Goin' Social Mobile: Security Begins From the Inside Out
I find myself talking about the "soft center" of data security a lot. Many companies fall into the trap of securing only their perimeters, but should the "steel walls" be breached by a hacker, or worse, compromised by an insider, all of that precious and highly sensitive data is just there for the taking.

Recently I shared some thoughts for an article on social media risks and guidelines:

In reality, companies are already feeling the impact of real risks related to social media use. According to Mike Logan, president of the Boston-based Axis Technology IT security company, "I can't begin to tell you how many times companies come to us because they've discovered their employees were using social networks that compromised sensitive data. Basically a P2P network or a social network like Facebook that collects information is pretty much the equivalent of digging a tunnel right into a company's data center," he says. While many communication professionals and social media enthusiasts have eagerly embraced the transparency in communication that social media offers, their enthusiasm may be misguided. Certainly, such enthusiasm is being mitigated by the practicalities of managing organizational risk.

This really isn't new or shocking, but it is a problem that is growing every day. Add to that the merging of social media with mobile, and with the payment transactions that ride along with it. Take a look at this Mobile Banker article by Kate Fitzgerald, particularly this section:

The flap last month surrounding the social-networking site Blippy, which inadvertently exposed certain customers' credit card data through a glitch, underscores the potential for more data breaches within social-networking sites and related applications, several experts say. Blippy, which launched last year, invites users to register their credit cards with the site so others can track their purchases.
Blippy typically removes the actual credit card numbers and other sensitive data before posting users' purchases. But in a technical oversight earlier this year, the company briefly exposed certain users' raw transaction data, compromising card security. Blippy could have averted the incident through adherence to core data-security principles, including the Payment Card Industry Data Security Standard, several data-security experts tell PaymentsSource. Blippy vowed after the incident to hire a chief security officer and to invest in "regular third-party infrastructure and application security audits." But the fact that Blippy considered appropriate security only after data were exposed reflects an alarming trend, as social-networking and mobile-payment applications continue to grow, Nagraj Seshadri, security technologist for data-security firm Sophos Inc., tells PaymentsSource. "In many cases, security is an afterthought and is bolted on in response to a breach," he says.

And I think by now most of us are quite familiar with those "after the fact" horror shows and the painful costs.
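The lesson in the Blippy passage is that "remove the card number before posting" has to be enforced at the point of publication, not assumed upstream. The following is an added example, not Blippy's code or anything from either article: it takes a constructed transaction feed (field names `pan`, `memo` and `card_last4` are my own choices for illustration), builds the public record with the PAN masked to its last four digits, and then runs an output gate that re-scans every field for Luhn-valid card numbers and refuses to publish if one survives. The second sample record shows why the gate matters: the card number also appears in a free-text memo, so scrubbing only the dedicated card-number field would still leak it.

```python
import re
from typing import Dict, List

# Constructed sample feed (not real data): what a purchase-sharing app would
# receive from a card processor before publishing a purchase to followers.
RAW_TRANSACTIONS = [
    {"user": "alice", "merchant": "Coffee Shop", "amount": "4.50",
     "pan": "4111111111111111", "memo": "latte"},
    {"user": "bob", "merchant": "Bookstore", "amount": "23.99",
     "pan": "5555555555554444",
     # A free-text field that repeats the PAN: scrubbing only the "pan"
     # field would leave this copy in the public feed.
     "memo": "order ref 5555555555554444 gift wrap"},
]

SENSITIVE_FIELDS = {"pan"}                         # must never reach the feed
PUBLIC_FIELDS = ("user", "merchant", "amount", "memo")

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run. Candidates are confirmed with Luhn below.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers; filters out random digit runs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits (PCI DSS permits at most first six / last four)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card number found in free text."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_text(text: str) -> str:
    """Mask Luhn-valid card numbers in free text, leaving other digit runs alone."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(repl, text)


def build_public_record(tx: Dict[str, str]) -> Dict[str, str]:
    """Project the raw transaction onto the public fields, redacting each one."""
    public = {k: redact_text(str(tx[k])) for k in PUBLIC_FIELDS if k in tx}
    public["card_last4"] = mask_pan(tx["pan"])[-4:]   # illustrative field name
    return public


def is_publishable(record: Dict[str, str]) -> bool:
    """Output gate: no sensitive field present and no unmasked PAN in any value."""
    for k, v in record.items():
        if k in SENSITIVE_FIELDS:
            return False
        if find_pans(str(v)):
            return False
    return True


def publish(tx: Dict[str, str]) -> Dict[str, str]:
    """Build the public record and refuse to release it if the gate fails."""
    record = build_public_record(tx)
    if not is_publishable(record):
        raise ValueError("refusing to publish: card data would be exposed")
    return record


if __name__ == "__main__":
    for tx in RAW_TRANSACTIONS:
        print(publish(tx))
    # The "raw data in the feed" failure mode is caught, not silently shipped:
    print("raw record publishable?", is_publishable(RAW_TRANSACTIONS[0]))
```

The gate is deliberately independent of the redaction step: if a future code path builds the public record differently (a new field, a bulk export, a debugging endpoint), the same `is_publishable` check still stands between the data and the audience, which is the property Blippy's "technical oversight" lacked.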