Expert Interview Series: Garrett Stiles of Aeris Secure on Cyber Security and Compliance for SMBs
May 22, 2017
Garrett Stiles, of Aeris Secure, is a technical writer interested in the cyber security space.
We recently asked Garrett about trends in cyber security and the compliance challenges small- and medium-sized companies face today. Here’s what he shared:
Can you tell us about Aeris Secure? What is the mission behind your company?
Aeris Secure is an information security consultancy, focused on helping small- to mid-sized companies achieve their security and compliance objectives. Our mission is to make security simple for those small businesses with limited resources, knowledge and experience.
What are the common pain points or frustrations you’re helping your clients solve?
One of the primary services we provide is PCI compliance assessments. When it comes to compliance there are always going to be frustrations. The main pain point we try to alleviate is the fact that compliance and audits can be a distraction from the actual operations of the business. Dealing primarily with small business, I’ve noticed that resources and time are usually limited and employees are wearing multiple hats. Besides playing the role of auditor, we strive to educate our clients in security best practices and help them understand the need for an established information security management system. In doing so we can help them implement a security program that fits their needs and is manageable given their situation.
How has PCI Compliance evolved since you started your business? What has made the biggest impact?
There have been a lot of changes since we first became a PCI QSA company. From my perspective as a security professional, the most important is that the requirements in the PCI DSS have become clearer. The PCI SSC has updated the standard to include very good guidance on the intent of requirements. This is something that was lacking in PCI DSS v1.0, which we were using when we first started. Back then, it was all up to the interpretation of the auditor, which led to variation between QSAs in how a requirement was applied.
The PCI council and the community have put in a lot of effort to provide supplemental information and guidance beyond what is contained in the PCI DSS. There is the FAQ on the PCI council website, as well as a number of Information Supplement documents that act as additional guidance on how requirements should be met and applied. These additional documents don’t provide official guidance, but help to educate and inform. All official PCI requirement details are contained in the PCI DSS, but these supporting documents and information definitely have helped to provide continued education to PCI QSAs.
What are the challenges for businesses in staying compliant?
The biggest challenge is to remember that compliance isn’t a once-a-year occurrence. Many businesses approach it as an event, rather than a way of conducting business. This doesn’t work when the next audit comes around and you haven’t kept up on all the recurring requirements or tasks that need to be performed throughout the year. It puts you in a predicament when you didn’t do your quarterly scanning, for instance, and the auditor asks to see the reports. You can’t go back in time and fix it. Making compliance a priority within the organization, and establishing a schedule of what needs to be done and when, will help reduce the challenges of maintaining compliance year over year.
What are best practices for businesses as far as protecting sensitive consumer information? What should business owners be aware of?
There are many best practices that you can follow when it comes to protecting customer information. My go-to recommendation is always: if you don’t need it, don’t store it. I often find companies holding onto data well beyond its usefulness because they say they don’t know if they might need it. They don’t know, because they haven’t taken the time to figure it out. The key to good security is having a strong understanding of the people, processes and technologies that interact with sensitive information. Once you know that, you can protect it. With that understanding you can begin to clean up unnecessary processes and reduce the amount of access to and storage of sensitive information, reducing your exposure and risk.
What are the most common mistakes or oversights you see business owners making in terms of cyber security? What should they be doing differently?
The biggest mistake I see is the “set it and forget it” mentality. Most small business owners are busy. They want to do the right thing; it’s just that the right thing takes time and attention when it comes to security. Most businesses invest money into their security operations. They buy cameras, ID cards and readers, a firewall. But then they don’t monitor or maintain those things. A good security operation takes constant care to make sure it is functioning properly and up to date. You don’t need the latest and greatest technology to be secure. Most of it is just utilizing the tools and services you already have. The best thing a business owner can do is to formally assign someone to the role of security officer. It doesn’t have to be their full-time job, but they are responsible for it. That way they will see that things are maintained and monitored.
Why is PCI Compliance so important to small business owners today? What are the risks of non-compliance?
Every business owner who deals with credit cards needs to be concerned with PCI. They have an obligation to remain compliant with the PCI DSS at all times. It’s just part of being in business. Beyond the requirement aspect of PCI compliance, it does provide value and benefit to the company if they take the time to really improve their security posture through the compliance process. Compliance does not equal security. But it does provide a baseline for the minimum effort required, as well as outline a great starting point for establishing an information security management system within the organization. If business owners accept their responsibility of establishing a secure network and environment, and set protecting their customers’ data as a priority, then PCI compliance can establish a good foundation from which to build a secure organization.
Most businesses today rely heavily on credit cards as a method of payment. Without the ability to process credit cards, most businesses would fail very quickly. If you aren’t PCI compliant, then technically you can’t process credit cards. It’s that simple. It might take some time before someone comes asking, or a serious security event to raise a red flag. But eventually you will be asked about your PCI compliance status, and if you aren’t compliant you put your entire business at risk. In addition to not being able to process, there may be fees and fines for non-compliance. In the instance of a data breach, add onto that the huge cost of incident response, forensics investigations and card replacement, in addition to the now-required level one PCI assessment. Most small businesses can’t survive six months after a breach. Accepting the responsibility and taking appropriate steps in advance is the only way to address the risks of non-compliance.
What cyber-security issues or trends are you following today? Why do they interest you?
The big issues right now are the Internet of Things (IoT) and all the security implications there, ransomware, and of course cyberespionage. Each is interesting for its own reasons. IoT is pretty much the cutting edge of technology. Being a tech nerd, I like all the gadgets, and for the security professional side of me it’s the new battleground for hackers. Ransomware just fascinates me. I find it interesting how criminals can use the simplest methods to extort money. They are very clever at using proven methods in new ways. Cyberespionage is pretty hot right now, but the added twist of potential political impact is like something out of the movies.