Good Security Protects Us From Ourselves
Data you collect is vulnerable to hackers. They might make direct attacks or compile seemingly unrelated and non-threatening information. That ultimately puts people at risk.
Victor Santoyo has made a living guarding against and swatting away online predators. He is an expert on website security through Sucuri Security, which cleans and protects websites. He also has spoken at WordCamp Miami about online protection.
In the realm of specific data, protecting personally identifiable information has to be first priority. That not only tells others about you but inadvertently about friends and family as well.
“Any data that you collect through your website and gets moving in transit to other servers needs to be encrypted and protected,” Santoyo said. “Anything. Whether it’s just a first name or a personal address.”
Keep in mind that it’s critical to have a way to organize and prioritize.
“This is a great point,” Santoyo said. “The internet is creating all new types of data we need to start to collect or create. We really need to take inventory of what we’re gathering.”
Users also must prioritize who gets to see data and why.
“Absolutely,” Santoyo said. “I have a blog post on Payment Card Industry Requirement 9 due out soon.”
He also touched on that subject in another blog post about implementing strong access control measures.
Not just backups
Backups can help you recover hacked data, but you can’t make hackers unsee what they’ve seen.
“Certain attacks like ransomware will zip up and encrypt access to the data so it’s untouched,” Santoyo said. “Other times, data might get corrupted. So, relying on backups as a sole resource is tricky.
“Testing your backups before incidents is key if you want assurance,” he said.
Stephen wondered what would happen if a company based in the European Union has an office in India. Employees in India can view data of EU citizens. How could the Indian office comply with the EU’s General Data Protection Regulation — better known as GDPR?
In general, if EU standards are tougher than your standards, opt for the tougher ones. In a world wide web, everyone’s data is subject to penalties for violating another entity’s strict demands.
“GDPR is a certainly a key thing,” Santoyo said. “If you live in the United States, new California data privacy laws are also something to look out for.
“We have many employees who work remotely, and we’re compliant,” he said. “So, it’s definitely do-able. You just need to be assured that the data is located in the proper locations and only on a need-by-need basis.”
Effective security does not succeed in isolation.
“Being clear across your team about expectations is important, too,” Santoyo said. “If you’re in India, discourage the copying of EU data on local India servers or jotting down copied info.”
Jurisdiction does not depend on employee location.
“The location of the data is one of the main points to start with,” Santoyo said. “I’m in Miami. As long as I’m not storing EU data on my local machine, it’s fine.
“Whether you’re operating in the EU or out of it, if you’re collecting data from individuals who reside in the EU, you need to be careful,” he said. “I could be a U.S.-based business and start accepting EU orders. In that case, I need to start complying with GDPR.”
Santoyo also talked about security’s “deny first” approach.
“When in doubt, deny access,” he said. “Opt for tight security — especially from the start — until you’re confident of the interests of the other party and its privacy standards.
“This is the idea of denying public access to everything first,” Santoyo said. “It helps you slowly decide what access you do allow. If I open up my server to the world, I can’t control that. If I deny all first, I can slowly open up where I feel it should be.”
This is a commonly ignored default choice.
“It should be the default — and yet, people often overlook the practice,” Santoyo said. “Default configurations on applications, servers, and networks are not always ideal from a security standpoint, which is why they are important to review.”
Keep data under wraps as long as it has potential to do you or others harm. There is no statute of limitations on security and privacy violations.
“My quick answer to this is only for as long as absolutely needed,” Santoyo said. “If you need the data for longer than 30 to 60 days, there should be a data or security policy somewhere that describes the reason for extended use, worst case.
“Otherwise, purge that data on a scheduled basis once you’ve determined a length of time that works best for your company,” he said. “For those complying with GDPR, also make sure data is easily accessible for requested purge by those individuals.”
A Secure Sockets Layer certificate — known as SSL — is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL technology.
“This only keeps your data safe in transit,” Santoyo said. “A common misconception is that SSL protects your site. It will encrypt data on the way from the browser to your host server. This is still important to avoid ‘man-in-the-middle’ attacks.”
He added that Google is making a push for Hyper Text Transfer Protocol Secure, which users know by the acronym HTTPS.
If you suspect a breach, immediately change your passwords and review your security settings.
“First and foremost, notify those affected,” Santoyo said. “Then take proper actions to understand what happened, where, and make those changes.”
In a blog post, he detailed steps to take to recover from disasters such as data breaches.
Mergers and acquisitions are commonplace. They add another complexity to data handling. Security experts should do a data scrub when there’s any kind of company change to make sure all entities operate on the same security and privacy standards.
“Much like the India question, look through the data you acquire and validate its use,” Santoyo said. “If you don’t intend to use it, then lose it. If you do use it, set parameters on who will have access moving forward and for what purpose.”
Treat your data with all the attention you would give your first-born child.
“Be mindful,” Santoyo said. “Don’t start copying cardholder data on paper you won’t shred. Don’t make copies on USB drives. You’ll lose them because they’re small.
“Just as you don’t want your data tossed around like a hot potato, be mindful with the data of others,” he said. “Set proper expectations of how to handle it and where, how and when to dispose. If you set the example from the top — and set reminders — you’ve taken a good step.”
People being people, be alert to those who leave data in lunchrooms.
“That’s human nature at its best and worst,” Santoyo said. “I know I forget my keys in odd places at home.
“Imagine the workplace where stress and time are even more critical factors in your day-to-day,” he said. “Practicing good security is not blaming others but protecting us all from ourselves.”
About The Author
Originally published at www.datadriveninvestor.com on October 24, 2018.