Only human: how to protect against data breaches
I was looking at some TripAdvisor reviews of hotels, when I was struck by a review singling out a particular hotel front desk for its lack of PCI compliance.
What was the crime? The front desk operative made a copy of the reviewer's payment card, and then, instead of destroying the information, placed it in the guests' folder upon checkout.
Same is true of phone reservations that elicit cardholder data, which could be jotted on a piece of paper, and then sent to the trash basket. So much for protecting sensitive information.
These events make you wonder what procedures organizations have to train their staff in security awareness, so that they can determine when they are in PCI scope and when they are not. Because the truth is, human error is a major cause of data breach – some 25%, according to the Ponemon Institute (www.ibm.com/security/data-breach/) and an amazing 62% in the UK, according to the Information Commissioner's Office (ICO).
Here are just some ways that innocent human error can lead to serious data breaches, and how you can guard against them:
Emails. You would think people would still be wary of opening emails with suspicious wording in the subject heading. If only this were so. Phishers know human nature, and they know you'll react to a subject line like "verify your account," with a link that takes you to a website to fill out a form with your personal information; unfortunately, that's all it takes to initiate a security data breach.
-- Remind employees not to open attachments from sources that they’re not familiar with
-- Let them know that the company only uses the corporate website to convey any sensitive or personal account information – never via email
-- Ensure they have virus and spam filters on corporate emails and web filters to block potentially damaging sites and links
-- Encrypt sensitive company or personal identifiable information
-- Simulate phishing emails so that employees can recognize them
Social media. Phishers get more sophisticated here, resorting to spear phishing. They search sites like LinkedIn for specific people and then send out mails, ostensibly from a colleague, or requesting the unsuspecting recipient for advice, an invitation to a meeting, or similar request. There's invariably an attachment that the recipient must click on.
But when the person clicks; nothing seems to happen. Under the hood, the workstation has been infected with malicious software.
Solution: Limit the information that employees can place in their corporate LinkedIn profile. No emails, no phone numbers.
Carelessness. Why would anyone leave their laptop or device in an unlocked car? And yet, they do, providing less scrupulous people a golden opportunity to gain access to your corporate network. The same problem arises when
-- Employees send corporate material to their own email, store in public storage sites, or copy into thumb drives
-- Equipment is simply thrown away
Solution: Install a remote wipe system that can remove all sensitive information from any corporate laptop.
Erroneously sending sensitive data to the wrong address. The ICO says that in the UK, this misstep represents the most common breach, about 17% of overall data breaches.
-- Undo send: Some email programs incorporate an "undo send" alert, with a specified time delay before it's sent; ut people tend to ignore the warning
-- Encryption: Although much more complicated, this method ensures that even if an email gets into the wrong hands, it'll be indecipherable.
Default passwords. Default passwords are generally built into an operating system, database or software pre-configured and are a necessary evil for installation. But these default passwords are often left in place, which can be a major mistake, allowing unauthorized people to gain access. How easy would it be to crack your system?
Solution: Change the password. Immediately.
Throwing paper files into a garbage can. How many movies have you seen where you see enterprising thieves dumpster diving, not for old furniture, but for those pages of sensitive information?
Solution: Remain out of PCI scope by
-- Cross-shredding documents, turning paper into confetti-like forms that cannot be reconstructed
-- Burn hardcopy
-- Turn it into pulp
Certainly there's a lot more to deal with, but you have to start somewhere. If you have not already instituted some type of employee security awareness program, check out this engaging, free playbook by the barkly runtime malware defense company.
And then maybe you won't be faced with PCI compliance breaches next time an employee handles payment card data.