Special Report: Data Security Part II

Three Fundamentals of Data Security

People want to perform their jobs securely, but they don’t always know how.

February 17, 2014

Want to maintain the integrity of member data? Keep three key fundamentals in mind, advises Ryan Elkins, senior manager, information security, for Diebold, a CUNA Strategic Services alliance provider.

He and Credit Union Magazine Editor Walt Laskos recently discussed these fundamentals and how credit unions should evaluate their core competencies in regards to security.

CU Mag: I’ve been told that point-of-sale terminals costing $5,000 several years ago can now be replaced with pads and cloud access for around $100 per terminal. If costs have decreased to this extent, what’s preventing today’s payment solutions providers from adopting a more sophisticated standard?

Elkins: Cloud solutions are not going to slow down. Providers that can reach multiple customers with single services will have improved margins, allowing for investment into comprehensive security solutions around the services.

In today’s market, a cloud provider that invests heavily in a security program could quickly differentiate itself from competitors.

When it comes to cloud providers, most security organizations are resistant to going that route due to the fact that you are essentially handing the security of your data or systems to a third party. The providers are aware of this and have focused heavily on implementing visible security controls to offer the appropriate level of assurance to their customers.

Credit unions, small banks, and even retailers must begin evaluating their core competencies in regards to security. Determine which competencies can be accomplished in house and then engage in noncaptive solutions to address security gaps.

CU Mag: There is no one standard for mobile payments in the U.S. today. Instead, there is an array of payment options as providers continue to jockey to see whose standard will become the norm. How long will this pattern continue and when will it be resolved?

Elkins: This is a very exciting time in the mobile payment space. We are seeing growth and adoption with near field communication, quick response codes, biometrics, mobile wallets, and even digital currencies.

There will be pros and cons with each solution, and these new approaches will introduce new attack vectors.

We can’t lose sight of general standards and data protection requirements to serve as an agnostic foundation for the variety of mobile sensors. All of these technologies when implemented on mobile devices will still need to rely on a secure element.

CU Mag: How does Diebold address security throughout its various service platforms?

Elkins: The foundation and success of Diebold’s security program begins with the leadership support. Through this support, we have engrained security within the culture, our products, and our services.

The security team has representation during the initial research and development conversations, secure standards are incorporated throughout the software development lifecycle, and recurring assessments are performed against products, services, and internal systems.

We focus on understanding the threat landscapes, learning from publicized breach reports, and striving continuously to expand our preventive and detective control capabilities.

CU Mag: What are the top three fundamentals that CUs must keep in mind to preserve the integrity of member data?

Elkins: The top three fundamentals are just that—fundamental. They are the foundation for any security program that must supersede the implementation of high-performing technologies or robust programs.

First, focus on configuration management. In almost every breach that we have analyzed, somewhere along the line the attackers took advantage of default or weak passwords, misconfigurations, unused services, and/or reliable vulnerabilities.

Second, establish policies, procedures, and standards and share them with the groups responsible for systems. Security teams must be able to delegate security responsibility and be able to govern adherence to these policies, procedures, and standards.

Most people want to perform their job functions securely; they just do not always know what to do.

Third, implement a security awareness program for employees. Make security relevant to their personal and professional lives.

Provide insight and communications regarding phishing attacks, social engineering, mobile devices, and password security.

Create posters, deploy screensavers, and have tabletops in the cafeterias where employees can talk to security experts.

Transform your employees from your biggest security weakness to your biggest security strength.