Holiday Security Tips
How to protect your business from data breach and theft.
Michael Simpson (QSA, CISSP, CCNP)
Most wonderful time of year for criminals?
Winter holidays are synonymous with shopping. Black Friday, Cyber Monday, last minute Christmas gifts, and the like mean more transactions and more credit card spending. In fact, the Winter holiday months account for 19.7% of annual retail spending in the United States.
While the busyness and bedlam of the holidays can provide cover for cybercriminal activity, there are a few things your business can do to protect against data breaches this holiday season.
Bad security habits plus chaos equals crimes of opportunity. Because cybercriminals continually scan for the “lowest hanging fruit” in terms of exploitable security weaknesses, you can prevent a majority of successful breaches simply by practicing good data security habits:
Follow the most current NIST password recommendations.
NIST recently overhauled its guidelines for password creation. It now advocates easy-to-recall-but-lengthy “pass phrases” in place of the traditional minimum-length, randomly generated passwords. Long passwords/pass phrases (at least 10 characters) made of common, memorable words are mathematically harder to crack than short passwords with added symbols and numbers.
Update software and systems.
Many successful exploits target unpatched systems. Once a vulnerability is known and a corresponding patch is released, it’s critical that you update your systems. Typically, a critical patch should be applied within 30 days, but we recommend doing so as soon as possible. Hackers quickly craft exploits for a disclosed vulnerability because they know that most businesses won’t install patches in a timely manner, and that for those that do, the patch may not reach every computer and device. It’s good practice to assign a member of your IT team to stay on top of updates.
Review security procedures with staff.
Phishing campaigns spike during the holidays because high transaction volumes make employees more likely to open an email and click a link without a second thought. Employees will likely receive emails (and increasingly, SMS texts) with fake coupons, malicious attachments, and even spoofed shipping notifications and party invites. The aim of these schemes is to collect sensitive personal or corporate information or to deliver malware. Make sure to review email and website security policies, guidelines, and procedures with employees, in addition to your regular security training.
Check for card data with discovery tools.
Storing unencrypted cardholder data on a server poses a risk for the company. Once a hacker gains access to a system, stored unencrypted payment data makes it easier for them to export and sell your customers’ credit card numbers and sensitive information. If you must store cardholder data, it is best practice to encrypt it both at rest and in transit. Use a trusted card data discovery tool to find out whether you are inadvertently storing plain text cardholder data anywhere on your systems or devices. If your company takes orders over the phone or by mail, make sure that any cardholder data written down is properly destroyed in a timely manner.
Test website and network with vulnerability scanning.
Companies don’t want to be interrupted in the middle of the busy holiday season by an emergency maintenance window to fix misconfigured firewalls, remove malware, or close remote access vulnerabilities. A company should be proactive rather than waiting for a data breach to clue them in. Regular vulnerability scanning is an essential procedure that checks for weaknesses and security holes that could enable backdoors, buffer overflows, denial of service, and other malicious attacks, any of which could cause downtime and prevent orders from being placed.
Avoid problems—prepare now
Transaction volumes during the holidays add complexity to the task of protecting corporate, customer, and personal data. Even so, industry-wide education and implementation of best practice security measures will go a long way toward minimizing the effectiveness of attacks and preventing data breaches. Sound security principles and proactive best practice implementation, policy and procedures will serve as the foundation for your business’s cybersecurity this holiday season. Avoid snags, upsets, delays—or a devastating breach—by getting into good security habits now.
Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.