AWS Users: Here's What You Need to Know About Your Security Risks

With the widespread adoption of remote work over the last year due to the COVID-19 pandemic, the need for cloud-based services dramatically increased as many businesses migrated to the cloud.

Looking to 2021 and beyond, this trend shows no signs of slowing down any time soon.

The cloud has immense benefits for business. It is efficient, cost-effective and allows companies unprecedented room to scale. However, it is also an easy target for attackers. Simple mistakes and misconfigurations of cloud settings were a leading cause of data breaches in 2020, costing businesses US$3.86 million.

Organisations should take stock of the security implications of the cloud and identify any vulnerabilities in their current infrastructure.

 

The Rise of AWS

One of the most popular cloud-based services is Amazon Web Services (AWS). AWS is a simple pay-as-you-go cloud computing solution designed for all types of organisations.

But even with the backing of Amazon, one of the world's biggest companies, AWS still needs maintenance from its end-users to ensure complete protection.

Uptake of and conversion to AWS is growing, and with it comes a whole new language that users need to know to stay safe. While AWS is responsible for managing a number of security controls, businesses that use the AWS environment are also responsible for ensuring that virtual appliances and services are correctly configured to avoid any vulnerabilities. To read more about how responsibilities are divided between AWS and the businesses that use it, have a look at AWS Artifact.

If you are not aware of which of those responsibilities are yours, your business is left extremely vulnerable.

How do you ensure PCI Compliance in an AWS environment?

Stratica uses automated compliance assessment tools to help clients stay on top of their AWS environment security.

If you are using AWS and want to make sure your e-commerce site is as secure as possible or find out more about securely switching to AWS, contact me.

Lack of Security Puts Charities At Risk

A UK study shows that charities that facilitate donations through online platforms are at serious risk of falling victim to cyber-attacks.

Published by the UK Department for Digital, Culture, Media and Sport, the Cyber Security Breaches Survey found that 26% of charities experienced a cyber breach in the last twelve months.

The most common types of cyber-attacks were:
  • phishing attacks, accounting for nearly 80% of breaches
  • attackers impersonating the charity in emails, accounting for 23% of all attacks
  • viruses, spyware or ransomware (16%)

Other less-common attacks charities saw included:
  • unauthorised listening in on video conferences
  • taking over the charity's accounts
  • hacking bank accounts

A significant challenge over the last year has been the shift to working from home during the COVID-19 pandemic, which meant charity employees typically worked from their personal devices, many of which are not secure.

 

Why are charities at risk?

Regular donation programs and online platforms that beneficiaries can access require the storage of credit card details or other sensitive personal information.

However, with the risk of cyber crime so high, a breach puts the charity's ability to attract donors online at stake: following a breach, charities only have a one in five chance of getting a customer back.

One of the more recent victims of payment security data breaches was Oxfam Australia. In this case, cybercriminals unlawfully gained access to the charity's supporter data. A similar incident occurred at the RSPCA.

It will be tough for these charities, and the countless others that fall victim to a cyber breach, to fully regain the trust of their current and future donors. So, to secure the future of your charity and those you support, prevention is the best cure.

 

How can charities protect themselves against a breach?

Charities rely on making it easy for donors to support them online, so they can't afford any security risk. To prevent a security breach, charities should undertake regular vulnerability scans and patching.

Reading over Stratica’s “Payment Security Checklist” is a useful guide to securing payments to your charity and protecting the generous people who support you.

For a complimentary security assessment, please get in contact with me so I can help you further understand the steps to protecting your charity from a devastating breach.


Q&A: everything organisations need to know about PCI compliance

What is PCI compliance? Why do I need it? And what does it mean for my organisation?

I often get those common questions from business owners who accept payments online and want to demystify their cybersecurity requirements.
So today, I will unpack the most frequently asked questions about PCI compliance to help you understand your obligations when doing business online.
What is PCI compliance?
The Payment Card Industry Security Standards Council (commonly shortened to PCI SSC or PCI Council) is an organisation run by payment card companies. The PCI Council sets best-practice standards for the secure storage of credit card information online.
Every organisation that allows payment card transactions online must follow these standards.
Why is PCI Compliance important?
Should your organisation fall victim to a data breach, PCI compliance means that customer data remains protected.
Why do I need PCI compliance?
PCI compliance offers the highest possible level of protection for businesses (and their customers) against data theft.
If you conduct business online, demonstrating PCI compliance will mean potential customers (especially those wary of the security of online payments) are more likely to buy from you.
Is PCI compliance mandatory?
PCI compliance is mandatory if you accept credit or debit cards as a form of online payment.
Other businesses subject to mandatory PCI compliance requirements are:
  • businesses that accept credit or debit cards for payment, even if they use a third-party vendor's hardware, software or application to do so.
  • service providers that store credit/debit card data on behalf of another business.
  • hosting providers or other service providers that process or transmit credit/debit card data on behalf of another business.
How often do you have to demonstrate PCI compliance?
You will need to demonstrate PCI compliance annually.
When should you be compliant?
You should be PCI compliant all the time, as it can only take a second of vulnerability for cybercriminals to pounce.
What are the consequences of not being PCI compliant?
As well as putting your business and customers at risk of a debilitating data breach, banks may not allow you to process credit card payments without PCI compliance; they don't want a possible data breach to be their problem!
So without PCI compliance, you won't be able to make sales and do business online.
Should I maintain PCI compliance myself or get someone else to do it?
It is possible to maintain your organisation’s PCI compliance yourself.
The PCI website has some fantastic resources that will help you achieve and maintain compliance.
However, understanding PCI compliance requires a lot of time and resources from your organisation that are usually better spent elsewhere.
PCI compliance can be simple, quick and cost-effective. That is, when you have the right company that takes the time to understand your business.
Stratica helps you get compliant and stay compliant quickly and effectively!
Whether you would like to gain some more clarity on your PCI obligations and how to achieve compliance, or you would like to find out more about how Stratica can help ensure your business stays compliant 24/7/365, get in contact with us for a free consultation.

