It’s that time of year again when the air turns a bit cooler, pumpkins start popping up in your supermarket and your annoying neighbor starts posting daily “Only XX Days ’til Christmas” updates. Yes, it is almost holiday shopping season, and if you’re lucky enough to be in retail at this time of year, this is your three-month-long Super Bowl.
I titled this blog “Don’t Be a Target” because, well, there are things you can do to make yourself less of a target to bad actors - although everyone else thought it was yet another dig at Target’s infamous breach. It wasn’t, to start with, but what does that say about the power of a breach when we’re still referencing it 4 years later? These events leave a mark on both your wallet and your reputation. There are, however, steps you can take to stay off any bad actor’s radar.
So let’s get down to it:
1. Patch known vulnerabilities – I can’t believe I even have to say this, but you have to stay up to date on patches. The last two major ransomware outbreaks exploited vulnerabilities that were publicly known and documented, and for which the vendor patch had already been available for months. A documented, unpatched vulnerability is the cheapest attack path an adversary has: the exploit is written, the target list is a scan away, and nothing stands in the way unless you stay on top of patching. Prioritize anything internet-facing and anything that handles cardholder data, and verify that the patch actually landed rather than assuming the deployment job succeeded.
2. Network device hygiene – If you have a device that connects to the internet, then it needs to be monitored and kept on current firmware and security patches. This doesn’t just go for your POS machines anymore. With the rise of the internet of things, there are more devices than ever, which means more ways than ever into your network. So, from barcode scanners to HVAC systems, if you have a device that can get on the internet, update and patch it. If a device is too old to patch, it needs to be replaced, and until it is, it should be isolated so that it can reach only what it strictly needs.
3. Know what’s on your network – Just as you should know whether all of your devices are up to date with their software, you should know every device that is connected to your network. This includes employee cell phones and other personal devices as well as any third-party contractors and their equipment. If a device from outside your organization is connecting to your network, you must ensure that it is still following your policies and best practices, and you should be able to tell the difference between a device you approved and one that simply showed up.
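Tips 2 and 3 boil down to one recurring comparison: what is actually on the wire versus what is in the approved inventory, and for the approved devices, whether they are patched or past end-of-life. The following added example (written for this post; it is not code from the original author or any product) does that reconciliation on constructed data: a Linux `arp -a` style neighbor dump standing in for what the store gateway sees, and a small inventory keyed by MAC address. The hostnames, addresses, MACs and dates are all made up for illustration.

```python
"""Reconcile observed devices against the approved asset inventory and flag
unknown, unpatched (stale) and end-of-life devices.  Constructed example."""
import re
from datetime import date

# Constructed neighbor dump in the format printed by `arp -a` on Linux.
# The "?" entry is a device with no DNS name: a typical sign of something
# nobody registered.
ARP_DUMP = """\
pos-01.store.example (10.20.1.11) at 00:1b:44:11:3a:b7 [ether] on eth1
pos-02.store.example (10.20.1.12) at 00:1b:44:11:3a:b8 [ether] on eth1
? (10.20.1.57) at 3c:52:82:aa:01:9f [ether] on eth1
hvac-ctl (10.30.0.20) at 00:50:c2:4e:77:10 [ether] on eth2
"""

# Constructed approved inventory, keyed by MAC because IPs change with DHCP.
INVENTORY = {
    "00:1b:44:11:3a:b7": {"name": "pos-01", "owner": "store ops",
                          "eol": False, "last_patched": date(2017, 9, 20)},
    "00:1b:44:11:3a:b8": {"name": "pos-02", "owner": "store ops",
                          "eol": False, "last_patched": date(2017, 6, 2)},
    "00:50:c2:4e:77:10": {"name": "hvac-ctl", "owner": "facilities",
                          "eol": True, "last_patched": date(2015, 3, 1)},
    "00:1b:44:11:3a:c0": {"name": "pos-03", "owner": "store ops",
                          "eol": False, "last_patched": date(2017, 9, 20)},
}

ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_arp(dump):
    """Return {mac: {"ip": ..., "host": ...}} for every parseable line."""
    seen = {}
    for line in dump.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            seen[m["mac"].lower()] = {"ip": m["ip"], "host": m["host"]}
    return seen


def reconcile(seen, inventory, today, max_patch_age_days=30):
    """Compare observed devices with the inventory.

    unknown: on the network but not in the inventory (investigate)
    eol:     approved but unpatchable (replace, isolate meanwhile)
    stale:   approved, patchable, but not patched within the window
    missing: in the inventory but not seen (offline, moved, or stolen)
    """
    findings = {"unknown": [], "eol": [], "stale": [], "missing": []}
    for mac, obs in seen.items():
        asset = inventory.get(mac)
        if asset is None:
            findings["unknown"].append((mac, obs["ip"]))
            continue
        if asset["eol"]:
            # An EOL device can never be "patched"; report it once, as EOL.
            findings["eol"].append(asset["name"])
        elif (today - asset["last_patched"]).days > max_patch_age_days:
            findings["stale"].append(asset["name"])
    for mac, asset in inventory.items():
        if mac not in seen:
            findings["missing"].append(asset["name"])
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(parse_arp(ARP_DUMP), INVENTORY,
                                 date(2017, 10, 2)).items():
        print(f"{kind}: {items}")
```

Run against a real neighbor table, the same routine works per VLAN, and the "missing" bucket is worth keeping: a POS terminal that vanishes from the network is as much a finding as one that appears out of nowhere.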
4. Constant monitoring – This subject is at least two-fold:
a. Network Device Traffic: I just spent the past two tips telling you about devices, but even if you know they are patched and you know they are following your defined policies, you still need to know who they are talking to. Make sure you are monitoring all traffic coming into and going out of your network so that you are alerted when any of your devices connects to a destination it has no business reaching. A POS terminal, for example, should talk to your payment gateway and your patch server and very little else; a connection from it to an unfamiliar address, or to another internal segment, is worth an alert regardless of how benign it looks.
b. Network Access: Simply stated, you need to know who is in your network and what they are accessing. By continuously and comprehensively watching these interactions you will be able to spot anyone accessing privileged information they shouldn’t be. You also need to know whether that person should have access in the first place. With a role-based access control solution, you can see who has access to what and can tell if there are any outliers - users holding permissions their role does not explain - that need to be addressed.
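Both halves of tip 4 are policy-versus-observation checks, so here is one added example (written for this post, not code from the original author or any product) that runs them over constructed data. Part (a) applies a per-segment egress allowlist to NetFlow-style records: the POS segment may reach only the payment gateway and the internal patch server, the HVAC segment only its management server. Part (b) checks an access log against a role model and reports users who hold grants outside their role. All addresses (TEST-NET ranges), roles, users and log lines are assumptions made up for the illustration.

```python
"""Egress allowlisting per segment (tip 4a) and RBAC outlier detection (tip 4b)
over constructed flow records and access-log entries."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport nbytes")

# (a) Constructed egress policy: segment -> (segment network, allowed {(net, port)}).
EGRESS_POLICY = {
    "pos": (ipaddress.ip_network("10.20.1.0/24"),
            {(ipaddress.ip_network("203.0.113.10/32"), 443),   # payment gateway
             (ipaddress.ip_network("10.10.0.5/32"), 8530)}),   # patch server
    "hvac": (ipaddress.ip_network("10.30.0.0/24"),
             {(ipaddress.ip_network("10.10.0.7/32"), 443)}),   # building mgmt
}

# Constructed flow records, as a collector would export them.
FLOWS = [
    Flow("10.20.1.11", "203.0.113.10", 443, 5120),        # POS -> gateway: fine
    Flow("10.20.1.11", "10.10.0.5", 8530, 900),           # POS -> patching: fine
    Flow("10.20.1.12", "198.51.100.77", 443, 2_400_000),  # POS -> unknown host, 2.4 MB out
    Flow("10.30.0.20", "10.20.1.11", 445, 300),           # HVAC -> POS over SMB
    Flow("10.10.0.5", "10.20.1.11", 8530, 600),           # server -> POS: not policed here
]


def segment_of(ip, policy):
    addr = ipaddress.ip_address(ip)
    for name, (net, _) in policy.items():
        if addr in net:
            return name
    return None


def flow_violations(flows, policy=EGRESS_POLICY):
    """Every flow from a policed segment to a destination/port not on its allowlist."""
    alerts = []
    for f in flows:
        seg = segment_of(f.src, policy)
        if seg is None:
            continue  # source is not in a policed segment
        dst = ipaddress.ip_address(f.dst)
        if not any(dst in net and f.dport == port for net, port in policy[seg][1]):
            alerts.append((seg, f.src, f.dst, f.dport, f.nbytes))
    return alerts


# (b) Constructed role model, user assignments and out-of-role direct grants.
ROLE_PERMS = {
    "cashier": {"pos:sale", "pos:refund"},
    "store_manager": {"pos:sale", "pos:refund", "reports:store"},
    "dba": {"db:cardholder"},
}
USER_ROLES = {"alice": "cashier", "bob": "store_manager",
              "carol": "dba", "dave": "cashier"}
DIRECT_GRANTS = {"dave": {"db:cardholder"}}  # granted by hand, outside any role

ACCESS_LOG = [
    ("alice", "pos:sale"),
    ("alice", "reports:store"),   # cashier reading store reports: not authorized
    ("carol", "db:cardholder"),
    ("dave", "db:cardholder"),    # succeeds, but only because of an ad-hoc grant
]


def role_perms(user):
    return ROLE_PERMS.get(USER_ROLES.get(user), set())


def effective_perms(user):
    return role_perms(user) | DIRECT_GRANTS.get(user, set())


def access_violations(log):
    """Log entries where the user holds no permission at all for the resource."""
    return [(u, p) for u, p in log if p not in effective_perms(u)]


def grant_outliers(direct_grants=DIRECT_GRANTS):
    """Users holding permissions their role does not grant: review or revoke."""
    outliers = {}
    for user, grants in direct_grants.items():
        extra = grants - role_perms(user)
        if extra:
            outliers[user] = extra
    return outliers


if __name__ == "__main__":
    print("egress alerts:", flow_violations(FLOWS))
    print("access violations:", access_violations(ACCESS_LOG))
    print("grant outliers:", grant_outliers())
```

The two findings that matter most in the constructed data are the ones a simple "is this user allowed?" check would miss: the POS terminal that pushed 2.4 MB to an address outside the policy, and dave, whose cardholder-database access is technically authorized but only through a grant nobody's role model explains.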
5. Segment your most sensitive data – Our CISO has actually talked about this in blogs before, but open, flat networks allow for too much pivoting throughout your network and easier access to your privileged data. Instead, segment your network so that the systems holding sensitive data can be reached only from the places that genuinely need them, and keep your backups offline or otherwise isolated from your primary network so that ransomware which gets a foothold there cannot reach them too.
6. Test and verify – The best way to find out whether your defenses actually hold? Try to hack them yourself. There is a reason PCI-DSS requires an annual penetration test for your organization. Until you test, you don’t know whether the patches you applied actually took effect or whether the data you thought was segmented is just a simple pivot away.
Will doing all of these things ensure that you aren’t breached this holiday season? I would never make that claim. However, by following all of these steps you will be considerably safer and, therefore, less attractive to the bad actors out there looking to take advantage of this busy holiday season.