BreachExchange mailing list archives

How your company can avoid Sally Beauty's multiple security breach issues


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 May 2015 13:18:55 -0600

http://www.examiner.com/article/how-your-company-can-avoid-sally-beauty-s-multiple-security-breach-issues

The security vulnerabilities a business faces are usually in four areas:
information technology, employees, the building, and intellectual property.
In Sally’s case, these issues are compounded by a sprawling network of 3,500
stores in 11 countries. Unfortunately for Sally Beauty customers, failings
in security have led to two breaches: one in March 2014 and the most
recent in May of this year. The company has stated that customer credit
and debit card information was accessed both times, but the extent of the
breach has yet to be released.

Insecure operations leave your company open to losing valuable intellectual
and tangible property. You may also find yourself losing customers, as most
people would rather do business with a company that can ensure the privacy
and protection of their information. Here are four factors that may
have led to Sally Beauty Supply’s multiple security breaches – and how your
company can avoid them.

Assessing Information Technology Security
The first area of operations security that you need to evaluate is IT and
electronic communications. This is most likely where Sally Beauty went wrong.
Much of this part of the assessment requires the help of a knowledgeable IT
professional, but at the most basic level it means ensuring that antivirus
software, firewalls, and applications such as Flash and Java are up to date.

Once you’ve covered the essentials, you need to start looking at the
security of your company’s website, as well as the internal network and
databases. This is where you need to enlist the help of an IT professional
who can identify vulnerabilities in your systems, especially in any
e-commerce activities that require customers to provide personal or
financial information. They can then make sure those vulnerabilities are
properly patched to avoid exposing your business -- and your customers -- to
hackers and thieves.

You also need to determine whether your current passwords are secure.
Routers and other devices or programs that ship with a default password
such as “admin” should have it replaced with something unique. Likewise,
check for any security keys or credentials that were created by a
representative or technician of the company that sold you the application
or device, and change them to something known only to members of your
organization.
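The checks described above can be run mechanically against an asset register. The following is an added example, not code from the original article or from Sally Beauty: it audits a constructed credential inventory for three of the problems the text names, factory default credentials, credentials that a vendor or installer set and that were never replaced, and one password shared across many devices. The inventory, the field names (`asset`, `user`, `password`, `set_by`) and the short default-credential list are all assumptions made for illustration; a real audit would draw on a fuller list of known defaults.

```python
"""
Added example: audit a device/application credential inventory for
vendor defaults, installer-set secrets and password reuse.

Everything below is constructed for illustration and is not taken
from the article or from any real asset register.
"""
from collections import defaultdict

# Constructed sample of well-known factory defaults as (username, password).
# A production audit would use a much larger list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("cisco", "cisco"),
}

# Constructed inventory, as an asset register might export it. "set_by"
# records who created the credential that is currently in use; "installer"
# stands for a vendor representative or technician.
INVENTORY = [
    {"asset": "branch-router-01", "user": "admin", "password": "admin",
     "set_by": "installer"},
    {"asset": "pos-register-07", "user": "pos", "password": "Welcome2015!",
     "set_by": "installer"},
    {"asset": "pos-register-08", "user": "pos", "password": "Welcome2015!",
     "set_by": "installer"},
    {"asset": "pos-register-09", "user": "pos", "password": "Welcome2015!",
     "set_by": "installer"},
    {"asset": "backoffice-db", "user": "dba", "password": "k7#Qz!p9Lm2vXr4s",
     "set_by": "it-staff"},
]

# Flag any password that appears on this many assets or more.
REUSE_THRESHOLD = 2


def audit(inventory, defaults=DEFAULT_CREDENTIALS,
          reuse_threshold=REUSE_THRESHOLD):
    """Return a list of (asset, finding) tuples for the given inventory."""
    findings = []
    assets_by_password = defaultdict(list)

    for entry in inventory:
        asset = entry["asset"]
        if (entry["user"], entry["password"]) in defaults:
            findings.append((asset, "factory default credential"))
        if entry.get("set_by") == "installer":
            findings.append((asset, "credential set by vendor/installer"))
        assets_by_password[entry["password"]].append(asset)

    # A secret that several assets share is only as safe as the least
    # protected of them, and cannot be rotated for one without the others.
    for assets in assets_by_password.values():
        if len(assets) >= reuse_threshold:
            for asset in assets:
                findings.append(
                    (asset, f"password shared with {len(assets) - 1} other asset(s)"))
    return findings


def affected_assets(findings):
    """Sorted, de-duplicated list of assets with at least one finding."""
    return sorted({asset for asset, _ in findings})


if __name__ == "__main__":
    for asset, finding in audit(INVENTORY):
        print(f"{asset}: {finding}")
```

The same loop extends naturally to the offboarding case mentioned later in the article: adding a `last_rotated` date to each entry and flagging credentials older than the departure date of anyone who knew them.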

Finally, evaluate the procedure the company uses to get rid of old
computers. If you’re not taking the time to permanently erase or destroy
the hard drives, someone could easily dig them out of the trash and run off
with the brains of your business.

Assessing Employee Security
Employees are one of the weakest points in a company’s operational security,
as they are the ones who work with most of the sensitive information every
day. Sally’s security breaches may have come at the hands of cashiers who
collected credit and debit card information with hand-held skimming devices
or by accessing the information from the register.

Evaluating this area starts with assessing the process by which you hire
workers. Background checks are a must for positions that require access to
the business’s financials or other important documents. Consult with an
attorney to reassess any non-disclosure or non-compete documents you make
new employees sign and ensure they fully protect the company. You should
also change position-specific passwords when an employee leaves to ensure
they cannot continue to access sensitive material once the working
relationship ends.

Make sure you’re keeping account of things like company-provided mobile
devices and put standard operating procedures in place for handling lost or
stolen electronics. Evaluate the measures that are in place to monitor
employee computer use and perform regular checks of email and social media
communications to head off leaks.

Assessing Building Security
No operation can be fully secure if the building it’s housed in is vulnerable.
Since Sally has over 3,000 stores, it’s very possible that thieves broke in
and stole computers or other equipment that contained sensitive customer
information.

Beyond fundamentals like making sure all doors and windows have working
locks, you need to gauge the effectiveness of your security system. Check
for blind spots in camera views or vulnerabilities in the alarm system,
such as weak passwords or visible wires that can easily be cut by thieves.

The question of who has access to the keys is another facet of building
security. Master keys should only be in the hands of security staff and
essential or high-ranking personnel, while regular employees need only the
keys to the areas in which they work. You should also keep a record of how
many keys exist and exactly who has copies. If you haven’t already done so,
you may want to look into the feasibility and necessity of key cards or
other electronic means of access.

Assessing Intellectual Property Security
The most valuable asset a business has is its ideas, but this area is often
one of the most under-protected. It’s unlikely that Sally was a victim of
intellectual property theft, but it’s still an important consideration for
businesses. Make sure all patents, trademarks and copyrights are in force
and up to date. Check the duration of each registration and renew any that
have lapsed. This protects you from other people claiming – and making
money from – your ideas.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
