If you're a business owner that deals with credit cards, you probably aren't impressed with the title of this article. However, if you're the person responsible for being sure your organization is PCI compliant, you'll be doing backflips! Ok, maybe it's just our engineers that will be doing backflips, but we've been working hard on getting this to market and it's just about there. We're in a limited beta stage right now where we're rolling it out quietly to certain select customers to test it on certain key environments, but soon we are going to be ready to release the most cost-effective solutions available to make PCI compliance headaches go away!
Protecting PII (personally identifiable information) is one of the biggest responsibilities of companies today. If people trust you with their information, you have to meet certain standards of excellence to prove you're doing an adequate job of protecting that data from prying eyes. This is where our new Risk Intelligence tool comes in. Rather then requiring high-end and expensive hardware running on your network that you don't know how to use anyway, we've got a better approach! Our new Data Breach and RI tools will allow you to take a snapshot of any computer at any time and see just how vulnerable you are, and what the financial ramifications are.
Let's take a look using a test machine we setup. This is a typical office computer that contains some staff information, personnel records, and has both active and archived emails within its folder structure.
This first example shows the overall pass or fail status of a particular computer. In this case, based on the data the scan found on this computer, the company would be liable for approximately $63,000 in fines just based on what we found on the initial scan. The icons under each category show you what kind of information was able to be revealed in the search through the data. We found social security numbers and credit card information for almost every card agency out there. This computer has a lot of data on it that's not encrypted and not protected against unauthorized access. Let's dive deeper into the report and see what it reveals.
The initial scan showed 48 files with personal information on this hard drive. Each file can be reviewed independently for what kind of information is contained in it so you can determine the threat and the best way to handle it. We have an example below.
By expanding the arrow beside a particular file we can see the information above. Most of that information is useless to the normal person using a computer, but some of it will make sense to you. In this case we see it's a Microsoft Word document and what the file is titled, and where it is on the hard drive. Most importantly the scan shows what kind of PII was revealed. In this case it is a date of birth. Yes, a full DOB is personally identifiable information and can NOT be stored on a network or computer where just anyone can access it. Yes, in case you're curious, that means your employee records as well! But let's keep going.
How about this email, huh? It was sent to the recipient in February of 2009 and saved in the email archives according to the email retention policy - just like it should have been. Be that as it may, leaving a full credit card number stored on a computer system's file structure is definitely a no-no if it happens to belong to a customer. Thanks to the report, I know what email archive the file is located in, what date to go look for, who it came from, and what information is revealed that shouldn't be. As the business manager or customer I can now go deal with that email in whatever manner my company policy dictates. Considering the age, as the IT vendor, I would be OK recommending the file be deleted as it's beyond the 7 year retention mark.
The above report shows a detailed view of what actions the scan performed on the drive. We found 48 files with breach potential and a total of 316 individual instances of personal information being stored in an openly readable format.
This last tool is one of the best parts about the new system. Not only can we identify what files are opening you up to potential risk, but we also have a tool that can create a custom script on-the-fly to delete all those files from the system. It works in a matter of seconds and can be created on the fly from any machine and deployed to the correct machine then run like any other powershell script.
We aren't 100% sure yet how we're going to deploy the option to end-users to delete files. The report itself will allow you to identify which files need attention and you can decide how to handle them on an individual basis. It might cause more potential damage than it solves to allow users to mass delete files from their computers without individually examining them. However, either way, we will have a process by which you can request us to clean the files up for you if needed.
What's it going to cost?
Always the first question on someone's mind, right? Pricing is still being determined. I can tell you now that it's going to be somewhere around the $5-$15 per desktop per month model. No contract will be required. If you are a current managed services customer, we can deploy Risk Intelligence in the background with absolutely zero input from you. The good news is that Risk Intelligence doesn't necessarily need to be deployed to every PC in your network. If you have certain PCs that never touch PCI data or PII data, there's no need for those machines to be monitored. Other products, such as Antivirus and Web Filtering have to be deployed across the entire network to be able to protect all points of entry.
Does using your software mean we are fully PCI compliant?
Slow down there! There is a lot to PCI compliance that's outside the scope of what can be done using a machine-based agent. Specifically there are two main parts of compliance that need to be addressed with regards to a computer. The first is internal compliance. That's what we are solving here. Inside the network we can use the RI tool to determine if any of your machines have data at risk and if so, how to resolve the issue. There is still an aspect of testing called external penetration testing - where the goal is to get INTO your network from the outside. This tool can't do that because it runs inside the network, not external. While external protection solutions are still very costly, internal solutions like RI can help fill the gap for small to medium-sized companies. It basically allows us to be sure that even if someone DID penetrate the network from the outside, there's nothing inside to find that would put your customers at risk.
Is Risk Intelligence a total solution for your PCI needs? No, but it IS a huge step towards being compliant the cost savings compared to other solutions can't be beat! It allows you and your IT staff (us) to work together to locate problems and resolve them in common-sense language without being too hard to implement for the average user.
Interested in Risk Intelligence?
If your company is interested in discussing your options regarding PCI compliance, Data Breach potential and Risk Intelligence, feel free to let us know in the comments or send an email to support@twistednetworx.com.
If you're seeing this article on Facebook, leave a comment below with your thoughts on the concept and we'll respond as soon as we see them!