StoreFront BackTalk had a post last week from frequent contributor Walt Conway of 403Labs. The post covers three lessons the State administration in South Carolina learned while dealing with the data breach discovered in October, and how those lessons might be applied to the retail business. Two important details regarding the breach: the bad guys gained access to State tax systems through malware attached to a phishing message, and the head of the State’s Department of Revenue will resign as a result.
From StoreFront BackTalk:
Lesson #1: Don’t Skimp on Training. Training can’t prevent every social-engineering or spam attack from being successful, but effective training (and enforcement) can go a long way in reducing the effectiveness of such attacks. Such malware-laden E-mails tend to increase after natural disasters and during the holidays. We can expect to receive a few “click on this great Santa video” E-mails, so it may be a good time to reinforce the training with all your employees.
Lesson #2: Strong User Authentication is Your Friend. Two-factor authentication is not the same as multiple passwords. It means using two completely separate methods of identification, from among the following: Something you know (user ID and strong password); something you have (e.g., token or other physical device); or something you are (fingerprint or handprint).
Lesson #3: Protect Your Sensitive Data. A lot of South Carolina’s problems might have been eliminated had the data been protected with strong encryption accompanied by solid key management procedures.
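Lesson #2 above draws the line between two passwords and two factors. The Go program below is an added example, not code from the StoreFront BackTalk post or from any South Carolina system: it verifies a password (something you know) and an RFC 6238 time-based one-time code (something you have), and accepts a login only when both check out and the presented credentials span two different factor categories. The `User`, `Login` and `distinctFactors` names, the enrolment record layout and the test seed are constructed for this illustration; the PBKDF2 step is a standard-library stand-in for a slower password hash such as argon2id or bcrypt.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Factor is the category a credential proves; two from one category are still one factor.
type Factor int

const (
	Knowledge  Factor = iota // something you know
	Possession               // something you have
	Inherence                // something you are
)

// User is a hypothetical stored enrolment: salted password hash plus the TOTP seed.
type User struct {
	Salt, PwdHash, TOTPKey []byte
}

// pbkdf2SHA256 derives one hash-length block of PBKDF2-HMAC-SHA256 (RFC 8018);
// argon2id or bcrypt would be preferable, but this keeps the example stdlib-only.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// hotp computes a six-digit RFC 4226 one-time code for a counter value.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write(binary.BigEndian.AppendUint64(nil, counter))
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	code := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	return fmt.Sprintf("%06d", code%1000000)
}

// NewUser enrols a user with a fresh random salt.
func NewUser(password string, totpKey []byte) (*User, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &User{Salt: salt, PwdHash: pbkdf2SHA256([]byte(password), salt, 100000), TOTPKey: totpKey}, nil
}

// verifyPassword checks the "something you know" factor in constant time.
func verifyPassword(u *User, password string) bool {
	return subtle.ConstantTimeCompare(pbkdf2SHA256([]byte(password), u.Salt, 100000), u.PwdHash) == 1
}
// verifyTOTP checks the "something you have" factor (RFC 6238, 30-second steps),
// accepting one step of clock drift on either side.
func verifyTOTP(u *User, code string, now time.Time) bool {
	step := uint64(now.Unix() / 30)
	match := 0
	for _, c := range []uint64{step - 1, step, step + 1} {
		match |= subtle.ConstantTimeCompare([]byte(hotp(u.TOTPKey, c)), []byte(code))
	}
	return match == 1
}

// distinctFactors counts how many categories a set of presented factors spans.
func distinctFactors(factors []Factor) int {
	seen := map[Factor]bool{}
	for _, f := range factors {
		seen[f] = true
	}
	return len(seen)
}

// Login succeeds only if both credentials verify and they span two categories.
func Login(u *User, password, code string, now time.Time) bool {
	if !verifyPassword(u, password) || !verifyTOTP(u, code, now) {
		return false
	}
	return distinctFactors([]Factor{Knowledge, Possession}) >= 2
}

func main() {
	u, _ := NewUser("correct horse battery", []byte("12345678901234567890")) // RFC 4226 test seed
	now := time.Now()
	fmt.Println("password + current code accepted:", Login(u, "correct horse battery", hotp(u.TOTPKey, uint64(now.Unix()/30)), now))
	fmt.Println("two passwords span", distinctFactors([]Factor{Knowledge, Knowledge}), "factor(s)")
}
```

The `distinctFactors` check is what makes "two passwords" fail the policy: both would be `Knowledge`, so the count is 1 even when both verify. The one-step drift window in `verifyTOTP` is the usual trade-off between usability on devices with slightly wrong clocks and the size of the accepted code set; widening it further weakens the second factor.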
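For Lesson #3, the following is an added example (not from the original post, and not a description of the State's systems) of the "strong encryption plus key management" arrangement usually called envelope encryption: each record gets its own random data key, which is stored only wrapped under a versioned key-encryption key, so rotating the KEK means rewrapping small wrapped keys rather than re-encrypting the data. `KeyStore`, `Record` and the method names are hypothetical; the in-memory KEK map stands in for an HSM or KMS, and a production deployment would delete an old KEK version once every record had been rewrapped away from it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what gets persisted: ciphertext, a per-record data key (DEK) wrapped under a KEK, and the KEK version.
type Record struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyStore is a hypothetical in-memory stand-in for the HSM or KMS that holds the KEKs.
type KeyStore struct {
	keks    map[int][]byte
	current int
}

// random returns n CSPRNG bytes; if the OS source fails there is no safe way on, so stop.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// gcmFor returns AES-256-GCM over key; keys here are always 32 random bytes, so an error is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal encrypts plaintext, prefixing a fresh random nonce to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; any change to nonce, ciphertext or aad makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// Rotate adds a new KEK version and makes it current; older versions stay usable for unwrapping.
func (ks *KeyStore) Rotate() {
	if ks.keks == nil {
		ks.keks = map[int][]byte{}
	}
	ks.current++
	ks.keks[ks.current] = random(32)
}

// wrap stores dek in r under the current KEK, binding the version label in as AAD against relabelling.
func (ks *KeyStore) wrap(r *Record, dek []byte) {
	r.KEKVersion = ks.current
	r.WrappedDEK = seal(ks.keks[ks.current], dek, []byte(fmt.Sprint("kek-v", ks.current)))
}
// unwrap recovers the DEK using the KEK version recorded beside it.
func (ks *KeyStore) unwrap(r Record) ([]byte, error) {
	kek, ok := ks.keks[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is unknown or retired", r.KEKVersion)
	}
	return open(kek, r.WrappedDEK, []byte(fmt.Sprint("kek-v", r.KEKVersion)))
}

// Encrypt uses a fresh DEK per record and stores only its wrapped form.
func (ks *KeyStore) Encrypt(plaintext []byte) Record {
	dek := random(32)
	r := Record{Ciphertext: seal(dek, plaintext, nil)}
	ks.wrap(&r, dek)
	return r
}
// Decrypt unwraps the DEK with its KEK version, then opens the data.
func (ks *KeyStore) Decrypt(r Record) ([]byte, error) {
	dek, err := ks.unwrap(r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, nil)
}
// Rewrap moves r to the current KEK without touching the bulk ciphertext.
func (ks *KeyStore) Rewrap(r *Record) error {
	dek, err := ks.unwrap(*r)
	if err != nil {
		return err
	}
	ks.wrap(r, dek)
	return nil
}

func main() {
	ks := &KeyStore{}
	ks.Rotate()
	rec := ks.Encrypt([]byte("constructed sample record"))
	ks.Rotate()
	fmt.Println("rewrap:", ks.Rewrap(&rec), "now under KEK version", rec.KEKVersion)
}
```

Two properties carry the key-management point: `Rewrap` changes only `WrappedDEK` and `KEKVersion`, so a rotation over millions of records never touches the bulk ciphertext, and the version label is bound into the wrap as AAD, so a stored record cannot be quietly re-pointed at a different KEK version. GCM's authentication also turns any tampering with the ciphertext into a decryption error rather than silently corrupted plaintext.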