A very important concept in Information Technology Security is that this kind of security is not about avoiding as much as you can; it’s usually about managing those risks, about determining what those risks are going to be, and then trying to do the best that you can to prevent what you can, and the rest you manage based on the business policy rules in place. Unfortunately, the world has to be this way, because if we were in our own little fantasy world as InfoSec or IT Security Administrators, we’d decide that we wanted to make this system as secure as possible so nothing could go wrong with it, so that we’d put our work in up front and not have to worry about it ever again.
The unfortunate side effect of that is that now your user can’t use that PC, or their job is very, very difficult and cumbersome and they have to jump through hundreds of hoops that you’ve put in place just to do one simple thing. What that usually means is that your user is going to avoid as much of that as they can. They’re going to go outside of the process and try to find a faster way to get their job done more efficiently. As a security administrator, what you have to figure out is: where do I find that middle ground? Where do I come in to figure out how to put as much security as I can in place, but also meet all of the requirements, and try not to impact my users with my security policies to the point that they can’t officially get their job done?
Then, when you come up with that, that’s where you kind of get to this: risk management is what you’re doing at that point. You are mitigating risks, you’re not avoiding risks. That’s why we say it’s kind of a shaky area, because you can avoid a lot of risks, and you talk about trying to be proactive with things, but a lot of times your business requires you to be reactive, or requires you to mitigate a risk instead of completely getting rid of it. That is just the nature of the world and how this stuff works. That’s why InfoSec security people are something companies have to employ: the business doesn’t allow you to become completely proactive.
That’s where South Seas, with our experience, can come in to help you understand what the risks are. That’s the important first step: identify, figure out what the risks are, and then mitigate. That’s where I’m two-stepping and oversimplifying the process a bit, but that is the simplistic view of it: you want to identify and mitigate. That way, you’re doing the best you can with the tools that you’ve been given and the abilities you have to secure as much as you can without bringing your business to a crawl.
Another important concept that goes right along with this is peripheral devices, scanners, printers, specifically things like PIN pads that you have to deal with PCI Security on: how you mitigate risks and how you manage those devices so that they’re secure, but at the same time allow your users to use them. That’s where this identify-and-mitigate process is really employed very rigidly, because with some devices like PIN pads you have to abide by PCI rules, so you have to be very rigid with the application of security there.
With some devices it’s not as much of a concern, but you still want to employ a similar process across the entire board and mitigate as many risks as you can from everything, because even something as simple as a printer driver that’s installed into a system may have vulnerabilities. It’s software: it could have a bug, it could have an exploit, and if you’re not mitigating the risks of that, that could allow someone to get into your system and gain access to information being passed through what you thought were encrypted channels to a PIN pad.
Unfortunately, those are the kinds of loopholes that people are looking for in the world to get your information, to steal your information, to inject into your process, and you didn’t even know about it until far too late for you to deal with that. Now you’re sitting in court, now you’re sitting in your fraud department dealing with that. Legal is the last place you want to be with this stuff; that’s why we try to mitigate these first, so then you don’t have to be there, you don’t have to deal with that. You can go home and sleep at night.
I’m Anthony with South Seas Data and we’re here to try and help you prevent that fraud, prevent the issues that will lead you to legal problems.