One of the most common questions we hear from businesses as they work on providing a stronger level of security is, “What should we be looking out for when it comes to achieving PCI compliance and safeguard against threats?” While the list of threats is lengthy and ever evolving, we find that the majority of concerns fall into a few overarching ‘scary’ personas:
- The Hateful Hacker
- The Insidious Insider
- The Needless Negligent
- The Overlooked Outsider
- The Do-Nothing Demon
Most organizations are looking outwards for the greatest threats, such as The Hateful Hacker. Hackers are often motivated by one of or a combination of financial gain, disruption, or espionage. This category of threats is ever-advancing as The Hateful Hacker is a highly skilled individual or team with growing resources and knowledge. In the case of a Hacker threat, organizations are often put into a place of reactive response as the skill sets of this threat type advance just as quickly if not quicker than the defenses that businesses are able to put in place. Secure measures can be put into place to reduce the risk from the Hateful Hacker, such as: keeping software up to date, app and site restrictions, unique passwords, email security, social engineering training. In case of breach, organizations must act quickly in response to an attack to minimize the impact. Having a plan in place enables security teams to act quickly in case of a breach.
While organizations are right in thinking that there are great external threats likely targeting their organization, security concerns shouldn’t be limited to external evaluation. We’re seeing a greater number of growing insider security scares. A recent Forbes article explains that an Insider probably (1) won’t need to conduct reconnaissance like an outside attacker, (2) doesn’t need external malware to access systems or rely on remote servers for command and control, and (3) they’ve learned to disguise their activities like outside attackers. An insider threat could be a disgruntled employee, a malicious new hire, or an employee that has moved on. Taking proper care of existing employees, ensuring an excellent working environment and competitive pay are small ways to prevent a disgruntled employee accepting monetary pay off for data or system access. Careful and thorough vetting can reduce the risk of on-boarding a maliciously placed employee within the organization. In similar fashion, having a secure off-boarding process can ensure that access to company resources, systems, and applications is turned off immediately upon dismissal or leave can prevent an insider breach from an exiting employee.
Similar to the Insider, the Needless Negligent is an internal resource that proves to be a threat to the organization. However, unlike the Insidious Insider, the Needless Negligent’s activity is often unintentional or acted on with the best of intentions. Employees in the Needless Negligent category may be responding to a phishing email from what they believe is the CEO or providing what they believe is great customer service with sensitive information over the phone through a social engineering ploy. Organizations that have negligent originated attacks are often the organizations that don’t take the time or resources to invest in continued and updated compliance training for their employees. Making your teams aware of risks and how they could be used as a pawn within a breach could be your best investment on preventing the next successful attack.
Reigning in the threats posed by the Needless Negligent can help minimize the threat of The Overlooked Outsider. External threats in this case are third parties that may have access to your physical facility. An example of this would be if a Needless Negligent accidentally left a post-it note on their desk containing customer information. The Overlooked Outsider, hypothetically being a cleaning or physical security company, would have access to that information that could be manipulated, sold, or compromised in a way that would put the entire organization’s data under investigation. Another example would be a workstation that wasn’t properly logged off or shut down.
A final and common threat we see is The Do-Nothing Demon; organizations that are either dismissive, think they are compliant, or believe that they are not a significant enough target for a breach or attack, or organizations that are paralyzed by indecision on which security methods to move forward with. In all these situations, we strongly urge companies to become and remain PCI Compliant. Organizations are putting band-aid methods in place such as compensating controls to temporarily pass audits but not putting data security forefront of mind. By using compensating controls such as pausing and resuming call and screen recordings within the contact center, the data is still available to all breach types. With recent amendments to telephone-based payment regulations, these compensating controls are being recognized as outdated, and the compliance industry is pushing people to the more effective solution of descoping. PCI Pal can assist in de-scoping your contact center by ensuring that sensitive customer information such as credit card numbers never enter your organization’s environment. In case of a breach, there is nothing for any of these personas to be able to access or compromise, therefore data is not compromised. To schedule a demo of the solution or learn more about how to protect your contact center from security villains and threats, contact us at [email protected].