Ransomware Readiness: PCI DSS Compliance and a Sound Backup Recovery Strategy

Héctor Guillermo Martínez, President and Board member | GM Sectec

Nov 2, 2021

Leading a multinational cyberdefense firm with a presence in over 50 countries has its fair share of ebb and flow. One item that I see as consistent though is the “reactiveness” of having proper security controls in an organization.

In the past 20 years, looking at security through a geographical lens from Singapore to Sydney and Bangkok to Buenos Aires, the message that always emanates is, “How are we going to finance this?” Security, at its core, is seen as a cost center, rather than a profit center. This tune changes once an incident or breach occurs. Preventing a security event is a theme that is gaining momentum, as security is taking a front seat in today’s digital world.

Focusing on prevention is an important tenet that is rooted in preparedness, good judgment and, most importantly, understanding that security is a continuing process, rather than an end state. The exact strategy for an efficient security program varies due to industry and nation-state regulations, which have a direct effect on proper and continuous business practices.

Thus, before you have a proper conversation on cybersecurity, it is important to know that this is a highly fragmented market, and asking for cybersecurity is akin to requesting European food — exactly what are we looking for?

For starters, in my experience, it is important to define an incident versus a breach. The “Verizon 2021 Data Breach Investigations Report” says an incident is a security event that compromises the integrity, confidentiality or availability of an information asset. A breach, on the other hand, is an incident that results in the confirmed disclosure — not just potential exposure — of data to an unauthorized party.

In the past few years, many entities have had an abrupt cybersecurity conversation after an incident or breach. A popular topic as of late is the state of ransomware variants affecting multi-vertical organizations all over the world. A compliance baseline such as the Payment Card Industry Data Security Standard can help inform these conversations.

Typically speaking, PCI DSS is directed at entities that process, store or transmit cardholder data; however, given its maturity, many organizations outside of the payments space leverage the standard as a powerful security standard that evolves with technology iterations. PCI DSS has 12 requirements to become compliant. As the payments industry sets its sight on the next version of the standard, it is important to look at where you are now as a baseline for continuous improvement in your security posture.

As I think about all 12 requirements, I ask myself, “What is the best way to align?” It’s important to ponder how you can best optimize your security practices in all 12 areas here. For those unfamiliar with these requirements, I’ve distilled them to more memorable terms and phrases to help you better visualize their purpose.

1. Firewall: Are you locking your doors and checking your windows?
2. Default values: Lazy hands make for poverty and disaster. Don’t be lazy!
3. Safe storage: Guard what is most dear.
4. Safe transmission: Loose lips sink ships!
5. Antivirus/anti-malware: Even a bad shield is better than no shield.
6. Patching updates: Don’t go into battle without your armor.
7. Privilege and users: No snowflake in an avalanche ever feels responsible. Always be vigilant.
8. Authentication: Let him show by his good behavior.
9. Physical access: Possession is nine-tenths of the law and 100% of a breach. Lock it up or lose it.
10. Log monitoring: You can’t manage what you don’t track.
11. Testing: Never stop testing, and your knowledge will never stop improving.
12. Security awareness and incident response: Plan for what is difficult while it is easy; do what is great while it is small. Train what you expect.

The ransomware epidemic we face as a society today has a light at the end of the tunnel; with proper controls and preparedness in place, we can be ready and aligned.