When it comes to compliance with security regulations, every retailer is doing just fine. At least that's what management, internal auditing and compliance officers will proclaim. Then it happens -- that big breach that's only supposed to hit other people. Just ask Target, Neiman Marcus and Michaels Stores. These breaches can hit pretty hard, even if they're on some seemingly unimportant set of point-of-sale systems.
You see, the thing with endpoint security is that all is well in enterprise IT until some ugly point-of-sale (POS) vulnerability or related end-user exploit takes them by surprise. I suspect these retailers, among other businesses affected in similar ways, had Payment Card Industry vulnerability scans that showed no sign of critical flaws. They probably adhered to well-known POS security best practices, and their compliance audits were squeaky-clean -- at least until they got hit.
We're headed in the wrong direction with information security, but it doesn't have to be that way. For years now, organizations have suffered from textbook security breaches, with hints of cleverness here and there.
Here's how it often happens: A criminal casts a wide net, finds some good opportunities to pursue and has little difficulty exploiting them because he knows that enterprise desktops, POS systems and other endpoints are basically wide open for attack.
Whether you're in retail, hospitality or a similar services business, the odds are not in your favor. Time management experts tell us that we need to focus on tasks with the highest payoff and that's exactly why criminal hackers focus on POS security. The high turnover rate in these industries makes things all the more difficult, even as the vulnerabilities seem obvious in hindsight.
Don't let history repeat itself. Here's what those charged with endpoint protection should learn from POS security breaches:
1. Remember that retail computers are just like any other endpoint. If a system is on the network and has an IP address or URL, then anything is fair game. Make sure that all these systems join enterprise desktops in falling within the scope of your endpoint security program. Don't forget standalone POS systems that connect directly to the Internet via old-fashioned dial-up or T1.
2. Know endpoint security risks. Sensitive information is processed and stored on POS systems, desktops, laptops and tablets. Corporate networks and data centers may be secure, but endpoints are typically where the greatest vulnerabilities lie. This is because of an enormous amount of missing third-party patches, weak passwords and end users downloading and sharing files. The only way to overcome these business risks is via periodic and consistent security testing.
More on endpoint security
Locking down enterprise desktops with Group Policy settings
Java and fileless malware threaten desktops
Healthcare provider takes desktop security prescription
Supercookies take a bite out of endpoint security
Physical and virtual desktop security just aren't the same
3. Adopt good technologies to enforce security policies. Many IT security policies aren't worth the paper they're printed on or the binders they're stuck in. Look past them and demand -- politely, of course -- the endpoint technologies you need such as whitelisting, data loss prevention, and even network-based content filtering and advanced malware protection. Simply removing local administrator rights and establishing a process for third-party patch management are worth a ton of resiliency. In my experience, however, it seems people struggle to implement such controls even if they are known to work.
4. You need an incident-response plan. Define what constitutes an incident and write out what you're going to do when the going gets tough. It's as simple as that and there's no excuse not to have one.
5. Everyone must be on board for endpoint and POS security to work. As a desktop admin, you're not going to be able to fix all of your enterprise security problems -- especially once you branch out to cash registers and similar POS systems in remote locations. But you do play an important role. Get on the radar of management and users, earn their respect and grow those relationships so you can get what the business needs most.
6. Never let your guard down. Many businesses that have been hit with data breaches have been victims multiple times. After the initial security breach, I'm guessing their scans kept turning up clean and they never really got any better. Complacency is one of IT's greatest enemies. Do what you can to continually improve desktop security, even if it means doing something as drastic as upgrading to the dreaded Windows 8 -- which really isn't all that bad and happens to be more secure than its predecessors.
Whatever you do, don't just sit there and wait for the next big breach to happen. It certainly will, but just let it be the other guy, but only because your endpoints are properly secured and not worth the trouble.