17.11.2016

virna17janmar

to employees. Second, it’s possible to protect the rest of the network from compromised desktops and laptops by segmenting the network and implementing strong authentication between user networks and anything of importance.

According to Mortakis, this is the principle of least privilege. No users should be assigned administrative access unless absolutely needed. “If someone isn’t in human resources, they shouldn’t have access to HR files,” he explains. “In addition, there should be controls in place to alert you when an employee tries to access files they shouldn’t.”
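The alerting control Mortakis describes, as an added example that is not from the article: a small detector that checks constructed file-server access logs against a department-to-share policy (the policy, log format, shares and user names are all constructed assumptions) and raises an alert for each access the policy denies, normalising paths first so a `..` segment cannot slip past the rule.

```python
import posixpath

# Added example, not from the article. Constructed policy: which
# departments may use each share; "it" may administer everything.
POLICY = {
    "/shares/hr": {"hr"},
    "/shares/finance": {"finance"},
    "/shares/public": {"hr", "finance", "sales", "it"},
}
ADMIN_DEPARTMENTS = {"it"}

# Constructed file-server access log: timestamp|user|department|action|path
SAMPLE_LOG = """\
2016-11-17T09:01:02|alice|hr|READ|/shares/hr/salaries.xlsx
2016-11-17T09:03:15|bob|sales|READ|/shares/hr/salaries.xlsx
2016-11-17T09:04:40|carol|finance|READ|/shares/public/../hr/reviews.docx
2016-11-17T09:05:01|dave|it|WRITE|/shares/finance/ledger.csv
2016-11-17T09:06:22|erin|sales|READ|/shares/public/calendar.pdf
2016-11-17T09:07:30|bob|sales|READ|/shares/legal/contracts/msa.pdf
"""

def share_for(path):
    """Return the policy share governing path. The path is normalised
    first so '..' segments cannot dodge the prefix match."""
    clean = posixpath.normpath(path)
    for share in POLICY:
        if clean == share or clean.startswith(share + "/"):
            return share
    return None  # unlisted location: deny by default

def is_permitted(department, path):
    if department in ADMIN_DEPARTMENTS:
        return True
    share = share_for(path)
    return share is not None and department in POLICY[share]

def detect_violations(log_text):
    """Parse the log and return one alert per access the policy denies."""
    alerts = []
    for line in log_text.splitlines():
        ts, user, dept, action, path = line.split("|", 4)
        if not is_permitted(dept, path):
            alerts.append({"time": ts, "user": user, "department": dept,
                           "action": action, "path": posixpath.normpath(path)})
    return alerts

if __name__ == "__main__":
    for alert in detect_violations(SAMPLE_LOG):
        print("ALERT", alert)
```

On the sample log this raises three alerts: a sales user reading an HR file, a finance user reaching the HR share through a `..` path, and a read from a share the policy never lists.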

Another issue that comes with employees is that they want to use their own devices to access data. “There isn’t a complete solution to this issue,” Mortakis says. But there are some steps that can reduce the risk. “With data logging, you know when something has been downloaded, and remote-access controls can stop them from being able to download specific types of files.”

Another area of concern is vendors, contractors, and other partners who use or have access to your company’s data. “Vendors entrusted with critical data need to have secure storage facilities with access controls, corporate security policies and testing, and certification, such as a Service Organization Controls (SOC) audit,” Moody says. “You need to ask probing questions and have written agreements on standards that are to be maintained.”

IT Solutions

Of course, there are steps best left to the professionals, beginning with automatically applying critical security patches (pieces of software designed to remedy vulnerabilities that have been identified in software) or updates to all systems and applications by investing in a patch-management solution. Patch management is a strategy used to determine what patches should be applied to which applications and when. Many vulnerabilities are remediated by simply applying the latest patches to existing systems.

In addition, you must regularly back up data and verify the integrity of those backups. “Backups are critical in ransomware incidents; if you are infected, backups may be the best — or only — way to recover your critical data,” Mortakis explains. “The backups must also be secure and not connected to the computers and networks they are backing up.” Examples might include securing backups in the cloud, or physically storing them offline.
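Verifying backup integrity as described above, as an added example that is not from the article: at backup time each file’s SHA-256 digest is recorded in a manifest kept apart from the data, and a later run recomputes the digests to report modified, missing and unexpected files (the directory layout, file names and contents are constructed).

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example, not from the article. At backup time every file's SHA-256
# digest goes into a manifest kept apart from the data; a later run recomputes
# the digests and reports what changed, so damage is found before recovery.
def sha256_of(path, chunk_size=1 << 16):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root, manifest):
    """Return 'modified', 'missing' and 'unexpected' file lists; all
    three empty means the backup matches the manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }

def demo():
    """Constructed scenario: take a backup, then corrupt one file, delete
    another and add a stray one before verifying against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers ...\n")
        (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders ...\n")
        (root / "notes.txt").write_bytes(b"backup taken 2016-11-17\n")
        manifest_path = Path(tmp) / "manifest.json"  # kept apart from the data
        manifest_path.write_text(json.dumps(build_manifest(root)))
        (root / "db" / "customers.sql").write_bytes(b"garbage")  # corrupted
        (root / "db" / "orders.sql").unlink()                    # lost
        (root / "extra.bin").write_bytes(b"\x00" * 16)           # unexpected
        return verify_backup(root, json.loads(manifest_path.read_text()))

if __name__ == "__main__":
    print(demo())
```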

With more data being stored in cloud environments and employees accessing that data from their own devices, consider implementing two-factor authentication, Moody says. With two-factor authentication, employees and other users are required to have not only a password and user name, but also something that only they have, such as a physical token. For example, if you have tried to log in to your bank account from a new computer, your bank may have texted you a code to enter before granting you access to your account information.

To reduce risk, don’t keep sensitive information if you don’t need it, advises Mortakis. “Put in place a well-defined retention policy that limits the amount of time that sensitive data is stored.”

An important step to ensure that data is secure is to test your system. Penetration testing, ethical hacking, and vulnerability assessments are useful tools for identifying hidden network and host vulnerabilities. “At ILG, we have our own team, and we also have a third party on demand,” Mortakis says. “I recommend performing all types — web and network layers, internal and external networks — of penetration testing at least annually. We perform twice-a-year penetration testing, quarterly internal network-vulnerability assessments, and monthly external network-vulnerability assessments. And that doesn’t count any additional testing we undergo for compliance purposes, such as PCI scans.”

Where Credit Goes Through

Because so many data breaches have targeted payment-card information, that’s an area of particular concern. “Developers should only work with a payment-card processor that has achieved the Payment Card Industry Security Standards Council’s highest level of certification: PCI Certification Level 1,” Moody says. “This certification provides them with reassurance that the processor can accept, process, store, and transmit credit-card information on their behalf in a secure environment.”

In addition, if a company accepts credit cards at — for example — resorts, sales centers, and retail environments, it should have upgraded to EMV chip readers for credit cards by now. “As of October 2014, if a merchant doesn’t have EMV in place, they’re automatically deemed responsible for any breaches that occur,” Moody says. “If you’re still swiping, it’s way past time to adopt this technology, which has far superior security.”

Judy Kenninger, RRP, heads Kenninger Communications and has been covering the shared ownership and vacation real estate industries for nearly two decades.

Resources

At AIFEducates.com, you can watch ARDA International Foundation’s Learning Center webinar on Consumer Financial Protection Bureau requirements, Risk Management Strategies: The Need for a Robust Compliance Management Program.

Open Web Application Security Project is a worldwide not-for-profit charitable organization focused on improving the security of software. Similar to Wikipedia, it’s a community that shares information regarding best practices in software security and application tools.
owasp.org

The Payment Card Industry (PCI) Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account-data protection.
pcisecuritystandards.org

Verizon’s 2016 Data Breach Investigations Report examines more than 100,000 incidents, including 2,260 confirmed data breaches across 82 countries. With data provided by 67 contributors, including security-service providers, law enforcement, and government agencies, the report offers insight into cybersecurity threats.
verizonenterprise.com/verizon-insights-lab/dbir/2016

The Visa Global Registry of Service Providers lists providers that adhere to strict security standards and are in compliance with PCI regulations. Visa recommends, “Clients and merchants should reference the site regularly as part of their due-diligence process and should only use service providers that are listed on the registry for outsourcing their payment-related services.”
visa.com/splisting
