We've offered a lot of security advice for those shopping online this holiday season. But what about the IT practitioners responsible for securing sites those customers are using?
This post is for them.
Here are some words of wisdom I've picked up from security pros over the years. Some of the advice may seem obvious. But as I said yesterday, repetitive advice tends to be necessary in this hyper-connected, fast-paced world of ours. The advice is also not new. They are points I've been collecting for the last decade. But it's timeless advice, all the same.
1: Make sure the security software is on
Ensure all systems that access the Internet are protected with anti-malware technology, specifically making sure browser security enhancements are configured and enabled in AV software.
2: Save users from themselves (otherwise known as awareness training)
Forget that employees are shopping on company time. The bigger problem is that they're doing it on company machines that online thieves are just itching to hijack. Since employees are going to do this anyway, they should at least be educated on how to do it safely. Awareness of the common techniques (phishing e-mails dressed up as shipping notices, look-alike shopping domains, "too good to be true" deals) and an understanding of how to identify malicious content can go a long way toward proactive prevention.
3: Monitor the networks
This may seem painfully obvious, but since warning signs tend to be missed and the breaches keep piling up, this one's worth repeating. Remember to review your logs.
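"Review your logs" is easier said than done at holiday traffic volumes, so the review has to be automated. The following is an added example, not code from the original post or from Akamai: it parses web-server access lines in the common combined format and flags any client that racks up a burst of failed requests against a sensitive endpoint (repeated 401s on a login form, repeated declines on a payment step) inside a sliding time window. The log lines, hosts, paths and the status codes the hypothetical shop returns are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic in combined log format. IPs are from documentation
# ranges, the paths and status codes are assumptions about a hypothetical shop.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Nov/2014:10:00:01 +0000] "GET /products HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2014:10:00:05 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2014:10:00:09 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2014:10:00:14 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2014:10:00:20 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2014:10:00:27 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2014:10:00:33 +0000] "POST /login HTTP/1.1" 200 1460 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Nov/2014:10:01:00 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Nov/2014:10:01:12 +0000] "POST /login HTTP/1.1" 200 1460 "-" "Mozilla/5.0"
192.0.2.5 - - [24/Nov/2014:10:00:00 +0000] "POST /checkout/pay HTTP/1.1" 402 240 "-" "curl/7.38"
192.0.2.5 - - [24/Nov/2014:10:05:00 +0000] "POST /checkout/pay HTTP/1.1" 402 240 "-" "curl/7.38"
192.0.2.5 - - [24/Nov/2014:10:10:00 +0000] "POST /checkout/pay HTTP/1.1" 402 240 "-" "curl/7.38"
192.0.2.5 - - [24/Nov/2014:10:15:00 +0000] "POST /checkout/pay HTTP/1.1" 402 240 "-" "curl/7.38"
192.0.2.5 - - [24/Nov/2014:10:20:00 +0000] "POST /checkout/pay HTTP/1.1" 402 240 "-" "curl/7.38"
this line is garbage and must be skipped, not crash the parser
"""

# Endpoints where a failed POST is worth counting (assumed for the example).
WATCHED = {"/login", "/checkout/pay"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_lines(text):
    """Turn raw combined-format lines into (timestamp, ip, method, path, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign lines are skipped, never fatal
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m["ip"], m["method"], m["path"], int(m["status"])))
    return events


def find_bursts(events, watched, threshold=5, window_seconds=60):
    """Flag (ip, path) pairs with >= threshold failed POSTs inside any window."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for ts, ip, method, path, status in events:
        # A 4xx on a watched endpoint is treated as one failed attempt.
        if path in watched and method == "POST" and 400 <= status < 500:
            failures[(ip, path)].append(ts)

    findings = []
    for (ip, path), times in failures.items():
        times.sort()
        start, peak = 0, 0
        # Two-pointer sliding window: advance `start` until the span fits.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"ip": ip, "path": path, "failures_in_window": peak})
    return findings


if __name__ == "__main__":
    for hit in find_bursts(parse_lines(SAMPLE_LOG), WATCHED):
        print(f"{hit['ip']} hammered {hit['path']}: "
              f"{hit['failures_in_window']} failures in one window")
```

Note what the window does: the first client fails five logins in 22 seconds and then succeeds, which is exactly the guess-then-win pattern you want a human to look at. The third client spreads its declines five minutes apart and slips under a 60-second window; widening the window to 30 minutes catches it, at the cost of more noise. The threshold and window are tuning knobs, not magic numbers, and the only way to set them is to look at your own logs first.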
4: Segment the networks
This is something companies have been advised to do for years as part of PCI compliance (see our list of public articles on Akamai security and compliance). The idea is to make sure the bad guys can't reach the goods even if they manage to break into another part of the network. Segmenting users from each other and from network assets means that when a breach does occur, the footprint exposed to malware, or to a live attacker, is limited to one segment. Treat user computers as untrusted devices: they should never sit on the same network as the systems that handle cardholder data.
Cracking down on employees who shop online with company machines has become especially difficult because they are doing it on mobile devices and laptops that are out of sight of office managers and, often, out of sight of IT. To that end, if employees are allowed to take corporate laptops home for personal use or to reach the corporate environment from mobile devices, ensure not only that VPN technology is installed and actually used, but also that some form of endpoint security validation or quarantined access is in place, so that a machine compromised at home cannot simply tunnel straight into the internal network.
6: Bad things in store for those who store
Another basic requirement of PCI security is that companies store as little cardholder data after a transaction as possible. The more that's stored, the more damage companies and customers can suffer at the hands of data thieves. Two specifics are worth spelling out: sensitive authentication data (the full magnetic-stripe track, the card verification code, the PIN) must never be stored after authorization, and any primary account number you do keep must be rendered unreadable, for example by truncating it to the first six and last four digits.
7: Encrypt it
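Stored cardholder data has a way of turning up where nobody intended it: in free-text order notes, support tickets and debug logs. The following is an added example, not code from the original post or from Akamai, of a scrub routine that takes an order record, drops the fields that must never be stored after authorization, finds primary account numbers hiding in string fields with a Luhn check, and truncates them to first-six/last-four. The record, field names and card numbers are constructed (the PANs are the well-known test numbers, and the 16-digit order id is there to show that a Luhn-failing number is left alone).

```python
import re

# Field names that hold sensitive authentication data and must never be kept
# after authorization. The names are assumptions about a hypothetical order schema.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample record; card numbers are published test numbers.
SAMPLE_ORDER = {
    "order_id": "2014112400001234",
    "cardholder": "Jane Doe",
    "card_number": "4111111111111111",
    "expiry": "12/16",
    "cvv": "123",
    "track2": ";4111111111111111=16121011000012340000?",
    "amount": 149.99,
    "notes": "Customer phoned, read card 5555 5555 5555 4444 over the phone; order 2014112400001234.",
}


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits):
    """Keep first six and last four digits; mask the rest (PCI DSS truncation)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text):
    """Replace every Luhn-valid PAN in text with its truncated form.

    Returns (redacted_text, number_of_pans_found). Digit runs that fail the
    Luhn check (order ids, tracking numbers) are left untouched.
    """
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        count += 1
        return truncate_pan(digits)

    return PAN_RE.sub(repl, text), count


def scrub_record(record):
    """Return (clean_record, report) with forbidden fields dropped and PANs truncated."""
    clean, dropped, pans = {}, [], 0
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            dropped.append(key)          # never persist this, whatever it contains
            continue
        if isinstance(value, str):
            value, n = redact_text(value)
            pans += n
        clean[key] = value               # non-string values pass through unchanged
    return clean, {"dropped_fields": dropped, "pans_truncated": pans}


if __name__ == "__main__":
    cleaned, report = scrub_record(SAMPLE_ORDER)
    print(report)
    for k, v in cleaned.items():
        print(f"{k}: {v}")
```

Run it before a record is written, not as a periodic clean-up afterwards: once a full PAN has landed in a database, a backup or a log shipper, it has to be treated as exposed. The Luhn filter cuts down false positives from order and tracking numbers but does not eliminate them, so anything the scrubber touches is worth sampling by hand.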
Verify that your card readers encrypt card data at the point of capture (point-to-point encryption), both to satisfy PCI requirements and, more importantly, to ensure the bad guys can't use what they steal from the terminal or the network behind it. On the web side, encryption will soon be easier than ever, with the unveiling last week of Let's Encrypt, a new Certificate Authority (CA) service designed to move organizations from cleartext HTTP to HTTPS over TLS at no cost and with automated certificate issuance. Keep the two straight, though: TLS protects the customer's data on its way to your site; it does nothing for data once it is stored, which is what the previous point is about.
8: Choose Akamai
This one is admittedly self-serving, but it's a fact that we protect our customers against all manner of threats. You can read more about that here.