Last week, I sat in on a webinar that the PCI Security Standards Council (PCI-SSC) presented to outline the training opportunities they offer to merchants, IT professionals, and auditors. During this event, they mentioned the top five mistakes that they’ve seen that can lead to security vulnerabilities. These resonated with us because of security breaches that we’ve seen over the last year or explanations we’ve given about overall compliance to ChargeLogic customers and Dynamics NAV users.
Here are the top five mistakes that they mentioned:
1. Lack of firewall maintenance
Hackers exploit vulnerabilities in your system. If your system is not kept up to date, if you don’t upgrade your systems, those holes will be found. Credit card numbers are a good payoff to those breaking into your network.
2. Lack of password management
We’ve all seen the articles listing the most common and least secure passwords. Merchants must have a policy ensuring the usage of strong passwords (in other words, no “password123”), rules for changing hardware and software default passwords, and for restricting access to only those who need it. See the PCI Security Standards Infographic.
3. Lack of employee education
Employees must be trained to use your system in a secure way. Using PA-DSS validated software is a good start, but educated users are a vital part of its strength. Look at secure software as a top-notch burglar alarm. It’s useless if no one turns on the alarm or leaves the back door open for their friends and whoever else decides to walk in.
4. Third party vulnerability
Merchants must look at their entire environment. Again, using validated software and firewalls are vital, but anything and anyone who is part of the system and has access must be considered as a potential vulnerability. Some reports of the Target data breach suggest that hacker access was gained through a vendor account that had improper system-wide access.
5. Slow response to vulnerabilities and incidents
Vulnerabilities must continually be assessed and merchants should have a plan in place to immediately address them. Home Depot was roundly criticized for its sluggish, and sometimes nonexistent, response to vulnerabilities pointed out by its employees well before the breach.
No one can promise that a system will never be breached, but it’s common sense to close the known holes and be able to focus energies on preventing or mitigating the unexpected. Locking your house and car doors might not ultimately prevent someone from breaking in, but leaving your door open will make you an easier, and more likely, target than someone who has taken steps to secure themselves.