10 Federal Trade Commission cybersecurity tips
What does the Federal Trade Commission (FTC) know about cybersecurity?
Quite a lot, as it turns out.
How protected is your small business?
Like big businesses, all small businesses, from coﬀee shops to manufacturers, are at risk for cyber attack. Take a no-cost cybersecurity course to understand the realities of cyber risk, identify vulnerabilities and identify a cybersecurity action plan for your own business.
This free, non-technical program is available on your schedule online now:
Small Business, Big Threat
The FTC has pursued more than 60 data security cases. These are settlements — no findings have been made by a court — and the specifics of the orders apply to just those companies. But learning about these alleged lapses that led to enforcement activity can help your company improve its cybersecurity.
Most of these involve basic, fundamental security missteps. Distilling the facts of these cases down to their essence, here are ten lessons to reduce risks.
1. Start with security.
From personal data on employment applications to network files with customers’ credit card numbers, sensitive information pervades every part of many companies. Experts agree on the key first step: Start with security. Factor it into the decision-making of every department of your business — personnel, sales, accounting, information technology, etc. Collecting and maintaining information “just because” is no longer a sound business strategy. Savvy companies think through the implication of their data decisions. By making conscious choices about the kind of information you collect, how long you keep it and who can access it, you can reduce the risk of a data compromise down the road.
- Don’t collect personal information you don’t need. The FTC’s complaint against a firm that purchased the rights to classic video games charged that the company collected lots of information during the site registration process, including users’ email addresses and passwords. By collecting email passwords — not something the business needed — and then storing them in clear text, the FTC said the company created an unnecessary risk to people’s email accounts. The business could have avoided that risk simply by not collecting this sensitive information in the first place. And don’t use personal information when it’s not necessary
- Hold onto information only as long as you have a legitimate business need. In the FTC’s case against a wholesale club, the company collected customers’ credit and debit card information to process transactions in its retail stores. But according to the complaint, it continued to store that data for up to 30 days — long after the sale was complete. Not only did that violate bank rules, but by holding on to the information without a legitimate business need, the FTC said the club created an unreasonable risk. By exploiting other weaknesses in the company’s security practices, hackers stole the account data and used it to make counterfeit credit and debit cards. The business could have limited risk by securely disposing of financial information once it no longer had a legitimate need for it.
2. Control access to data.
Once you’ve decided you have a legitimate business need to hold on to sensitive data, take reasonable steps to keep it secure. You’ll want to keep it from the prying eyes of outsiders, of course, but what about your own employees? Not everyone on your staff needs unrestricted access to your network and the information stored on it. Put controls in place to make sure employees have access only on a need to know basis. For your network, consider separate user accounts to limit access to personal data or control who can use particular databases. For paper files, external drives, disks, etc., an access control could be as simple as a locked file cabinet.
- Employee theft. The FTC alleged that a financial company failed to restrict employee access to personal information stored in paper files and on its network. As a result, a group of employees transferred more than 7,000 consumer files containing sensitive information to third parties without authorization. The company could have prevented that misstep by implementing proper controls and ensuring that only authorized employees with a business need had access to personal information.
- Appropriate employees. The FTC alleged that a leading social media firm granted almost all employees administrative control over the system, including the ability to reset user account passwords, view users’ nonpublic comments, even send them on users’ behalf. By providing administrative access to just about everybody, the firm increased the risk that a compromise of any employee’s credentials could result in a serious breach.
3. Require secure passwords and authentication.
If you have personal information stored on your network, strong authentication procedures — including sensible passwords — can help ensure that only authorized individuals can access the data. Here are some FTC tips: Insist on complex and unique passwords. Passwords like 123456 or qwerty aren’t much better than no passwords at all. That’s why it’s wise to give some thought to the password standards you implement. Businesses also may want to consider other protections — two-factor authentication, for example — that can help protect against password compromises. Hackers can and do use automated programs that type endless combinations of characters until they luck into someone’s password.
- Password standard training. In the social media case above, the company let employees use common dictionary words as administrative passwords, as well as passwords they were already using for other accounts. According to the FTC, those lax practices left the system vulnerable to hackers who used password-guessing tools, or tried passwords stolen from other services in the hope that employees used the same password to access the company’s system. The firm could have limited those risks by implementing a more secure password system – for example, by requiring employees to choose complex passwords and training them not to use the same or similar passwords for both business and personal accounts.
