I mentioned in a previous blog that all of us can learn from the massive retail data breaches that were announced during the holidays, and we should be using the knowledge as a tool to strengthen protection of our own data. We’re finding out more about these digital heists all the time.
A big disclosure came in a recent news story about how the bad guys penetrated a retailer’s security. The story said the remote access credentials from a vendor – who had nothing to do with credit card processing – were stolen and used to access the retailer’s systems.
As I have written previously, remote access is a great tool for business owners and managers to use, because it allows someone at an alternative location to handle some of the routine processes we all have in our business lives. Sometimes we use it to conduct business from home during off hours (meaning we don’t have to drive to the shop in the middle of the night when we finally get around to working on the month-end reports) or we allow trusted vendors/partners to access our systems for support reasons. Usually these support situations are handled more quickly and “cheaply” by allowing the vendor to perform a task digitally instead of being physically onsite during normal business hours.
However, anyone who is creating a remote access situation (for himself or for a vendor) should be thinking about how, when, why and where this access will be used. You don’t give vendors keys to the front door of your business or give them the ability to sign a check drawn on your company account. But with remote access, you may well be doing those things digitally.
If you allow remote access, you need to break the conversation about this access into small “bites”:
– How? What software will you use for access? Do you require a user name and password? Do those credentials require multi-factor authentication?
– When? Do you limit access to previously scheduled times or is the remote access always turned on?
– Why? Always ask yourself, why does this person need access? Is there an alternative way to provide the information without giving him the “keys” to the building and its systems?
– Where? Will you allow him to access your systems from anywhere? Should you only allow access from that person’s office?
If the published news reports about the data thefts are correct, the answers to some of these questions might have prevented the breaches.
One of the easiest ways to gain knowledge about these situations is to watch how banks and brokerage houses handle these types of questions.
Clearly, as consumers we are demanding remote access to financial institutions’ computer systems for the ability to check a balance, transfer funds between accounts, pay bills or print statements – so the “why” is covered.
As for the “when,” we as customers are demanding 24-hour access.
But the “where” and “how” are examples of how these providers are attempting to protect themselves and us (their customers).
I have login credentials that require a code number each time I log in from a “new” computer. This code number is emailed to my email account on file when I attempt to use an unknown (therefore untrusted) computer. If someone steals my credentials and tries to access my account from a different computer, I will get an email with the code number, which alerts me to a potential problem.
As for the “how,” I have made a conscious choice not to use my login credentials if I am on an unknown computer or on a public network. Most of us have smart phones today and most of those smart phones can be made into a “hotspot.” Assuming that I need my computer to log in, I use my hotspot as the conduit to the Internet, not the local coffee shop’s or hotel’s free Wi-Fi. In some cases, I use a smart phone app that was provided by the financial institution.
If you have vendors or employees asking for remote access, you need to spend the time to think about all of these items before digitally handing over the keys to the building and its sensitive systems. It pays to be vigilant.
(Note: Michigan Retailers Association provides $100,000 in data breach protection, automatically, to all businesses that process through MRA. It’s another valuable benefit of partnering with MRA.)
John Mayleben CPP is Michigan Retailers Association senior vice president, technology and product development, and a national expert on electronic payment processing. He was the first person in Michigan and among the first in the nation to receive the Certified Payments Professional designation from the Electronic Transactions Association.