A survey of 800 British, French, German and American consumers conducted by database security leader, Guardium, an IBM company, has suggested that 78 per cent were either ‘concerned’ or ‘very concerned’ about the security of their credit card information.
In the UK, despite banks being cited overall as the ‘most trusted’ organisations by British respondents, more than two thirds (72pc) of these respondents were concerned over their banks’ ability to safeguard financial data from internal threats and disgruntled employees. In the US, 54pc) of respondents said they thought they were more likely to be a victim of identity theft than to have their car stolen.
The survey, conducted in Berlin, London, Munich, New York and Paris, asked individuals to share their views on fraud, identity theft and the safety of credit card and personally identifiable information (PII) such as US Social Security Numbers and regionally relevant personal data such as French ‘Carte Vitale’ and German ‘Krankenversicherungskarte’ health cards. It also uncovered differences in regional consumer attitudes over the security of personal and financial data held by government organisations, banks and retailers.
Types trusted
Retailers: Retailers did not fare well across any region. In Germany, retailers were seen as the least trusted in protecting consumers’ data, as outlined by 64pc of respondents. Retailers were also highlighted as the ‘least trusted’ by French respondents (with 88% stating concern). In the US, 38pc of respondents said retailers were the organisation type they trusted the least to protect their financial data, although a further 28pc said they had no trust in any type of organisation, including retailers, banks and government organisations.
Government: In Britain, respondents said they had the least trust in their own government, with only 2pc stating they had ‘complete trust’ in government organisations to keep their data safe—a stark comparison to the US, where 40pc of respondents said they had the ‘most confidence’ in government organisations to protect their data. In France, 30pc of respondents said they were ‘not concerned’ with the safety of personal information held by the government, with fewer respondents expressing the same confidence about banks and retailers.
Banks: In the UK more than half of all respondents (55pc) said they had some worries over banks’ ability to protect financial card data from external hackers, and more than two thirds (72pc) were concerned over their bank’s ability to safeguard data from internal threats such as disgruntled employees.
In Germany, respondents had the highest level of trust in banks, with 44% of respondents saying they trusted banks over retailers and government organisations. In France, 27% of respondents said they had no concern over their bank’s ability to protect their financial data.
Concerns
The survey found consumer concern goes beyond credit card information. In Germany, 51pc of respondents were concerned about the security of personal information on their ‘Krankenversicherungskarte’ health insurance cards. Meanwhile, 88% of Americans were concerned with the security of their Social Security number. In France, nearly three quarters (70pc) of respondents said they were concerned about the security of information related to their Carte Vitale, the French health insurance card.
What can be done?
Part of the public’s concern about its sensitive information can be attributed to developing awareness on the subject. Industry must respond by transparently assuring clients about the depth of their data security precautions. To close the gap between perception and reality, organisations need to inform the public about how and why breaches occur, and what they’re doing to prevent them in the future. Restoring public confidence is challenging but not unrealistic.
To truly win back confidence, organisations must do more than bring good news; they must educate their employees about data security, and they must maintain a secure data infrastructure. Too often, management is lulled into a false sense of security because they’ve deployed traditional perimeter defences such as firewalls, and they’re passing their audits. However it’s clear that this is no longer sufficient. In 2009, Heartland was the victim of the largest data breach in history, due to a SQL injection attack by cybercriminals operating in the US, Latvia, the Ukraine and the Netherlands, that ultimately resulted in the theft of 130 million credit cards– yet Heartland had deployed standard firewalls and anti-virus systems and had even recently passed their audit for the Payment Card Industry-Data Security Standard (PCI-DSS).
Phil Neray, vice president of security strategy at Guardium, said: “In order to protect themselves against 21st-century threats such as cybercriminals and rogue insiders, organisations need to implement continuous, real-time monitoring of all access to sensitive data, including access by “superuser” employees and outsourced personnel. Most organisations still rely on manual review of logs to identify unauthorized activities, but this is time-consuming and inefficient. More importantly, it’s also ineffective in spotting breaches in a timely manner, because identifying suspicious activities in data centres with high transaction volumes is equivalent to trying to find the proverbial ‘needle in the haystack.’”
He continued: “New database activity monitoring (DAM) appliances analyse all activity with minimal reduction in performance and without requiring changes to applications or databases. Any suspicious or malicious behaviour can be immediately spotted by continuous comparisons to normal activity baselines and corporate security policies. If any security problems develop, security personnel can stop them before they start or proceed too far.”
