Data Security in a Post-Target World

Author: Anonym/Thursday, January 23, 2014/Categories: Business Security Services

Asked why he robbed banks, Willie “The Actor” Sutton is reputed to have said “Because that’s where the money is.” The same logic may explain why hackers went after heavily protected customer data at Target: big challenge, big prize! In retrospect, Target’s logo now seems to have been the bull's-eye thieves went after looking for a monumental payday, but you don’t have to have tens of millions of customers’ credit cards and personal data to become the next “target.” Here at Consolidated Communications we see lots of customers, both large and small, who face the same kind of risk. The asset can be company data, customer data, protected medical information, or third-party information of all kinds. And the attack can occur via an in-house computer, the network, an unencrypted laptop, a phone or tablet, or even a customer device. We’ve seen attackers talk employees into giving out sensitive passwords, and we’ve seen a penetration tester who showed up dressed as a power company representative get escorted into the computer room and walk out with one of the company’s servers. Data security has never been more important than it is now, nor has it ever been harder to maintain. When your data storage is provided by Enventis, we work tirelessly to secure your data and prevent any telecommunication mishaps.

John Harmon is a sales consultant with FRSecure, a Waconia, MN-based security company that works with Consolidated Communications customers. “It’s always a challenge to know how much effort and resources to put into security,” says Harmon, “so it’s easy to understand why many companies use regulatory compliance as their standard, but that may not be the right answer. A company like Target was almost certainly compliant with every pertinent regulation, but in their case it wasn’t enough.” 

Using a third-party processor for credit cards can also give a false sense of security no matter how secure the processor’s operation is. Information can be compromised at any step of the process. For example, in the U.S. we typically hand our cards to the server in a restaurant and receive back a slip to sign. In Europe it’s more common for the server to bring a card reader to the table, where the diner swipes the card without ever giving up possession.

The problem for IT departments, according to Harmon, is that they have to make information readily available to those who need it, both within and outside the organization. Security is the antithesis of availability, so balancing the two becomes a challenge. And since IT departments get saddled with a lot of responsibilities, if security seems to be working their attention goes elsewhere. The problem is that security always works until it doesn’t.

Harmon recommends that companies implement a security plan and then review it on a regular schedule. “It could be monthly or quarterly,” he says, “but the threats keep changing, so if you aren’t reviewing your plan regularly it could be a sign that you need help. You need to look at all openings through which your data can be attacked. If you are a defense contractor or healthcare provider and you keep sensitive data on laptops, those laptops are required to be encrypted. If you start allowing employees to use their own devices to access data you need to incorporate those into your plan. And we strongly recommend that you not simply use compliance as your standard. Regulations are aimed at preventing ‘last year’s’ problems, and as soon as compliant organizations start getting hit, the regulations are likely to change. If you’re going to have to step up to new regulations anyway, it just makes sense to anticipate them and be protected. It’s like the two guys being chased by a bear. One of them says to the other 'It’s no use; we can’t outrun a bear,' and the other one replies 'I don’t have to outrun the bear; I just have to outrun you.' Similarly, your security doesn’t have to be perfect. It just has to be good enough to make thieves look for an easier target.”

There are no black-and-white answers. Everything has costs and benefits and you have to make business decisions that are right for you and your organization. Your organization may be well equipped to evaluate your risks, define a response that fits your needs and budget, and manage your response, in which case the recent events at Target may be the motivation you need to update your plans. If not, there are outside resources with the expertise to help you create, update or implement your plan. 

We’d welcome the opportunity to tell you more and discuss specifically what we could do for you and your organization.

Chris Bloomquist
Director of Engineering and Operations
Enventis
