Payment companies and merchants are taking the wrong approach to cybersecurity if they address problems only after they arise.
On average, a fraudster has been inside a company's infrastructure for 229 days before the company realizes it, said Mark Weatherford, principal at The Chertoff Group, during a panel discussion on cybersecurity at the National Retail Federation conference in New York City on Jan. 12.
And about 66% of companies that experience a data breach are tipped off about the intruders by an outside party, such as their banking partner, a law enforcement agency or security bloggers, Weatherford said.
That's why devaluing the data through tokenization or encryption is so essential. Tokenization, a process for replacing sensitive account data with a secure value called a token, is one of the key technologies being pushed by Visa and MasterCard for digital payments.
Apple, in designing the Apple Pay mobile wallet, included tokenization. This move sparked fresh interest in the security technology.
Companies are just waiting to be victimized, said Erin Nealy Cox, executive managing director at Stroz Friedberg, a computer forensics and investigations firm. Instead, companies that store payment credentials or personally identifiable information should hire security experts to constantly "go on the hunt," she said.
"Risk in cybersecurity is dynamic," said Weatherford, so the security systems that companies employ need to be dynamic as well. One of the most important things for a company to do is to create a playbook for reacting to a data breach, he said.
Data security is especially pertinent since the cost and expertise required to pull off a data breach have decreased substantially. Nowadays, good malware costs about $1,000, said Paul Kleinschnitz, senior vice president and general manager of cyber security solutions at First Data.
But a breach isn't necessarily a problem, Kleinschnitz said; it becomes a problem when fraudsters take data from the system and commercialize it.