The best way to balance the need for network and application access with security and regulatory requirements is to understand exactly what the business needs. Working out how much protection and control to put in place without stifling the business is crucial for a robust protection plan.
There is a baseline level of security and compliance management, as set out for example by the Payment Card Industry Data Security Standard (PCI DSS) in retail or by the Financial Services Authority (FSA) in finance. Beyond that, incisive questions need to be asked by the business, like ‘do we have a security strategy and an information security management system?’
This is something which many SMEs are unlikely to have. The key stakeholders in the business need to evaluate what they believe their security posture to be and how they would like to be seen by clients and customers.
For example, three or four years ago, it was not uncommon for businesses to have a website login with no minimum strength on the password, but now they are starting to recognise the validity of using stronger passwords with a good mix of numbers and upper/lower case characters.
With respect to PCI DSS, customers obviously want the convenience of paying by card but are forever fearful of security breaches. There have been breaches of PCI-compliant merchants which are not greatly publicised and many of them stem from more targeted phishing attacks.
No business in the world can be truly secure and the PCI audit is a statement of security at a particular point in time. Given an unlimited amount of time and effort, attackers have a knack of being able to eventually get through almost any defence. It’s perseverance that gives them the data they need and they’re willing to invest whatever it takes in order to get their hands on it.
Humans are easier to exploit than systems because their nature makes them helpful, to the extent of volunteering information that may compromise them and their company.
Attackers can use pretexting against an accounts department, for example, claiming they are trying to send an invoice (which does not exist) and asking whether the company has received it. The answer to this question will be ‘no.’ The attacker will then contact the firm again and ask the employee to look in the junk mail folder.
If the employee finds the email in the junk folder, opens it and then runs the attachment, malware embedded in the PDF could execute on the employee’s machine. There are many more subtle methods too, and attackers only have to be lucky once, whereas a company has to be careful all the time.
What can be done?
Once a business has identified its most precious assets, it should run a penetration test that attempts to access those specific systems. This makes the engagement much more impactful and realistic, providing a real learning experience and a clear indicator of whether the test has achieved its goal.
If the company is conducting a penetration test for compliance reasons, such as PCI DSS, then the goal should be to access the systems inside the PCI scope to extract cardholder data. Cyber attacks may succeed with perseverance but so do robust IT security policies and protection systems.