By Todd Feinman, CEO of Identity Finder
- It's 10:00. Do you know where your data is?
Like good parenting, good IT security requires constant vigilance. Sensitive data tends to wander out of secure systems every time an employee accesses it: a spreadsheet export here, an email attachment there. Regularly scan the hard drives of every device on your network with data-at-rest data loss prevention (DLP) software to build a detailed data inventory of where regulated information (card numbers, Social Security numbers, health records) actually lives. An up-to-date inventory supports compliance with several regulations and, if a breach ever occurs, lets you answer "what was on that machine?" quickly and precisely instead of guessing.
- Backups are essential, but expand your security perimeter
Anyone who has ever lost data to a system crash knows the importance of backing up vital corporate information. But beware what you store, and for how long. Wholesale daily backups may inadvertently put you out of compliance if they capture credit card or other sensitive information that your policy (or, for cardholder data, PCI DSS) says you should no longer be retaining. Treat each backup with the same level of security as your live data, and remember that every backup copy expands your security perimeter: an attacker who can read the backup does not need to touch the production system. Periodically scan backups for sensitive information and purge the old copies you no longer need.
- What's on that old hard drive, anyway?
A major source of corporate breaches is old, forgotten information. Sometimes forgotten servers holding sensitive information are accidentally connected to the internet; unsanitized hard drives end up on eBay; old email attachments sit like landmines on backup drives. Take the time to scan old hard drives and every network device to determine which ones contain sensitive information. You'll be glad you did, and surprised at what you find.
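The three tips above (inventory your live systems, scan your backups, scan old drives) all come down to the same scan: walk a filesystem, look for data that matches sensitive-data patterns, and reduce false positives before reporting. The following is an added example written for this page; it is not code from Identity Finder or from the author. It uses Python's standard library only, builds a constructed sample directory (the file names and the card and SSN values are made-up test values, not real records), and validates candidate card numbers with the Luhn mod-10 check so that a random 16-digit ticket number is not reported as a card. A commercial data-at-rest DLP product does far more (parses PDFs, Office documents and mail stores, inspects free disk space for deleted data, and weighs nearby keywords), but the core logic is what you see here.

```python
import re
import tempfile
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
# The lookarounds stop the pattern from matching a slice of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security numbers in the common NNN-NN-NNNN layout.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes, ~90% of random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report only the last four digits so the inventory itself is not a new leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> dict:
    """Return masked PAN and SSN findings for one chunk of text."""
    findings = {"pan": [], "ssn": []}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings["pan"].append(mask(digits))
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(mask(m.group().replace("-", "")))
    return findings


def scan_tree(root: Path, max_bytes: int = 10_000_000) -> list:
    """Walk a directory tree and return one inventory record per file with findings."""
    results = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            # errors="ignore" lets the scan pass over binary files; a real DLP
            # product would parse document and archive formats instead.
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        found = scan_text(text)
        if found["pan"] or found["ssn"]:
            results.append({"path": str(path.relative_to(root)), **found})
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (made-up test values) so the scan runs offline."""
    (root / "backups" / "2019").mkdir(parents=True)
    (root / "backups" / "2019" / "orders.csv").write_text(
        "order,card\n1001,4111 1111 1111 1111\n1002,5500-0000-0000-0004\n"
    )
    (root / "hr").mkdir()
    (root / "hr" / "onboarding.txt").write_text("New hire SSN: 078-05-1120\n")
    # Looks like a card number but fails Luhn; a phone number is too short to match.
    (root / "notes.txt").write_text(
        "Ticket 4111111111111112 is not a card number. Call 555-123-4567.\n"
    )


def run_demo() -> list:
    """Build the sample tree in a temp directory and return the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["path"], "PAN:", hit["pan"], "SSN:", hit["ssn"])
```

Run it against a mounted backup image or an old drive (`scan_tree(Path("/mnt/old-drive"))`) and the result is the per-file inventory the first tip asks for. Note what the Luhn filter buys you: `notes.txt` is absent from the output even though it contains a plausible-looking 16-digit number, which is the difference between an inventory people act on and one they learn to ignore.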
- Destroy old hard drives
When retiring a computer, never donate, recycle, or sell it without removing and physically destroying the hard drive. If you must leave the drive intact, use scanning and shredding software to permanently erase critical data, including files that were already "deleted" but are still recoverable from unallocated space. Be aware that overwriting is only reliable on magnetic disks; on SSDs, wear levelling can leave copies of old blocks that an overwrite never touches, so use the drive's built-in secure-erase command or, better, encrypt the drive from day one and destroy the key when you retire it.
- Segment your networks
Firewalls in buildings don't prevent fires, but they do limit the damage when a fire happens. Likewise, proper network segmentation and network firewalls reduce the scope, cost, and difficulty of a PCI DSS assessment, and the potential liability that comes with guarding sensitive personal information. By segmenting users from each other as well as from network assets, you limit how far malware, or an attacker who has compromised one machine, can spread. Treat employee computers as untrusted devices whenever practicable.
- “Trust but verify”
Even small retailers may have multiple locations. Although each location may be required to install standard point-of-sale equipment and adhere to the corporate security policy, not every location will strictly follow it. You have to trust your branch managers, but it is just as vital to verify, by scanning their networks, that they are not storing sensitive information in violation of corporate policy.
- Encryption is key, but not a silver bullet
Encrypt. Seriously, encrypt. Disk and database encryption protect information while it is stored, ensuring it can't be read except by someone who holds the key. Several states' laws now require encryption of sensitive information both in motion and at rest. But although data-at-rest encryption is fundamental to any data loss prevention strategy, it only protects a drive that is powered off or a volume that is not mounted. Once the system is running and the key has been loaded, the operating system decrypts data transparently for any user or process with access, so an employee or a malicious outsider who gets onto the live machine can still read and export the information.
- Don't forget physical security
Hacking, malware, social engineering and other threats tend to grab headlines, but don't forget to secure your computers with physical locks, or to store them in a secure facility. A stolen laptop or server is a data breach no matter how well the network was defended.
- Lock your computer when you walk away
Train employees not to leave desktops or laptops unattended. If they must step away, they should have the habit of logging off or locking the computer to prevent unauthorized access, and an idle-timeout policy should lock it for them if they forget. Use strong passwords, meaning long ones rather than short ones padded with a number and a punctuation mark, and never share them or keep them in easily accessible places such as a note under the keyboard.
Todd Feinman is CEO of Identity Finder.