Perception is reality when it comes to your customers and the security of sensitive information. Identity theft and credit card breaches are the reality for businesses in today's digital age in which a story barely disappears from the headlines before another pops up. For consumers, if the perception exists that their information may be stolen, then that will certainly affect where they do business, no matter what steps are taken to protect sensitive data.
According to SEC filings, Target's security breach in 2013 has already cost them more than $250 million and the fallout continues. The Home Depot breach in 2014 compromised 56 million records. I myself have considered using cash at each of these businesses or avoiding them entirely. But like so many Americans, I almost never use cash and have yet to figure out a way to make it through the weekend without at least one trip to Home Depot. The crux of the issue is that they were hacked, my perception is they're damaged goods, and therefore that is reality, no matter what measures they take to make sure it never happens again.
For many companies, just the thought of trying to plug all the potential security leaks and vulnerabilities can be overwhelming. Keeping your infrastructure and network secure is a challenge, especially when it seems the imaginary finish line keeps moving further and further away. Managing the risks associated with reliance on mobile devices, bring-your-own-device (BYOD) and the introduction of software as a service (SaaS) or cloud hosting into your corporate ecosystem comes with its own security challenges. So rather than try to solve every problem at once, we suggest starting with a couple of basic measures.
1) Implementing a Network Security Audit
Enterprise security encompasses both internal and external areas of an organization. A security audit typically consists of services such as:
- Penetration Testing
- Web Application Assessments
- PCI Scanning
Assessments typically cover your internal environment, your external environment (as seen from the internet) and your IT environment. The output should identify vulnerabilities and the gaps between industry best practices and the practices currently in place in your organization. Once you've identified the areas of concern and an approach to remediation, they can be prioritized and addressed.
2) Protecting Sensitive Payment Data
The PCI SSC (Payment Card Industry Security Standards Council) offers comprehensive standards to enhance payment card data security. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.
The PCI DSS must be implemented by all entities that process, store or transmit cardholder data, but unfortunately it isn't as simple as checking a box on an application and paying your membership dues each year. There are standards and of course best practices, but we need to ask ourselves the basic questions when it comes to complex matters like security and the liability that stems from not being 100% compliant. Here are a few simple questions to ask yourself:
1) Do I need to comply with PCI DSS? If your answer is yes, proceed to question 3. If you're not sure, see question 2.
2) Do I process, store or transmit credit card data? If you do, then you need to be compliant.
3) Have I been validated as PCI compliant? If you don't know the answer, then you're not. If you have been validated previously, how long has it been since you were re-validated? Re-validation is required annually to remain compliant.
4) I'm PCI compliant, but would I know if I had a security breach? Becoming compliant is only the first step. You can be PCI compliant and your systems and data may still be vulnerable. PCI DSS protects credit card data, but not other data. Additionally, you may still not have the appropriate Security Event Management in place to monitor for and alert on an attack.
A comprehensive enterprise security policy is a must in today's digital environment. The threats are numerous, they come from all angles and they change daily. That moving finish line I alluded to earlier never stops moving, but you can make it feel a little bit closer and more attainable. Start with the basics then expand from there. And most importantly, if you’re not sure, ask for help.
For more information, please reach out to me, Mike Long at firstname.lastname@example.org.