As with the stock market, the losses grow with each successive data breach; yet the all-important question remains unanswered: why haven’t we stopped these data breaches altogether? The answer, disappointingly, is that too many companies have yet to take them seriously.
Heartland Payment Systems, TJX, Hannaford, and CardSystems are now linked in the public’s mind as having taken their eyes off the security ball. We know that because none of these companies had any idea they had been hacked until someone else told them.
These incidents indicate a lack of basic internal controls, and while it’s easy to point the finger at these companies, they should ring an alarm bell for every company that handles electronic payments. Every one of us needs to address four fundamental questions:
Where is the data?
Companies need to know where their data is and where it’s going. Data that is stored in too many places is too difficult to protect. Keep your crown jewels in the fewest places possible – it’s much easier to protect that way.
Who has access to the data?
Companies also need to know who has access to the data. Many data breaches are perpetrated using legitimate user IDs that have been given broad access rights. Pay close attention to all of your user IDs and what they can do. You may find that fewer all-powerful IDs will increase your overall security.
Also consider using a rolling audit to verify that every user ID has a living, breathing employee associated with it. An unused or unnecessary ID makes for an additional point of access for a criminal. Get rid of IDs you don’t need.
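The rolling audit described above, as an added example that is not part of the original article: it reconciles a constructed identity-store export against a constructed HR roster, flags IDs with no current owner or no recent login, and lists the all-powerful IDs the previous paragraph says to minimize. The sample accounts, role names, report date and the 90-day dormancy threshold are all assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (assumption, not from the article): an export of
# the identity store and the HR roster it should reconcile against.
ACCOUNTS = [
    # (user_id, owner_employee_id, roles, last_login)
    ("jsmith",      "E1001", {"payments-admin", "dba"}, date(2009, 3, 1)),
    ("mlee",        "E1002", {"payments-ro"},           date(2009, 2, 27)),
    ("svc-etl",     "E1003", {"dba"},                   date(2008, 10, 5)),
    ("contractor7", "E2099", {"payments-admin"},        date(2009, 1, 15)),
    ("tmp-fix",     None,    {"payments-admin", "dba"}, None),
]
HR_ROSTER = {"E1001", "E1002", "E1003"}        # active employees only
PRIVILEGED_ROLES = {"payments-admin", "dba"}   # the "all-powerful" roles
REPORT_DATE = date(2009, 3, 2)                 # assumed audit date


def audit_accounts(accounts, roster, today, dormant_days=90):
    """Return three lists: IDs with no living owner in HR, IDs with no
    login inside dormant_days, and IDs holding a privileged role."""
    findings = {"orphaned": [], "dormant": [], "privileged": []}
    cutoff = today - timedelta(days=dormant_days)
    for user_id, owner, roles, last_login in accounts:
        # No owner on record, or an owner HR no longer lists: nobody is
        # accountable for this ID.
        if owner is None or owner not in roster:
            findings["orphaned"].append(user_id)
        # Never used, or not used recently: an unnecessary point of access.
        if last_login is None or last_login < cutoff:
            findings["dormant"].append(user_id)
        # Broad rights deserve a second look regardless of ownership.
        if roles & PRIVILEGED_ROLES:
            findings["privileged"].append(user_id)
    return findings


def ids_to_remove(findings):
    """IDs the audit says to get rid of: orphaned or dormant ones."""
    return sorted(set(findings["orphaned"]) | set(findings["dormant"]))


if __name__ == "__main__":
    result = audit_accounts(ACCOUNTS, HR_ROSTER, REPORT_DATE)
    for category, ids in result.items():
        print(f"{category}: {', '.join(ids) or '-'}")
    print("remove:", ", ".join(ids_to_remove(result)))
```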
How is the data protected?
Protecting data starts with determining whether it is adequately protected today. The Gramm-Leach-Bliley Act provides a good model for conducting a risk assessment: it requires that a financial institution identify its assets, document all reasonably foreseeable vulnerabilities, and document all relevant controls. After going through this process you will be able to see where you may have gaps, and that will let you determine the most appropriate action plan to reduce your level of risk.
What changed on our network?
This is perhaps the most difficult task on your security list, but it is important. If you examine the Hannaford and TJX incidents (and possibly Heartland), it looks as if the criminals used legitimate access rights to install malware on these systems. Unfortunately, finding such activity is like searching for a needle in a haystack, and with each additional person who can change your systems, the difficulty increases. You should tightly control what can happen on your key systems and carefully monitor what has happened to ensure it’s legitimate activity.
The overriding theme here is to be vigilant and protective. Your computing environment is very fluid so it pays to restrict access. Once you have restricted access as much as possible, your log review should become easier and you can focus on important events.
The question is not whether we can afford to put this type of oversight into place. The question ought to be: Can we afford not to?