Tips For Staying Secure in 2006
by Calum Macleod - European Director of Cyber-Ark - Monday, 16 January 2006.
For example, how many CEOs are aware that sensitive data within the organisation is visible to everyone from database administrators to developers and system administrators? How many bank directors are aware that in many cases financial transaction files are sitting in clear text on application servers? A European bank recently fell foul of an external audit when it was discovered that payments being sent to and from a third-party payment system were accessible to system administrators, that the bank had no means to control administrator access to those systems, and that it had no way to verify whether a file had been manually adjusted. The chances are that if it is true of this bank, it is very likely the case in others, since they generally use similar systems. And not only are directors unaware, they don't always understand the technical issues involved. Like my accountant and I when we meet – we have these brief conversations where I try to explain what I do, and vice versa, and quite frankly neither of us has any understanding of the other's profession.

Think about the company that is contracted to carry out research and development for many business partners: does management understand how confidential R&D data is shared with those partners? Or how about the financial company that processes payments for non-face-to-face businesses, including Internet, mail and telephone order: does management know how payment files are delivered to and from merchants? The list is endless.

Regulation means that companies have never been as vulnerable to the consequences of data breaches as they are today. The potential damages resulting from loss of reputation, loss of business and legal costs can be crippling to many businesses. Not only can a breach affect day-to-day business, it can also impact long-term M&A strategies. The days of dealing with data breaches "in-house" are gone, and the consequences of being caught trying to do so are potentially worse than simply confessing.

So what should you be doing? Well, there are a number of steps to consider, and an excellent guideline to follow is the standard developed by MasterCard and VISA, also enforced by American Express, which is designed to protect cardholder information and must be implemented by members, merchants and service providers. If you fall into any of these categories, and most organisations will, then this is important:

1. Build and Maintain a Secure Network – Maybe an obvious comment, but it is important to understand what this means. You need to have a firewall configuration to protect data and not use vendor-supplied defaults for system passwords and other security parameters. In order for firewalls to be effective, all communication from untrusted networks or hosts must be blocked, preventing external sources from interfacing with internal ones. An interesting point to note here is that the requirement for the firewall is to “protect data”, not to secure the perimeter.

Far too often, administrators leave the default passwords in place on systems as important as servers and network devices, for ease of use or simply because they forgot to change them. Lists of these default passwords can easily be found on the Internet and are often how hackers get into the network. To best meet this requirement, it all starts with a formal password control program that expands upon best-practice policies with technologies giving companies both the accessibility and the security needed for administrative passwords. This type of program marries policies with controls, changes and audits, to ensure best practices are actually followed.
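The two requirements in this first step (firewalls that block inbound traffic from untrusted networks by default, and administrative passwords that are not vendor defaults and are changed on a schedule) are the kind of thing an audit can check mechanically. The script below is an added example written for this page, not code from the article or from Cyber-Ark: it audits a constructed device inventory against a constructed placeholder list of vendor-default credentials, a 90-day rotation policy and a default-drop inbound firewall policy. The inventory entries, the default-credential list, the device models, the rotation limit and the audit date are all assumptions made up for the example; a real inventory would be fed from the password vault and would never carry plaintext passwords in code.

```python
"""Audit a device inventory for vendor-default admin passwords, stale passwords
and firewalls whose inbound default policy is not 'drop'. Example code; all
data below is constructed for illustration."""
import hashlib
import os
from datetime import date

# Constructed placeholder list keyed by (device model, account). The models and
# values are made up for the example; a real audit would load the
# organisation's own vetted default-credential list.
VENDOR_DEFAULTS = {
    ("example-router", "admin"): "admin",
    ("example-switch", "admin"): "password",
    ("example-dbhost", "sa"): "changeme",
}

MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation policy, not stated in the article
AS_OF = date(2006, 1, 16)    # fixed audit date so the example is deterministic


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 so the inventory stores no plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_record(name, model, account, password, last_changed, inbound_default):
    """Build one inventory entry from a plaintext password. Only used here to
    construct sample data; a real inventory is populated by the vault."""
    salt = os.urandom(16)
    return {
        "name": name,
        "model": model,
        "account": account,
        "salt": salt,
        "password_hash": hash_password(password, salt),
        "last_changed": last_changed,
        "inbound_default": inbound_default,   # 'drop' or 'accept'
    }


# Constructed sample inventory: one device still on its vendor default, one with
# an open inbound policy, one with a password that has simply gone stale.
INVENTORY = [
    make_record("edge-fw-1", "example-router", "admin", "admin",
                date(2004, 3, 2), "drop"),
    make_record("core-sw-1", "example-switch", "admin", "Rotated-Sw-2005-12!",
                date(2005, 12, 1), "accept"),
    make_record("pay-db-1", "example-dbhost", "sa", "Db-Admin-Sept-2005!",
                date(2005, 9, 1), "drop"),
]


def audit_device(rec, as_of=AS_OF):
    """Return a list of (device, rule, detail) findings for one inventory entry."""
    findings = []

    # Rule 1: the stored hash must not equal the hash of the vendor default.
    default_pw = VENDOR_DEFAULTS.get((rec["model"], rec["account"]))
    if default_pw is not None and \
            hash_password(default_pw, rec["salt"]) == rec["password_hash"]:
        findings.append((rec["name"], "default-password",
                         f"account {rec['account']} still uses the vendor default"))

    # Rule 2: the password must have been changed within the rotation window.
    age = (as_of - rec["last_changed"]).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append((rec["name"], "password-age",
                         f"last changed {age} days ago (limit {MAX_PASSWORD_AGE_DAYS})"))

    # Rule 3: inbound traffic from untrusted networks must be dropped by default.
    if rec["inbound_default"] != "drop":
        findings.append((rec["name"], "firewall-default",
                         f"inbound default policy is '{rec['inbound_default']}'"))
    return findings


def audit_inventory(inventory, as_of=AS_OF):
    """Run audit_device over every entry and flatten the findings."""
    return [f for rec in inventory for f in audit_device(rec, as_of)]


if __name__ == "__main__":
    for device, rule, detail in audit_inventory(INVENTORY):
        print(f"{device:12} {rule:18} {detail}")
```

The default-credential check compares hashes rather than plaintext, so the audit can run against a vault export without ever handling the live passwords. The three rules produce an evidence trail (device, rule, detail) that maps directly onto the "controls, changes and audits" the article calls for.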

Copyright 1998-2013 by Help Net Security.