Insights from an IT insider on how you can help your IT team better protect your business and your customers
By Rob Chapman, Director of Security Architecture at Cybera
“You don’t know what you don’t know.” That truism is the source of a lot of unnecessary risk in our businesses. We often assume the best about the people and IT systems working around us: if everything is working, it must be working well, right? But there is an ugly secret in corporate IT: the line between “working well” and all-out chaos is razor-thin.
As a mentor from IBM once confided to a fresh college graduate, “If you go into IT, you’ll inevitably find that some major part of your company runs on technology held together with little more than hope and a prayer. You’ll find servers that no one knows anything about. But if they ever stop running, the company will stop making money.” He has proven to be absolutely correct.
As smart as most IT workers are (and as well intentioned as most executives are), IT shops are still primarily viewed as cost centers. That means they tend to get scrutinized only when one of those random machines held together with baling wire and duct tape stops working, and the business suffers accordingly.
These insights from an IT insider on “the other side” will help align your leadership and IT teams so you can better protect your business and your customers.
“Working” Doesn’t Necessarily Mean “Working Well”
One of the easiest ways to avoid unnecessary business risk is to take a greater interest in your IT operations. Let’s face it, a lot of executives treat IT like they do a refrigerator: It’s just supposed to work without any worry.
In other words, they don’t tend to get too far into the details when it comes to prioritizing IT security and regulatory compliance. Unless you have a strong security culture or a prominent IT champion in your company, you’ll probably find some clear deficiencies in these two areas. Luckily, this is relatively easy to fix, because it’s more of a culture problem than an actual technology problem.
Getting the Culture Right First
If you want to blow your IT team’s collective mind, proactively schedule a meeting to talk about data encryption. Yes, encryption. We IT security types love nerding out on that stuff. But don’t worry—you don’t need to sit through a deep-dive lesson on the math behind encryption. All you need to do is ask honest questions about where and how encryption is used in your company—and what its potential economic impact could be.
You’ll often find that your IT team already has good encryption tools to increase security. They simply need executive support to implement them properly. This leadership is vital for two critical areas that significantly impact your business and your customers:
- Meeting your payment card industry (PCI) compliance obligations
- Securely deploying Internet of Things (IoT) devices as part of your business strategy
Reducing PCI Compliance Risk and Complexity through Encryption
If your business is in the retail sector, you’re probably accepting credit cards for payment transactions. That means you have an obligation to protect sensitive cardholder data as it travels from the point of purchase all the way to the card processing bank and back again.
The primary goals of PCI compliance are to:
- Protect sensitive customer cardholder data
- Reduce the threat of data theft and security breaches
- Help you avoid fines and penalties from the card brands and your acquiring bank, as well as the legal fees that follow a breach
If you ask your PCI compliance team how it’s going, prepare to hear a litany of frustrations about the sheer complexity and the amount of resources required to do the job right. Most PCI environments are sprawling behemoths of legacy point-of-sale (POS) and back-office systems. This is where many businesses feel the full weight of the PCI compliance rules—and those rules can be extremely daunting and expensive to manage.
As of now, the PCI DSS rules require strong encryption only when cardholder data crosses open, public networks on its way to the processing bank, and they require stored card numbers to be rendered unreadable. They do not require the data to be encrypted while it moves across the store’s own internal network between the card reader, the POS register and the back office. That approach is not good enough. Fortunately, the PCI Security Standards Council offers a reduced, far more manageable set of requirements for merchants who use a validated point-to-point encryption (P2PE) solution across their payment environment.
P2PE ensures that card data is encrypted inside the payment terminal the instant it is read, with a key that only the processor can use, and remains encrypted across your entire environment until it reaches the processor. Think about that the next time you go to any store that accepts credit cards. Unless they’re using P2PE, there’s a good chance your card data is in the clear on the store’s network between the swipe and the link to the processor.
IT Insider Tip: One of the best decisions you can make as a business leader is to have your IT team encrypt everything. Data should be encrypted as soon as it’s created, while it sits on your systems, and while it is traveling to someone else’s systems. Implementing encryption in those three areas will do more to increase security and protect customer privacy than just about anything else you can do.
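The P2PE flow described above, written out as an added example that is not part of the original article or of any Cybera or PCI SSC material: the payment terminal encrypts the card number (PAN) the instant it is read, every store-side hop handles only a masked PAN and opaque ciphertext, and only the processor holds the key. The example assumes one static AES-256-GCM key per terminal (a stand-in for the DUKPT-style key management that validated P2PE solutions actually use), a terminal ID of `POS-07`, and the widely published test card number 4111111111111111; every name and value in it is constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CapturedPayment is everything that leaves the terminal, and therefore the
// only cardholder data the store environment ever holds. Constructed for this
// example; real P2PE records carry more (key serial numbers, track data, etc.).
type CapturedPayment struct {
	TerminalID string // bound into the ciphertext as GCM associated data
	MaskedPAN  string // last four digits only: safe for receipts and logs
	Nonce      []byte // fresh random GCM nonce for each capture
	Ciphertext []byte // AES-256-GCM over the full PAN, auth tag appended
}

// maskPAN keeps only the last four digits, all the store needs or may see.
func maskPAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAtCapture runs inside the payment terminal, before the PAN touches
// any store system. key is the terminal's injected P2PE key, shared only
// with the processor (assumption: one static key per terminal).
func encryptAtCapture(key []byte, terminalID, pan string) (CapturedPayment, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return CapturedPayment{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CapturedPayment{}, err
	}
	return CapturedPayment{
		TerminalID: terminalID,
		MaskedPAN:  maskPAN(pan),
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, []byte(pan), []byte(terminalID)),
	}, nil
}

// storeForwards models every hop inside the store (POS register, back-office
// server, store router). It can queue, log and forward the record, but it
// holds no key, so the PAN is opaque to it. Returns the store's log line too.
func storeForwards(cp CapturedPayment) (string, CapturedPayment) {
	logLine := fmt.Sprintf("sale terminal=%s pan=%s", cp.TerminalID, cp.MaskedPAN)
	return logLine, cp
}

// storeCanReadPAN is the assessor's question: does anything the store
// holds contain the PAN in the clear?
func storeCanReadPAN(cp CapturedPayment, logLine, pan string) bool {
	p := []byte(pan)
	return strings.Contains(logLine, pan) || cp.MaskedPAN == pan ||
		bytes.Contains(cp.Nonce, p) || bytes.Contains(cp.Ciphertext, p)
}

// decryptAtProcessor runs only at the processing bank, the sole other holder
// of the terminal key. The GCM tag check rejects any record that was altered
// in the store or relabelled with a different terminal ID.
func decryptAtProcessor(key []byte, cp CapturedPayment) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, cp.Nonce, cp.Ciphertext, []byte(cp.TerminalID))
	if err != nil {
		return "", errors.New("P2PE record failed authentication; rejected")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed: injected into the terminal out of band
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // constructed: a well-known test card number
	cp, err := encryptAtCapture(key, "POS-07", pan)
	if err != nil {
		panic(err)
	}
	logLine, cp := storeForwards(cp)
	fmt.Println(logLine)
	fmt.Println("store can read PAN:", storeCanReadPAN(cp, logLine, pan))
	got, err := decryptAtProcessor(key, cp)
	fmt.Println("processor recovered:", got, err)

	// Tampering in the store: relabel the record as another terminal.
	cp.TerminalID = "POS-99"
	_, err = decryptAtProcessor(key, cp)
	fmt.Println("relabelled record:", err)
}
```

The `storeCanReadPAN` check is the property a PCI assessor is really asking about: nothing the store holds (log line, masked PAN, nonce, ciphertext) contains the PAN, which is why the POS and back-office systems stop being places where card data can be stolen. Binding the terminal ID into the ciphertext as associated data means a record copied from one lane and replayed under another terminal, or altered on the store network, fails authentication at the processor instead of being silently accepted.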
Securing IoT Devices
Much like PCI compliance, the ramp-up of IoT device deployment suffers from similar types of security issues. These Internet-connected devices can range from fuel tank monitoring gauges to digital menu displays and standalone food kiosks. For the most part, these task-oriented devices perform a very specific function and that’s it.
The general assumption is that they’ll work simply and securely. The reality is often a different story. For instance, unsecured industrial control devices have been found sitting directly on the internet with nothing in front of them. Let’s just say that if you ever wanted to change the reported volume of fuel in a storage tank, there’s a good chance the control system would let you.
Which brings up a question you might be wondering about: How could IoT devices be so vulnerable to a security breach? Most of the time, it simply comes down to laziness and perceived cost savings. Many businesses perceive these devices as a relatively low risk. And when they integrate them with third-party systems, the priority is usually to do it cheaply and quickly rather than correctly.
IT Insider Tip: Here’s how you can create a stronger security culture for your company:
- Tighten the bond between your IT and leadership teams
- Encourage IT to make the right choices, not just the easiest choices
- Become a vocal advocate for security to better manage corporate risk and protect your customers
Becoming a Champion of Cybersecurity
The notion that people and IT systems are working well just because they’re working has become hopelessly outdated—and potentially catastrophic—in today’s increasingly digital world. You can never assume that anything is secure, because hackers aren’t taking a holiday anytime soon.
Fortunately, the solution is simple. As mentioned earlier, this isn’t solely a technology issue. We already know how to keep things secure. It comes down to your company culture and the values you set by your executive decisions and actions. After all, do you want to build a culture of “let’s just get it done” or “let’s do it right?”
About Rob Chapman
As Director of Security Architecture at Cybera, Rob Chapman is responsible for the company’s overall cybersecurity architecture and PCI compliance initiatives. During his career, he has focused on areas ranging from academic and enterprise technologies to big data and audiovisual systems. Chapman has a Masters in Educational Leadership and Instructional Technology from Tennessee Technological University. He resides in Columbia, Tenn.