Sunday, January 27, 2013

Low Hanging Fruit for securing your data

I recently met with a small business (SB) owner who was almost hyperventilating over the challenges of becoming PCI compliant. To him, this was a hardship created by the government to make small business owners poorer while putting more money into the pockets of big business. Initially, we simply talked about the Who and Why of PCI compliance. Next, we broadened our discussion to his individual business needs and goals. We then translated these into a comprehensive plan for securing his environment in a manner that supported those goals. He came to understand that putting some basic pieces into place did not have to be a six-figure plan, and that it could be done with a quick turnaround and a quick return on investment.

Who and Why of PCI Compliance:
For an SB owner, throwing the whole catalog of 12 PCI DSS requirements at the environment is overkill. Unless a business processes over 20,000 credit card transactions a year, the requirements published by the PCI-DSS standards group are much simpler:
- Don't store ANY credit card data in your environment,
- All transmissions should be on PCI-DSS approved devices (list available: http://www.cgsolutionsofjax.com/images/approved_pin_transaction_security_PED_Devices.pdf),
- Fill out and submit attestation paperwork annually.

Why being just PCI Compliant is not enough:
PCI standards are "minimal". The interpretation of the requirements is debatable and depends on the size and complexity of an environment. A seasoned, IT-savvy assessor will understand the difference between a program that simply checks items off a list and a program that takes a meaningful, layered approach to security while also providing for PCI compliance.

Reviewing Individual Business needs:
Whether a business is in a static position, in growth mode, or facing the unfortunate position of losing market share, the SB owner needs to take a holistic approach to managing security and the liability surrounding a potential data breach:
- What is the investment?
- What is the Return on Investment (ROI)?
- In the event of a breach, what is the business's potential liability?
- What is the cost of potential downtime?

Any investment, whether it is for technology, security, or something else, should have an established timeline for the expected return. For small businesses, there are a number of investments that are necessary in order to ensure data protection.

Low Hanging Fruit that will go a LONG way to helping secure your environment:

- Antivirus/Malware
  - For antivirus, purchase multiple-year licenses.
  - Have an individual join groups such as Secunia or the SANS group to receive notifications from antivirus and software vendors on outbreaks or potential vulnerabilities.
- Desktop management support/warranty
  - Use built-in tools to restrict employees' access to sensitive data, to questionable websites, and to POP3 mail accounts.
  - Disable the ability to capture print screens for those employees who have access to sensitive customer or patient information.
  - Purchase desktops through a reputable partner who will provide desktop support in the event of a hardware failure.
- Copier security
  - For leased copiers, ensure the hard drive has been wiped using a secure method approved by the Department of Defense prior to returning the copier to the vendor.
- Printer security
  - Define who can print to which printers. Allow a limited number of employees to manage print jobs.
- Paper security
  - Create a clean desk policy and either purchase a shredder or lease a shredding bin from a reputable vendor.
- Social Engineering and Information Security training for employees
- Mobile device lock down (including USB devices)
- Business Continuity/Disaster Recovery solutions

The SB owner I was speaking with had a small environment, but the general consensus among desktop support companies is that once a company has more than 10 desktops, the need for professional desktop support becomes pressing, because automation becomes key to reducing labor costs.

At CGSolutions, we have:
- A library of sample policies and procedures that will get you started,
- Templates that can be applied to your desktops to secure your corporate environment,
- Business partners who have expertise in desktop support, including in regulated industries,
- Partnerships with internet providers who focus on your current and future business needs,
- Partnerships with managed services teams.

Don't let the fear of what you don't know get in the way of being successful in your business. CGSolutions can help you bridge the gap between where you are and a secured environment. With over 28 years of experience in technology, we have the expertise to implement meaningful solutions rather than ones that simply check a box on an audit report. Give us a call, 904-654-7323.
