Whether it’s their credit card information, home address or Social Security number, your customers entrust you with their personal information every day. Learn what you can do to ensure that information is protected.
By Kate Hand and Tara Remiasz
Conduct a Security Review
Randy Marchany, director of the Virginia Tech IT Security Laboratory, a component of the school’s IT security office, is doing his best to ensure that Virginia Tech doesn’t fall prey to a security breach. “The executive VP of the university established funds for an IT security review program. We’re identifying departments on campus that have sensitive data and we go out and do a quick review of the IT assets and how they store data.
“We’re looking for password strength and the physical security of the computers. Are the laptops stored in locked offices? We’re making sure there is controlled access to wherever computers are, local computer security settings. Do you have a firewall, and if you do, is it configured correctly? If you’re running a Web-based application, making sure it doesn’t have vulnerabilities.”
If a department handles credit card transactions, Marchany’s group will do a Payment Card Industry (PCI) review to see if it conforms to the PCI security standards, he says. In doing this internal audit, they hope to catch anything before an external auditor conducts a review. With more than 180 departments on campus, it will take 18 months to complete the full audit, he says. Once that audit is complete, Marchany’s team will begin the process again.
For more information on data breaches, Marchany recommends visiting privacyrights.org, which offers information on data breaches that have happened to real companies and organizations. The site has information on data breaches ranging from educational institutions to retailers to government agencies, he says.
Secure Your Systems
“Secure the path of least resistance,” Marchany says. The key is to use strong passwords that are also easy to remember. “I often suggest that you pick a phrase then pick a syllable or letter from each word and then throw in some special characters. So, if I had as a phrase ‘Use only a PCI compliant vendor,’ the string might be: UOAPCI3. You can also string your family members’ names together or a line from a song or a title of a book, or spell a word backwards. There’s the saying that if a bear is chasing both of us in the woods, I only have to run faster than you. It’s the same with passwords. You’d be surprised how many people just enter their names.”
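The phrase-based method Marchany describes above, worked through as an added example that is not code from the article or from Virginia Tech. It derives a mnemonic string from a phrase (acronyms such as PCI are kept whole) and then runs a simple policy check; the suffix, the length and character-class thresholds, and the symbol-pool size are assumptions, and the string it produces for the sample phrase is one possible output of the idea, not the article’s own “UOAPCI3”. The entropy figure is a naive upper bound that assumes random character choice, which a mnemonic is not.

```python
import math
import re
import string

# Added example (not the article's code). Thresholds and suffix are assumptions.


def mnemonic_from_phrase(phrase, suffix="!7"):
    """Keep the first letter of each word (acronyms such as PCI stay whole)
    and append a short suffix of symbols and digits."""
    parts = []
    for word in phrase.split():
        clean = word.strip(string.punctuation)
        if not clean:
            continue
        if len(clean) > 1 and clean.isupper():
            parts.append(clean)             # acronym: keep whole
        else:
            parts.append(clean[0].upper())  # first letter only
    return "".join(parts) + suffix


CLASS_PATTERNS = (
    (r"[a-z]", 26),
    (r"[A-Z]", 26),
    (r"[0-9]", 10),
    (r"[^A-Za-z0-9]", len(string.punctuation)),  # assumed symbol pool: 32
)


def character_classes(password):
    """Count which of lower, upper, digit, symbol appear (0-4)."""
    return sum(1 for pat, _ in CLASS_PATTERNS if re.search(pat, password))


def entropy_upper_bound_bits(password):
    """Naive estimate: length * log2(pool size). Upper bound only: it assumes
    every character was chosen at random, which a mnemonic is not."""
    pool = sum(size for pat, size in CLASS_PATTERNS if re.search(pat, password))
    return len(password) * math.log2(pool) if pool else 0.0


def rate_password(password, min_length=12, min_classes=3):
    """Policy check with assumed thresholds; returns a dict of findings."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    return {
        "length": len(password),
        "classes": character_classes(password),
        "entropy_bits": round(entropy_upper_bound_bits(password), 1),
        "acceptable": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    phrase = "Use only a PCI compliant vendor"
    for pw in ("UOAPCI3", mnemonic_from_phrase(phrase),
               mnemonic_from_phrase(phrase, suffix="!7-2024")):
        print(pw, rate_password(pw))
```

Run as a script, it rates the article’s sample string and two derived variants; the longer suffix is what pushes a short mnemonic over the assumed 12-character floor.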
Your last line of defense should be a firewall that is tailored for your business’s specific environment, Marchany says. It may take some guidance from an IT professional, but it is crucial to have this protective element up and running properly, he says.
It is also important to evaluate how employees handle sensitive customer information outside the office, says Cherie Mitchell, COO of LuciData, Inc., in Minneapolis. Oftentimes employees will e-mail work to themselves as an attachment or store it on a USB device so they can work from home, she says. You need to write a very specific set of rules to clarify which kinds of information must not leave the office, even on a laptop computer.
A starting point for your policies and procedures document can be found on many Web sites that offer templates for acceptable use policies, Mitchell says. As you create this document, Mitchell also advises that you consult with external counsel. Professional data security consultants can also act as a proactive “insurance policy” as you formulate your data security strategy, she says.
Know When to Use an IT Professional
Before deciding how and when to use an IT specialist, Marchany suggests that you ask yourself the following: What data are sensitive, and where are all of those data stored? Examples of sensitive data include credit card information, customer or employee Social Security numbers and employee medical information. “The trick is to find where it’s being stored and then you either get the training to protect it yourself or you contract with an auditing firm,” he says.
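The discovery step Marchany describes, finding where the sensitive data actually sits, as an added example that is not the article’s or Virginia Tech’s code. It scans text for the two data types the paragraph names: card numbers (13 to 19 digits, validated with the Luhn check so that ordinary order numbers are not flagged) and numbers laid out like a US Social Security number. The sample files are constructed in memory; scan_directory() applies the same logic to a real folder. Findings are masked to the last four characters so the report itself does not become another copy of the data. The SSN pattern is a layout match only and can produce false positives.

```python
import os
import re

# Added example (not the article's code). Sample data below is constructed.

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout; may false-positive


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (kind, masked_value) tuples for each hit in a block of text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def scan_files(files):
    """files: mapping path -> text. Returns only the paths that had findings."""
    report = {}
    for path, text in files.items():
        found = scan_text(text)
        if found:
            report[path] = found
    return report


def scan_directory(root, max_bytes=1_000_000):
    """Walk a real directory tree and scan each readable file (first max_bytes)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read(max_bytes)
            except OSError:
                continue                # unreadable file: skip, keep scanning
    return scan_files(files)


SAMPLE_FILES = {  # constructed sample data, not real records
    "invoices/2023-04.txt": "Customer paid with card 4111 1111 1111 1111, exp 04/26.",
    "hr/benefits.csv": "name,ssn\nJane Doe,123-45-6789\n",
    "notes/readme.txt": "Order #1234567890123456 is an order id, not a card number.",
}

if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        print(path, found)
```

The readme line is deliberately a 16-digit run that fails the Luhn check, which is why it does not appear in the report; a scan that only matched digit counts would flag it.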
“I prefer the ‘training yourself’ method, because an auditor won’t know the nature of your business or the real ins and outs and the political infrastructure,” Marchany says. “There are politics even if it’s a two-person shop. Then, if there’s a problem, you’re the triage. You can call in your IT guys, but you still have to act while the IT guy gets to the problem.”
Perhaps one of the most important things to remember is that data security is more about common sense than it is about being tech savvy. “Everybody thinks that because it’s on a computer you have to do something really different in the routine. But let’s jump back 25 years, when physical folders with forms were kept in a locked cabinet. Only two people had keys to the cabinet, and there were backup copies in a security deposit box somewhere,” Marchany says. “Nothing has changed in that procedure. Rather than keep information in a locked file cabinet, you encrypt those files. Rather than keep copies in a safety deposit box, you back up your drives in another location. Thinking of it that way, training people how to use the technology is pretty straightforward.”