Tag: PCI compliance

Bill Blake shows ISACA how Fasoo protects sensitive data

Bill Blake, President of Fasoo, Inc., spoke to members of the Western NY Information Systems Audit and Control Association (ISACA) at the Hilton Double Tree Hotel in Rochester, NY on May 10, 2016.  Bill delivered a presentation on “Closing the Threat Gap – A 21st Century Approach to Minimizing Risk” to this annual event and showed attendees how to use Fasoo’s enterprise digital rights management to protect sensitive information from insider threats and external attacks by hackers.

Given the constant barrage of news on data breaches and cyber security incidents, the attendees were very interested in how to protect sensitive information in their organizations, since ensuring proper controls and managing risk are the main focus of this group.  One statistic that Bill shared was from the 2016 PwC Global State of Information Security survey which found that 81 percent of respondents attribute security incidents to existing staff, vendors and customers, with current employees the most cited source of incidents.  This was an eye opener for many, since most of us tend to focus on external threats.

A number of attendees came up after Bill’s presentation and asked about print-related security risks.  This is an area that many companies don’t think about since most of us focus on digital data.  One recent survey found that 70 percent of businesses admit to experiencing one or more print-related data breaches.  Most of these go unreported and according to the Identity Theft Resource Center, paper breaches seldom trigger state breach notification laws.

Auditors and risk management professionals are very concerned about meeting regulatory compliance, but also about following internal audit and security rules.  There is always the issue of security versus compliance.  As one person mentioned, you can meet PCI compliance requirements and still have a data breach.  A case in point is the major breach at Target in 2013: the company had been assessed as PCI compliant shortly before the breach, but was still vulnerable and lost data.  Compliance is a point-in-time audit against a checklist, and an attacker only needs the one weakness the checklist did not cover.  As one of the speakers discussed, people are still the weakest element in security.  Just because you are compliant doesn’t mean you are secure.

Another major discussion area was using analytics to understand what is normal behavior in your organization, so you can determine what is abnormal.  There are weaknesses in controls around data access for many companies and it is challenging to separate the noise from the important details as IT and auditors review logs from security tools.  Organizations need to establish a baseline of normal data access and then look at how activities deviate from the norm.  This will help pinpoint insider threats as well as suspicious activity from compromised systems.

The event showed the growing need for data-centric security solutions as companies try to mitigate the risk of both external hackers and insider threats to their most sensitive data.

Home Depot to Pay Big for Data Breach

Data breaches are beginning to cost companies a lot of money.  This isn’t potentially lost revenue or brand damage, which may be hard to measure.  This is cold, hard cash.

Home Depot has agreed to pay as much as $19.5 million to compensate consumers for the data breach it suffered in 2014 that affected more than 50 million cardholders.  That figure includes $13 million to reimburse customers for losses and $6.5 million for a year and a half of identity protection services.  They have also paid out or plan to pay $161 million in total for costs related to the breach.

As part of the settlement, the company agreed to improve data security and hire a chief information security officer (CISO).  That’s good.  As is common in these cases, the company did not have to admit it did anything wrong.  Not good.  I understand this is common in these settlements, but I find it unfortunate, since the customers are affected by the negligence of the company.  To me this is like saying that if I left my front door open and somebody came in and robbed me, it isn’t my fault.  Companies must take data security seriously, but many of them do not even do the basics of locking the front door.

The standard approach to help those affected in these breaches is to offer identity protection services to the victims for a period of time.  That sounds great, but what happens after that?  Cyber criminals are smart enough to know they can hold on to personally identifiable information (PII) for just a little longer and then use it.  Of course I can change my credit card number, but I’m not going to change my name and address.

A very common cyber attack today is phishing, which tricks someone into clicking an email link or going to a fictitious website.  The goal is to steal information the criminal can use to get money, defraud someone or get something else of value.  Having identity protection services may help monitor your credit cards or bank accounts, but does little if someone tries to pose as you to get healthcare, uses your name to defraud a relative or makes small purchases that fly under the radar.

If you handle regulated or any other sensitive data, you need to encrypt it and control access to it.  That doesn’t mean controlling access only while the data sits on a file server or in a database; these breaches prove that attackers can get past those layers.  The encryption needs to be on the data itself, so that a file copied off the server is still unreadable, and the key should be released only after the reader has authenticated with multiple factors.
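As an added illustration of that recommendation (example code written for this page, not Fasoo’s product or anything the post describes), here is a minimal data-centric scheme in Go: the document is encrypted with AES-GCM under a per-document key, the access policy rides along with the file as an authenticated header, and a hypothetical key service releases the key only to a reader named in its own copy of the policy who has passed a second factor.  The names (keyService, contract-42, alice, mallory) and the policy format are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// policy is the access rule that travels with the document (hypothetical format).
type policy struct {
	DocID      string
	Readers    []string
	RequireMFA bool
}

func (p policy) bytes() []byte {
	return []byte(fmt.Sprintf("%s|%v|%t", p.DocID, p.Readers, p.RequireMFA))
}

// sealed is all that sits on the file server: a policy header and AES-GCM
// ciphertext with that header bound in as associated data. No key.
type sealed struct {
	Policy            policy
	Nonce, Ciphertext []byte
}

// keyService stands in for a policy/key server (hypothetical, not any vendor's).
// It keeps its own copy of each policy, so editing a stolen file's header changes nothing.
type keyService struct {
	keys     map[string][]byte
	policies map[string]policy
}

func newKeyService() *keyService {
	return &keyService{keys: map[string][]byte{}, policies: map[string]policy{}}
}

// gcmFor builds the AEAD; keys here are always 32 bytes, so the errors are unreachable.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal encrypts plaintext under a fresh 256-bit key and registers key and policy.
func (ks *keyService) seal(p policy, plaintext []byte) (sealed, error) {
	buf := make([]byte, 32+12) // fresh key || nonce in one read
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return sealed{}, err
	}
	key, nonce := buf[:32], append([]byte(nil), buf[32:]...) // nonce copied so the file shares no memory with the key
	ks.keys[p.DocID], ks.policies[p.DocID] = key, p
	ct := gcmFor(key).Seal(nil, nonce, plaintext, p.bytes())
	return sealed{Policy: p, Nonce: nonce, Ciphertext: ct}, nil
}

// releaseKey is the gate: identity, the server's copy of the policy, and the
// second factor are all checked before a key leaves the service.
func (ks *keyService) releaseKey(docID, user string, mfaVerified bool) ([]byte, error) {
	p, ok := ks.policies[docID]
	if !ok {
		return nil, errors.New("unknown document")
	}
	allowed := false
	for _, r := range p.Readers {
		allowed = allowed || r == user
	}
	switch {
	case !allowed:
		return nil, errors.New("user not in policy")
	case p.RequireMFA && !mfaVerified:
		return nil, errors.New("second factor required")
	}
	return ks.keys[docID], nil
}

// openDoc is the viewer's side: obtain the key through the gate, then decrypt.
// GCM checks the header as associated data, so a tampered header fails even with a valid key.
func openDoc(ks *keyService, s sealed, user string, mfaVerified bool) ([]byte, error) {
	key, err := ks.releaseKey(s.Policy.DocID, user, mfaVerified)
	if err != nil {
		return nil, err
	}
	return gcmFor(key).Open(nil, s.Nonce, s.Ciphertext, s.Policy.bytes())
}

func main() {
	ks := newKeyService()
	p := policy{DocID: "contract-42", Readers: []string{"alice"}, RequireMFA: true}
	doc, _ := ks.seal(p, []byte("supplier pricing: confidential"))
	pt, err := openDoc(ks, doc, "alice", true)
	fmt.Printf("alice with MFA: %q %v\n", pt, err)
	_, err = openDoc(ks, doc, "mallory", true)
	fmt.Println("mallory:", err)
}
```

Two things the code shows that the paragraph does not: the server enforces its own stored policy, so rewriting the header on a copied file gains an attacker nothing, and because the header is GCM associated data, even a reader who legitimately holds the key cannot open a file whose header was altered.  A real deployment would also rotate keys, log every release, and keep the key inside a viewer session rather than hand it to the client outright.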

I think these large settlements may finally be a wakeup call for organizations that handle PCI regulated data and any PII or PHI.  Hopefully Home Depot and other organizations will heed the advice from security experts and the FTC and improve their data security practices to prevent data breaches in the future.  Nothing spurs action like a hit to the bottom line.


Photo credit Mike Mozart

Ron Arden Shows Rochester IIA ISACA IT Conference How to Protect Sensitive Data

Ron Arden, Vice President of Fasoo, Inc., spoke to members of the Rochester Institute of Internal Auditors (IIA) and Information Systems Audit and Control Association (ISACA) at the Hilton Double Tree Hotel in Rochester, NY on December 10, 2015.  Ron delivered a presentation on “Data Protection of Sensitive Information” to this annual event and showed attendees how to use Fasoo’s enterprise digital rights management to protect sensitive information from insider threats and external attacks by hackers.

Given the constant drumbeat of news on data breaches and cyber security incidents, the attendees were very interested in how to protect sensitive information in their organizations, since ensuring proper controls and managing risk are the main focus of this group.  A number of attendees came up after the presentation and asked about protecting very sensitive documents in their companies.  I spoke with a gentleman from a retail company who was concerned about protecting contract information shared with their suppliers and, given the company’s high employee turnover, was worried about people leaving for competitors with sensitive information.

As discussed during the event, auditors and risk management professionals are very concerned about meeting regulatory compliance, but also about following internal audit and security rules.  During one of the panel discussions, attendees and panel members talked about security versus compliance.  Someone brought up meeting PCI compliance requirements and still having a data breach.  A case in point is the major breach at Target in 2013.  The company met the requirements, but was still vulnerable and lost data.  Since many regulations are somewhat vague about how to be compliant, the group talked about using the NIST Cybersecurity Framework, and governance, risk and compliance (GRC) tools such as RSA Archer, as ways to ensure security that goes beyond compliance.  Just because you are compliant doesn’t mean you are secure.

Another major discussion area was using analytics to understand what is normal behavior in your organization, so you can determine what is abnormal.  There are weaknesses in controls around data access for many companies and it is challenging to separate the noise from the important details as IT and auditors review logs from security tools.  Organizations need to establish a baseline of normal data access and then look at how activities deviate from the norm.  This will help pinpoint insider threats as well as suspicious activity from compromised systems.
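As an added example for the baselining discussion in this write-up and in the May 2016 one above (not code from the page or from Fasoo), the Go program below does the simplest version of what was described: it reads a constructed file-access log, learns each user’s normal daily access volume and the directories they touch from the baseline days, and flags a later day whose volume is a z-score of 3 or more above that user’s mean, or that touches a directory the user had never opened.  The log lines, user names and paths are made up for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Constructed sample access log (not from the page): "timestamp user action path".
// Days before 2016-05-09 are the baseline window; 2016-05-09 is the day under review.
const sampleLog = `
2016-05-02T09:12:03Z alice read /finance/q1-forecast.xlsx
2016-05-02T11:40:51Z alice read /finance/ap-aging.xlsx
2016-05-02T10:05:17Z bob read /sales/pipeline.docx
2016-05-03T09:03:44Z alice read /finance/q1-forecast.xlsx
2016-05-03T14:22:09Z alice read /finance/budget.xlsx
2016-05-03T10:11:30Z bob read /sales/quotes.docx
2016-05-09T08:31:02Z alice read /finance/q1-forecast.xlsx
2016-05-09T08:31:09Z alice read /finance/ap-aging.xlsx
2016-05-09T08:31:15Z alice read /finance/budget.xlsx
2016-05-09T08:31:22Z alice read /finance/payroll-2016.xlsx
2016-05-09T08:31:28Z alice read /finance/vendor-bank-details.xlsx
2016-05-09T08:31:35Z alice read /finance/board-deck.pptx
2016-05-09T10:14:33Z bob read /hr/salary-bands.xlsx
`

type event struct{ day, user, dir string }
type alert struct{ user, day, reason string }

// parseLog keeps the date, user and top-level directory of each well-formed line.
func parseLog(raw string) []event {
	var evs []event
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || len(f[0]) < 10 {
			continue // blank or malformed line: skip it rather than abort the whole run
		}
		dir := "/" + strings.SplitN(strings.TrimPrefix(f[3], "/"), "/", 2)[0]
		evs = append(evs, event{f[0][:10], f[1], dir})
	}
	return evs
}

// detect learns each user's baseline from training days (mean and spread of daily
// access volume, plus the directories they touched) and scores every later (user, day)
// against it: a z-score at or above threshold, or a never-seen directory, raises an alert.
func detect(evs []event, isTraining func(string) bool, threshold float64) []alert {
	counts := map[[2]string]int{}        // (user, day) -> accesses
	seen := map[string]map[string]bool{} // user -> directories touched in training
	for _, e := range evs {
		counts[[2]string{e.user, e.day}]++
		if isTraining(e.day) {
			if seen[e.user] == nil {
				seen[e.user] = map[string]bool{}
			}
			seen[e.user][e.dir] = true
		}
	}
	sum, sq, n := map[string]float64{}, map[string]float64{}, map[string]float64{}
	for k, c := range counts {
		if isTraining(k[1]) {
			sum[k[0]] += float64(c)
			sq[k[0]] += float64(c * c)
			n[k[0]]++
		}
	}
	newDir := map[[2]string]string{} // at most one new-directory alert per (user, day)
	for _, e := range evs {
		if !isTraining(e.day) && seen[e.user] != nil && !seen[e.user][e.dir] {
			newDir[[2]string{e.user, e.day}] = e.dir
		}
	}
	var alerts []alert
	for k, c := range counts {
		user, day := k[0], k[1]
		if isTraining(day) || n[user] == 0 {
			continue // nothing to compare against: a training day, or a user with no baseline
		}
		mean := sum[user] / n[user]
		// Spread floored at one access: a perfectly regular user must not divide by zero or page over one extra read.
		sd := math.Max(math.Sqrt(math.Max(sq[user]/n[user]-mean*mean, 0)), 1)
		if z := (float64(c) - mean) / sd; z >= threshold {
			alerts = append(alerts, alert{user, day, fmt.Sprintf("%d accesses, z=%.1f", c, z)})
		}
		if d, ok := newDir[k]; ok {
			alerts = append(alerts, alert{user, day, "first access to " + d})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].user+alerts[i].day < alerts[j].user+alerts[j].day })
	return alerts
}

func main() {
	isTraining := func(day string) bool { return day < "2016-05-09" }
	for _, a := range detect(parseLog(sampleLog), isTraining, 3.0) {
		fmt.Printf("%s %s: %s\n", a.day, a.user, a.reason)
	}
}
```

Running it prints two alerts for 2016-05-09: alice, who read three times her usual number of finance files in one sitting, and bob, whose single visit to /hr is ordinary in volume but new for him.  Both are exactly the kind of deviation the panel wanted surfaced from the noise: one is the bulk-collection pattern of an insider or a compromised account, the other is a scope change that a volume-only rule would miss.  In production you would use a longer window, per-weekday baselines and peer-group comparison, but the shape of the check is the same.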

The event showed the growing need for data-centric security solutions as companies try to mitigate the risk of both external hackers and insider threats to their most sensitive data.
