Improving protection of customers' personal data

three security policies. There should be one for non-IT users that covers your company’s network usage policies, and one for IT staff that details their responsibilities for being trusted with all of the data and networking resources. File both of these policies with Human Resources. The third and most important security policy is really more of a standard operating procedure: a post-attack action plan that specifies what to do and whom to contact if a hack is discovered in your network. This should be a simple-to-follow document so that every step it describes is actually followed. Place this action plan in multiple locations where everyone can access it in hard-copy form, and make sure your IT staff has monthly refresher training on how to use it.

* Use a behavior-based desktop client: This is software your IT staff should install on all desktops. Signature-based detection is how we detected viruses and intrusions five years ago. It does not block zero-day viruses, because most signature-based solutions take 8 to 24 hours to update, giving hackers free access to unprotected networks for that amount of time. Because assaults on network systems typically go through stages, a solid client will recognize that a layered approach is the only effective strategy against these attacks, which can occur beyond the perimeter, at the server, or at the file level. A true client should proactively defend your desktops against damage throughout all stages of an attack, whereas other technologies provide only early-stage protection, and only once a signature is known.

* Hack yourself: A penetration test subjects a system to real-world attacks selected and conducted by security staff. The benefit of a penetration test is that it identifies the extent to which a system can be compromised before an actual determined attack occurs. Test results will either show you where you need to enhance your security or let you know that you can sleep better at night. Only a real penetration test can simulate what would happen if a determined hacker were to attack your organization. Make sure you use only reputable security consultants who can provide at least five recent references; anyone can run a Nessus scan and charge you a lot while providing little benefit. Have a red team test done as well. A red team test checks how far into your facility an attacker can physically get.

* Train, train, and train some more: Your IT staff should be fully and formally trained on all of the hardware and software solutions you use to combat threats to your data. Also train your end users. Give them plenty of practical examples and make sure they know to contact IT when in doubt.

Purser notes that of these five tips, only one requires software or hardware. Of course hardware is needed, but decision makers often put hardware in place and believe that solves the problem. The FBI says that hackers steal $67.2 billion worth of personal information every year, and the amount is only growing. With so much at stake, hackers will try to get some of it. “Hardware alone will never stop them. The remarkable thing is that rather than spend more money to defend against this problem, you can simply change tactics,” Purser concludes.