If you are responsible for cybersecurity or data protection in your organization, stop what you are doing and read this report. Actually, first, go patch your servers and applications and then read this report.

Much like Verizon’s Data Breach Investigations Report (DBIR), the Payment Security Report (PSR) is a must-read for security professionals. While it focuses on the PCI DSS standard and reviews compliance related to its 12 requirements, it is much more than a review of how companies are doing regarding PCI compliance.

The compliance statistics are informative and show some alarming trends about how well companies are protecting payment card data. Those trends should cause any CISO to look closely at how their organization is handling data protection – and not just for payment cards. Critical data needs protecting regardless of how it is used. The PCI standard is broadly applicable, and the controls are just as effective for PHI, PII, and other sensitive data.

Key Finding – Companies Aren’t Doing Vulnerability Management

For me, the key finding in the report is this: organizations are failing to implement a vulnerability management program. According to the report, over one-third of companies are not ensuring that vulnerability scans are running or are not examining those reports when they do run. Those companies may not be scanning at all, and even if they are, those scans aren’t doing any good. Further, a full 28 percent of companies aren’t ensuring that system components are protected from known vulnerabilities. This tells me that companies don’t know about vulnerable systems in their environment and are therefore not doing anything to protect themselves against exploits and data breaches.
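The two gaps the report calls out, scans that are not actually running and known vulnerabilities left unpatched, are easy to check mechanically once you have an asset inventory next to your scan output. The following is an added example, not code from the report or from this post: it runs over a small constructed inventory, scan log and findings list, and the 90-day scan interval and 30-day patch window are assumptions modelled on PCI DSS quarterly scanning and one-month critical-patch expectations, not values taken from the report.

```python
from datetime import date, timedelta

# Assumed thresholds, modelled on PCI DSS quarterly scanning and the
# one-month expectation for critical patches; adjust to your own policy.
SCAN_INTERVAL = timedelta(days=90)
PATCH_WINDOW = timedelta(days=30)
TODAY = date(2019, 7, 15)  # fixed "now" so the example is reproducible

# Constructed inventory of in-scope hosts (the cardholder data environment).
ASSETS = ["web-01", "db-01", "pos-gw-01", "jump-01"]

# Constructed scan log: (host, scan_date). jump-01 has never been scanned.
SCANS = [
    ("web-01", date(2019, 6, 1)),
    ("db-01", date(2019, 2, 10)),
    ("pos-gw-01", date(2019, 6, 1)),
]

# Constructed findings: (host, first_seen, severity, id, remediated).
# The identifiers are placeholders, not real CVEs.
FINDINGS = [
    ("web-01", date(2019, 6, 1), "critical", "CVE-EXAMPLE-0001", False),
    ("web-01", date(2019, 6, 1), "low", "CVE-EXAMPLE-0002", False),
    ("db-01", date(2019, 2, 10), "critical", "CVE-EXAMPLE-0003", False),
    ("pos-gw-01", date(2019, 6, 1), "high", "CVE-EXAMPLE-0004", True),
]


def unscanned_hosts(assets, scans, today=TODAY):
    """Hosts never scanned, or not scanned within SCAN_INTERVAL: the
    'scans are not running' gap. Checked against the inventory, not the
    scan log, so a host the scanner has silently dropped still shows up."""
    latest = {}
    for host, scanned in scans:
        latest[host] = max(scanned, latest.get(host, scanned))
    return sorted(h for h in assets
                  if h not in latest or today - latest[h] > SCAN_INTERVAL)


def overdue_findings(findings, today=TODAY):
    """Open critical findings older than PATCH_WINDOW: the 'known
    vulnerabilities nobody acted on' gap the report describes."""
    return sorted((host, vuln_id)
                  for host, first_seen, severity, vuln_id, fixed in findings
                  if severity == "critical" and not fixed
                  and today - first_seen > PATCH_WINDOW)


if __name__ == "__main__":
    print("not scanned within 90 days:", unscanned_hosts(ASSETS, SCANS))
    print("critical and unpatched past 30 days:", overdue_findings(FINDINGS))
```

Driving the inventory from your CMDB rather than from the scanner's own host list is the part that matters: a host the scanner never reaches produces no findings and so looks clean in a findings-only report.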

This is surprising because scanning, reviewing, and patching are relatively simple processes to implement. That isn’t to say they are easy, but given the positive impact vulnerability