
Fasoo talks about cyber security and protecting sensitive data in the finance industry

Ron Arden, Vice President and COO of Fasoo, Inc., participated in a panel discussion on cyber security priorities in the finance industry at FinCyberSec 2016 at Stevens Institute of Technology in Hoboken, NJ on June 1, 2016. Ron was joined by Alan Brill, Senior Managing Director from Kroll, and Michael Frank, President of Secure Business Strategies. The panel was moderated by Dr. Paul Rohmeyer, who organized the conference.

The first topic of discussion addressed the challenges of cyber security in the financial services industry. Dr. Rohmeyer asked whether CISOs operating in different industries have unique priorities or whether their priorities are largely similar. Ron mentioned that when you experience a cyber security event, the attackers either want to disrupt operations or steal data. Regardless of industry, the general goals are the same. There are clearly unique processes in financial services that may not exist in other industries, but the basics are the same.

Michael Frank mentioned how the lack of security basics is hurting the financial industry and many others. We rely so much on technology and assume that everything works that we frequently neglect simple things. Systems that use default passwords or assume that someone is who they say they are with minimal confirmation are common issues. Another example is the risk that a typical printer poses to a company if a user can print any sensitive document. Uncontrolled printing lets anyone print anything and take it out of the business. We are so focused on protecting the perimeter of our companies from hackers that we are ignoring the trusted insider who can steal valuable information on a piece of paper.

Fasoo sponsors FinCyberSec 2016

There was also discussion on the risk posed by insider threats to unstructured data, typically files and documents. Most of the data breach headlines focus on hackers stealing information from databases, yet most of the intellectual property inside a business is in documents we work with every day. Encrypting these documents and restricting their access through persistent security policies is the best way to ensure that only authorized users can access the sensitive information inside.

Another topic for the panel was “Where are we off target?” Are companies focusing on the wrong areas when it comes to cyber security? Discussions again focused on securing the valuable data in your company and ensuring that you follow business processes. Too much emphasis is placed on technology as the silver bullet without thinking about the people side of things. One example was a major financial transaction where the person executing the transaction got an email from the CEO asking him to transfer a large amount of money to another bank. While such a request may be normal, there is a process to verify it through a phone call. The email looked legitimate, but it was actually a phishing email that closely resembled the real thing. A simple phone call verified it was bogus, but most people just accept that the technology is working.

During Ron’s closing remarks he mentioned that just because a company is compliant does not mean it’s secure.  A perfect example is Target from a few years ago.  Target was PCI compliant, but they still had a major data breach.  Cybercriminals exfiltrated large amounts of unencrypted data that caused major problems for the company.  Regulations frequently have guidelines that meet minimal requirements for data security, but do not specify technologies or processes.  That is changing and newer laws are mandating encryption and permission controls as ways to ensure that sensitive information remains safe from all unauthorized users.

This conference was a very successful event and I expect it will continue as more emphasis is placed on practical approaches to increasing security in the financial industry.

Fix a broken chain of custody of your confidential data

Companies share a lot of confidential data with third parties. Who is responsible for keeping that data secure? Is it the originating company or the third party? Or both?

This week American Express sent letters to card holders about a possible data breach.  According to reports “an unauthorized person or group accessed the system of a third-party service provider prompting American Express to warn customers that card member information may have been compromised.” The company said, “It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.”  So is American Express to blame for this incident or is the service provider to blame?

This breach is another example of a broken chain of custody with confidential data.  American Express may have strong protections for its confidential data, but when it relinquishes control to another party that has weak controls, hackers know how to exploit the situation.  This is the same issue I talked about last year on the weakest link in the supply chain.

Think about the vulnerability of your data within your supply chain.  You may have the best security that money can buy, but once it leaves the confines of your environment, the information is out of your control.  You have to rely on the security systems of your partners to protect your information.  Unless you’ve done a security audit on those partners and are satisfied they will maintain your confidential data safely, you are vulnerable.  Hackers prefer to target the weakest link in the chain and they know smaller providers of large companies are easier targets.

This is where persistent security comes into play. If you have strong encryption and permission controls on your confidential data, you can limit access to it regardless of where it is. One of our customers uses our applications to exchange PCI data with a third party. The file can only be accessed a limited number of times on specific computers. After that, the file is useless. If someone steals the file, they can’t read the data inside. The result is no data breach.
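As an added illustration that is not part of the original post and not Fasoo's product code: a minimal sketch of the persistent-security pattern described above, where the file on disk carries only ciphertext and the content key is released by a policy service solely to an allowed device with opens remaining, so a copied or stolen file decrypts to nothing. The HMAC-SHA256 keystream, the `PolicyServer` class and the device ids are constructed stand-ins (a real product would use an authenticated cipher such as AES-GCM and a trusted client).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a stand-in for a real AEAD cipher.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Returns nonce || ciphertext || tag; the key itself is never stored in the file.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_blob(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Policy:
    allowed_devices: set   # hypothetical device identifiers bound to the file
    opens_left: int        # remaining number of permitted opens

class PolicyServer:
    """Hypothetical policy service: keeps the content keys and enforces the policy."""
    def __init__(self):
        self.keys, self.policies = {}, {}
    def protect(self, doc_id: str, plaintext: bytes, policy: Policy) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[doc_id], self.policies[doc_id] = key, policy
        return seal(key, plaintext)
    def request_key(self, doc_id: str, device_id: str):
        p = self.policies[doc_id]
        if device_id not in p.allowed_devices or p.opens_left <= 0:
            return None            # unknown machine or quota exhausted: key withheld
        p.opens_left -= 1
        return self.keys[doc_id]

def open_document(server: PolicyServer, doc_id: str, blob: bytes, device_id: str):
    """Returns the plaintext, or None when the policy denies this device."""
    key = server.request_key(doc_id, device_id)
    return open_blob(key, blob) if key else None
```

A file limited to two opens on one machine yields its contents twice there and nothing at all on any other device or on the third attempt.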

Ultimately American Express is responsible for its cardholders’ data, regardless of where it is. You can best protect your confidential data throughout your supply chain by encrypting it and controlling its access at all times. That’s better than welding your broken chain.

Photo credit Brian Smithson