By Graeme Zwart, Head of Security
We shine a light on the ordinary, day-to-day work that helps make businesses more secure.
It’s unglamorous. It’s unsung. But business-as-usual, or BAU for short, is the bedrock of an effective security approach. This was brought home to me after a conversation with someone who worked at a large acquirer. He read post-breach forensic reports as part of his job.
He’d read hundreds of reports from investigators following card data security breaches. Only a handful — literally he could count them on the fingers of one hand — were so-called ‘sophisticated’ attacks. He had an almost grudging admiration for the ingenuity of the criminals on those occasions. The merchants had really been unlucky.
However, the vast majority of card security breaches did not involve custom-written malware or advanced persistent threats. There was nothing especially advanced or persistent about the attacks.
On the contrary, they exploited ordinary, everyday weaknesses. For example, using default passwords, not deploying anti-virus software on all systems, failing to test systems and processes regularly.
These are good, common-sense controls. But common sense is sometimes not that common. Just as business-as-usual security is not that usual. So, let’s look at this in a little more detail.
Start at the beginning and scope the activity. Decide on what regular tasks are necessary to help maintain a robust level of security for your particular business. This process will help identify any gaps or overlaps, plus set the tone of the activity internally.
Decide how frequently your business will do each BAU activity, e.g. daily, weekly, monthly, quarterly. The likelihood and impact of risks are different for each business, so tailor the frequency to match the risk appetite of your business.
Determine where these BAU activities must take place. Some may be head-office tasks. Others may be required across your store estate. If you trade overseas or via local language websites, remember to replicate the tasks in-country offices and stores.
Assign responsibility for each task, preferably to a named person with a back-up or escalation contact. Again, this will help identify any gaps or overlaps in accountability.
Establish the technology, policies and procedures for how BAU tasks are to be done. Moreover, review this as well as the four stages above regularly. The external threat landscape, as well as things within your own business, are constantly changing. Your BAU plan must reflect this.
I’ve made some general points about business as usual security. However at PXP Financial, we believe that each customer is different, so please complete the contact form below for a consultation on your payment data security needs.