When it comes to information security, there is no shortage of technology to protect our bank accounts, medical records, and other sensitive information.
We have passwords, biometrics, two-factor authentication, sandboxes, VPNs, intrusion prevention systems, encryption, and firewalls in our security arsenal. Yet too often these measures are rendered useless when a criminal sends an infected file to someone on your staff. If the staff member doesn't know what to look for, they could open the file and unknowingly execute malware or allow the sender to steal sensitive information. Cyber attack victims and IT professionals are often unaware of, and unprepared for, the clever, ever-changing tactics of resourceful criminals.
When you think about all the data a university collects and has access to – personal information, academic data, residence and payment information – you realize just how enormous a task it is to protect that data and ensure it is being used appropriately. Universities need controls around the systems they use to collect and store this information, and they need trained staff to manage those checkpoints and controls once they are in place. While humans will always make mistakes, risk can be reduced by implementing processes and technical controls around both the systems and the people who use them.
What we can do to stop cyber attacks
To combat this ongoing assault, people must be made aware of the criminal tactics used to steal sensitive company or customer information. The amount and variety of data a university interacts with requires staff to stay up to date on multiple standards, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS), to name a few. Organizations should hold workshops with employees and attend conferences to stay current on these regulations and on how to train their people to spot unusual activity. Let's take payments as an example, since that is our landscape.
To comply with PCI DSS Requirement 12.6, an organization must have a formal security awareness program in place that makes all personnel aware of the importance of cardholder data security. This awareness training must be delivered when new employees are hired and at least annually thereafter.
Cashiers, especially, must be attentive to their devices. Crooks have been known to add fraud devices, called skimmers, to Point-of-Sale (POS) hardware that can read and retrieve card data. Some even build their own fraudulent POS devices that look just like the real thing, then pose as repair technicians to install them on the devices of unwary cashiers or managers. Cashiers must be trained to identify such device tampering.
Using the technology at hand
But humans must also be sure to use the tools available to them. In our work, we often find security measures in our software and POS equipment haven't been activated, either due to lack of awareness or resources.
Preventing counterfeit (cloned) card fraud at the point of sale does not, by itself, protect cardholder data from theft. Encrypting that sensitive data as it passes from point to point within the payment network devalues it for potential thieves. A validated Point-to-Point Encryption (P2PE) solution does just that: it protects customer card data by encrypting it at the moment the customer swipes, dips, or taps their card.
Encryption takes place inside the card-reading device, before the data ever "leaves the box," and the data stays encrypted until it reaches the service provider. This means that even if a resourceful criminal were to compromise your point-of-sale station or the network behind it, they would not capture usable card data; instead they would have a useless collection of encrypted ones and zeros. Note the limit of that protection: a skimmer or a substituted reader captures the card before encryption happens, which is why the device-tampering checks described above still matter even with P2PE in place. For our customers who implement the full solution, P2PE goes one step further, not only reducing data breach opportunities but also lessening an organization's PCI compliance scope and the work associated with it.
Those with nefarious intentions will keep working to find new vulnerabilities, which means we must diligently continue to train, assess, and control our environments. If you have questions about securing the humans at your organization, please reach out to me or your TouchNet rep for advice on how to keep your school, students, parents, and their information safer from attacks.
Director, Information Security
Matt Dewell is the Director of Information Security for TouchNet. He started his TouchNet career in 2011 and is responsible for the security of corporate and customer data as well as compliance with internal, industry, and regulatory requirements. Prior to joining TouchNet, Matt worked in IT risk and advisory services at KPMG LLP, where he led and performed assessments and audits for clients across multiple industries. Matt has a bachelor’s degree in Computer Information Systems and a Master of Business Administration from Kansas State University. He also holds the following certifications: Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), PCI Internal Security Assessor (ISA), and Payment Card Industry Professional (PCIP).