- Guard against brute force attacks. The FTC alleged that a software company stored network user credentials in clear, readable text that helped a hacker access customer credit card information on the network. Similarly, the FTC charged that a publisher allowed customers to store user credentials in a vulnerable format in cookies on their computers. In each of those cases, risks could have been reduced if the companies had policies and procedures in place to store credentials securely. In three other cases, the FTC alleged that the businesses didn’t suspend or disable user credentials after a certain number of unsuccessful login attempts. By not adequately restricting the number of tries, the companies placed their networks at risk.
4. Store sensitive personal information securely and protect it during transmission.
For many companies, storing sensitive data is a business necessity. And even if you take appropriate steps to secure your network, sometimes you have to send that data elsewhere. Use strong cryptography to secure confidential material during storage and transmission. The method will depend on the types of information your business collects, how you collect it and how you process it. Possibilities include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption or an iterative cryptographic hash, depending on your business. But regardless of method, safe storage is only as good as the personnel who implement it. Make sure the people you designate to do the job understand how your company uses sensitive data and what’s appropriate for each situation.
- Keep sensitive information secure throughout its lifecycle. The FTC alleged that a mortgage corporation used SSL encryption to secure the transmission of sensitive personal information between the customer’s web browser and the business’s website server. But once the information reached the server, the company’s service provider decrypted it and emailed it in clear, readable text to the company’s headquarters and branch offices. That risk could have been prevented by ensuring the data was secure throughout its lifecycle, not just during initial transmission.
- Don’t start from scratch unless absolutely necessary. An online advertising firm stored sensitive customer information collected through its e-commerce sites in a database that used a non-standard, proprietary form of encryption. Unlike widely accepted, extensively tested encryption algorithms, the FTC complaint charged that the firm used a simple alphabetic substitution system subject to significant vulnerabilities. The company could have avoided those weaknesses by using tried-and-true industry-tested and accepted methods for securing data.
5. Segment your network and monitor who’s trying to get in and out.
When designing your network, consider using tools like firewalls, thereby limiting access between computers on your network and between your computers and the Internet. Other useful safeguards include intrusion detection and prevention tools to monitor your network for malicious activity.
- Not every computer in your system needs to be able to communicate with every other one. You can help protect particularly sensitive data by housing it in a separate, secure place on your network. That’s a lesson from one case. The FTC alleged that the company didn’t sufficiently limit computers from one in-store network from connecting to computers on other in-store and corporate networks. As a result, hackers could use one in-store network to connect to and access personal information on other in-store and corporate networks. The company could have reduced that risk by sufficiently segmenting its network.
- Who’s that knocking on my door? That’s what an effective intrusion detection tool asks when it detects unauthorized activity on your network. The FTC alleged that a credit card processing company didn’t use sufficient measures to detect unauthorized access to its network. Hackers exploited weaknesses, installing programs on the company’s network that collected stored sensitive data and sent it outside the network every four days.
6. Secure remote access to your network.
Business doesn’t just happen in the office. While a mobile workforce can increase productivity, it also can pose significant security challenges. If you give employees, clients or service providers remote access to your network, ensure you have secured those access points.
- Network security is only as strong as the weakest security on a computer with remote access, just as a chain is only as strong as its weakest link. For example, a capital lending service allegedly activated a remote login account for a business client to obtain consumer reports, without first assessing that business’s security. When hackers accessed the client’s system, they stole its remote login credentials and used them to grab consumers’ personal information.
7. Apply sound security practices when developing new products.
So you have a great new app or innovative software on the drawing board. Great! Early in the development process, think through how customers will likely use the product. If they’ll be storing or sending sensitive information, is your product up to handling that data securely? Train your engineers in secure coding. Have you explained to your developers the need to keep security at the forefront?
- Train engineers in secure coding. An e-verification firm allegedly failed to implement readily available secure communications mechanisms in the logging applications it pre-installed on its mobile devices. As a result, malicious third-party apps could communicate with logging applications, placing consumers’ text messages, location data and other sensitive information at risk. The company could have reduced the risk of such vulnerabilities by adequately training its engineers in secure coding practices.
- Follow established guidelines. An Internet movie times and ticket firm and a credit and financial management platform turned off SSL certificate validation in mobile apps, leaving sensitive information consumers transmitted through those apps open to interception through man-in-the-middle attacks. These two companies could have prevented this vulnerability by following the iOS and Android guidelines for developers which explicitly warn against turning off SSL certificate validation.
