On July 31, 2014, the U.S. Department of Homeland Security issued an advisory warning retailers about a family of malicious software attacking point-of-sale systems, dubbed "Backoff," that antivirus products at the time largely failed to detect. A string of high-profile data breaches at retailers such as Target and Neiman Marcus, restaurant chain P.F. Chang's China Bistro, and now The UPS Store has many businesses wondering whether their own networks are secure. Attackers around the world are probing systems for the one vulnerability that gives them access to a company's most valuable information, from card numbers and expiration dates to customer names, addresses and even Social Security numbers.
Whether the need is breach investigation and remediation or policy and procedure development, if your company accepts credit cards you should take a proactive approach to compliance in order to reduce the risk of a breach. That approach typically starts with a data security risk assessment.
WHAT SHOULD I EXPECT FROM A DATA SECURITY RISK ASSESSMENT?
An assessment typically begins with a vulnerability scan of your internal and external network environment, which identifies weaknesses in your systems. If vulnerabilities are found, a penetration test comes next. Where a scan only reports that a weakness exists, a penetration test attempts to exploit it, confirming which findings an attacker could actually use to compromise your data. Testers examine the software and devices within your environment, including web applications and databases, and look for signs of existing compromise such as adware, spyware or other malware. They also evaluate your security controls, including firewalls, anti-virus tools, patch levels, internal controls and remote access.
WHY SHOULD I INVEST IN A DATA SECURITY RISK ASSESSMENT?
- Any business that accepts credit cards is required under its merchant agreement to comply with the Payment Card Industry Data Security Standard (PCI DSS). How much is required depends on the number of card transactions processed each year. The lowest merchant level is Level 4, which covers the smallest merchants (for example, fewer than 20,000 e-commerce transactions a year). Even at that level you must complete a Self-Assessment Questionnaire (SAQ) and, for most SAQ types, pass a quarterly external vulnerability scan by an Approved Scanning Vendor (ASV). We have found that many companies are not meeting even these basic requirements.
- Data breaches cost organizations an average of $3.5 million last year.* Preventing a breach costs far less than responding to one.
- Penalties from the card brands can put a significant dent in a company's earnings, but they are nothing compared to the damage a data breach can do to your business and its reputation. If your security is compromised while you are out of compliance, you risk losing your merchant account, and with it the ability to accept credit cards at all.
WHAT SHOULD I DO?
It's important that trained professionals conduct the assessment and provide you with an executive summary of the most critical areas for improvement, plus a detailed report listing every vulnerability found. Choose a partner who will meet with you to walk through the findings and recommend specific remediation steps.
If you are interested in more information on how you can take a proactive approach in light of the recent network security breaches, contact your Warren Averett advisor.
* 2014 Cost of Data Breach Study: United States, IBM/Ponemon Institute.