Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.
Here are five takeaways for companies large and small:
- Companies are only as secure as their most vulnerable employee. In the course of the panel discussion, Mike George, CEO of QVC, elaborated on how training and constant vigilance were at the heart of QVC’s cybersecurity strategy. George explained that one way QVC works to avoid opening itself to cyberattacks is to conduct in-house phishing expeditions and then link employees who took the bait to training materials for information security. Companies looking for innovative ways to assess potential gaps in their security measures should consider taking similar steps. Accounting for human error is as much a part of cybersecurity as technical know-how.
- Investing in secure point-of-sale technology is worth it. While tokenization (the process of substituting credit card numbers with randomly generated tokens for financial transactions) and EMV (or “chip”) cards might seem like matters outside the ken of businesses that are not in the credit card or financial industry, they ought to be of interest to anyone whose company accepts credit card payments as part of their business. Alex Gourlay, President of Walgreens, noted that his company’s recent and substantial investment in modernizing its point-of-sale technology was worth every penny. Gourlay explained that taking steps to reduce the potential for confusing or frustrating customers with preventable financial fraud or data-leaks helps to cement customer relationships based on trust and ultimately benefits companies that are not in the credit card business.
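To make the parenthetical definition of tokenization concrete, here is a small added example (not code from the post or from any company mentioned in it) of a token vault: the card number is replaced by a random surrogate, and only the vault can map the surrogate back. The Luhn check, the 16-hex-character token format and the in-memory dictionary are assumptions made for the illustration.

```python
"""Added example: a minimal card-number tokenization vault.

Tokenization replaces a primary account number (PAN) with a random
surrogate value that is useless to anyone who steals it; only the vault
can map the token back to the PAN. Assumptions (not from the post):
tokens are 16 random hex characters, the vault is an in-memory dict,
and a PAN must pass the Luhn check before it is accepted.
"""
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """What a receipt or log may show: only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Maps PANs to random tokens and back. In production the vault is
    an isolated, access-controlled service; here it is an in-memory dict."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not luhn_valid(digits):
            raise ValueError("not a well-formed card number")
        # Same card -> same token, so a merchant can recognise a returning
        # customer without ever storing the PAN itself.
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        while True:
            token = secrets.token_hex(8)   # 16 hex chars, no relation to the PAN
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at settlement time) may call this."""
        return self._token_to_pan[token]


# Constructed sample input: the well-known Visa test number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"

if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("stored in merchant systems:", tok, mask_pan(SAMPLE_PAN.replace(" ", "")))
    print("recovered inside the vault:", vault.detokenize(tok))
```

The point the retailers on the panel were making is visible in the data flow: the merchant's own systems keep only `tok` and the masked number, so a breach of those systems yields nothing a fraudster can charge against.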
- Failing to invest in secure point-of-sale technology will result in substantial liability for companies that are behind the curve. The SBA administrator, Maria Contreras-Sweet, emphasized the dramatic nature of the coming change to the law as it relates to smart cards and financial transactions. Beginning in October 2015, any card payment fraud that could have been avoided through the use of an EMV terminal will become the responsibility of the business accepting payment, rather than the credit card company. That means that businesses will have to either invest in secure point-of-sale technologies or risk liability for a host of common types of financial fraud. Spending for an ounce of prevention now may be substantially less expensive than a pound of cure eight months from now.
- Sharing information, even among fierce competitors, can pay huge dividends. Echoing many of President Obama’s remarks, the panel discussion among financial industry leaders emphasized the value of information sharing among and between companies that are used to thinking of themselves as competitors. Richard Davis, CEO of U.S. Bancorp, told listeners that sitting down to work with rivals to develop response plans for cyberattacks was a novel but worthwhile endeavor. Davis suggested that the plans now in place in the financial sector, including up-to-the-minute data sharing on cybersecurity issues, could serve as a template for other industries looking for a way forward on collective security risks. Templates and guidance documents to be developed later this year by the Department of Homeland Security may shed light on how this kind of collaboration can be made safer, faster, and easier in other industries facing cyber threats.
- Multi-factor authentication is a must. Replacing passwords as our primary means of security online is long overdue. While approaches relying on biometric technologies such as facial, thumbprint and voice recognition might not yet be the standard, they are increasingly common, and companies looking to get ahead of the game will want to focus on securing their data with something more challenging to circumvent than “abc123.”
Taking action on these issues will require a substantial investment of time and resources up front, but those prophylactic efforts are ultimately less expensive and less disruptive than cleaning up after a cyberattack. As PayPal CEO Dan Schulman said last week, the only way to completely eliminate the risk of a cyberattack would be to stop doing business. Resilience in the response to attacks is just as important as prevention efforts.