The Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks. Merchants and any other organization that accepts payment cards must follow the PCI Data Security Standard (PCI DSS). One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, and protect PCI data.
A major threat to PCI data is phishing, with almost a third of phishing attacks targeted at stealing financial data.
According to a stat in the PCI guide, Defending Against Social Engineering and Phishing Attacks: “Every day 80,000 people fall victim to a phishing scam, 156 million phishing emails are sent globally, 16 million make it through spam filters, 8 million are opened.”
Recently, I blogged about how “nearly 25% of data breaches involve phishing, and it is the second most frequent data security threat companies face.”
I am pleased that the PCI guide to phishing and social engineering discusses training at many points. Indeed, nearly half the tips involve how to implement better training and awareness. For example, to protect against malicious attacks via email, the guide states:
Train employees and users on email and browser security best practices, including these key tips:
→ Resist the urge to click links in a suspicious email; visit websites directly.
→ Be cautious of email attachments from unknown sources. Also, many viruses can fake the return address, so even if it looks like it’s from someone you know, be wary about opening any attachments.
For dealing with malicious websites, the guide provides:
Train employees and users on website and browser security best practices, including these key tips:
→ Only install approved applications.
→ Be sure you’re at the right website when downloading software or upgrades. Even when using a trusted site, double check the URL before downloading to make sure you haven’t been directed to a different site.
→ Recognize the signs that your computer is affected and contact IT.
And for authentication, the guide states that organizations should “[e]ducate employees and users on choosing strong passwords and changing them frequently.” The guide also recommends using two-factor authentication, a topic that I have recently written extensively about, as passwords alone are a very weak security measure.
Several provisions of the PCI DSS require organizations to implement a PCI training program for all employees who handle PCI data. Specifically, the PCI DSS requires “a formal security awareness program to make all personnel aware of the importance of cardholder data security.” Employees must be trained upon being hired and “at least annually.” Part of this training involves learning some of the special rules for handling PCI data, but another part of the training involves understanding basic good data security practices. Training to help people avoid phishing and other social engineering attacks is essential.
The message from this guide by the PCI Security Standards Council is clear: Training is of great importance. However, it is often overlooked when organizations implement PCI because PCI DSS has so many other requirements. Data breaches are very expensive, and ones involving PCI data are particularly costly because organizations must pay for a PCI investigation. When organizations are found not to be following the requirements of PCI DSS, the PCI Council can also issue fines or revoke the right to process payment cards, which can be devastating to many businesses.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.