Laura Haight writes the Digital Maven column published in the Upstate Business Journal in Greenville, SC. This column was originally published in UBJ on Nov. 9, 2012.
By Laura Haight
South Carolina taxpayers and businesses are facing a lifetime of vigilance to protect themselves and their clients following the major data breach of the state Department of Revenue.
Although the state has provided a year of monitoring protection for individuals and other business-specific services for companies via Dun & Bradstreet, the responsibility for monitoring your credit, your identity and - for small businesses - your clients’ sensitive information will fall squarely on your shoulders.
Cyberattacks and cyberterrorism are a huge risk for businesses and government. A 2012 survey by Deloitte and the National Association of State Chief Information Officers (NASCIO) found that 92 percent of state CIOs feel that cybersecurity is critical to their state, but only 24 percent are confident that they can protect against external threats. Part of the reason for that low-level of confidence is that only 14 percent say that they get the appropriate commitment and funding.
So here are five areas that your business - no matter how big or small - should be addressing right now.
1. Authenticated Users. Access to the state’s database came because the hacker had stolen credentials of an authenticated state employee. Your users are the last line of defense. Users will complain bitterly about the intrusive demands of IT, but those demands are a critical part of your protection. If you are big enough to have an authentication server - such as Microsoft Exchange - either onsite or via an online service, you can implement a requirement that users must have strong passwords, and that those passwords be changed frequently - every 30 days is not extreme in today’s environment.
A strong password should be at least 8 characters, make no English-language word and contain numbers, letters in both upper and lower case.
It appears that the first breach of the state database was back in August; had the state enforced this very basic requirement of changing passwords every 30 days, the hack wouldn’t have been prevented, but it would have been curtailed two months sooner.
2. Division of responsibility. Once the credentials were stolen, the hackers had the keys to the kingdom because the user had access to everything. Divide access and responsibility as much as you can. If your business is small and one person does everything and that can’t be helped, then enforce even more frequent password changes and consider having an independent consultant come in and review your operations at least once a year.
3. Encrypt sensitive data. There are many layers of encryption that you can consider. Does your company take credit cards? If so, make sure the credit card information is maintained on your merchant gateway account NOT your computers. Credit card companies and those that provide merchant accounts are subject to PCI compliance that requires that a credit card number be encrypted, that only the last four digits are visible and that the entire card number never resides in the same database in an unencrypted state. Unless you are a health provider, you should have no reason to have your clients’ Social Security number, so don’t ask for it. Why burden yourself with the responsibility of protecting it?
Do not ever send or receive unencrypted credit card numbers via email. Even the smallest business can purchase PGP - a public key encryption program - that will protect files like spreadsheets or documents with a dual key encryption. If you have to send files over email use a program like this to encrypt it on both sides and, of course, never send the encryption key in the same email with the file itself.
4. Maintain your hardware and software. The state’s servers and network infrastructure have been reported to be several generations old, but upgraded. While you can add storage and RAM to older hardware, you cannot add processing speed and the disk access capabilities required of new software. You certainly don’t have to buy new servers every time a new Windows Server version comes out, but if you are running 10-year-old servers it is probably time to upgrade. As new software is written to combat the threats to your databases and systems, it often must run on newer, faster hardware and operating systems. If your systems aren’t capable, you may be stuck with less effective software.
5. Test and Verify. No doubt, this is the most often overlooked step in any plan. The only way to be sure the steps you put in place are working is to test them, to make sure they are actually being done, to ask questions, and review security reports on a monthly basis as part of your regular close procedures. If you think that’s unnecessary, ask yourself if you are certain that the last person who left your employ - whether you let them go or they resigned - still has an account on your system.