Three Fundamentals of Data Security

People want to perform their jobs securely, but they don’t always know how.

February 17, 2014
KEYWORDS: cloud, data, mobile, security

Want to maintain the integrity of member data? Keep three key fundamentals in mind, advises Ryan Elkins, senior manager, information security, for Diebold, a CUNA Strategic Services alliance provider.

He and Credit Union Magazine Editor Walt Laskos recently discussed these fundamentals and how credit unions should evaluate their core competencies with regard to security.

CU Mag: I’ve been told that point-of-sale terminals costing $5,000 several years ago can now be replaced with pads and cloud access for around $100 per terminal. If costs have decreased to this extent, what’s preventing today’s payment solutions providers from adopting a more sophisticated standard?

Elkins: Cloud solutions are not going to slow down. Providers that can reach multiple customers with single services will have improved margins, allowing for investment into comprehensive security solutions around the services.

In today’s market, a cloud provider that invests heavily in a security program could quickly differentiate itself from competitors.

When it comes to cloud providers, most security organizations are resistant to going that route due to the fact that you are essentially handing the security of your data or systems to a third party. The providers are aware of this and have focused heavily on implementing visible security controls to offer the appropriate level of assurance to their customers.

Credit unions, small banks, and even retailers must begin evaluating their core competencies in regards to security. Determine which competencies can be accomplished in house and then engage in noncaptive solutions to address security gaps.

CU Mag: There is no one standard for mobile payments in the U.S. today. Instead, there is an array of payment options as providers continue to jockey to see whose standard will become the norm. How long will this pattern continue and when will it be resolved?

Elkins: This is a very exciting time in the mobile payment space. We are seeing growth and adoption with near field communication, quick response codes, biometrics, mobile wallets, and even digital currencies.

There will be pros and cons with each solution, and these new approaches will introduce new attack vectors.

We can’t lose sight of general standards and data protection requirements to serve as an agnostic foundation for the variety of mobile sensors. All of these technologies when implemented on mobile devices will still need to rely on a secure element.

CU Mag: How does Diebold address security throughout its various service platforms?

Elkins: The foundation and success of Diebold’s security program begins with the leadership support. Through this support, we have engrained security within the culture, our products, and our services.

The security team has representation during the initial research and development conversations, secure standards are incorporated throughout the software development lifecycle, and recurring assessments are performed against products, services, and internal systems.

We focus on understanding the threat landscapes, learning from publicized breach reports, and striving continuously to expand our preventive and detective control capabilities.

CU Mag: What are the top three fundamentals that CUs must keep in mind to preserve the integrity of member data?

Elkins: The top three fundamentals are just that—fundamental. They are the foundation for any security program that must supersede the implementation of high-performing technologies or robust programs.

First, focus on configuration management. In almost every breach that we have analyzed, somewhere along the line the attackers took advantage of default or weak passwords, misconfigurations, unused services, and/or reliable vulnerabilities.

Second, establish policies, procedures, and standards and share them with the groups responsible for systems. Security teams must be able to delegate security responsibility and be able to govern adherence to these policies, procedures, and standards.

Most people want to perform their job functions securely; they just do not always know what to do.

Third, implement a security awareness program for employees. Make security relevant to their personal and professional lives.

Provide insight and communications regarding phishing attacks, social engineering, mobile devices, and password security.

Create posters, deploy screensavers, and have tabletops in the cafeterias where employees can talk to security experts.

Transform your employees from your biggest security weakness to your biggest security strength.
