Titania Report Reveals Less Than 40% of Senior Cybersecurity Decision Makers Effectively Prioritize Risks to Payment Card Industry Data Security Standard (PCI DSS) 4.0 Compliance
Date published: 29 Mar 2023
Titania, specialists in continuous network security and compliance, today launched a new independent research report that explores Payment Card Industry Data Security Standard (PCI DSS) 4.0 risk within U.S. commercial critical national infrastructure (CNI) organizations.
The study, ‘Organizational approaches to quantifying the levels of security and PCI DSS compliance risks in the US Commercial CNI sector’, highlights that oil and gas, telecommunications, and banking and financial services organizations are prime targets for threat actors that exploit vulnerable network device configurations to scale their attacks. The study also reveals that only 37% could ‘very effectively’ categorize and prioritize the compliance risks that undermine the security of their networks.
Almost all organizations (96%) reported that they do not analyze switches and routers when checking for misconfigurations, and that such checks are typically performed annually. However, most agreed that continuous (daily) risk assessment of every firewall, router, and switch is the most robust strategy for securing networks and maintaining compliance.
Most (over 80%) also agreed that their organization relies on compliance to deliver security. Specifically, all banking and financial services sector respondents are confident that they are meeting their corporate security and external compliance requirements, compared to most oil and gas (98%) and telco respondents (96%). This data demonstrates a disconnect between the perception of network security and compliance, and the reality.
“Complex networks, large customer bases, and long supply chains make these industries highly susceptible to attacks. The study reveals that given the current organizational approaches to network security, companies cannot be continuously compliant, and as a result carry with them unquantified levels of risk to the confidentiality, integrity, and availability of systems and data,” said Phil Lewis, CEO, Titania.
“A determined attacker will try a combination of approaches to access a network until they gain entry, and known vulnerabilities or misconfigurations are an easy way in. Companies must adopt both a Zero Trust mindset and network security best practices, to minimise the attack surface, inhibit lateral movement, and prevent intruders from meeting their goals,” continued Lewis.
The research, which asked how organizations currently detect and mitigate vulnerabilities in the specified part of the network and how confident they are that devices maintain a secure configuration at all times, also revealed:
- 100% of respondents reported that their network security tools meant they could categorize and prioritize compliance risks effectively, but 74% of oil and gas, 67% of telcos, and 67% of banking and financial services respondents listed an inability to prioritize remediation based on risk as a top challenge when meeting security and compliance requirements.
- An overwhelming majority report that while budgets increased year over year, this has little to no impact on the volume of critical misconfigurations detected on their networks. Just 3.4% of IT budgets are allocated to identifying and remediating misconfigurations.
- 45% reported that critical network configuration security risks are responded to and resolved within 1-3 days.
- Banking and Financial Services reported the most frequent checks of all Commercial CNI respondents, with 62% falling in the bi-weekly to once every six months category.
- The oil and gas sector reported the highest number of misconfigurations detected in the previous 12 months.
- Telecommunications is the only sector that doesn’t have 100% automation of configuration security reporting.
The PCI Security Standards Council recently released the most significant changes to its standard since 2004, promoting effective network segmentation, security as a continuous process, and enhanced validation of compliance to address the increased risks that commercial enterprises need to mitigate. According to Verizon’s 2022 Payment Security Report, PCI DSS 4.0 Requirement 11, which requires organizations to ‘regularly test security systems and processes’, has been the worst-performing individual requirement for sustainable compliance for the last 10 years running. Just 60% of organizations are able to demonstrate that they fully meet this requirement. This is consistent with the findings of the research study, which also indicates that ‘inaccurate automation’ and an ‘inability to prioritize remediation based on risk’ are the main challenges in meeting corporate security and external compliance requirements for nearly half of all organizations.