Multi-Layered Security: Ten important steps to protect your business data
At this January’s International Cinema Technology Association (ICTA) Los Angeles Seminar Series, one of the most eye-opening sessions was a panel discussion on “The Networked Cinema.” In our increasingly technologically interconnected and networked world, a key issue in the discussion of any networked system is always cyber-security and the challenges it poses for exhibitors. The financial, operational and reputational damage from a data breach can be enormous and can imperil the very existence of a breached organization. As the fully networked cinema becomes a reality, exhibitors need to know the facts, and how to best protect their theatre operations.
In the world of cyber-criminals, if you connect it to the Internet, you can count on someone trying to hack and steal it. If what you put on the Internet or allow to be accessed via the Internet has value, someone will invest the time and effort to steal it, if for no other reason than for the pure challenge of doing so. Even if what’s stolen doesn’t have immediate value to the thief, odds are buyers can be easily found for it—usually on the dark web—despite the price paid for the stolen data being a tiny proportion of its worth to the victim. So if you’re unwilling to spend a small fraction of what those assets are worth to secure them against hackers, you can expect to eventually have those assets stolen or corrupted. (The dark web is part of the 96% of all pages on the Internet that standard “consumer” Internet browsers like Explorer, Google and Chrome cannot access. Those browsers can only find a meager 4% of what’s actually on the web, literally only the tiny tip of an enormous iceberg. The dark web is home to the vast majority of the Internet’s more nefarious activities, marketplaces and transactions.)
What’s a cinema owner to do? The consensus among the panelists at the ICTA session was to implement as many safeguards as possible while constantly monitoring your assets, procedures, employees and vendors with access to your systems and ensuring that all technology is kept updated with the latest patches and versions. Which safeguards? Here are the Big 10:
1. Payment Card Industry Data Security Standard (PCI DSS)
Quick Service Restaurant magazine recently noted that “the security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches, because the loss is greater than the data itself.”
The PCI DSS helps you protect your data by setting operational and technical requirements for businesses that accept credit card payments, and for software developers and manufacturers of applications and devices used in those transactions. PCI compliance is required by all of the card brands (Visa, etc.) for any merchant that accepts credit or debit cards; no merchant, regardless of size or volume or type of business, is exempt.
2. Encryption
Encryption protects data in motion—while it’s being transmitted. Data is entered at the point-of-sale terminal and before it’s stored or transmitted it is transformed into an unreadable code of numbers, letters and symbols that can only become readable again with a special key.
3. Tokenization
Tokenization protects data at rest—while it’s sitting in your computer or software. After authorization, a unique token ID is returned to your credit card terminal or software, replacing sensitive payment data. The token is useless to data thieves and cannot be used for fraudulent purposes. It lets you perform follow-up transactions (voids, adjustments, recurring payments) and is seamless to your business. Apple Pay is an example of a popular payment solution that uses tokens.
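The tokenization flow described above, as an added example that is not code from the original article or from any payment processor: a stand-in processor vault hands the point-of-sale system a random token, follow-up transactions (a void here) are submitted by token only, and a simulated copy of the POS records shows that no card number is recoverable from what the cinema stores. The vault, POS class and sample test card number are all constructed for this example.

```python
import re
import secrets
import string

# Constructed test card number (a published Visa test PAN, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Luhn check digit test, which every genuine PAN passes."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Stand-in for the processor's token vault (an assumption for this example):
    after authorization it is the only place the real PAN exists."""

    def __init__(self):
        self._pan_by_token = {}

    def authorize(self, pan: str, amount_cents: int) -> str:
        if not luhn_valid(pan):
            raise ValueError("malformed PAN")
        # Random letters only: no key and no arithmetic lead back to the PAN.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._pan_by_token[token] = pan
        return token

    def follow_up(self, token: str, kind: str, amount_cents: int) -> bool:
        """Void, adjustment or recurring charge submitted with the token only."""
        return token in self._pan_by_token


class BoxOfficePOS:
    """What the cinema keeps at rest: the token and last four digits, never the PAN."""

    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.records = []

    def sale(self, pan: str, amount_cents: int) -> str:
        token = self.vault.authorize(pan, amount_cents)
        self.records.append({"token": token, "last4": pan[-4:], "cents": amount_cents})
        return token

    def void(self, token: str) -> bool:
        return self.vault.follow_up(token, "void", 0)


def stolen_dump_contains_pan(pos: BoxOfficePOS, pan: str) -> bool:
    """Simulates a thief copying the POS records: is any PAN-length digit run in there?"""
    dump = str(pos.records)
    return pan in dump or bool(re.search(r"\d{13,19}", dump))
```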
4. EMV
EMV (EuroPay-MasterCard-Visa) consists of a small computer chip embedded in most credit cards that generates a one-time use code (a token) for each transaction. The code is different for every transaction and cannot be used to create counterfeit (cloned) cards because the card-issuing bank can verify whether the code is correct. The payment industry is working to speed up the transaction time for chip transactions. At present, no payments industry, PCI, local, state or federal laws or regulations require processing transactions via EMV chips, but increasing numbers of merchants are adopting the technology in an attempt to stem the tide of counterfeit cards and protect themselves from related chargebacks.
5. Smart Passwords
Do you use default passwords that came with your device or software, or ones like qwerty, 12345, password, passw0rd, or the name of your child or pet? Then you’re easy pickings for hackers. While most apps and software don’t require complex passwords, hackers have programs with algorithms that can search the entire Webster’s Dictionary in mere seconds to find possible passwords. So your answer is to get smart and use smart passwords!
* Pick your favorite phrase and then “corrupt it” with numbers and symbols instead of letters so the words can’t be found in a dictionary. For example, replace “I shall use strong passwords” with “i5ha@!!u53$trOngp@$$wOrdz!”
* Don’t re-use a password for at least a year, and don’t use a published example of a good password (create your own), the same password for multiple accounts, a password containing personal information (name, birth date, etc.), dictionary words, keyboard patterns (QWERTY), sequential numbers (12345) or repeating characters (222TT).
* Don’t make your password all numbers, all uppercase letters or all lowercase letters—mix it up!
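The password rules listed above, turned into a checker as an added example (not code from the original article): it flags default passwords, dictionary words, keyboard patterns, sequential runs, repeated characters, personal information and a lack of character mix, and passes the article's corrupted-phrase example. The word list is a constructed stand-in for a full dictionary, and the 12-character minimum is an assumption not stated on the page.

```python
import re

# Constructed mini word list standing in for "the entire Webster's Dictionary";
# a real deployment would load a full list (assumption, not from the page).
DICTIONARY = {"password", "shall", "strong", "cinema", "ticket", "admin", "welcome"}
DEFAULTS = {"admin", "password", "passw0rd", "changeme", "qwerty", "12345"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_sequential(run: str) -> bool:
    """True for a straight ascending or descending run such as 12345 or edcba."""
    deltas = {ord(b) - ord(a) for a, b in zip(run, run[1:])}
    return len(run) >= 4 and deltas in ({1}, {-1})


def has_keyboard_pattern(pw: str, n: int = 4) -> bool:
    """Any n adjacent keys from one keyboard row, typed in either direction."""
    low = pw.lower()
    frags = (row[i:i + n] for row in KEYBOARD_ROWS for i in range(len(row) - n + 1))
    return any(f in low or f[::-1] in low for f in frags)


def dictionary_words(pw: str) -> list[str]:
    """Dictionary words (4+ letters) still readable inside the password."""
    low = pw.lower()
    return sorted(w for w in DICTIONARY if len(w) >= 4 and w in low)


def check_password(pw: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if pw.lower() in DEFAULTS:
        problems.append("default or common password")
    classes = sum(re.search(p, pw) is not None for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        problems.append("fewer than three character classes (mix it up)")
    words = dictionary_words(pw)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    if has_keyboard_pattern(pw):
        problems.append("contains keyboard pattern")
    if any(is_sequential(pw[i:i + 5]) for i in range(len(pw) - 4)):
        problems.append("contains sequential run")
    if re.search(r"(.)\1{2,}", pw):  # three or more of the same character in a row
        problems.append("contains repeated characters")
    for item in personal:  # e.g. the names and dates the article warns against
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal information ({item})")
    return problems
```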
6. Two-Factor Authentication
Two-factor authentication (2FA) adds a second level of authentication to an account log-in. A username and password together are single-factor authentication, whereas 2FA requires the user to present two of the three types of credentials—something you know, such as a PIN, password or pattern; something you have, such as an ATM card, phone or key fob; and something you are, such as a biometric like a fingerprint, voice print or retinal scan—before being able to access an account.
7. IT Infrastructure
It is vital to make sure all parts of your IT infrastructure have the latest patches and versions, that credit card payment functions are isolated on a dedicated server, and IT activity is monitored by skilled IT professionals who can detect unusual activity or threats and react quickly to protect your systems. These days, every business really needs to employ or at least have access to (and use) one or more IT professionals with cyber-security training.
8. Networked Vendor Compliance
The now-infamous Target breach of 2013 occurred when hackers discovered that all of Target’s stores used a common HVAC contractor to monitor their systems. E-mails to the contractor’s employees inviting them to open a seemingly innocuous attachment resulted in malware infecting the contractor’s IT system when one or more of the employees opened the attachment. Then, after a few more steps, the hackers were able to collect credit card numbers, PINs, CVV codes and expiration dates in real time, continuously, for many months until the breach was detected. (On average, it takes about 10 months before breaches are detected.) The lesson here is that not only do your systems and procedures need to be secure, but those of your networked vendors do as well. So if a vendor can access your NOC, box-office POS system or any other networked device or program, that’s a potential entry point and weak link in your protective chain that needs to be addressed.
Be aware of what data you’re storing that could possibly be of value to someone and take steps to protect and monitor the parts of your system housing that data against unusual or suspicious activity. Get rid of stored data if it’s really not necessary to keep. Monitor access to your systems and limit that access on a need-to-know basis. Determine where sensitive data resides, who is accessing which files, when files were read or changed, and whether there are any anomalous user activity patterns.
As soon as questionable activity or programs are detected on your system, immediately take steps to stop the activity, secure the system and preserve the evidence. Work to protect your system against disgruntled employees, data theft, crypto/malware attacks, human error, data loss/destruction and wasted resources.
Remember that no one safeguard is adequate by itself. Cyber-criminals have many tools at their disposal to undo your security measures, but like a home burglar, they’re less likely to pursue your systems if they find simpler, less protected cyber-prey. The best course of action is to use multiple layers of defense, keeping them constantly updated and systematically monitoring them for anomalies.
* Over 4,000 cyber attacks occur daily.
* 80% of card data compromises occur in small businesses with fewer than 250 employees.
* 60% of those breached small businesses go out of business within six months of the breach.
* 72% of breaches involved firewalls that were not up to security standards or were improperly configured; 63% involved weak, default or stolen passwords; and 61% of breached businesses didn’t have effective antivirus software.
* 30% of “phishing” messages were opened last year, 12% of the targets clicked on the malicious attachment or link, and half of those did so within an hour of receiving the e-mail.
* 76% of Americans say they would stop doing business with a company following a data breach.
* It takes an average 283 days to detect a security breach.
(Sources: Department of Homeland Security, 2016 Verizon DBIR, Ponemon Institute, PCI Security Standards Council, Digital Transactions, March 2016)
Wynn J. Salisch, CCM, ETA CPP, MBKS, is an educator, merchant advocate, payments broker and former exhibitor with over 50 years of experience in the entertainment and payments industries. He is currently the chairman and CEO of Casablanca Ventures. A certified payments professional of the Electronic Transactions Association and a partner on the U.S. Secret Service Electronic Crimes Task Force, he teaches payments cost control and data security for companies and organizations nationwide to help them reduce their costs, protect their data and adopt best practices. He may be reached at firstname.lastname@example.org.
Mark Mayfield is director of global cinema marketing for QSC, LLC, and an experienced cinema audio professional. He also serves on the board of directors of the International Cinema Technology Association (ICTA). He may be reached at email@example.com.