There are lots of rules and regulations for security that companies enact. There are even more that are pushed on us from various groups, such as the PCI and HIPAA certifications. There are plenty of data professionals who find these rules to be burdens that get in the way of just getting work done, and who circumvent them. This is also the advice I've heard given to non-technical people who ask their friends for help.
It's hard to tell, but it appears that a lack of adherence to security rules was the reason that many Subway franchises were hacked and had credit card data stolen. The franchises installed remote desktop software, likely to make it easy for them to access records from home, and hackers managed to scan these systems, guess passwords, and install their own trojan programs.
Subway dictated the use of point-to-point encryption, but the franchises refused to implement it. I'm not sure why this was allowed, and how this isn't required for PCI certification. Apparently there are still loopholes in the PCI regulations. While requiring more compliance isn't ideal, it wouldn't be necessary if so many people didn't value convenience above security.
You don't need to encrypt every communication with your SQL Server on your internal networks, but it is something that you ought to consider for any external communications. Adding certificates to your servers, configuring encryption on the network, and talking to the network staff about IPSec can be intimidating, but it's not that hard. It doesn't provide perfect security, but it definitely adds a layer of protection to your systems.
The basics also apply here. Limit remote access, patch your software, and above all, don't allow any default or extremely easy passwords. There are plenty of tricks for creating and remembering strong passwords. Give some of those to your clients, and give them some good examples of places where weak passwords failed, like this Subway example or the construction company that lost $240,000.
And encourage them to learn to type better. The easier it is to enter a 24 character password phrase, the more likely they are to adopt one.
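As an added example (not part of the original editorial), here is a T-SQL audit that checks the two points above on your own instance: which remote connections are actually travelling unencrypted, and which SQL logins still have a blank or trivially weak password or bypass the password policy. It assumes SQL Server 2005 or later and a login holding VIEW SERVER STATE and CONTROL SERVER (needed to read password_hash); the weak-password list is a constructed sample.

```sql
-- Added audit script, not from the original post. Assumes SQL Server 2005+ and
-- a login with VIEW SERVER STATE plus CONTROL SERVER (to read password_hash).

-- 1. Current connections that are NOT encrypted. encrypt_option is 'TRUE'/'FALSE'.
--    Shared memory connections never leave the box, so they are excluded; TCP and
--    named-pipe sessions from other hosts are the ones crossing a network.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,
       c.auth_scheme,
       c.encrypt_option
FROM   sys.dm_exec_connections AS c
JOIN   sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE  c.encrypt_option = 'FALSE'
  AND  c.net_transport <> 'Shared memory'
ORDER BY c.client_net_address, s.login_name;

-- 2. Enabled SQL logins whose password is blank, equal to the login name, or in a
--    short list of common defaults. The list below is a constructed sample; replace
--    it with the defaults your own vendors and installers are known to use.
--    PWDCOMPARE returns 1 when the plaintext matches the stored hash.
DECLARE @weak TABLE (pwd NVARCHAR(128));
INSERT INTO @weak (pwd) VALUES (N''), (N'sa'), (N'password'), (N'Password1'), (N'123456');

SELECT l.name,
       l.is_policy_checked,
       l.is_expiration_checked,
       w.pwd AS matched_weak_password
FROM   sys.sql_logins AS l
JOIN   @weak          AS w ON PWDCOMPARE(w.pwd, l.password_hash) = 1
WHERE  l.is_disabled = 0
UNION ALL
SELECT l.name, l.is_policy_checked, l.is_expiration_checked, N'<same as login name>'
FROM   sys.sql_logins AS l
WHERE  l.is_disabled = 0
  AND  PWDCOMPARE(l.name, l.password_hash) = 1;

-- 3. Enabled SQL logins that opt out of the Windows password policy or expiration,
--    which is how a weak password survives on a server that otherwise enforces one.
SELECT name, is_policy_checked, is_expiration_checked
FROM   sys.sql_logins
WHERE  is_disabled = 0
  AND  (is_policy_checked = 0 OR is_expiration_checked = 0);
```

Any login returned by the second or third query should have its password changed and the policy flags set (ALTER LOGIN ... WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON); any remote session in the first query is a candidate for Encrypt=True in the client connection string or a Force Encryption setting on the server.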
Steve Jones
Happy Holiday!