If you are anything like me, you are constantly rethinking your data security strategy because of the constant influx of new threats. It seems like every day we hear reports of new data security breaches and leaks, and data loss and theft rates have been rising dramatically each year. In fact, according to The Register, more data was stolen in the first half of 2017 than in the entire year of 2016.
The Breach Level Index reports that over 14 billion data records have been lost or stolen since 2013, and that only about 4% of those were "secure breaches", meaning the stolen data was encrypted and therefore useless to whoever took it. With this significant increase in threats and leaks, it isn't a matter of IF you will have to deal with a breach, but WHEN. When it does happen, you have to be prepared so that you can be part of that 4% of secure breaches.
PCI Compliance
At iSeatz, we take our security seriously, and our data security practices are constantly evolving so that our environments stay secure and both our data and our clients' data are protected. Part of that process is maintaining PCI/DSS compliance. PCI/DSS (the Payment Card Industry Data Security Standard) is a data security standard aimed at companies that handle payment card data. It was created to increase the security and controls around cardholder data and to help prevent credit card fraud.
PCI/DSS has many requirements that must be met in order to obtain compliance. These requirements are grouped around its main control objectives, such as building a secure network, vulnerability management, monitoring and auditing systems, and strong access control. The process makes sure that every aspect of your practice (the physical and virtual environments, coding practices, testing, and so on) meets at least the minimum guidelines for securing cardholder data.
PCI Standards for Data Security
Using the PCI standards as a starting point for setting up or refactoring your environment is one way to get ahead of common issues, even if you are not handling credit card information or storing card data. Of course, this should only be used as a baseline, one of the first steps in your data security process. Keep in mind that compliance is just a minimum standard to meet. Following these standards by themselves does not ensure that your data is safe; they are essentially one piece of a much larger puzzle.
We should always be looking for ways to expand on this baseline: securing our infrastructure further, protecting against new vulnerabilities, checking that new code still complies with our security procedures, and refusing to become complacent with our current security model, because an unexamined model goes out of date quickly. There are many things you can do to stay current and start expanding beyond your initial compliance.
- Listen to the experts - There are some great blogs, podcasts, and articles posted regularly about current threats that provide good information on cyber security. Some of my favorites are Brian Krebs, Paul Asadoorian, The CyberWire podcast, and Darknet. Find several that post regular content and follow them.
- Training - Commit to ongoing training for your entire organization. Security professionals should have a continuing education plan to keep them up to date with new tactics and strategies. Regular training should also be given to non-security employees, to keep them diligent about how they maintain data security within their own role. This can come from periodic online training relevant to their position and the workplace, in addition to something less formal, like regular lunch-and-learn sessions with the security team.
- Vulnerability tracking - This is not the regular vulnerability scanning you should already be doing, but following the latest advisories so you are not caught out by a newly disclosed exploit. US-CERT, the National Vulnerability Database, CERT/CC, and OWASP are good resources for this. Not knowing about new vulnerabilities makes it much harder to protect against them.
- Make data security a priority - The technology we use is one of the biggest factors in business today, if not the biggest. Invest time and money into securing it from the start, and you will save in the long run.
Data Security Resources
As a data security professional, my primary duty is to implement measures and protocols that protect against vulnerabilities, and to constantly seek out new and better ways to protect data. In reality, though, data security is the responsibility of every team member. A security policy is only effective if it is understood and implemented by everyone. This isn't to say that every member of a team should be tracking the latest encryption standards, monitoring servers for suspicious activity, or doing all of the other things you imagine when you think of data security, but there are a number of ways everyone can help, such as:
- Secure coding practices - developers should know how to write code that avoids known vulnerabilities.
- Securing personal space - not leaving anything containing personal or client data on your desk, and locking your computer whenever you step away.
- Vigilance - noticing and reporting any possible issues.
To truly protect our data, our clients, and ourselves, we have to shift the security role away from a single person or a single team and enlist everyone's help in our security measures. Make security a mindset for the entire team, in addition to maintaining a dedicated security role. Only then can you truly rest easy, knowing that your environment is secure.