Protecting Data From Theft: Too Important to Chance

by Talk Business & Politics

It was reported in December that Target suffered a security breach when credit/debit card information was stolen from approximately 40 million customers. 

This incident is a reminder to those of us who are responsible for data security that we should be diligent to protect our information and actively look for ways to improve our security. 

We know bad guys are trying to access our systems. Target is a wake-up call that these bad guys sometimes succeed. Our data is surrounded by malicious threats, and without an actively managed security plan in place those threats go unchecked. Here are a few important factors to consider while you’re developing a plan.

Password changes should be enforced every six months for 12-character passwords and more frequently for less complex structures.

This next guideline is common sense. Never share your password and always log off your applications. You may consider using a password-manager application to help out.

Restrict user access to only the systems required to perform each job and avoid configurations where one account has access to everything. 

Finally, regarding mobile devices, a well-thought-out and enforceable guideline should be adopted.

Two questions to ask are: 1) Do you allow staff to access company information via personal devices and, if so, how do you protect privileged information? 2) How do you address separation of an employee/vendor or the loss/theft of a device containing privileged information?

Monitor Activity — Creating an audit trail and multi-layer access to key systems provides visibility into system activity.  Also, any system changes should go through an approval process to validate that these changes meet their objectives, as well as security requirements. 

Minimize Entry Points — Every system has openings, such as the Internet, Wi-Fi connections, open network jacks, Web email, File Transfer Protocol servers, Virtual Private Networks, USB desktop ports, and CD-ROMs with auto-run enabled. 

Common entry point security good practices include changing default admin passwords, usernames and network names; enabling encryption; activating address filtering; assigning static Internet protocol addresses to devices; and establishing a secure guest account for wireless access.

A few other tips include employing and managing multi-vendor hardware and software security measures, keeping all software current and complying with industry regulations like PCI and HIPAA.

Physical security is a huge part of any data security plan. If you allow physical access to any device that has access to your network, you have an exposure. 

Do you allow outside parties, such as vendors, to access your network?  Are you familiar with their security standards? For this reason, it’s considered best practice to disable vendor access by default and only enable access when required.

Limiting access doesn’t provide ironclad security, but it’s considered an acceptable risk since it closes an external door.

The only way you can absolutely know an outside party is taking the required precautions is by using Network Access Control (NAC), but it can be complicated and costly to set up and maintain.

Because implementing NAC between your network and an outside party can be problematic, an alternative is to use technologies like remote desktop.

Also, because you can’t control the device an outside party uses, you risk exposure to malware or keystroke loggers on that device, and usernames or passwords might be leaked. One solution is to use two-factor authentication, such as password token fobs or apps like Google Authenticator, on every external access point.

In the end, you have to weigh the value of your data against the security costs. However you proceed, get another set of eyes to review your security. Your data and customer trust are too important to leave things to chance. 

Daniel Weatherly is director of IT with Mainstream Technologies Inc. in Little Rock. Mainstream provides managed services, custom software and hosting to businesses throughout the U.S. He can be reached at 501-801-6706 or by email at [email protected].