In the previous installment of our ‘Stop Wasting Time on Remediation’ series, we highlighted how establishing a strong working relationship with your Qualified Security Assessor (QSA) is an essential foundation for achieving a PCI remediation plan. But just as important as it is to work well with outsiders, there needs to be a strong sense of camaraderie within your organization as well.
Data security is a company-wide responsibility
Imagine you’re leaving work late one night when you see a suspicious person attempting to gain forceful entry into your office. You wouldn’t just walk away, thinking that your company’s security guards will handle the situation, would you?
It’s the same with data security: every additional person who gets involved is another pair of eyes ready to detect threats. To attain the coveted title of PCI compliant, remediation cannot be carried out solely by your company’s IT department. In fact, it is arguable that the responsibility for remediating cardholder data risks lies more with the people who handle that data to begin with: your company’s employees. They are the ones acquiring and processing cardholder data on a frequent basis, so they should share the responsibility of safeguarding that very same data. Or, more to the point – if the employees created your compliance issues in the first place, why not empower them to fix them too?
Everyone from Finance to HR has to get in on the remediation act and, going beyond that, help out in the never-ending responsibility of keeping hackers out.
Because the entire PCI compliance process, including remediation, must be repeated on a continual basis, managing the human factor of remediation becomes an entirely different challenge. The responsibility of making sure all employees are on board for the long haul of data security falls on management, which has to build a strong understanding of why data security is something to be taken very seriously.
Hackers are counting on someone in your company to slip up; all they need is one employee to click a malicious link to initiate the first step towards creating a doorway into your computer network.
To further highlight the problem, here’s a horrible truth: 9 out of 10 employees knowingly violate policies designed to prevent data breaches. Kind of makes you want to succumb to the feeling of ennui and despair, doesn’t it?
Peter Lefkowitz, vice president and chief privacy officer at Oracle, believes that part of the problem lies in employees not comprehending data protection policies. In this article from The Privacy Advisor, Lefkowitz elaborates on how policies should be as simple to understand and follow as possible. “My experience has been most employees are happy to comply with the policy, but the policies need to be made understandable; the policies need to be communicated to employees, and employees need to be trained on the policies in a way that fits what their job is.”
It does get progressively harder to enforce these policies the larger your company is, but we’re coming full circle to the original point: all employees should feel that data security is everyone’s responsibility, and it’s your job to cultivate a working environment that embodies that mindset.
The most practical way of making employees more aware starts with changing your security violation alert methodology. Traditionally, security alerts are seen only by the IT security team, so employees remain oblivious to the real-life threats the company faces every day. If you run platforms that monitor for violations of security policy, consider configuring their alerting so that alerts are sent directly to the staff members committing those violations. Most of these violations are accidental, so detecting them quickly and alerting immediately teaches staff members, in short order, what good behavior looks like and what bad behavior looks like.
A simple example rests within the Ground Labs Enterprise Recon product. Its most popular feature is the ability to continually monitor for cardholder data storage violations and generate an alert that is sent directly to the custodians of that data – usually the employee sitting on the system where the violation occurred, or their immediate manager or team leader. Whilst this outcome in itself is a great foundation for security, the more important side effect is the change in behavior that occurs among employees. Knowing that systems are in place to monitor and alert whenever an employee or application stores cardholder data in an insecure way, they immediately become aware of what not to do, and become more interested in understanding how to avoid generating an alert – or, more to the point, how to properly handle cardholder data in a PCI compliant manner.
Very quickly you will see fewer occurrences of cardholder data being sent via email, or of spreadsheets being used as mini customer databases containing full payment details. Employees know that if they do this, an alert will be generated and there are potential consequences that come with it.
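As an added illustration of that workflow (example code written for this article, not Ground Labs’ or Enterprise Recon’s own code), the Python below scans file contents for Luhn-valid card numbers, masks each finding so the alert itself does not carry a full PAN, and routes the alert to the file’s owner with their manager copied. The file contents, owners and the owner-to-manager map are constructed sample data.

```python
import re
from collections import defaultdict

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check; rejects most digit runs (badge ids, phone numbers) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return digit-only, Luhn-valid card numbers found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """First six and last four only, so the alert itself does not carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def build_alerts(files: dict, managers: dict) -> dict:
    """Route each finding to the file owner (the custodian) and copy their manager.
    files: path -> (owner, contents); managers: owner -> manager (escalation).
    Returns recipient -> list of alert messages."""
    alerts = defaultdict(list)
    for path, (owner, contents) in files.items():
        for pan in find_pans(contents):
            msg = f"{path}: unprotected card number {mask(pan)}"
            alerts[owner].append(msg)
            if owner in managers:
                alerts[managers[owner]].append(f"[cc {owner}] {msg}")
    return dict(alerts)

# Constructed sample data standing in for scanned files and an owner/manager lookup.
SAMPLE_FILES = {
    "finance/customers.csv": ("alice", "Bob Smith,4111 1111 1111 1111,12/26\n"),
    "hr/onboarding.txt": ("carol", "Badge 1234567890123456, phone +1 555 123 4567\n"),
    "sales/notes.txt": ("dave", "Card on file: 5500-0000-0000-0004\n"),
}
SAMPLE_MANAGERS = {"alice": "fin-lead", "dave": "sales-lead"}
```

Calling `build_alerts(SAMPLE_FILES, SAMPLE_MANAGERS)` yields alerts for alice, dave and their managers only; carol’s badge number fails the Luhn check and generates nothing, which is the false-positive filtering that keeps such alerts credible to staff.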
In the ideal security-aware company, employees are alert to threats and know how to react to suspicious activity. There should be a clear procedure on who to inform once a threat has been identified so that threats can be dealt with as swiftly as possible.
Start by changing the mindsets of employees by letting them know that security is everyone’s business, not just the tech nerds’.