- I tested the cheapest Surface Pro 11 model: 3 main takeaways as a Windows expert
- El Capitan bumps Frontier to claim world’s fastest supercomputer title
- From cloud spend to cloud value: The power of Cloud Unit Economics
- Is Perplexity Pro worth the subscription? This free shipping perk just might convince me
- Perplexity AI's new shopping assistant is ready to tackle your holiday gift list
Protecting Sensitive Data from Insider Threats in PCI DSS 4.0
Safeguarding sensitive data is a huge concern for organizations. One of the biggest challenges they face is the threat posed by insiders who work for the organization. In fact, a report found that 74% of organizations are at least moderately vulnerable to threats from insiders.
This has increased spending towards protecting against insider threats by more than 76% between 2018 to 2022, according to a global report by the Ponemon Institute.
Safeguarding sensitive data from insider threats is crucial in the environment of PCI DSS, especially with the release of PCI DSS 4.0. But first, let’s understand what an insider threat is, the different types, and how to prevent them.
What Is an Insider Threat?
Have you heard the phrase “the enemy within”? It perfectly describes an insider threat within an organization.
An insider threat is a security risk that originates from individuals within an organization, such as employees, former employees, contractors, or business associates. These individuals have access to sensitive information and knowledge of the organization’s security practices, data, and computer systems, which can potentially be used to cause harm.
Why are Insider Threats Dangerous?
Insider threats are dangerous and pose a risk to an organization. These include:
- Malicious insiders: These are individuals who intentionally cause harm to the organization, such as stealing sensitive information or sabotaging systems or data.
- Negligent insiders: These are individuals who unintentionally cause harm to the organization, such as accidentally sending sensitive information to the wrong person or failing to follow security protocols.
- Compromised insiders: These are individuals whose accounts or systems have been compromised by an external attacker, allowing the attacker to carry out malicious activities from within the organization.
Real-life Example of Intentional Insider Threat:
An employee at a Credit Union, remotely accessed the company’s file server and deleted 20,000 files and 3,500 directories, totaling 21.3 GB of data. This included mortgage loan application documents. The perpetrator also opened confidential files, breaching privacy and security boundaries, and bragged about the illegal actions in text messages to a friend. The crime cost the Credit Union $10,000 to clean up the damage.
This example demonstrates the real-world consequences of intentional insider threats. Organizations need to be vigilant and have robust measures in place to detect and prevent such incidents. Insider threats can cause significant harm to an organization, including financial losses, reputational damage, loss of customer trust, and legal consequences.
An Introduction to Insider Threats in PCI DSS:
Insider threats can severely affect sensitive data, making the payment card environment a soft target. Organizations that offer payment services must adhere to Payment Card Industry Data Security Standard (PCI DSS) to ensure security and compliance. This latest version of the Standard improves security, simplifies compliance, and keeps pace with new technology.
In the context of PCI DSS, insiders can include employees, contractors, or business associates who have access to sensitive payment card information. To protect against threats, organizations should implement measures to keep data safe. For example, a malicious insider could steal payment card information and sell it on the black market, while a negligent insider could accidentally cause a data breach.
PCI DSS v4.0 has the same six goals and 12 requirements as its earlier version but also includes significant updates to compliance assessments to keep up with new technology.
Best Practices for Protecting Sensitive Data from Insider Threats in PCI DSS 4.0 Compliance
Document and confirm PCI scope
Requirement 12.5.2 of PCI DSS 4.0 states that organizations must document and confirm their PCI scope annually and upon significant changes to their environment. This includes identifying all data flows, system components, segmentation controls, and connections from third parties with access to the cardholder data environment (CDE).
While this requirement does not specifically mention insider threats, it is important to note that PCI DSS as a whole is intended to protect against all threat actors, including insiders. By documenting and confirming their PCI scope, organizations can ensure that they are aware of all potential areas of risk and can take appropriate measures to protect sensitive data, such as implementing security policies and procedures for all personnel as outlined in Requirement 12 of PCI DSS.
Assign roles and responsibilities
Defining roles and responsibilities is crucial for protecting sensitive data from insider threats under PCI DSS 4.0 compliance. Organizations should clearly document and assign the roles and responsibilities of all personnel involved in PCI DSS compliance, including IT staff and employees in other departments who handle or have access to cardholder data. By ensuring that these roles and responsibilities are understood, organizations can reduce the risk of insider threats. Additionally, providing training and education can help create a culture of security and further prevent insider threats from compromising sensitive data.
Implement network security controls
PCI DSS 4.0 Requirement 1.3.3 indicates that organizations implement Network Security Controls (NSCs), such as firewalls, between all wireless networks and the Cardholder Data Environment (CDE), even if the wireless network is part of the CDE. This helps protect the CDE from unauthorized access, including access through wireless networks.
Wireless networks can be vulnerable to attacks and, if not properly secured, can provide an entry point for threat actors, including insiders, to access sensitive data. By implementing NSCs, organizations can prevent unauthorized access to their CDE and protect sensitive data from insider threats. Regular monitoring and testing of wireless networks and NSCs can further reduce the risk of insider threats.
Prevent unintended receipt of cardholder data
PCI DSS 4.0 Requirement 4.2.2 states that organizations implement measures to prevent the unintended receipt of cardholder data. This helps prevent accidental exposure of sensitive data by insiders, such as employees or contractors, who may accidentally send cardholder data to unauthorized parties due to human error or lack of awareness of security policies.
Measures to prevent unintended receipt of cardholder data can include implementing technical controls, such as Data Loss Prevention (DLP) software, and providing employee training and education. By implementing these measures, organizations can reduce the risk of insider threats and help protect sensitive data.
Implement multi-factor authentication:
PCI DSS 4.0 Requirement 8.4.3 specifies that organizations implement Multi-Factor Authentication (MFA) for all remote access to the CDE. This helps prevent unauthorized access to the CDE using stolen or compromised credentials, including by insiders who may have knowledge of an organization’s systems and security measures.
Organizations can reduce the risk of insider threats and help protect sensitive data by implementing MFA regularly monitoring and testing their MFA systems, as well as having policies and procedures in place to ensure only authorized personnel have access to administer the MFA systems.
The Consequences of Non-Compliance with PCI DSS Standards and Insider Threats:
Recent studies have highlighted the worrying prevalence and high cost of insider threats faced by companies worldwide. According to a report by Sisa Infosec, over 34% of companies globally are affected by insider threats every year, costing each company an average of $8.76 million. This highlights the need for organizations that manage cardholder data to be knowledgeable about PCI DSS compliance, particularly in protecting against insider threats.
To avoid similar consequences, businesses must comply with PCI DSS standards when handling payment card data, with insider threats being a particular area of concern. Failure to comply may result in lost customer trust, reduced sales, fraud losses, legal fees, and the inability to accept payment cards.
Additionally, non-compliance can lead to severe penalties ranging from $5,000 to $100,000 per month, depending on factors such as the severity of the breach and business payment volumes. Following PCI DSS guidelines can minimize the risk and consequences of insider breaches.
Conclusion
Keeping sensitive data safe from insider threats is a big challenge for companies in all industries, especially when it comes to PCI DSS. Failure to adhere to the Standard can have serious consequences. With more and more insider threats happening, companies need to have good access controls, employee training, contingency plans, and risk assessments. Along with these efforts, following the rules in PCI DSS v4.0 can lower the risk of insider threats and keep important information safe. It’s really important to know how serious insider threats can be, and to take steps to keep payment card data secure.
About the author:
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, SLCA, SSFA and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, and PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.