Recent high-profile security breaches have raised public concern about how secure people's personal information really is. In December 2013, Target reported that 77 million customer accounts were compromised, resulting in $24 billion worth of damage. And at Global Payments, 46 million VISA and Mastercard numbers were stolen, causing $94 million in losses. These hair-raising examples are only the tip of the iceberg, and they point to a rising and troubling trend.
How can you avoid a similar catastrophic event? Softtek has identified six important measures you can take to avoid a security breach, listed starting with the most critical risks:
1. Implement a formal/documented process for media disposal
A business should take all reasonable steps to destroy, or arrange for the destruction of, any customer records within its custody or control that contain personal information and are no longer to be retained, by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means. (Reference: California Civil Code 1798.81)
2. Establish an annual internal/external IT audit
Suppliers must, at a minimum, go through an annual IT audit to ensure that their IT security controls are implemented as the client company expects, and to identify any new security flaws. It is recommended to have an external audit company perform this type of review in order to obtain the perspective of IT security specialists from outside the supplier's company.
3. Implement full disk encryption on company laptops
The trend today is to use mobile devices to access, handle and store data, so it is crucial to implement security controls on such devices. For laptops specifically, it is critical to implement full disk encryption to protect everything stored on the disk drive in case the drive is lost or stolen. This also protects temporary files, deleted files, and even cached memory files. With full disk encryption, the decision of which individual files to encrypt is not left to users' discretion, which matters in situations where users might not want to, or might forget to, encrypt sensitive files.
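A control like this is only worth something if someone verifies it. The following is an added example, not Softtek's code, of how an auditor or endpoint-compliance job can check a Linux laptop for full disk encryption: it parses the KEY="value" output of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` and walks each mounted filesystem's parent chain looking for a LUKS container or dm-crypt mapping beneath it. The sample `lsblk` output is constructed (one encrypted root volume group and one plaintext data partition); the exemption list for bootloader partitions is an assumption you would tune to your build standard.

```python
"""Check that every mounted data filesystem sits on top of an encryption layer.

Added example (not from the original article). Parses `lsblk -P` output and
reports mount points with no crypto_LUKS / dm-crypt ancestor.
"""
import re
import subprocess

# Constructed sample: sda2 -> LUKS -> LVM (encrypted); sdb1 is plaintext ext4
SAMPLE_LSBLK = '''\
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg0-root" PKNAME="cryptroot" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="vg0-home" PKNAME="cryptroot" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home"
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data"
'''

# One KEY="value" pair; lsblk -P quotes every value, including empty ones
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumption: the bootloader partitions are allowed to be plaintext
EXEMPT_MOUNTS = {"/boot", "/boot/efi"}


def parse_lsblk(text):
    """Return {device name: {column: value}} for each line of lsblk -P output."""
    devices = {}
    for line in text.splitlines():
        fields = dict(PAIR_RE.findall(line))
        if "NAME" in fields:
            devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices, name):
    """True if the device or any ancestor is a LUKS container or a dm-crypt mapping."""
    seen = set()  # guard against malformed input that loops on PKNAME
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev.get("FSTYPE") == "crypto_LUKS" or dev.get("TYPE") == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False


def unencrypted_mounts(text):
    """Mount points of mounted filesystems with no encryption layer beneath them."""
    devices = parse_lsblk(text)
    findings = []
    for dev in devices.values():
        mnt = dev.get("MOUNTPOINT", "")
        if not mnt or mnt in EXEMPT_MOUNTS or mnt == "[SWAP]":
            continue
        if not is_encrypted(devices, dev["NAME"]):
            findings.append(mnt)
    return sorted(findings)


def check_live_system():
    """Run lsblk on this machine (Linux only) and return unencrypted mount points."""
    out = subprocess.run(
        ["lsblk", "-P", "-o", "NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    # Against the constructed sample this reports ['/data']
    print("unencrypted mounts in sample:", unencrypted_mounts(SAMPLE_LSBLK))
```

On a real fleet you would run `check_live_system()` from the endpoint agent and treat any non-empty result as a finding; swap space is skipped here only because it should be handled by its own check (encrypted swap or none at all).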
4. Establish controls for databases and operating systems
Database and operating system controls cover a wide area of IT controls that a company must have in place, including access controls, auditing, authentication, encryption, integrity controls, backups, monitoring and more. It is recommended to have a penetration test performed against the databases to identify any security flaws they may have; this way you can be sure that the supplier you are dealing with has the appropriate controls in place, or at least be aware of the controls they are lacking.
5. Document effective process for securing high-privilege accounts
This item is focused on ensuring the supplier has the proper security controls in place for managing accounts that hold "special" or extra permissions compared to a regular user account (e.g. an administrator account). These security controls cover a variety of areas, such as a defined process for provisioning and de-provisioning, an ongoing audit process, a defined password use policy, a defined segregation of duties process, and raising employee awareness of the proper use of these types of accounts.
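The controls in this item are easy to document and easy to let slip, so the ongoing audit is the part that catches drift. Below is an added example, not Softtek's code, of the reconciliation an auditor would run: a privileged-account inventory (as exported from an admin group in the directory) is checked against the HR roster, flagging accounts whose owner has left (a de-provisioning gap), accounts that have gone unused, accounts with no documented owner, and owners who hold both a change-approval role and an admin role (a segregation of duties conflict). Both CSV inputs and the role names are constructed assumptions; the 90-day idle threshold is a placeholder for whatever the password use policy sets.

```python
"""Reconcile a privileged-account inventory against the HR roster.

Added example (not from the original article). Inputs are constructed CSV
text standing in for a directory export and an HR export.
"""
import csv
import io
from datetime import date

# Constructed sample inventory of privileged accounts
PRIV_ACCOUNTS_CSV = """\
account,owner,last_login,roles
adm-alice,alice,2024-05-20,db-admin
adm-bob,bob,2024-01-03,os-admin
adm-carol,carol,2024-05-18,os-admin;change-approver
svc-backup,,2024-05-21,os-admin
adm-dave,dave,2024-05-19,db-admin
"""

# Constructed sample HR roster: who is still employed
HR_ROSTER_CSV = """\
user,status
alice,active
bob,terminated
carol,active
dave,active
"""

MAX_IDLE_DAYS = 90                       # assumption: from the password use policy
APPROVER_ROLE = "change-approver"        # assumption: the role that approves requests
ADMIN_ROLES = {"os-admin", "db-admin"}   # assumption: roles that execute changes


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_privileged_accounts(inventory_csv, roster_csv, today):
    """Return a sorted list of (account, finding) tuples for the four checks."""
    status = {r["user"]: r["status"] for r in load_rows(roster_csv)}
    findings = []
    for row in load_rows(inventory_csv):
        acct, owner = row["account"], row["owner"]
        roles = set(filter(None, row["roles"].split(";")))

        # Provisioning/de-provisioning: every privileged account needs a live owner
        if not owner:
            findings.append((acct, "no documented owner"))
        elif status.get(owner) != "active":
            findings.append((acct, f"owner {owner} not active: de-provision"))

        # Ongoing audit: privileged accounts that nobody uses should not exist
        idle = (today - date.fromisoformat(row["last_login"])).days
        if idle > MAX_IDLE_DAYS:
            findings.append((acct, f"unused for {idle} days"))

        # Segregation of duties: approving a change and executing it are separate jobs
        if APPROVER_ROLE in roles and roles & ADMIN_ROLES:
            findings.append((acct, "segregation of duties: approver also admin"))
    return sorted(findings)


if __name__ == "__main__":
    for acct, finding in audit_privileged_accounts(
            PRIV_ACCOUNTS_CSV, HR_ROSTER_CSV, date(2024, 5, 22)):
        print(f"{acct}: {finding}")
```

Run against the constructed data with 22 May 2024 as the audit date, it flags adm-bob twice (terminated owner, 140 days idle), adm-carol for the approver/admin conflict, and svc-backup for having no owner; the point of feeding the HR roster in rather than asking account owners is that the de-provisioning gap is exactly the case where nobody is left to answer.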
6. Perform external network vulnerability assessment
Some of today's top security breaches originate inside the network, and the root cause is not having the right security controls in place. This area is very specific by nature and touches many different security domains; therefore, it is recommended that the suppliers with whom you do business go through an external vulnerability assessment, so that IT specialists can evaluate and report the existing security flaws in the supplier's network. There are a variety of testing mechanisms (manual and automated) and tools used to perform a network vulnerability assessment, which is why having an independent company assess the supplier's network is suggested.