Michael Fimin is CEO and Co-founder of Netwrix Corporation, developer of IT infrastructure visibility solutions for midsize to large enterprises. Fimin brings more than a decade of IT industry experience, including at Aelita Software (later acquired by Quest Software), where he drove the company’s top-selling security and compliance product.
UnboundID: Trump’s hotel chain is one of the latest large corporations undergoing investigation for a data breach. Are retail and hospitality business practices changing to adapt to these ongoing threats?
Fimin: I would say that online retailers are probably the most secure today. Retailers are trying to take more steps to protect customer data, and of course PCI compliance is huge for them. If they screw that up they can lose their ability to take cards. So, most retailers are using many tactics: traditional tools like firewalls and antivirus but also the whole gamut of monitoring systems, database encryption, and new security solutions based on user activity analytics and machine learning.
Beyond technology, there is much to be done on the people and process side. Recently, I was at the RSA Conference and one of the greatest threats discussed was the human factor. It’s all about educating users and making sure that privileged users who maintain the IT infrastructure are using the latest best practices, such as using tools that deliver visibility into the entire IT infrastructure and deliver anomaly detection. Simple things like writing passwords on sticky notes or on the back of keyboards are still happening on a regular basis. A small mistake of improperly sharing a password can instigate an enormous data breach, ruining all of a company’s efforts on the technology side. If you can teach employees one thing, it’s that their logins are just like their Social Security number. You don’t share it with anyone else.
UnboundID: Are there any consumer sectors that are behind today on security?
Fimin: I think the restaurant industry is still the most insecure. Restaurants have POS terminals everywhere, which are easily accessible by almost anyone. Large restaurant chains also have so many locations, which equates to a lot of staff taking credit cards from customers and swiping them on machines in public areas every day. If you know what you’re doing, it’s very easy to steal the data. Hackers can even use sniffing technology to capture wireless traffic that is running through the wireless devices that restaurant employees are using on the floor. In comparison, at the typical retail store, you have checkout registers that are always staffed and locked if no one is around. So restaurants can perhaps do two things: if they can create more secure payment terminals and simplify the interface so that even the most basic user, someone without much technology background, could use them securely, that would help a lot. As well, restaurants should use auditing and monitoring software so that they can track employee actions from the time that they clock in and every action they make with the POS systems. This allows the restaurant to look back at the user level to research a breach by discovering what occurred, when and where, or to look into some suspicious activity.
UnboundID: What about consumers, what do they need to be doing or looking for in their merchants, to be more secure?
Fimin: Always be mindful of the fact that whenever you share your data, you are putting your data in the hands of a third party. If you don’t have to share your data, don’t do it. With online retailers of course, you do have to share a lot more data to complete a transaction. And ironically, a small retailer might be safer. If you do business with a very small mom-and-pop retailer, they likely won’t be a target for hackers, even though they may have less security in place to protect your data. Finally, I would use identity protection services like LifeLock. That way you can get an alert when there’s suspicious activity with any credit card or bank account that you have registered. Consumer banks are also doing a better job all the time at theft and fraud detection.