Data Security: Be Proactive in a Reactive World
Security must be a proactive effort instead of a reactive one.
By Ryan Nichols ,
Security. Data security. Millions of words written, and we hear of data losses seemingly every week. According to Wikipedia’s page on data breaches (bit. ly/2I4T3Iy), the majority are hacked or due to poor security.
Security must be a proactive effort instead of a reactive one. That means, we need to enhance our security measures before a problem occurs. Often, in today’s profit-squeezed businesses, security teams are challenged selling security fortification to the financial executives who approve the expense. Security rarely solves a current, visible problem. Perhaps, the resistance comes from operations, where enhancing security can complicate existing processes. After all, nobody likes change, particularly when the justification is often intangible.
The approach to security is different from hiring staff or purchasing hardware. If we handle credit cards, it is even more imperative to be ahead of the game. As technologies evolve, so do the malicious strategies and efforts of the bad actors.
SISA, a payment security specialist organization, conducted 30 major payment card industry (PCI) forensic investigations for compromised entities in 2018.
The top three findings from these investigations are:
1. Data compromises continue to happen without notice. Only one in 30 investigations had the victim initiate the forensic investigation proactively. This indicates that detection mechanisms are not working.
2. Compromised organizations did not have control over the storage of data. This means that your scrutiny of the third parties to whom you trust data is critical. For credit card handling, the highest security validation of the PCI Security Standards Council is “Service Provider Level 1.”
3. Organizations are not identifying a complete set of risks that impact their cardholder environment.
As the SISA CEO wrote, “I urge our customers to address the above three findings and draw up an action plan for the same.”
Many companies rely on multiple layers of protection. If one layer is breached, the next still protects. And each layer must have the ability to alert when its protection is violated. And each company must have the resources assigned to monitor those alerts so action can be taken quickly to minimize impact and identify the method and possibly the actors.
As our business livelihoods rely on data security, we need to allocate the necessary resources to stay ahead of the bad actors.
The bad actors are out there. Only good actors with tools and monitoring can stop them. Be a good actor.
Ryan Nichols, Curbstone’s operations manager, is certified by the Payment Card Industry as a Qualified Integrator, qualifying him to assist in secure implementations of our payment technology. Ryan manages Curbstone’s hardware infrastructure, network fabric and oversees security audits.
About Curbstone Corporation
Curbstone has reduced the cost, complexity, vulnerability and fragmentation of credit card processing for order entry applications based on IBM i. Learn more about our solutions →