In an era when the corporate world sees a high-profile data breach almost every week and smaller incidents basically every day, it's incredibly important that merchants ensure that their data stays secure. Here are six components of cybersecurity that organizations must practice to prevent breaches.
The 2015 Verizon PCI Compliance Report found that not one of the breached companies its authors had investigated over the preceding decade was fully compliant with PCI DSS at the time of the breach. As the standard has been updated, what counts as secure has changed dramatically. For example, PCI DSS 3.1 stopped accepting SSL (and early TLS) as strong cryptography, because an attack like POODLE, which exploits the CBC padding handling of SSL 3.0, can't be patched away: the flaw is in the protocol itself, so the only fix is to turn the protocol off.
Customer data is a huge target for attackers, so merchants need to minimize what data they hold and lock down what remains. Especially in complex tech stacks, data can find its way out of protected areas, for instance into application logs, backups, analytics exports or support tickets. Audits should be conducted more regularly than simply before the annual visit from a Qualified Security Assessor, to ensure that the workflows for managing and processing customer data haven't inadvertently put that data somewhere insecure.
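One concrete form such an audit can take is a sweep of places that should never contain card data. The following Go program is an added example, not code from the original article or from any vendor it mentions: it scans lines of text for card-number-shaped digit runs and keeps only those that pass the Luhn check, masking all but the last four digits so the audit report itself does not become another leak. The log lines are constructed for this example, and the function names are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records a candidate card number found outside the protected zone.
type Finding struct {
	Line   int    // 1-based line number in the input
	Masked string // PAN with all but the last four digits replaced by '*'
}

// candidate matches runs of 13 to 19 digits, optionally separated by spaces or dashes.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit string passes the Luhn check-digit test.
// Most random digit runs (order IDs, timestamps) fail it, which cuts false positives.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// stripSeparators keeps only the digits of a candidate match.
func stripSeparators(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// mask replaces every digit but the last four with '*'.
func mask(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// FindPANs scans lines of text (log files, database dumps, support tickets)
// and returns every Luhn-valid card-number-shaped string it finds.
func FindPANs(lines []string) []Finding {
	var found []Finding
	for i, line := range lines {
		for _, m := range candidate.FindAllString(line, -1) {
			digits := stripSeparators(m)
			if luhnValid(digits) {
				found = append(found, Finding{Line: i + 1, Masked: mask(digits)})
			}
		}
	}
	return found
}

// sampleLog is constructed for this example; it is not real log data.
// Line 3 contains a 13-digit shipment id that fails Luhn and must not be flagged.
var sampleLog = []string{
	`2015-06-01T10:00:01Z INFO  order=4821 token=tok_9f3a1c amount=49.99`,
	`2015-06-01T10:00:02Z DEBUG gateway request body: {"pan":"4111 1111 1111 1111","exp":"12/18"}`,
	`2015-06-01T10:00:03Z INFO  shipment id 1234567890123 created`,
	`2015-06-01T10:00:04Z ERROR retry for card 5500-0000-0000-0004 failed`,
}

func main() {
	for _, f := range FindPANs(sampleLog) {
		fmt.Printf("line %d: possible PAN %s\n", f.Line, f.Masked)
	}
}
```

The debug line that dumps a gateway request body is the typical culprit: a developer's temporary logging that survived into production. Run this kind of scan on log shipping pipelines and backup exports, not just on the database.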
Strong data encryption is the foundation of PCI compliance, and it's a major key to success in any data security plan. But good encryption is more than just locking everything down with 256-bit AES. Managing the keys to that encryption, where they're stored, how they're kept apart from the data they protect, and who is allowed to use them, is enormously important in keeping data secure.
For example, executives often have access to highly sensitive data, and as a result they are more attractive targets for data theft than others. Yet, as Wombat Security showed, a third of executives are vulnerable to phishing attacks. It's important to know who has access to what data, and to keep the keys to that data out of reach of anyone who merely has access to the systems that store it, in order to enforce a strong encryption strategy.
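The usual way to keep keys apart from data is envelope encryption: each record gets its own data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK) that only a key service (an HSM or cloud KMS) holds, and the database stores the wrapped DEK beside the ciphertext. The Go program below is an added example written for this page, not code from the article's sources; the KeyService type, its principal allowlist and the principal and record names are assumptions standing in for a real KMS and its authorization policy. Someone who copies the whole database, or an executive whose account can read it, still needs the key service's permission to unwrap anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// randomBytes draws n bytes from the OS CSPRNG; failure here is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext with AES-GCM under key, prefixing a fresh nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if key, nonce, aad or ciphertext changed.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyService stands in for an HSM or cloud KMS (an assumption for this example):
// it holds the key encryption key (KEK) and exposes only wrap and unwrap, never
// the key bytes. The allowlist is a placeholder for the real service's authorization.
type KeyService struct {
	kek     []byte
	allowed map[string]bool // principals permitted to unwrap data keys
}

func (k *KeyService) Wrap(dek []byte) ([]byte, error) {
	return gcmSeal(k.kek, dek, []byte("dek"))
}

func (k *KeyService) Unwrap(principal string, wrapped []byte) ([]byte, error) {
	if !k.allowed[principal] {
		return nil, fmt.Errorf("%q may not unwrap data keys", principal)
	}
	return gcmOpen(k.kek, wrapped, []byte("dek"))
}

// Encrypt makes a fresh 256-bit data key (DEK) for this record, encrypts the data
// with it, and returns the wrapped DEK to store beside the ciphertext. recordID is
// bound in as associated data so an envelope cannot be moved onto another record.
func Encrypt(ks *KeyService, recordID string, plaintext []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := randomBytes(32)
	if ciphertext, err = gcmSeal(dek, plaintext, []byte(recordID)); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = ks.Wrap(dek); err != nil {
		return nil, nil, err
	}
	return wrappedDEK, ciphertext, nil
}

// Decrypt unwraps the DEK on behalf of principal; someone who can read the
// database but is not allowed to unwrap gets nothing usable.
func Decrypt(ks *KeyService, principal, recordID string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := ks.Unwrap(principal, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, ciphertext, []byte(recordID))
}

func main() {
	ks := &KeyService{kek: randomBytes(32), allowed: map[string]bool{"billing-service": true}}
	wrapped, ct, _ := Encrypt(ks, "customer/42", []byte("4111111111111111")) // test card number
	pt, err := Decrypt(ks, "billing-service", "customer/42", wrapped, ct)
	_, err2 := Decrypt(ks, "marketing-analytics", "customer/42", wrapped, ct)
	fmt.Printf("billing-service: %s (err=%v); marketing-analytics: %v\n", pt, err, err2)
}
```

Rotating the KEK then means re-wrapping the small DEKs, not re-encrypting every record, and the audit log of who called Unwrap is exactly the "who has access to what data" record the article asks for.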
Customer data inside an IT environment should be tokenized. Tokenization replaces a sensitive value with a surrogate, the token, that has no exploitable value on its own. That keeps the real data out of the hands of those who would abuse it while still letting merchants use the token as a reference in their existing systems. Tokenization keeps some of the most valuable data, credit and debit card numbers, out of widely accessible systems: the numbers live only in the token vault, and only the token engine can map a token back to a card number at the moment a payment actually has to be processed.
There is no one silver bullet for perfect security. In a world where breaches are effectively guaranteed, tokenization solves many of the problems of modern customer data security, but it needs to work in concert with other protections in order to be most effective.
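To make the tokenization point concrete, here is an added example (written for this page, not taken from the article or any tokenization vendor) of a minimal token vault in Go. The tokens are random digits, not an encryption of the card number, so there is no key whose theft would reverse them; the last four digits are preserved so receipts and customer service keep working; and only a named principal, here the assumed "payment-gateway", may detokenize. The in-memory maps stand in for the vault's encrypted, access-controlled store.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"regexp"
	"sync"
)

// panShape accepts 13 to 19 plain digits; separators are the caller's job to strip.
var panShape = regexp.MustCompile(`^[0-9]{13,19}$`)

// TokenVault is the only component that ever holds a PAN. Everything else
// (orders, CRM, analytics, logs) stores the token it hands back. The maps stand
// in for an encrypted, access-controlled store inside the cardholder data environment.
type TokenVault struct {
	mu      sync.Mutex
	byToken map[string]string // token -> PAN
	byPAN   map[string]string // PAN -> token, so a returning card gets one token
	allowed map[string]bool   // principals permitted to detokenize (assumed policy)
}

func NewTokenVault(detokenizers ...string) *TokenVault {
	v := &TokenVault{byToken: map[string]string{}, byPAN: map[string]string{}, allowed: map[string]bool{}}
	for _, p := range detokenizers {
		v.allowed[p] = true
	}
	return v
}

// randomDigits returns n decimal digits from the OS CSPRNG. Tokens are random
// rather than derived from the PAN, so there is no key that could reverse them.
func randomDigits(n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		out[i] = byte('0' + d.Int64())
	}
	return string(out), nil
}

// Tokenize stores the PAN and returns a same-length token that keeps only the
// last four digits, enough for receipts and customer service without the PAN.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if !panShape.MatchString(pan) {
		return "", fmt.Errorf("not a card number shape")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.byPAN[pan]; ok {
		return tok, nil
	}
	for {
		prefix, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := prefix + pan[len(pan)-4:]
		if _, taken := v.byToken[tok]; taken || tok == pan {
			continue // astronomically rare; draw again rather than reuse
		}
		v.byToken[tok] = pan
		v.byPAN[pan] = tok
		return tok, nil
	}
}

// Detokenize hands the PAN back only to an authorized principal, typically the
// payment gateway connector at the moment of authorization or settlement.
func (v *TokenVault) Detokenize(principal, token string) (string, error) {
	if !v.allowed[principal] {
		return "", fmt.Errorf("%q may not detokenize", principal)
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.byToken[token]
	if !ok {
		return "", fmt.Errorf("unknown token")
	}
	return pan, nil
}

func main() {
	vault := NewTokenVault("payment-gateway")
	tok, _ := vault.Tokenize("4111111111111111") // test card number, not real data
	fmt.Println("order system stores:", tok)
	pan, err := vault.Detokenize("payment-gateway", tok)
	fmt.Println("gateway sees:", pan, err)
	_, err = vault.Detokenize("analytics", tok)
	fmt.Println("analytics sees:", err)
}
```

Because the token is the same length and keeps the last four digits, legacy systems with a fixed card-number column need no schema change, which is what lets tokenization fit "existing systems" as the article says. The price is that the vault itself becomes the crown jewel and must sit inside the PCI scope with the strongest controls you have.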
Strong security can't be implemented without a comprehensive plan that backs it up. There needs to be an information security strategy that touches every aspect of an organization. For that reason, it can't be just an IT security team forwarding a new policy memo to the office: managers at every level need to thoroughly understand the hows and whys of security policy.
Tripwire recommended enrolling employees in a security awareness program that covers the many security topics and threats employees have to deal with. It's important that all employees take part, because an attack can come through any number of entry points. Security should be an operational priority, not just a corporate one.
Once a top-notch security strategy is in place, it shouldn't stagnate with the same policies for the next five years. Technology changes incredibly fast, and new threats can appear at the drop of a hat. And even when a strategy is being followed as designed, it needs to be regularly monitored to make sure it's actually working.
Regularly audit security controls and employee use of sensitive information, and keep an up-to-date record of who has what access to what data, from where and when. Security teams need a clear picture of everything that's happening in a system.
Even the best security systems need to be ready for an emergency. When a worst-case scenario occurs, an organization needs to know what happens next: who works out what happened, the scope of the damage and how to contain it. A clear chain of responsibility and an up-to-date security strategy, everything that's been discussed so far, are crucial to identifying where the break in security occurred.
Once the problem has been identified and its causes are being fixed, the next step is repairing the damage. If an attacker got hold of personal data, customers must be notified and helped with their next steps. And where the incident has hurt the organization itself, the root causes should be addressed rather than just the symptoms, so the same breach can't simply happen again.