The U.S. Congress will be debating an issue soon that is critical to our national security and the well-being of our economy: cybersecurity.

While you and I may disagree with a few provisions in the cybersecurity bill, both sides of the political aisle agree on the urgent need to address the issue. I couldn’t agree more with all of them. It’s time. President Obama recently called cyberattacks a “national emergency,” and the cybersecurity legislation has moved through the Republican-controlled Congress relatively quickly because leaders from both political parties recognize that cybercrime threatens us all in a very big way. Now.

Cybercrime is spreading across the globe faster than Ebola, SARS, and the bird flu combined. It’s bankrupting everyday people and small business owners in every corner of the world. The costs are enormous, and they are only growing. The number of detected cyberattacks skyrocketed in 2014 — up 48 percent from 2013. Those are only the ones that were caught. According to a PricewaterhouseCoopers study, 42.8 million cyberattacks are expected this year. Those attacks aren’t only going to be against big business or governments; they’re coming for our personal information, about our kids and our parents. That’s roughly 117,339 attempts each day to steal from us! Cyberattacks cost the U.S. economy an estimated $100 billion a year and are currently costing the global economy $575 billion annually. And those numbers are expected to grow in 2015.

The dialog over cybersecurity is especially critical now because 2015 will be the most important year in recent memory for cybersecurity. Along with a more proactive role from the federal government, including the current congressional action, 2015 will be a landmark year as the United States transitions to EMV Chip technology on all credit cards. This technology has been in use throughout Europe and other parts of the advanced world for years. It’s essentially a computer chip on every one of our credit cards.

America is late to the game in adopting EMV Chip technology but now has a tremendous opportunity to use valuable lessons we’ve learned from Europe’s model.  EMV Chip technology led to a significant drop in Europe’s face-to-face payment transaction fraud. But cyberattacks are now shifting to more vulnerable sources like online transactions.  Because EMV chips can’t be scanned with online purchases, Europe’s rate of online payment-card fraud hit an all-time high last year.  The thieves just shifted their targets. So EMV Chip technology is good, but it is not the only fix we need.    

The good news is that we know what works and what changes we need to improve data security.  For starters, improvement begins with a new, sharper mindset about our personal, business and governmental responsibilities toward data security.  Data security cannot be seen as just a compliance issue that we need to check off once or twice a year during a security audit.  Today, with so many attacks coming all the time, following smart security standards and protocols must be a 24/7 priority.  Simply put, it must be an all-day, every-day good habit.  

A recent report by Verizon confirmed what we at the PCI Security Standards Council have known for years: most data breaches are not very sophisticated and were entirely predictable.  In fact, the Verizon forensics team that compiled the report investigated 10 years of data breaches and found not a single organization was compliant with PCI Data Security Standards at the time of the breach.  Security standards work. They are the best defense against breaches, but only if we use them all the time. We have to keep our people on guard, our gates up and water in the moat at all times.   

Something as simple as a lazy password can open us up to catastrophic attacks. A study by Trustwave reported that the most popular numeric password used by the American business community is 123456.  It wouldn’t take a very sophisticated hacker to crack that code.

While a lot will happen in 2015 -- EMV Chip technology, federal legislation, Executive Orders, and more information sharing by the private sector -- we should not be fooled into believing there is a magical technology or set of regulations that eliminates data security threats.

Data security is national security, and it is economic security. It must be an ongoing and ever-evolving effort. With government, business, non-profits and trade associations working together, we can be smart about our approach to protecting the things that matter: our jobs, our families and our place in the world as leaders.

Orfei is general manager of the PCI Security Standards Council.