After 20 years without a breach in my identity or personal information I was a recent victim of the Adobe breach.
I did all the right things. I never used the same password for any two sites, and I made it long and strong. I didn’t share the fact that I had an Adobe account on any social networks, and I used a specific credit card that could be easily canceled in the event something happened.
But this raises the question: Did Adobe do all the right things to protect my data? Are your customers wondering the same thing about you?
As I’ve preached for over 20 years, security is a process – not a destination. You don’t wake up one morning and arrive at a place called ‘secure.’ It’s a continuous, ongoing process of always staying one step ahead of the threats.
The Weakest Link
Does your company have a system in place that provides constant checks and balances?
This means a security team that constantly reviews procedures and checks periodically to make sure they’re being followed. Do you even have a network or security policy? Better still, do you have a security team?
In technology, as well as security in general, there’s the axiom of the ‘weakest link.’
You could have top-of-the-line Internet service at gigabits per second (Gbps), but if your router will only process 100 megabits per second (Mbps), guess how much speed you’re going to get? That’s right, 100 Mbps, because it’s the weakest link.
Similarly, your staff is usually the weakest link in your security chain. They leave their workstation logged on when they walk away for lunch or break. They open email attachments from unknown senders that they should have deleted. They surf social media exposing your network to a plethora of malware goodies.
But they’re not the only weak link in your organization!
What about your vendors? Do your vendors have access to your network, whether from inside your premises or from outside? All it takes is one contaminated USB flash drive inserted by a vendor to wreak havoc or provide a back door into sensitive customer data.
Defend Your Perimeter
You don’t need a professional to conduct a security audit to find out if your network is wide open. There is a simple test you can perform right at your desk, right now.
Go to: http://whatismyipaddress.com and write down the number you see on the screen.
Then, put that number in your web browser with http:// in front of it. If your router’s login page pops up, try using the basic default username and password to log in. They are admin and password, respectively.
And you could try other possibilities too. In fact, you could have fun trying to hack the password.
You would be surprised how many big companies fail to change the default user name and password in their router! A few years ago, there was a breach at a power plant of a public utility in the U.S. because the hacker used the default router username and password. It had never been changed.
Large companies have their hands full with staffing issues and sometimes the tech department is stretched beyond its limits. And this is the reason why simple security procedures get lost or bypassed.
Protect Important Data
Giving your customer data the security it deserves means you need to protect that data at all costs.
Another poorly followed security rule is the “least access” rule. Certified security professionals and network administrators are taught to start from the assumption that no one should have access to anything, and then add permissions based on need.
Does Jill the receptionist really need access to those payroll records? Does Bruce the admin really need access to customer billing and credit card records?
It doesn’t take high-powered administration software to allow and deny permissions to user groups. Nearly all operating systems have it built in already. And if not, there are many free, open source or inexpensive alternatives available for securing your network.
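The “least access” rule described above, as an added example that is not from the article: a small in-memory policy where nothing is permitted unless a grant for one of the user’s groups says so, plus a review helper that answers the “does Jill really need access to payroll?” question by listing everyone who can reach a resource. All users, groups and resource names here are constructed for illustration.

```python
"""Default-deny ("least access") permission model with a review helper.

Added example, not code from the article. Users, groups and resource
names are constructed; the point is the default-deny check and the
audit function, which a real deployment would run against its
directory or ACLs instead of this dictionary.
"""
from collections import defaultdict


class AccessPolicy:
    """Nothing is allowed unless an explicit grant exists for one of the user's groups."""

    def __init__(self):
        self._members = defaultdict(set)  # group -> set of users
        self._grants = defaultdict(set)   # resource -> set of (group, action)

    def add_member(self, user, group):
        self._members[group].add(user)

    def grant(self, group, resource, action):
        """Add a permission (e.g. "read", "write") for a group on a resource."""
        self._grants[resource].add((group, action))

    def groups_of(self, user):
        return {g for g, users in self._members.items() if user in users}

    def is_allowed(self, user, resource, action):
        """Default deny: True only if some group the user belongs to holds the grant."""
        grants = self._grants.get(resource, set())
        return any((g, action) in grants for g in self.groups_of(user))

    def who_can(self, resource, action):
        """Review helper: every user able to perform `action` on `resource`.

        Reviewing this list periodically is how you catch the receptionist
        who somehow ended up in the payroll group.
        """
        users = set()
        for group, act in self._grants.get(resource, ()):
            if act == action:
                users |= self._members[group]
        return sorted(users)


def build_sample_policy():
    """Constructed sample: the article's Jill and Bruce plus one payroll clerk."""
    p = AccessPolicy()
    p.add_member("jill", "reception")
    p.add_member("bruce", "it-admins")
    p.add_member("bruce", "backup-operators")
    p.add_member("maria", "payroll")
    p.grant("payroll", "payroll_records", "read")
    p.grant("payroll", "payroll_records", "write")
    p.grant("billing", "customer_billing", "read")   # group exists, nobody in it yet
    p.grant("reception", "visitor_log", "write")
    # The admin gets to administer servers, deliberately NOT to read the data on them
    p.grant("it-admins", "servers", "administer")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    for resource, action in [("payroll_records", "read"), ("customer_billing", "read")]:
        print(f"{resource}/{action}: {policy.who_can(resource, action) or 'nobody'}")
    print("jill -> payroll_records:", policy.is_allowed("jill", "payroll_records", "read"))
    print("bruce -> customer_billing:", policy.is_allowed("bruce", "customer_billing", "read"))
```

Note that Bruce being an administrator of the servers does not make him a reader of the billing data: the two are separate grants, and the admin grant is the only one his groups hold.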
It’s up to you to protect the important data your customers have trusted with you. And with big data, comes big responsibility.
Who’s Minding the Logs?
Even the smallest intruder leaves a footprint and that footprint can be found in logs. Server logs, router logs, firewall logs, and a host of other logs. Is your company keeping logs? Is someone reviewing them regularly?
A breach usually doesn’t happen on first access. There are usually telltale signs that someone has been snooping around your network first. Would someone in your organization be able to spot it?
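To show what “telltale signs” in logs can look like in practice, here is an added example that is not part of the article: a small detector run over constructed, simplified syslog-style lines. It flags three of the patterns the text alludes to: a run of failed logins from one source (the router admin interface being tried, which is where the default-credential problem from the perimeter section shows up), a success following many failures, and a port sweep seen as firewall drops. The log format, the sample lines (using documentation IP ranges) and the thresholds are all assumptions made for this example.

```python
"""Spotting the "telltale signs" that precede a breach in log data.

Added example; not code from the article or from Tripwire. The log
format is a simplified, constructed syslog-style line, the sample lines
are invented (RFC 5737 documentation addresses), and the thresholds are
illustrative assumptions, not recommended values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>login_failed|login_ok|fw_drop)"
    r"(?: user=(?P<user>\S+))? src=(?P<src>\S+)(?: dport=(?P<dport>\d+))?$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def find_warning_signs(lines, fail_threshold=5, window=timedelta(minutes=10),
                       min_fails_before_ok=3, sweep_ports=10):
    """Return (src, kind, detail) findings, each source reported once per kind:
      brute-force  : >= fail_threshold failed logins from one source inside `window`
      fail-then-ok : a source logs in successfully after >= min_fails_before_ok failures
      port-sweep   : firewall drops from one source to >= sweep_ports distinct ports
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    fails = defaultdict(list)  # src -> timestamps of failed logins
    ports = defaultdict(set)   # src -> destination ports the firewall dropped
    findings, seen = [], set()

    def report(src, kind, detail):
        if (src, kind) not in seen:  # do not repeat a finding for every extra line
            seen.add((src, kind))
            findings.append((src, kind, detail))

    for e in events:
        src = e["src"]
        if e["event"] == "login_failed":
            fails[src].append(e["ts"])
            recent = [t for t in fails[src] if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                report(src, "brute-force",
                       f"{len(recent)} failed logins on {e['host']} within {window}")
        elif e["event"] == "login_ok":
            # One typo followed by success is normal; many failures then success is not
            if len(fails[src]) >= min_fails_before_ok:
                report(src, "fail-then-ok",
                       f"login as {e['user']} on {e['host']} after {len(fails[src])} failures")
        elif e["event"] == "fw_drop" and e["dport"] is not None:
            ports[src].add(e["dport"])
            if len(ports[src]) >= sweep_ports:
                report(src, "port-sweep", f"{len(ports[src])} distinct ports probed")
    return findings


# Constructed sample: a port sweep, five failed admin logins on the router followed
# by a success, one harmless user typo, and a junk line that must not crash the parser.
SAMPLE_LOG = [
    f"2013-11-12T02:00:{i:02d} fw01 fw_drop src=198.51.100.7 dport={p}"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080], start=1)
] + [
    f"2013-11-12T02:{14 + i // 2}:{(i % 2) * 30:02d} rtr01 login_failed user=admin src=203.0.113.45"
    for i in range(5)
] + [
    "2013-11-12T02:19:30 rtr01 login_ok user=admin src=203.0.113.45",
    "2013-11-12T09:05:11 srv01 login_failed user=jill src=10.0.0.12",
    "2013-11-12T09:05:40 srv01 login_ok user=jill src=10.0.0.12",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for src, kind, detail in find_warning_signs(SAMPLE_LOG):
        print(f"{src:15} {kind:13} {detail}")
```

Run against the sample, the sweep and the router brute force are each reported once, the admin login after five failures is reported separately, and Jill’s single mistyped password is ignored; that last case is why the “fail-then-ok” rule has its own minimum rather than firing on any failure.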
I’d like to leave you with a few brief tips to help ensure you’re giving it your all when it comes to protecting your customers’ data.
- Find your weakest link. Whether it’s the lack of a security policy, a security team or written procedures, or untrained staff, find your weakest link and take steps to remedy it.
- Defend your perimeter. Make sure your router is secure and the firewall is enabled and keeping a log. Have someone periodically review the log for signs of trouble.
- Don’t dismiss the obvious. As with the default username and password in the router, don’t assume the basic security procedures are being followed or maintained. Have a system of checks and balances in place to make sure the most ridiculous, basic security procedures are being met.
- Protect your sensitive data. Only those on a need-to-know basis should have access to sensitive customer data. Develop a ‘least access’ mindset.
- Mind the logs. Set up, maintain and regularly review logs, from the raw server logs through the firewall and operating system logs. Anything out of the ordinary needs to be looked at closely.
Remember, security is a process, not a destination and your customers are counting on you to give it your all in protecting the information they’ve entrusted you with. Don’t make them regret doing business with you.
About the Author: Debbie Mahler (@DebbieMahler) is the CEO of Internet Tech Specialists. She’s an online instructor for Ed2go, a division of Cengage Learning and a global education provider. She teaches Introductory and Advanced PC Security courses for all English-speaking colleges and universities.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.