Sometimes, it’s what you don’t do that can get you into trouble.
SecurityMetrics, which helps companies achieve compliance with the Payment Card Industry Data Security Standard, conducted a forensic examination of the ecommerce environments of organizations that suspected a payment card data compromise.
They found that despite the increased awareness of data breaches at well-known companies, insecure remote access remains the largest single origin of compromise.
This intrusion technique was used in more than 39% of last year’s investigated breaches, SecurityMetrics said.
Hackers will likely continue to use that method because it works.
Even companies that take steps to protect their data are often vulnerable because they don’t follow through.
Here are SecurityMetrics' Top 10 actions that will help keep the bad guys out of a company’s data:
1. Protect your system with firewalls. Among companies that suspected a breach last year, 52% said their systems did not have this protection; only 30% did.
2.Use adequate configuration standards. Default passwords that come from manufacturers are left in place by 55% of hacked companies. Passwords are a pain point, but data breaches cause greater pain.
3. Secure cardholder data by keeping the system clean of insecurely stored card data. A shocking 82% of companies investigated don’t do this. Unencrypted payment card data has a way of creeping in where you least expect it. But hackers can’t hack what isn’t there.
4. Secure data over open and public networks. SSL was the internet security standard for encrypting the link between a website and a browser to enable transmission of sensitive information. It is being replaced by TLS (Transport Layer Security). Having SSL encryption or an early version or TLS is very risky to security since they have many exploitable vulnerabilities. Replace them as soon as possible.
5. Protect systems with antivirus and antimalware software. Everyone knows this, but 61% of investigated companies don’t do it.
6. Update systems and patches. Application developers aren’t perfect, which is why we need updates to patch security holes. Once a hacker knows he can get through a security hole, he passes that knowledge on to his friends. Nearly half of companies keep the door open for them.
7. Restrict access to cardholder data and systems. Companies are required to have a role-based access control system, which grants access to card data and systems to individuals and groups on a need-to-know basis, but 85% don’t comply.
8. Use unique ID credentials. Weak passwords and user names are easily broken using a password-cracking tool. It’s best to make them long and complex.
9. Ensure physical security. You’d think this was a no-brainer, but a pathetic 94% of the investigated companies took no steps to protect their assets. Most data thefts occur in the middle of the day, when staff is too busy to notice someone walking out of the office with a server, company laptop or phone.
10. Implement logging and log monitoring. System event logs record actions taken on computer systems like firewalls, office computers and printers. They can alert a company to suspicious activity, but only if they are monitored. Logs should be reviewed daily.
These actions aren’t just recommendations; they are among the steps that companies are required to take in order to achieve PCI-DSS compliance.
SecurityMetrics was selected by Travelport to support its online PCI-DSS certification referral program.
At the request of IATA, Travelport has made the program available to all IATA agencies.