As businesses look to implement innovative new cloud services and support multiple platforms and devices, they are faced with the daunting task of maintaining security, data, privacy and the identities of the users and customers they support. Unfortunately, data loss incidents, misguided privacy policies, grievous data collection practices and ineffective planning and communication responses are becoming commonplace. We are at risk of becoming casualties in what is shaping up to be a never-ending war against cybercriminals, politically charged hacktivists, data thieves and data saboteurs. Online trust and user confidence are being lost daily. To help address these threats and protect the online ecosystem, the Online Trust Alliance is hosting its annual educational Forum in San Jose, October 1–4.
As the recent experiences of Zappos and others have proven, trust is an asset which takes a long time to build but a millisecond to lose. The level of trust or distrust impacts business and government efficiency, effectiveness and relevancy to those they serve. All too often, efforts to enhance and protect trust are an afterthought or a short-lived initiative.
New levels of sophisticated spear phishing and whaling, fueled by resilient botnets, social networking abuse and malicious advertising, are putting every business at risk. The impact is both direct and indirect. Employees of cloud service providers and critical infrastructure are increasingly being targeted, diverting resources which could be used to innovate or serve customers.
With this onslaught of threats it is imperative for both the private and public sectors to renew a commitment to implementing a security- and privacy-by-design discipline. While there is no silver bullet or absolute guarantee of protection, the following simple steps can reduce the risk of security issues by upwards of 80 percent:
- Implement comprehensive email authentication with BOTH SPF and DKIM for all domains and subdomains; incorporate authentication checks into all inbound email.
- Upgrade all users to the most current browsers, with integrated protection from phishing and drive-by downloads. Consider activating the browser's privacy controls and blocking tracking by unknown third-party sites.
- Support and publish a DMARC record (Domain-based Message Authentication, Reporting & Conformance), providing ISPs and receiving networks enhanced ability to block spoofed email.
- Review and test your server’s SSL implementation. Site scores less than 80 require immediate attention.
- Revisit your data collection and retention policies and your data encryption methods. The less data retained, the less data can be lost. As observed with the recent breach of Yahoo! Mail, data encryption has evolved significantly, and practices deployed just a few years ago are proving to be ineffective today. Data in use, in transit and at rest (archived) should all be encrypted.
- Continually test all client applications for known vulnerabilities. Consider tools such as Secunia’s PSI (Personal Software Inspector).
- Upgrade your site to Always-On SSL (AOSSL). AOSSL is a best practice to secure sensitive data, especially for users of public Wi-Fi hot spots. Criminals can snoop or “sidejack” cookies and data packets from unsuspecting users. Sidejacking allows hackers to intercept cookies (typically used to retain user-specific information such as username, password and session data) when they are transmitted without the protection of SSL encryption.
- Data Loss Incident Planning—develop, test and refresh data incident response plans. It is incumbent on all businesses to have a plan in place. Not only will this help minimize the impact of a breach; a plan with an effective communications and remediation strategy will also protect the trust and confidence of your users.
- Revalidate user access controls for both internal and external systems and services. Access should be limited and contained for business purposes based on employees’ roles. Ensure processes are in place to revoke user privileges with vendors and service providers upon termination and/or job change.
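The SPF and DMARC items above can be checked against a domain's published TXT records. The following is an added example, not code from the article or from the Online Trust Alliance: it parses SPF, DKIM and DMARC records and reports the weak settings a receiver would notice (a soft-fail or missing `all` term, a revoked DKIM key, a monitor-only DMARC policy). The records below are constructed samples; in practice you would fetch the real ones with a DNS library such as dnspython and pass them to `assess_domain()`.

```python
"""Assess a domain's email-authentication TXT records offline (added example)."""
import re

# Constructed sample records (not real domains' data): one domain with a
# soft-fail SPF and a monitor-only DMARC policy, one with a strict setup but a
# revoked DKIM key. The DKIM p= value is a placeholder, not a real key.
SAMPLE_RECORDS = {
    "example.com": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net ~all",
        "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64PUBLICKEY",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    },
    "example.org": {
        "spf": "v=spf1 mx -all",
        "dkim": "v=DKIM1; k=rsa; p=",  # empty p= means the selector's key is revoked
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:agg@example.org; ruf=mailto:fail@example.org",
    },
}

# qualifier, mechanism name, optional argument (after ':' or '/')
SPF_TERM = re.compile(r"^([+\-~?])?(all|include|a|mx|ip4|ip6|exists|ptr)(?:[:/](.*))?$", re.I)


def parse_spf(record):
    """Split an SPF record into mechanisms and modifiers; None if it is not SPF.

    'all' holds the qualifier applied to unlisted senders: '-' hard fail,
    '~' soft fail, '?' neutral, '+' pass. 'lookups' counts the DNS-querying
    terms, which RFC 7208 caps at 10.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = {"mechanisms": [], "modifiers": {}, "all": None, "lookups": 0}
    for term in terms[1:]:
        if "=" in term and not term.lower().startswith(("ip4:", "ip6:")):
            key, _, value = term.partition("=")  # modifier such as redirect= or exp=
            parsed["modifiers"][key.lower()] = value
            if key.lower() == "redirect":
                parsed["lookups"] += 1
            continue
        m = SPF_TERM.match(term)
        if not m:
            raise ValueError(f"unknown SPF term: {term}")
        qualifier, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name == "all":
            parsed["all"] = qualifier
        else:
            parsed["mechanisms"].append((qualifier, name, arg))
            if name in ("include", "a", "mx", "exists", "ptr"):
                parsed["lookups"] += 1
    return parsed


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DKIM and DMARC share this syntax)."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field}")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(records):
    """Return a list of findings for one domain's spf/dkim/dmarc record strings."""
    findings = []
    spf = parse_spf(records.get("spf", ""))
    if spf is None:
        findings.append("SPF: no record; receivers cannot tell which hosts may send as this domain")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF: no restrictive 'all' term; unlisted senders are not rejected")
        elif spf["all"] == "~":
            findings.append("SPF: soft fail (~all); spoofed mail is flagged, not rejected")
        if spf["lookups"] > 10:
            findings.append("SPF: more than 10 DNS-querying terms; receivers return permerror")
    dkim_raw = records.get("dkim")
    if not dkim_raw:
        findings.append("DKIM: no selector record published")
    elif not parse_tags(dkim_raw).get("p"):
        findings.append("DKIM: empty p= tag; the key is revoked and signatures will not verify")
    dmarc_raw = records.get("dmarc")
    if not dmarc_raw:
        findings.append("DMARC: no record; SPF/DKIM failures carry no policy for receivers")
    else:
        dmarc = parse_tags(dmarc_raw)
        if dmarc.get("v", "").upper() != "DMARC1":
            findings.append("DMARC: record does not start with v=DMARC1")
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address; you will receive no aggregate reports")
        if policy != "none" and int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC: policy applied to only {dmarc['pct']}% of failing mail")
    return findings


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, assess_domain(recs) or ["no findings"])
```

The check deliberately treats `p=none` as a finding even though it is a valid first step: the article's point is that a DMARC record only gives receivers the "enhanced ability to block spoofed email" once the policy is quarantine or reject, and the `rua=` check is there because the aggregate reports are what tell you when it is safe to move to enforcement.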
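The Always-On SSL item describes sidejacking of session cookies sent in the clear. As an added example (not the article's code), the script below inspects a response's headers for the three things that keep a session cookie off an unencrypted connection: the page being served over TLS, a `Strict-Transport-Security` header so later requests are not downgraded, and `Secure` and `HttpOnly` attributes on every `Set-Cookie`. The two responses are constructed samples showing a weak configuration beside a hardened one; the function name `check_response` and the `served_over_tls` flag are this example's own.

```python
"""Check a response for cookie and transport settings that defeat sidejacking (added example)."""

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_response(raw):
    """Split a raw status line plus headers into (status_line, [(name, value), ...]).

    Header names are lower-cased so comparisons are case-insensitive.
    """
    lines = raw.strip().splitlines()
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_flags(set_cookie):
    """Return the cookie name and the set of attribute names on a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:] if p}
    return name, attrs


def check_response(raw, served_over_tls):
    """Return findings describing how a cookie in this response could be captured."""
    findings = []
    _, headers = parse_response(raw)
    has_hsts = any(n == "strict-transport-security" for n, _ in headers)
    if not served_over_tls:
        findings.append("page served over plain HTTP; cookies and form data are readable on shared Wi-Fi")
    elif not has_hsts:
        findings.append("no Strict-Transport-Security header; a later plain-HTTP request is still possible")
    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = cookie_flags(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure; a browser will also send it over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly; script in the page can read it")
    return findings


if __name__ == "__main__":
    print("weak over HTTP:", check_response(WEAK_RESPONSE, served_over_tls=False))
    print("hardened over TLS:", check_response(HARDENED_RESPONSE, served_over_tls=True))
```

Moving a site to AOSSL is the first step; the `Secure` attribute is what stops a browser from re-sending the same cookie when an attacker or a stray link induces a plain-HTTP request, and HSTS removes that request altogether for browsers that have seen the header.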
To learn how to implement these and other best practices, attend the upcoming OTA Online Trust Forum in San Jose, Oct 1-4. Over 50 speakers, 25 sessions and compelling full-day trainings on email authentication/DMARC, Mobile Security & Privacy, and botnets. Save 25 percent by registering by September 20 with code mnews25.
About Craig Spiezle
Craig Spiezle is the executive director and president of the Online Trust Alliance, and is recognized as an advocate for consumer trust, brand protection and the need for innovation. Spiezle serves on the Board of the Identity Theft Council, and is an active member of APWG, IAPP and InfraGard. He will be chairing the Seventh Annual Online Trust Forum this fall, Oct. 1-4, 2012, in San Jose. For more information visit: https://otalliance.org/forum.html. To reach Craig Spiezle directly, contact him at [email protected].