How to stay PCI compliant

So your organisation is PCI compliant. Well done! You have taken the first step toward fostering a secure environment for your organisation and customers.

But here's the bad news… Achieving compliance is the easy part.
The hard part is what comes next: staying compliant.
PCI compliance is like servicing your car. You don't do it once and expect it to never run into problems again.
Remember, not being compliant for even one second can leave you vulnerable to data breaches.
And the only way to prevent the impacts of non-compliance is through continuous adherence to PCI standards.
So how do you stay PCI compliant? Here are three things every organisation should be doing to stay up to standard.
Allocate resources to PCI compliance consistently
Just like maintaining anything, PCI compliance requires a regular commitment.
Continuing to meet PCI obligations requires three things: people, processes and technology.
People
Just like keeping your office clean requires a dedicated cleaner or cleaning team, you will need a dedicated PCI compliance team.
Is there someone in your organisation in charge of PCI compliance?
Is there a team that supports this person in maintaining compliance?
Ensure that your team receives the required resources and training to efficiently and effectively ensure compliance.
Processes
Processes will be your PCI Compliance for Dummies handbook, containing easy-to-follow instructions on how to install, maintain and troubleshoot the tasks required to maintain compliance. To account for the regular changes in the PCI environment, you should update these processes regularly.
Technology
Technology is the most critical piece in the PCI puzzle. People and processes are useless without it! Technology is the software you will need installed to easily undertake, monitor and maintain the activities that keep you PCI compliant. You will need to update your technology at least every few years (and with it, update your processes and re-train your people).
And if you don't think you have the team on hand, we can help. To see how we can help maintain PCI compliance in your organisation, get in contact with us for a free consultation.
Perform regular evaluations
How do you know if the security measures you have put in place to stay PCI compliant are working?
Well, the only way to know for sure is to act like a cybercriminal!
Organisations use red teams: people who attempt to break into your organisation the way an attacker would. If they succeed, it's a sure-fire sign that you are not PCI compliant.
In these cyber-attack simulations, you can also use a blue team, which defends against the red team's attacks.
To test your PCI compliance, you should be running the following assessments:
  • penetration testing
  • internal and external scanning
  • security awareness training
  • compliance review
  • risk assessment
Vulnerability management
Almost all recent data breaches have one thing in common: the organisations didn't have a vulnerability management program.
And those organisations would have avoided falling victim to a data breach if they had performed these basic vulnerability management checks:
  • application security
  • firewall and router configurations
  • patching and patch management
  • review of logs, alerts and access permissions
  • data integrity assessment
To maintain PCI compliance, organisations should undertake vulnerability scans at least every three months, as well as an annual assessment performed by a Qualified Security Assessor (QSA).
Self-Assessment Questionnaires (SAQs) are also a vital tool for organisations, notably those at the lower merchant levels, to assess PCI compliance. There are several kinds of SAQs depending on how you handle card transactions. Get in contact with us to find out which SAQ is the right one for your organisation.
Stratica are qualified security assessors and work with organisations to help them maintain PCI compliance.
To find out more about how we can help empower your organisation to meet PCI compliance requirements and keep your organisation safe, get in contact with us today.

Customer story: CardGate on the importance of having high security standards

CardGate has been a payment service provider since 1998, and their software helps merchants process card payments online. They are a preferred supplier of the Commonwealth Bank of Australia.

Being in business since the early stages of e-commerce, CardGate CEO Harry Ramadan has seen many things change, with the most significant development happening in the mid-2000s.

When the internet became more accessible, online shopping became more popular. And that created a perfect storm for a new generation of criminals: cybercriminals.

So while the payment card industry was experiencing record growth and looking to a prosperous future, it was in the grip of a cybercrime epidemic that could derail it all. In Harry's words, the industry "needed to get their act together".

So in 2004, the Payment Card Industry Security Standards Council (commonly shortened to PCI Council) was born. The PCI Council went about setting best-practice standards for the secure storage of credit card information online.

And PCI compliance would eventually become mandated for payment service providers. Harry was an early adopter and noticed a stark change in the competitive landscape.

"Our first PCI audit was in 2006, and at that time, a lot of our competitors didn't bother or see the need to achieve PCI compliance."

"The mandate flushed a lot of companies out of our industry."

And it was for the better. While many predicted e-commerce would become the wild west where no card was safe, PCI standards have helped e-commerce grow to unprecedented levels and change the retail landscape for good.

The importance of having the right PCI compliance partner

As the industry matured almost a decade later, Harry realised not all PCI qualified security assessors were created equal.

"We had worked with some companies we weren't happy with in the past."

"A lot of companies will come in, do a quick audit and give us the all-clear. We wanted someone who would work with us to maintain the highest possible security standards."

In came Stratica, and Harry soon realised the benefits of Stratica's unique approach to cybersecurity.

"They aren't just assessors and auditors. They are consultants, and help us set the highest possible standards for payment security."

"Our high-value partnerships with merchants depend on the level of attention to detail we get with Stratica."

Having worked with Stratica since 2015, Harry knows his security is in good hands.

"PCI compliance is never easy, but we can rely on Stratica for great advice."

Are you looking for a qualified security assessor to help your organisation stay PCI compliant? Look no further than Stratica. For a free audit and security review where we will help you set the standard for payment security in your industry, get in contact with us today.