- Verify that privacy and security features work. A networking solutions firm allegedly failed to test that an option to make a consumer’s camera feed private would, in fact, restrict access to that feed. As a result, hundreds of private camera feeds were publicly available.
- Forever? Maybe. Similarly, a social media company advertised that messages would disappear forever, but the FTC says it failed to ensure the accuracy of that claim. Among other things, one app saved video files to a location outside of the app’s sandbox, making it easy to recover the video files with common file browsing tools. The lesson: When offering privacy and security features, ensure that your product lives up to advertising claims.
8. Make sure your service providers implement reasonable security measures.
When it comes to security, keep a watchful eye on your service providers — for example, companies you hire to process personal information collected from customers or to develop apps. Before hiring someone, be candid about your security expectations. Take reasonable steps to select providers able to implement appropriate security measures and monitor that they are meeting your requirements.
- Put it in writing. Insist that appropriate security standards are part of contracts. The FTC alleged that a transcription company hired service providers to transcribe sensitive audio files, but failed to require the service provider take reasonable security measures. As a result, the files — many containing highly confidential health-related information — were widely exposed on the Internet.
- Verify compliance. A company that provides a loyalty program where members accrue credits on eligible purchases that are then directed to a college savings plans or to pay down student loans allegedly hired a service provider to develop a browser toolbar. The company claimed that the toolbar, which collected consumers’ browsing information to provide personalized offers, would use a filter to remove any identifiable information before transmission. But, according to the FTC, this firm failed to verify that the service provider had implemented the information collection program in a manner consistent with privacy and security policies to protect consumer information. As a result, the toolbar collected sensitive personal information — including financial account numbers and security codes from secure Web pages — and worse, transmitted it in clear text.
9. Put procedures in place to keep your security current and address any vulnerabilities that may arise.
Securing your software and networks isn’t a one-and-done deal. It’s an ongoing process that requires you to keep your guard up. If you use third-party software on your networks, or you include third-party software libraries in your applications, apply updates as they’re issued. If you develop your own software, how will people let you know if they spot a vulnerability, and how will you make things right?
- Update and patch third-party software. Outdated software undermines security. The FTC alleged that an apparel and home goods company didn’t update its anti-virus software, increasing the risk that hackers could exploit known vulnerabilities or overcome the business’s defenses.
- Listen carefully then move! A leading smartphone and tablet manufacturer allegedly didn’t have a process for receiving and addressing reports about security vulnerabilities. Alleged delays in responding to warnings meant that the vulnerabilities found their way onto even more devices across multiple operating system versions. Similarly, a movie ticket and times company allegedly relied on a general customer service system to respond to warnings about security risks. According to the complaint, when a researcher contacted the business about a vulnerability, the system incorrectly categorized the report as a password reset request, sent an automated response and marked the message as “resolved” without flagging it for further review.
10. Secure all physical media.
Network security is a critical consideration, but many of the same lessons apply to paperwork and physical media like hard drives, laptops, flash drives and disks.
- Securely store sensitive files. If it’s necessary to retain paperwork, keep it secure. The FTC alleged that one defendant maintained sensitive consumer information collected by his former businesses in boxes in his garage. And a leading identity theft protection company allegedly left faxed documents that included consumers’ personal information in an open and easily accessible area. In both cases, the businesses could have reduced risk by implementing policies to store documents securely.
- Protect devices that process personal information. Securing information stored on your network won’t protect your customers if the data has already been stolen through the device that collects it. In a dollar store chain investigation, FTC staff said that the business’s PIN entry devices were vulnerable to tampering and theft. As a result, unauthorized persons could capture consumer’s payment card data, including the magnetic stripe data and PIN, through an attack known as “PED skimming.” Attacks targeting point-of-sale devices are now common and well-known, and businesses should take reasonable steps to protect such devices from compromise.
- Keep safety standards in place when data is en route. The FTC alleged that an employee of a healthcare services and technology provider left a laptop containing more than 600 files, with 20 million pieces of information related to 23,000 patients, in the locked passenger compartment of a car which was then stolen. And unencrypted backup tapes, a laptop and an external hard drive – all of which contained sensitive information — were lifted from a biotechnology technology employee’s car. In each case, the business could have reduced the risk by implementing reasonable security policies when data is en route.
For the full document, see Start with Security: A Guide for Business (PDF). The FTC has numerous other resources, including an online tutorial to help train employees; publications to address particular data security challenges; and news releases, blog posts and guidance to help you identify and possibly prevent business pitfalls.
If you liked this post you might also like: