Posts

Accepting Credit Cards? PCI Compliance a Concern for Small Businesses

Sue Poremba, contributing writer to Business News Daily, interviewed security experts on why PCI compliance is a concern for small businesses.  Here are the tips we offered on how to stay PCI compliant:

  1. Identify all business and client data, including any cardholder data, its sensitivity and criticality. Correctly defining the scope of assessment is probably the most difficult and important part of any PCI compliance program. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.
  2. Understand the boundaries of the cardholder data environment and all the data that flows into and out of it. Any system that connects to the cardholder data environment is within the scope of compliance and, therefore, must meet PCI requirements. The cardholder data environment includes all processes, technology, and people who store, process, or transmit customer cardholder data or authentication data, as well as all connected system components and any virtualization components, like servers.
  3. Establish operating controls to protect the confidentiality and integrity of any cardholder data. Cardholder data should be protected wherever it is imported, processed, stored and transmitted. It must also be properly disposed of at the end of its life span. Backups must also preserve the confidentiality and integrity of cardholder data. Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers.
  4. Have an incident response plan in place. When a security incident occurs, it’s important to have a plan to return to secure operations as quickly as possible. This plan should define roles, responsibilities, communication requirements and contact strategies in the event of a compromise, including notification of the payment brands, legal counsel and public relations. This will ensure timely and effective handling of all compromised situations. Ideally, companies should have a certified forensics specialist on retainer who can gather evidence and testify as an expert witness if necessary.
  5. Explain and enforce security procedures. You can never be sure that employees understand best security practices and behaviors that can put your business at risk. It is up to you to make sure everyone within the company, from lower-level employees to IT specialists to management, is educated on security procedures and PCI compliance procedures.

To read the entire article, click here.

The data security threat is complex and constantly changing

by Adam Muspratt, content editor, CX Network, August 16, 2018

Adam Muspratt, content editor for CX Network, interviewed several experts in cyber security. In this report Muspratt delves into data security and discusses how complex the threat is and the fact that it is constantly changing.

Data security in customer experience: Are CX teams cyber-aware?

Going into 2019 and beyond, data security will continue to be a major source of investment across all industries and sectors. The many high profile data breaches throughout 2017-18 – and the customer backlash that followed – have served as a constant reminder that cyber security is something that customer experience (CX) teams must take into consideration.

Jonathan Gossels, CEO, SystemExperts, stated, “There are really two questions we have to consider going into the future where customers are increasingly willing to take extra measures to know that their transactions are secure:

  1. What are the major brands doing to ensure that they are operationally cyber secure?
  2. What level of transparency/impact are they willing to impose on their customers?”

To read the entire report, click here.

Data Loss Prevention (DLP) Technology is Maturing along with Customer Expectations

The following post on DLP is the combined effort of Joe Clapp and Paul Hill in response to a media query asking experts to weigh in on where they see the data loss prevention market going in 2016 and beyond.

The July 2015 Gartner Hype Cycle for Data Security indicates that Data Loss Prevention (DLP) has passed the “Trough of Disillusionment” after being over-hyped and has entered the “Slope of Enlightenment.”  This indicates that the technology is maturing and customer expectations are maturing as well.

In 2016, businesses should expect underwriters that provide data loss insurance to require covered entities to have DLP in place in order to maintain coverage. A successful implementation of DLP requires organizations to know where protected data resides. Commonly, organizations know where data “should” be but rarely know with certainty. There is software available to aid organizations in identifying rogue data and rogue data types. Examples include BeyondTrust Retina, Identity Finder, and EnCase CyberSecurity, each of which actively audits your environment to identify structured data. Once the data is identified, it can be disposed of or appropriate controls can be put in place.

For customers handling structured regulated data such as SSNs and credit card numbers, DLP can be an important tool, if existing processes and technologies allow potential mishandling.  For example, if users have the ability to store such data to local disks or USB drives, even though policies prohibit that behavior, utilizing DLP tools to identify where such data is being stored is a recommended practice.

Similarly, if employees have the ability to copy such data into email messages, implementing DLP to scan outgoing messages is recommended.

Microsoft’s Outlook 365 offers DLP for outgoing email; however, that option is only available under some subscription plans that are more expensive than the most basic offering.

Potential customers should expect more SaaS providers to offer DLP options as service plan options during the next year.

Unfortunately, DLP tools remain more effective at identifying structured data. Identifying rogue data and improper disclosure remains a difficult problem when dealing with unstructured data. To be effective, staff with insight into the data, the business processes, and the tools will need to spend time tuning detection rules, no matter which tool is selected.
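The post recommends scanning outgoing messages for structured regulated data such as SSNs and credit card numbers. The following is an added example, not code from the post or from any of the products named above, of the core of such a check: a regular expression finds digit runs that could be a card number, a Luhn checksum discards most runs that are not (order numbers, tracking numbers), and an SSN pattern excludes area/group/serial values that are never issued. The sample messages are constructed for the example; the 4111 1111 1111 1111 value is a well-known test number, not a real account.

```python
import re
from dataclasses import dataclass

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or dashes. Lookarounds stop us matching a slice of a longer
# digit run, so the candidate is validated by the Luhn check below.
CARD_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# SSN in the dashed form: area never 000, 666 or 9xx; group never 00;
# serial never 0000 (these ranges are not issued).
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Finding:
    kind: str     # "card" or "ssn"
    masked: str   # value with all but the last four characters masked
    offset: int   # position in the scanned text


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_tail(value: str, keep: int = 4) -> str:
    return "*" * (len(value) - keep) + value[-keep:]


def scan_text(text: str) -> list[Finding]:
    """Return structured-data findings for one outgoing message body."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("card", mask_tail(digits), m.start()))
    for m in SSN_PATTERN.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:], m.start()))
    return findings


def should_block(text: str) -> bool:
    """Policy decision for the mail gateway: hold any message with a finding."""
    return bool(scan_text(text))


# Constructed sample messages for the example (not real data).
SAMPLE_MESSAGES = [
    "Hi, please charge card 4111 1111 1111 1111 exp 12/26 for the invoice.",
    "Tracking number 4111111111111112 shipped this morning.",   # fails Luhn
    "Employee SSN 123-45-6789 attached for payroll setup.",
    "Meeting moved to 3pm, see ticket INC-123456.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(should_block(msg), [(f.kind, f.masked) for f in scan_text(msg)])
```

The Luhn step is what keeps the false-positive rate tolerable: the second sample is sixteen digits long, just like a card number, but its checksum fails, so it is not flagged. The check is still a heuristic, which is the post's point about tuning; numbers that are valid Luhn but not card numbers, or card numbers written with unusual separators, need rule adjustments by someone who knows the business data.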

Common Errors SMBs Make When it Comes to Passwords

Passwords continue to be a key topic of conversation among small-business owners. While we have talked in recent blog posts about ways to make passwords stronger, I’d like to discuss some of the common errors SMBs make when it comes to the passwords they pick to protect their data.

Small businesses are less likely than large firms to survive the financial burdens resulting from a breach of their computers. Many small businesses assume that they will not be the targets of cyber attacks. However, recent history has clearly demonstrated otherwise. An HVAC vendor was targeted by cybercriminals in 2013, and its systems and credentials were used to initiate the breach of Target Corporation.

The best defense that small businesses can adopt is to require that all remote access be authenticated using two-factor authentication. Reliance on only usernames and passwords for remote access should be strongly avoided by all businesses. The costs associated with using two-factor authentication have dropped somewhat over the years. Getting a small business to adopt two-factor authentication often poses less of a cultural barrier than making such a change in a large business.

Many small businesses are also reluctant to require passwords longer than 8 characters, or complex passwords with a mixture of upper and lower case letters, at least one number, and at least one special character. The reality is that anyone can purchase rainbow tables for less than $1,000 that enable easy cracking of any combination of 7 or 8 characters if the attacker can obtain a copy of a user’s hashed password. Criminals that can’t afford $1,000 are likely to be able to find someone who does have the necessary tools and is willing to use them on a hashed password for a much lower price.

A recent report from SplashData indicates that the 5 most common passwords revealed during 2014 were: 123456, password, 12345, 12345678, and qwerty. Four of those were also in the top 5 in the 2013 report from SplashData. It is likely that a clever lawyer could argue that reliance on short, easily guessable or crackable passwords is a negligent practice. If a small business tries to obtain cyber-insurance, it is likely that better practices would have to be used in order for a claim to be paid. If a small business wants a chance to limit liability, it must use strong passwords longer than 8 characters.

27 Data Security Experts Reveal The #1 Information Security Issue Most Companies Face With Cloud Computing & Storage

Digital Guardian, November 12, 2014

“What is the number one issue most companies face with cloud computing and data security, and what can they do to address the issue?”

Cloud computing is quickly becoming a mainstay for many technology companies today because of its superior flexibility, accessibility, and capacity compared to traditional online computing and storage methods. But just like traditional storage and data sharing methods, cloud computing comes with its own set of data security issues.

At Digital Guardian, our mission is to provide data security solutions and services to help businesses protect their most valuable digital assets. In doing so, we follow the top data security issues facing companies in today’s digital world and work with security experts from all around the industry. As cloud security risks grow, we wanted to compile some tips from data security experts on the most common (and avoidable) issues companies face when it comes to the cloud and securing their data. 

We’ve collected and compiled their expert advice into this comprehensive guide on safeguarding your company from cloud computing and data security issues. Click here to see the full article.

Paul Hill

Paul Hill is a Senior Consultant at SystemExperts, a security and compliance consultancy. Paul has worked as a principal project consultant at SystemExperts for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services.

For companies purchasing cloud services, the number one priority should be…

How to evaluate the risk of using a particular vendor.

Many companies don’t have a solid process for determining how to evaluate a third party cloud vendor for risks nor how to assess the likelihood of a breach at a third party. Too often, if a company attempts to assess the risk, the task will get delegated to someone who will concentrate on a very narrow aspect of the service provided.

For example, someone might only validate if the data is encrypted during transmission, or the decision might rely on determining if the system is multi-tenant versus a dedicated host. In order to properly assess the risk, companies should be using mature frameworks such as ISO 27002 or the emergent Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA). These frameworks look at a broad range of controls including HR practices; physical security; environmental controls; authentication policies, procedures, and mechanisms; access controls; cryptography usage; and key management.

The current version of ISO 27002 examines over 130 different aspects of an organization’s overall security. The CCM has similar granularity. A small number of organizations with mature IT departments use ISO 27002 or a similar framework to assess their third party vendors, including cloud service providers. Some cloud vendors perform an annual assessment and publish compliance information about the assessment.

However, too often these diligent practices are the exception rather than the standard practice. One area that ISO 27002 does not address is breach notifications by third party vendors. When purchasing cloud services, companies should include terms and conditions that address the definition of a breach, the timeliness of notifications upon learning of a breach, and what information will be communicated about a breach.

#1 Issue Companies Face with Cloud Computing and Data Security

For companies purchasing cloud services, the number one priority should be how to evaluate the risk of using a particular vendor.

Many companies don’t have a solid process for determining how to evaluate a third party cloud vendor for risks nor how to assess the likelihood of a breach at a third party. Too often, if a company does attempt to assess the risk, the task will get delegated to someone who will concentrate on a very narrow aspect of the service provided. For example, someone might only validate if the data is encrypted during transmission, or the decision might rely on determining if the system is multi-tenant versus a dedicated host.

In order to properly assess the risk, companies should be using mature frameworks such as ISO 27002 or the emergent Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA). These frameworks look at a broad range of controls including HR practices; physical security; environmental controls; authentication policies, procedures, and mechanisms; access controls; cryptography usage; and key management. The current version of ISO 27002 examines over 130 different aspects of an organization’s overall security. The CCM has similar granularity.

A small number of organizations with mature IT departments use ISO 27002 or a similar framework to assess their third party vendors, including cloud service providers. Some cloud vendors perform an annual assessment and publish compliance information about the assessment. However, too often these diligent practices are the exception rather than the standard practice.

One area that ISO 27002 does not address is breach notifications by third party vendors. When purchasing cloud services, companies should include terms and conditions that address the definition of a breach, the timeliness of notifications upon learning of a breach, and what information will be communicated about a breach.


How to Avoid the Seven Deadly Sins of PCI DSS Failure

by Daniel Humphries, Managing Editor IT Security at Software Advice, May 30, 2014

If you’re reading this, then you probably already know that PCI DSS stands for the Payment Card Industry Data Security Standard: a set of compliance regulations applying to every business that accepts, processes, stores or transmits credit card data.

PCI compliance regulations (mandated by the Payment Card Security Standards Council) are so detailed that fulfilling them is a challenge for many businesses.

SystemExperts’ Jeff VanSickel was recently featured in an article by Software Advice Managing Editor, Daniel Humphries, on the Seven Deadly Sins of PCI. In the article, Jeff, along with other thought leaders in the IT Security community, helps describe the ways in which businesses tend to fail when it comes to PCI compliance, as well as the ways in which each failure can be solved. Click here for the full article.