the bottom LINE
It’s 2016...And PCI DSS Still Matters: Five Common Security Practices That Put a Campus at Risk

I have been fortunate to be able to work with hundreds of colleges, and I have seen several common practices that continue to pop up and can inadvertently compromise a campus' security posture. Version 3.0 of the PCI DSS emphasizes that PCI compliance should not be viewed as a one-time event but rather should be integrated into daily "business as usual" practices. My New Year's wish is that everyone takes this seriously, and to that end I suggest adopting the following five points as the basis for your information security program.

1. Security is a process and not an outcome
We tend to be process-oriented and use metrics to gauge the efficacy of a process or program. This is particularly true within the payment card industry, where success is often measured in increased transaction volumes, decreased authorization times, reduced chargebacks and so on. However, this mentality encourages a belief that all aspects can be objectively measured and that every task has a finite goal. Security is not about achieving an end state where we can say "We are now secure." Rather, because threats are constantly evolving, the objective in security should be an effective and continual process of evaluation and improvement; there is no easy answer.

We can be lulled into a belief that static controls are enough to prevent a breach. But security controls can introduce complexity and administrative friction, requiring a diligent effort to strike the appropriate balance between control and agility. Designing and enforcing an effective strategy is an ongoing evaluation of the complexity, policy, and operational impact of security measures. It is not enough to simply implement the PCI controls and believe you have all bases covered. Humans are creative and adaptive; if you lock the door, they may try the window. If you close the window, they may knock a hole in the wall. It is a constant effort to stay one step ahead of today's sophisticated adversaries and hackers.

2. Focus on security and not compliance
Despite constant reports warning of emerging threats, most decisions to invest in new security controls and protocols are still driven by audits. Too often we pursue security with a check-box mentality and measure our security by the number of requirements or standards with which we comply. Compliance with relevant standards (PCI DSS, HIPAA, GLBA, etc.) is important and necessary, and those standards can help develop usable frameworks and policies. However, compliance alone should never be considered the final answer on security. Nor should compliance be the measuring stick by which colleges and universities evaluate their security posture. You can pass an audit and still be vulnerable to an attack. An effective security strategy also needs real-time monitoring and security operations.

3. People management is key
Information leaks and security breaches are often related to human behavior. A firewall or intrusion detection system doesn't give up and go home. Generally speaking, technology does not fail; people fail. When data breaches occur, it is rarely because a firewall failed. It may be that the firewall was misconfigured, but while a firewall will never quit its job or get tired on a Friday afternoon, a firewall administrator could. It is effective management that enables a college to glean the most value from its security technology. This means that business officers need to ensure that appropriately trained people are implementing and managing the technology in a consistent, repeatable manner.

Most of the glaring gaps in security at both large and small campuses have little to do with technology and more to do with awareness. Public reports about a compromised network lead many people to believe it is always the work of highly technical attackers. But often it is an inadvertent human mistake that leaves doors wide open for adversaries to walk right in. With the click of a mouse, employees can unknowingly open the door to a campus network, leaving sensitive information exposed to criminals who are more sophisticated, targeted, and sinister than ever.

4. DO sweat the small things
Every organization must be proactive about the security of its data and networks, including all the various connection points through mobile devices and cloud applications. Constant vigilance is required, and every part of the IT infrastructure needs appropriate protection. However, the focus is often on the larger implementations and efforts while the seemingly small things that create gaps in security are ignored. For example, a large percentage of data breaches are still initiated by the tried-and-true social engineering tactic of spear phishing. Attacks can happen at any time and come from anywhere, without warning, each with the potential to compromise vital data or cripple important systems or applications.

5. It is about the mundane
The media often portray the information security profession as a fast-paced, exciting field where security professionals track hackers in real time. The truth is much different. Security is about consistently and repeatedly enforcing policies and procedures and standardizing processes to minimize errors. Effective security requires industry knowledge, expertise, and a lot of maintenance and management hours. It is this requirement to follow often mundane procedures that tempts security professionals to become complacent. Complacency creates security gaps. It is incumbent upon the organization to ensure that the security team does not lose sight of the objective and its focus. In fact, campuses serious about security make it an enterprise-wide priority. They formalize and enforce security policies, rather than simply seeking to ensure compliance with external standards. They prioritize employee education alongside technology deployment, and they build defenses into every layer of the network and every connection point.

Summary
Information security can be challenging, as it requires both consistency and adaptability. That is surely a difficult balance to achieve. However, as data breaches continue to take center stage in boardrooms, the media, and among regulators, achieving that balance is more important than ever. If the five points above could be distilled into one, admittedly clichéd, point, it would be that when we become complacent, we place our campuses and customers at risk. Maintaining a vigilant, adaptable approach to security can help reduce that risk.

Ron King is President of CampusGuard
(972) 964-8884
rking@campusguard.com