
Posts Tagged ‘customer information’

As an I.T. person I will tell you this post could get a little technical, and will definitely be less formal than some of the other posts on our site (us IT people can tend to be a little sarcastic at times). If you have an I.T. person in your organization, I would ask you to refer this to them and request that they post comments containing ideas, tips, or information that they have come across on securing customer identity information successfully ….. or at least advice to help keep us all a half-step ahead of the hackers. This is meant to open up a discussion, not just be a straightforward post.

Having said that (and finally getting into a second cup of coffee …. My dog broke my French coffee press, so keep in mind I’m drinking the wimpy stuff) – it’s time to look at what us techie folks deal with when we hit the issue of securing critical customer information. Here are some suggestions from me and from many others who now have to deal with this issue:

  • Always have at least one tried and true commercial security product in place …. Granted the definitions may get cracked by the hackers five minutes after they are released, and sometimes before – but a proven product does at least buy your security team time to block hackers, or viruses with secondary products. Remember this though – “tried and proven” should not be translated into “protection for everything”.
  • Have a combination of hardware and software security products working together – if the hackers can’t get into your network, they can’t do damage. If they do successfully breach your network, you want a good defined secondary stopping point. Being proactive is extremely important in security. Only being reactive to security issues in any company is extremely dangerous. For example: desktop security suites are great ….. but, if you did your job, hackers should have never gotten that far – but they are a useful secondary stopping point.
  • If you are a security person (or at least in charge of security) ….. face the fact that you are probably going to be the most hated person in your company simply because you are the one ultimately telling people that they aren’t allowed to work on their MySpace accounts, nor search for dates on Craigslist – oh, and watch YouTube videos. Do not bend on this, unless you like being the scapegoat for security breaches, like spending time explaining things in court, or generally are trying to avoid all possible time with your family. Most people try to not get into these situations – but considering everyone is different, to each his own.
  • Have the mindset that your customer’s information is more important than your job – if you slack and don’t try your best (granted, we don’t all have 24/7 to spend securing our companies, and we are not all gurus) someone could obtain your customer’s information and ruin their lives for quite a bit of time, along with gaining some unwanted national recognition for oneself. Would you want another company to think any less of the importance of your identity information?
  • Don’t let pride get in the way of seeking advice from outside sources that know better than you do. Network with the people that have the same responsibilities as you … an outside information source does not always have to cost $200 an hour if you network with other individuals that have similar security responsibilities in the companies they work for.
  • Have the sense to be open-minded about the products and platforms you use. Don’t just use a flavor of Linux because it is free, nor use Microsoft because everyone does. Each job has a correct tool, or set of tools designed to perform that job well. Look at each platform you want to use and ask the following questions: 1. How stable is it for what I am doing? 2. Will the security within the platform complement the applications I am running on it (in other words – can you make Oracle more secure on a specific Linux flavor, or on a Windows platform)? 3. What third party commercial and Open Source products can I use to complement the security on the platform I have chosen?
  • Most people overlook question 1 in the bullet point above. If you talk to any experienced “old-timers”, many of them will tell you that can be a big mistake. If your system is not stable, it is inherently not secure doing anything. Instability creates back-doors …. Kind of like ignoring a lock that is not always working on the back entrance of your house, just because you think no one will ever use it to break in because it’s not as noticeable as the front door.
  • Use a mix of commercial (native along with 3rd party) products in coordination with Open Source products to design your security infrastructure so that it is easy to occasionally “switch-up” at least some of the products and security flows that you are using. The longer you keep things in place and the same, the longer hackers have a chance to learn your systems.

One last comment from me – there is no such thing as “set and forget” when securing customer identity information. You WILL have to actively monitor your systems for security reasons, not just rely on automated alerts.

Please submit comments, and additional advice to help all readers, thanks!
