Think about the company that is contracted to carry out research and development for many business partners: does management understand how confidential R&D data is shared with those partners? Or how about the financial company that processes payments for non face-to-face businesses, including Internet, mail and telephone orders: does management know how payment files are delivered to and from merchants? The list is endless.
Regulation means that companies have never been as vulnerable to the consequences of data breaches as they are today. The potential damages resulting from loss of reputation, lost business and legal costs can be crippling to many businesses. Not only can a breach affect day-to-day business, it can also impact long-term M&A strategies. The days of dealing with data breaches "in-house" are gone, and the consequences of being caught trying to do this are potentially worse than simply confessing.
So what should you be doing? Well, there are a number of steps to consider, and an excellent guideline to follow is the standard developed by MasterCard and VISA, also enforced by American Express, which is designed to protect cardholder information and must be implemented by members, merchants and service providers. If you fall into any of these categories, and that will apply to most, then this is important:
1. Build and Maintain a Secure Network – Maybe an obvious comment, but it is important to understand what this means. You need a firewall configuration that protects data, and you must not use vendor-supplied defaults for system passwords and other security parameters. For firewalls to be effective, all communication from untrusted networks or hosts must be blocked, preventing external sources from interfacing with internal ones. An interesting point to note here is that the requirement for the firewall is to "protect data", not merely to secure the perimeter.
Far too often, administrators leave the default passwords on systems as important as servers and network devices, either for ease of use or simply because they forgot to change them. Lists of these default passwords can easily be found on the Internet, and they are often how hackers access the network. To best meet this requirement, it all starts with a formal password control program that expands upon best-practice policies with technologies that give companies the accessibility and security needed for administrative passwords. This type of program marries policies with controls, changes and audits to ensure best practices are followed.
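The "audits" half of such a program can be automated. The following is an added example (not code from the article or from the card brands) that checks an exported inventory of administrative credentials for two of the problems described above: accounts still matching a vendor default, and accounts not rotated within a policy window. The inventory, the field names and the default-credential list are constructed placeholders, not real product defaults.

```python
from datetime import date

# Constructed vendor-default credential pairs (illustrative placeholders,
# not real product defaults). A real program would maintain this per device model.
VENDOR_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
}

# Constructed device inventory, in the shape a privileged-access vault might export
# (hypothetical field names: host, user, password, last_changed).
INVENTORY = [
    {"host": "fw-edge-01", "user": "admin", "password": "admin",
     "last_changed": date(2023, 1, 5)},
    {"host": "db-pay-02", "user": "svc_pay", "password": "Q7!rv#2mLp9z",
     "last_changed": date(2023, 11, 20)},
    {"host": "sw-core-03", "user": "root", "password": "root",
     "last_changed": date(2023, 12, 1)},
    {"host": "app-01", "user": "deploy", "password": "xT4%kd8@Wq1s",
     "last_changed": date(2022, 6, 30)},
]


def audit_credentials(inventory, today, max_age_days=90):
    """Return (host, finding) tuples for administrative credentials that still
    match a vendor default or have not been rotated within max_age_days."""
    findings = []
    for dev in inventory:
        # Check 1: the configured credential is a known vendor default.
        if (dev["user"], dev["password"]) in VENDOR_DEFAULTS:
            findings.append((dev["host"], "vendor-default credential still in use"))
        # Check 2: the credential has outlived the rotation policy.
        age = (today - dev["last_changed"]).days
        if age > max_age_days:
            findings.append((dev["host"], f"credential not rotated for {age} days"))
    return findings


def run_sample_audit():
    """Run the audit over the constructed inventory at a fixed constructed date."""
    return audit_credentials(INVENTORY, date(2024, 1, 15))


if __name__ == "__main__":
    for host, finding in run_sample_audit():
        print(f"{host}: {finding}")
```

On the constructed inventory the audit flags fw-edge-01 and sw-core-03 for defaults and fw-edge-01 and app-01 for stale credentials, while db-pay-02 passes both checks.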