Usually, turning the calendar from one month to the next is no big deal. However, in the security world, October 1, 2015, is a pretty big deal. First, October is National Cybersecurity Awareness Month, which celebrates its fifth anniversary this year. Second, today is the day that we are supposed to transition to a more secure credit card system. I thought I’d look at these two significant security events and see how they are reshaping the way we look at the threat landscape.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=iThe Department of Homeland Security, which sponsors National Cybersecurity Awareness Month, has a list of themes for each week of the month, including Creating a Culture of Cybersecurity at Work and Building the Next Generation of Cyber Professionals. Areas that we need to discuss and promote, yes, but they are also discussions we’ve been having in the security community for more than five years. It’s disappointing that we still have to revisit topics that should be part of the mainstream by now.
I like Paul Ducklin’s take on cybersecurity awareness at the Naked Security blog. He focused on the progress we’ve made, saying that security issues like multi-factor authentication, better encryption and password use, and (finally) recognizing that Apple and Linux users have to take security more seriously are now mainstream topics. I totally agree with Ducklin. I think we need to celebrate what we are doing right, but we also have to question why we remain stuck in so many old patterns and habits. Why are we struggling to find security professionals and why are we still struggling to get the average user to understand why security practices are necessary in today’s environment?
But that second question may lead to some answers in the slow start to the new credit card regulations. Known as the EMV standard, the point is to take out the old, inefficient technology and replace it with something more secure in order to prevent fraud. As TechRepublic explained:
The ease at which a memory stripe credit card can be cloned is well known. The new EMV style credit card combats that by replacing the magnetic stripe with a small computer chip that creates a one-time transaction code that cannot be duplicated.
The system has been used in Europe for years, but, not surprisingly, as the October 1 deadline approached, American companies weren’t prepared for the switch. Reports state that the majority of credit card users haven’t received updated credit cards yet (personally speaking, I’m in that majority). Retailers haven’t made much progress either.
In an email comment to me, Henry Helgeson, CEO of Cayan, explained why:
There are three main obstacles to EMV adoption for merchants: awareness, cost and available solutions. In terms of awareness, at this point most payment processors have educated their customers about EMV and have moved on to activating and providing actionable steps for merchants. However, initially, merchants were confused by what EMV meant to their business and as a result delayed in starting the upgrade process.
The cost of upgrading their systems to become EMV-ready certainly created hesitation among retailers. However, for small retailers with standalone terminals, the cost can be as low as $140. For mid-market merchants, these costs can increase as many require integrated solutions. And the last main hurdle to accepting EMV has been the availability of solutions from processors and gateways for merchants. EMV is an extremely complex technology that has taken years of development and planning.
Perhaps it isn’t a coincidence that the EMV standards are supposed to begin on the same day that we welcome the annual National Cybersecurity Awareness Month. Both events show why we need to take steps to be more secure in work and play, while at the same time, they highlight exactly why we’re still struggling.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba