At the start of each new year, there is an opportunity for a fresh look at security threats and challenges faced in this digital age. Will the new year bring about a new wave of data breaches, internet viruses, and broken security promises? Will our personal data and privacy be stolen and offered to the highest dark net bidder? Will 2019 see the start of new regulations to finally hold internet companies and credit service providers accountable for breaches, and their deceptive practices that allow them to profit from our personal data?
I believe things must get bad before they start getting better. We only need to look back over the last five years in the consumer payments space to see evidence that things had to get very bad first, before change would come. According to The Nilson Report, in 2015, the U.S. accounted for 38.7%, or $8.45 billion, of gross card fraud losses worldwide, while generating only 22.9% of total global purchase and cash volume. U.S. fraud reached 11.76¢ per $100 in 2015, according to the company. In 2018, roughly four years after the adoption of EMV, counterfeit card fraud has declined about 70%. While overall fraud is still high due to increased spending online, fraud as a percentage of sales has dropped.
To illustrate this point with an example outside payments security, one of the most damaging cyberattacks ever occurred about five years ago, when the federal government’s Office of Personnel Management (OPM) was breached. Officials confirmed they suffered multiple attacks, and the second OPM breach snared security clearance files of current, former and prospective federal employees. The data included electronic forms containing intimate details on those individuals, their contacts and families. Unconfirmed estimates of those affected by the data breach grew to as many as 14 million government employees and their families. An intensive security upgrade program known as the “cyber-sprint” was employed shortly after this happened to upgrade the security of federal networks and to implement two-factor authentication for logical access security. Now, every federal agency has deployed two-factor authentication to eliminate the risk of criminals using stolen passwords to access sensitive systems.
Unfortunately, the vast healthcare IT market is poised to be the next big target for cyber criminals. Now that electronic health records have become the norm for managing personal health information, the thin ranks of IT security professionals who protect thousands of hospitals, outpatient clinics, and insurance networks are the only line of defense protecting our information. Two-factor authentication is rarely in place. Just like the payments industry and the federal government, it is going to have to get bad before it gets better. Here’s hoping that it doesn’t take a national crisis before that happens.