Data Policies and Procedures Increase Security
The information assets of a retail business remain a desirable target for computer criminals. The compromise of assets such as customer credit card numbers or contact information can seriously damage the reputation of any business. Small retailers can’t dedicate the same amount of resources to protecting the integrity of their company’s computer systems as large enterprises can. However, with good operating procedures and policies, you can help to prevent many situations that could leave your company vulnerable to having your data compromised.

Update Protective Software

Threats to computer systems continue to evolve. Remaining pro-active with updating the software your company uses to protect from attack is a crucial way of reducing such threats. But just as evolving threats can dictate active updates to software, they can also create new vulnerabilities regarding the way your company implements computer security procedures.

Emerging trends such as social networking have also encouraged new users, who may not have spent much time on the web in the past, to go online. Social networking can be a useful tool for both personal and professional reasons. There are arguments on both sides of the issue of whether to allow employees access to such sites on work time. On one hand, some employees may use social networking to increase business opportunities for your company; on the other, they may simply be engaging in personal activities on company time. In either case, while the use of such sites does not present a direct threat to your company’s computer systems, an increased comfort level with utilizing the internet for social networking sites can increase the surface area that is exposed to attack when your employees go online or use email. When users, especially new ones, are naïve to the threats the internet can pose, it’s important for business owners to continue to emphasize the value of actively educating employees about how their conduct on the web can be a threat to the security of your company’s data.

Unintentional Compromise

A single computer user inadvertently downloading malicious content from an email, or visiting a site that contains malicious content, can expose your whole network to being compromised. It should always be part of your policy that computer users may never download or install programs that are not explicitly approved by your Information Technology department or consultant. To back this policy up, it is also a good idea to use the configuration options in the software you use to prevent such activity. Limiting the sites your employees have access to can help as well. However, limiting site access may be difficult if certain employees need to use sites such as vendor portals that cannot easily be restricted. If the only way to limit access is through verbal instruction, it’s important for employees to know that employers have the right to audit their employees’ usage of the internet. Letting them know that they can be checked on, and that you do hold them accountable, helps assure that employees abide by your company’s policies.

Another way an employee can unwittingly provide an entry point for an attacker is through the use of an MP3 player, camera, or a USB storage device on a work computer. Recently, monitoring agencies have seen increased use of such devices by hackers to transfer malicious software between different computers. Some devices, especially USB storage devices, can be programmed to automatically execute software when they are attached to a computer. Your computer systems may be able to be configured to block such action; however, such devices may also be used to transfer software to your computers that violates your company’s policies and voids the protections your systems have in place to prevent directly downloading unapproved programs. In addition to providing a way to transfer potentially malicious content, storage devices also provide a means for the transfer of protected data by a disgruntled employee. It may be necessary to prohibit access to USB connections on your business’s computers either through software or physical protection. It is also wise to change computer passwords whenever an employee leaves the company.
24 SEPT-OCT 09
Take Precautions to Avoid Infections
“Malware” is software designed to create problems. It works in ways that many retailers probably haven’t even imagined.
In a recent issue, SC Magazine, which is aimed at IT security professionals, reported the following:
> A recent McAfee study on popular keyword searches found that users searching the internet for “screensavers” have a 59% chance of being infected by malware on any given search results page.
> Almost one in 10 pieces of malware use “autorun” to spread themselves. If autorun is enabled on your computer, you are at risk. Although Microsoft is working on a patch to decrease autorun risks, there is no timetable for it.
> Employees react cooperatively when bosses reframe the issue of “computer security.” It’s really “information protection,” and everyone wants their own information protected. If you reframe the concept, you’ll get quicker buy-in from employees.
> While social networking sites have moved from being in “infancy” to being in their childhoods, how useful they will become as business tools is a very large open question—but the likelihood is great that they will evolve as legitimate and useful tools. Simply blocking access to them is probably short-sighted, at best.
> A recent Cisco survey showed that more than 75% of employees polled do not use a privacy guard when they are working in a public place remote from their office.
> While intentional disruption can occur because an employee is angry over perceived mistreatment, it is far more likely for computer systems to be invaded by outsiders than by insiders. Researchers at North Carolina State University recently found that most internet users are susceptible to “tricks”—like email invitations—that could expose their systems to malicious disruption.
Editor’s Note: SC Magazine is published monthly by Haymarket Media, Inc., 114 West 26th Street, 4th Floor, New York, NY 10001.
Off-Site Threats Exist

Aside from entry-level employees who may only interact with your point-of-sale computers, higher-level employees, such as your managers or buyers, can present a threat as well. They may find it necessary to remotely access your company’s computer systems. Such access could compound the security risks to your systems by the addition of the security layers of the remote user’s computer system, or by the security of the method they use for access. For example, consider a remote user going through a public wireless connection at an airport to access company data. If that user is not accessing your system via a secure method, it takes little or no effort for a hacker to hijack the connection and view the data being transferred between the two machines. It’s also possible that the user’s computer could already be compromised and running a malicious program that is sending data—such as the keystrokes he’s typing—to a remote third location. For this reason, your company policy also should include requirements for remote computers, in addition to the computers in your offices. Some newer anti-virus packages integrate “end point security” capabilities, which can assure compliance with company policies by verifying compliance on the remote computer before allowing access to your company’s computer systems.

Developing a clear policy for your employees to follow can help to outline the procedures your company has in place to prevent a data breach. While software may be able to help you enforce some aspects of that policy, however, software cannot protect from all dangers. Proper education is necessary to prevent the inadvertent violation of policy, in both normal situations and in situations that are not routine. In the event of a violation, auditing your users’ use of your systems can help to narrow down how or where the misuse of your network occurred, and your employees’ knowledge that you periodically undertake such auditing can help to assure compliance.

Employees’ misuse of the system—whether it is intentional misuse or innocently accidental misuse—is probably the greatest threat to the integrity of your network. Yet the threat can be greatly reduced through two simple means: a clear policy that is enforced, and proper education. Pro-actively addressing the threat(s) to your systems will help assure that your customers never have to question the safety of their information when patronizing your business.

Scott Muller heads information technology services for NSRA. He can be reached at [email protected].
nsra.org 25