public policy for Visa Inc. The PCI rules were established roughly a decade ago.
"Some very basic security prevention measures are not being taken, such as not changing a default password," Richey said during the "In Digital We Trust" conference March 26 in Washington, D.C.
Visa Inc. and Bloomberg Government sponsored the event.
The payments industry "has a lot of work to do" just to maintain a basic level of security, Richey said. Ultimately, all industries involved in securing sensitive data need to "raise the bar" to make it riskier and more costly for criminals to prey on sensitive data, she added.
Recent research reports from Verizon and Trustwave point to poor password security as a lingering concern.
Aside from paying more attention to basic security rules, industries handling sensitive data need to view the federal government as a key partner, not an overseer that can't be trusted, experts agreed.
Too often, when a company provides breach information to the federal government, the company is not able to get information back because it is classified, said Kim Ford, vice president of public affairs for payments technology provider First Data Corp.
"This is a structural problem," Ford said. "The government could do more to foster collaboration and bring the parties together."
Cyberattacks have evolved into more sophisticated assaults on individual companies by governments and other entities from Eastern Europe, Asia and the Middle East, making it vital to take a unified, national-security-style approach to data security, said Tim Pawlenty, CEO of the Financial Services Roundtable trade association in Washington and a former governor of Minnesota.
"This issue used to focus on college kids sitting in basements, just hacking for fun to see if they could get in, and it has migrated dramatically up the food chain to international organized crime and nation states and semi-nation-state-sponsored entities" Pawlenty said. "If it's China attacking a company it won't end well for the individual company or for their customers. That is why we need a Team America approach."
"You can't pit individual companies against those types of sophisticated criminal networks," Pawlenty said. "It won't end well for the individual company."
With no institution immune from cyberattacks or insider threats, it is important for the federal government to respond with plans that emphasize data sharing and teamwork, Pawlenty added.
The $172 million-plus cost that Target and its member banks have incurred to resolve the 2013 data breach should serve as an ongoing warning to other companies, said Nuala O'Connor, president and CEO of the Center for Democracy and Technology.
"It is better for companies to spend that kind of money on data security controls in the first place, rather than as a breach response," O'Connor said.
Experts agreed that efforts to de-value data should continue, as it has become increasingly apparent that hackers are persistent enough to find a way into nearly any network.
The industry effort to expand tokenization will help de-value the data, First Data's Ford said. Tokenization replaces card data and account numbers with a unique string of characters known as a token.
"It was slow going for tokenization a couple of years ago, but now we are getting close to 2 billion transactions that have used our tokenization and encryption," Ford said.
Retailers are more inclined to seek ways to de-value data after seeing the damage that breaches can inflict on their brand and on the careers of top executives, Ford said.
President Obama's initiative to establish data sharing between the private sector and federal government will be a key step in thwarting cyberattacks in the future, Congressman Jim Langevin (D-R.I.) said.
Some in the industry have cautioned that, while Obama's focus on cybersecurity is welcome, more work is still needed.
During the conference, Langevin said he was introducing a data breach notification bill that would call for organizations to disclose a data breach within 30 days. The key will be for a standard to be established across all states, Langevin said.
It is a positive trend that both the government and private sectors are far more aware of the importance of cybersecurity than in the past, said Scott Montgomery, vice president and chief technology officer for the public sector at McAfee.
"This is a $100 billion industry [for the criminals]," Montgomery said. "We now know that this is a coat-and-tie business and that it is not just a pony-tailed guy in his mother's basement."