5 (More) Lessons from the FTC to Avoid Data Breach

The second of this two-part series wraps up the FTC’s ten steps and practical guidance on avoiding data breaches and protecting confidential information for businesses.

In the first of this two-part series brought to you by staff from the FTC’s East Central Region, we discussed the first five lessons for protecting your company against vulnerabilities in data security. In part two, we round out the top ten lessons, distilled from over 50 law enforcement actions brought by the FTC.


    Lesson No. 6: Secure remote access to your network


    Business doesn’t just happen in the office. While a mobile workforce can increase productivity, it also can pose new security challenges. If you give employees, clients or service providers remote access to your network, have you taken steps to secure those access points?  

    Ensure endpoint security

    Just as a chain is only as strong as its weakest link, your network security is only as strong as the weakest security on a computer with remote access to it. Take care to ensure that computers with remote access to your network, including those with remote login accounts or access through an online portal, have appropriate endpoint security, including firewalls and updated antivirus software.

    Put sensible access limits in place

    Not everyone who might occasionally need to get on your network should have an all-access, backstage pass. That’s why it’s wise to limit access to what’s needed to get the job done, including adequately restricting third-party access to your network. Consider placing limits on third-party access to your network—for example, by restricting connections to specified IP addresses or granting temporary, limited access.
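The two limits the FTC names here, restricting connections to specified IP addresses and granting temporary, limited access, are easy to state and easy to get wrong in practice. The following is an added example, not part of the FTC guidance or this article, showing one way to enforce both as a single policy check: a grant is tied to a named principal, to one or more source networks, to an expiry time and to an explicit scope, and every refusal comes back with a reason that can be logged. The class names, the sample allow-list and the sample grants are constructed for this illustration.

```python
"""Added example, not part of the FTC guidance or this article: a small
remote-access policy that restricts connections to specified IP ranges and
grants temporary, limited access. Class names, the sample allow-list and the
sample grants are constructed for this illustration."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class AccessGrant:
    """One time-bounded grant for a named principal (an employee or vendor)."""
    principal: str
    sources: list          # ipaddress networks the principal may connect from
    expires_at: datetime   # the grant is refused at or after this instant
    scopes: frozenset      # what the grant covers, e.g. {"vpn", "portal"}


class RemoteAccessPolicy:
    """Allows a connection only when a current grant exists for the principal,
    the source address is inside one of the grant's networks and the requested
    scope is part of the grant. Every refusal carries a reason for the log."""

    def __init__(self):
        self._grants = {}

    def grant(self, principal, cidrs, ttl, scopes, now=None):
        """Register a temporary grant; cidrs is a list of CIDR strings."""
        start = now or datetime.now(timezone.utc)
        self._grants[principal] = AccessGrant(
            principal=principal,
            sources=[ipaddress.ip_network(c, strict=False) for c in cidrs],
            expires_at=start + ttl,
            scopes=frozenset(scopes),
        )

    def revoke(self, principal):
        """Remove a grant early, e.g. when an engagement ends ahead of schedule."""
        self._grants.pop(principal, None)

    def check(self, principal, source_ip, scope, now=None):
        """Return (allowed, reason); now is injectable so expiry can be tested."""
        now = now or datetime.now(timezone.utc)
        grant = self._grants.get(principal)
        if grant is None:
            return False, "no grant for principal"
        if now >= grant.expires_at:
            return False, "grant expired"
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False, "malformed source address"
        if not any(addr in net for net in grant.sources):
            return False, "source address not on allow-list"
        if scope not in grant.scopes:
            return False, "scope not granted"
        return True, "ok"


def demo():
    """Constructed scenario: a vendor gets two hours of portal access from one
    office range (203.0.113.0/24 is a documentation range, not a real office)."""
    policy = RemoteAccessPolicy()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    policy.grant("vendor-a", ["203.0.113.0/24"], timedelta(hours=2), ["portal"], now=t0)
    return {
        "from_office": policy.check("vendor-a", "203.0.113.7", "portal", now=t0),
        "from_elsewhere": policy.check("vendor-a", "198.51.100.7", "portal", now=t0),
        "wrong_scope": policy.check("vendor-a", "203.0.113.7", "vpn", now=t0),
        "after_expiry": policy.check("vendor-a", "203.0.113.7", "portal",
                                     now=t0 + timedelta(hours=3)),
        "unknown_user": policy.check("nobody", "203.0.113.7", "portal", now=t0),
        "bad_address": policy.check("vendor-a", "not-an-ip", "portal", now=t0),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} -> {decision}")
```

The point of returning a reason with every refusal is that the same object serves both enforcement and monitoring: a run of "source address not on allow-list" refusals for one vendor account is exactly the kind of signal the later lesson on monitoring who is trying to get in relies on. Expiry is checked before the address, so a stale grant is refused even from a trusted range.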

    Lesson No. 7: Apply sound security practices when developing new products

    So you have a great new app or innovative software on the drawing board. Early in the development process, think through how customers will likely use the product. If they’ll be storing or sending sensitive information, is your product up to the task of handling that data securely?

    Train your engineers in secure coding

    Have you explained to your developers the need to keep security at the forefront? The FTC has alleged in several cases that companies failed to train their employees in secure coding practices, leading to questionable design decisions, including the introduction of vulnerabilities into the software. For example, the FTC alleged that one company failed to implement readily available secure communications mechanisms in the logging applications it pre-installed on its mobile devices. As a result, malicious third-party apps could communicate with the logging applications, placing consumers’ text messages, location data and other sensitive information at risk. The company could have reduced the risk of vulnerabilities like that by adequately training its engineers in secure coding practices.

    Follow platform guidelines for security

    When it comes to security, there may not be a need to reinvent the wheel. Sometimes the wisest course is to listen to the experts. The FTC alleged in three actions that companies failed to follow explicit platform guidelines about secure development practices, by, for instance, turning off a critical process known as SSL certificate validation in their mobile apps, leaving the sensitive information consumers transmitted through those apps open to interception through man-in-the-middle attacks. This vulnerability could have been prevented by following the iOS and Android guidelines for developers, which explicitly warn against turning off SSL certificate validation.
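The misconfiguration the FTC describes, certificate validation switched off, usually enters a code base as a two-line "temporary" change made to get past a test environment's self-signed certificate, and then ships. The following added example (not from the FTC guidance, the article or any platform SDK) shows that weak setting beside the correct default and adds a small check a reviewer can run over a client's TLS configuration. It uses Python's standard ssl module rather than an iOS or Android API, and the function names are this example's own.

```python
"""Added example, not from the FTC guidance, the article or any platform SDK:
the weak setting described above (certificate validation switched off) beside
the correct default, plus a check a reviewer can run over a TLS context.
Python's standard ssl module stands in for the mobile platform APIs; the
function names are this example's own."""
import ssl


def secure_client_context():
    """What platform guidance expects: verify the certificate chain against
    the trust store and check that the hostname matches the certificate."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validation_disabled_context():
    """The misconfiguration alleged in the FTC actions: a context that accepts
    any certificate, so a certificate presented by someone in the middle of the
    connection is trusted too. Included only so the audit below has something
    to flag."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context validates
    its peer the way the platform guidelines require."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("secure context  :", audit_context(secure_client_context()) or "no findings")
    print("insecure context:", audit_context(validation_disabled_context()))
```

Both verify_mode and check_hostname matter: a context that verifies the chain but not the hostname still accepts any valid certificate for any other site, which defeats the purpose. The same pair of checks maps directly onto the iOS and Android settings the guidelines warn about, so an audit like this belongs in code review or a pre-release test, not only in a one-time assessment.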

    Verify that privacy and security features work

    If your software offers a privacy or security feature, verify that the feature works as advertised.

    Test for common vulnerabilities

    There is no way to anticipate every threat, but some vulnerabilities are commonly known and reasonably foreseeable. In more than a dozen FTC cases, businesses failed to adequately assess their applications for well-known vulnerabilities like those identified by the Open Web Application Security Project (OWASP).

    Lesson No. 8: Make sure your service providers implement reasonable security measures

    When it comes to security, keep a watchful eye on your service providers—for example, companies you hire to process personal information collected from customers or to develop apps. Before hiring someone, be candid about your security expectations. Take reasonable steps to select providers able to implement appropriate security measures and monitor that they’re meeting your requirements.

    Put it in writing

    Insist that appropriate security standards are part of your contracts. Businesses can include contract provisions that require service providers to adopt reasonable security precautions—for example, encryption.

    Verify compliance

    Asking questions and following up with the service provider can help ensure that the service provider is performing in a manner consistent with your privacy and security policies and the terms in the contract designed to protect consumer information.

    Lesson No. 9: Put procedures in place to keep your security current and address vulnerabilities that may arise

    Securing your software and networks isn’t a one-and-done deal. It’s an ongoing process that requires you to keep your guard up.

    Update and patch third-party software

    Outdated software undermines security. The solution is to update it regularly and implement third-party patches.  

    Heed credible security warnings and move quickly to fix them

    Have an effective process in place to receive and quickly address security vulnerability reports.  Consider a clearly publicized and effective channel (for example, a dedicated email address like security(@)yourcompany.com) for receiving reports and flagging them for your security staff.

    Lesson No. 10: Secure paper, physical media and devices

    Network security is a critical consideration, but many of the same lessons apply to paperwork and physical media like hard drives, laptops, flash drives and disks.

    Securely store sensitive files

    If it’s necessary to retain important paperwork, take steps to keep it secure. Storing sensitive consumer information in boxes in a garage or leaving faxed documents that include consumers’ personal information in an open and easily accessible area are both situations that the FTC has alleged increased the risk to companies’ customers.

    Protect devices that process personal information

    Securing information stored on your network won’t protect your customers if the data has already been stolen through the device that collects it. Attacks targeting point-of-sale devices are now common and well-known, and businesses should take reasonable steps to protect such devices from compromise.

    Keep safety standards in place when data is en route

    Businesses can reduce the risk to consumers’ personal information by implementing reasonable security policies when data is en route. For example, when sending files, drives, disks, etc., use a mailing method that lets you track where the package is. Limit the instances when employees need to be out and about with sensitive data in their possession. But when there’s a legitimate business need to travel with confidential information, employees should keep it out of sight and under lock and key whenever possible.

    Dispose of sensitive data securely

    Companies can reduce the risk to consumers’ personal information by shredding, burning or pulverizing documents to make them unreadable and by using available technology to wipe devices that aren’t in use.

    Looking for more information?

    The FTC’s Business Center has a Data Security section with an up-to-date listing of relevant cases and other free resources.

    The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. You can file a complaint online at www.ftc.gov/complaint or by telephone at 1-877-FTC-HELP (1-877-382-4357). 


    5 Questions with e2b teknologies

    We’re blessed in the CLE with a variety of creative, innovative software companies offering valuable services and unique, proprietary products. Every year, during the Best of Tech Awards nomination period leading up to Tech Week, we see a lot of great nominations. It’s tough to win the awards and tough to get to the finalist stage. This year, e2b teknologies made it to that finalist round, a much deserved accolade as they’ve made incredible traction with a core product: Anytime Collect. We spent a little time with the company to learn more about them, their products and their plans for the future.

    So, give us some background on e2b teknologies: When did you get started, core markets, key products/services, headcount, etc.?


    e2b teknologies was founded in 2001 by several former Sage Software and Haitek Solutions employees but traces its roots to the original company, Haitek Solutions, which was formed in the early 1990s as a software development and business applications reseller. Our heritage has long since been tied to business application development, with literally decades of experience implementing, developing, and integrating business applications. Today, e2b teknologies is a business software developer and ERP consulting, reseller, and custom development company specializing in accounting and business applications for wholesale distribution, manufacturing, and service management organizations. Our product offering includes Epicor ERP, Sage 100 ERP, Sage 500 ERP, Sage ERP X3, Sage CRM, and other extended solutions.

    e2b teknologies also develops complementary business applications including Anytime Collect accounts receivable management software, which was a finalist for the 2015 OHTec Best Software Product Award, Anytime Commerce B2B e-commerce platform, Anytime Docs documents management software, Anytime 500 manufacturing and distribution add-ons for Sage 500 ERP, and others.


    e2b calibration is another business unit in the e2b teknologies family. It is an ISO/IEC 17025 accredited calibration and repair laboratory providing a full scope of services (traceable to NIST) for most popular calibration, test, and measurement instruments.

    Where have you seen the strongest growth for the company in the past few years? 

    We’ve seen growth throughout our business over the last few years. The calibration lab continues to be hugely successful, as it has seen consistent growth in both customer count and revenue. Our ERP sales, consulting, and development practice continues to thrive as we further diversify our product offering, and our team has earned a number of publisher and media accolades for excellence in ERP sales and services.

    Of all the success we have seen, the growth of our accounts receivable management software, Anytime Collect, has been very impressive. Anytime Collect is a cloud-based accounts receivable management software that helps companies get paid faster and easier through automation and management of the entire accounts receivable process.

    Sales of Anytime Collect have grown significantly year-over-year for the past five consecutive years and we expect the trend to continue throughout 2015 and beyond. This explosive growth can be attributed to a number of factors including the expansion of our private-label relationships, a growing number of international partners, software translations into different languages, and the fact that it’s available in three editions for different segments of the market; from small to large companies.

    Where do you see growth opportunities going forward?

    No one truly knows what’s ahead, but all signs point to cloud software becoming the standard in the near future. We expect that most of the new and innovative business applications developed in the next 5 years will be cloud-based and that cloud applications will soon rival on-premise applications in performance and overall total cost of ownership.

    Thankfully our ERP partners have risen to the challenge and provide us with competitive solutions available for traditional on-premise installations as well as new hosted cloud-based offerings. As for the products we develop, like Anytime Collect, we are equally committed to giving our customers and prospects options when it comes to deployment.

    Regardless of where the market goes or the growth we see, we will not stop innovating and we will never lose our focus on why we’re in business – to help our customers to enable technology to effectively manage every aspect of their business so they have the insight they need to make critical decisions, to build better products, to provide better services, and to exceed their customer expectations in everything that they do.

    What are some key trends you’re seeing among your customers and their uses of technology?

    Cloud ERP continues to be a hot topic and it’s something our customers and prospects ask us about all the time. We work with a lot of manufacturers and they’re typically more hesitant to make the move to the cloud, but they’re getting curious, and we’ve seen an increase, compared with years past, in the number of customers who wind up going the cloud ERP route.

    Tell us about some of the unique aspects and cool elements of e2b.

    e2b teknologies is a company built around people and we don’t just say it, we mean it. We value every relationship both inside and outside of our office walls and strive to exceed customer expectations in all aspects of our business – sales, consulting, engineering, support, and finance. Perhaps that’s why so many of our teammates have worked together across two decades (or maybe it’s because the company comes together every Friday morning to cook and eat breakfast together!).  

    We are very proud of our team but we are even more proud of the success we’ve shared with our customers as they’ve grown through their implementations to fully utilize their business systems to manage and grow their own businesses.

     

    5 Questions with Pantek

    Longtime member, Pantek, Inc., was recently acquired by a group of seasoned tech entrepreneurs, including Michael Fischer, Tony Pietrocola, John Farrall, and Michael DeAloia.  Pantek, a former OHTec Best of Tech Finalist, has gained a lot of traction recently and the new ownership sees solid potential for growth at the company.  We spent some time at their offices recently to learn a little more about their plans.


    OHTec: Congrats on the purchase, that’s very exciting. Can you give us a little more detail on the company:  year founded, core services, primary markets, etc.?


    Pantek: Pantek was founded in 1995 to provide comprehensive IT services to companies who utilize Linux and other Open Source technologies. Pantek’s core services are consulting and support for Linux and open source technologies, managed services for open source systems, and hosting. Pantek has clients in all 50 states and in 35 countries around the world. In fact, our revenue from clients in Northeast Ohio is actually less than 5%.

    OHTec: How did the investor group come together? What are your backgrounds?

    Pantek: The investor group was formed 18 months ago because we had similar interests in terms of the type of business that we would like to purchase. Our backgrounds were heavy in the tech space and we all appreciated the scalability and stable revenue of the hosting business. We were also looking for a business that truly had a differentiated product/service offering which is hard to find these days.

    Mike Fischer is the former CEO and owner of Thinsolutions which he founded in 1997. In 2012 Mike sold the 52 person Thinsolutions to Konica Minolta. Tony Pietrocola previously founded a digital marketing company called Tenth Floor; the Cleveland-based company was sold to Bridgeline Software in 2008. Tony is now running an online lending company in Strongsville called vLoan. Michael DeAloia writes a technology column for The Plain Dealer and Cleveland.com. He previously served as the city of Cleveland’s “tech czar,” a position that involved recruiting tech companies to the city. John Farrall is a partner at Cleveland Research Co., an equity research firm headquartered downtown.

    OHTec: What were the top 2-3 areas that made Pantek so attractive for this acquisition?

    Pantek: The Linux expertise that Pantek has developed over its 20 years in business has made it one of the premier Linux and Open Source support and hosting companies in the world. If one Googles “Linux tech support,” Pantek commonly only trails Linux.com itself in the organic rankings. 

    The hosting market is commoditized and most small hosting companies are having to make a difficult shift from pure infrastructure hosting to more of a managed hosting/software consulting business model where there is a niche or some level of expertise that adds value to the hosting customers. Pantek is in a unique position as it was built first and foremost as a service and support company and therefore the company already understands and excels at consulting and supporting clients at a software support level. Lastly, the hosting infrastructure that is in place at Pantek is top notch and the hosting business can easily be expanded with minimal additional capital costs.

    OHTec: Where do you see the top 2-3 opportunities for growth? What kind of growth are you forecasting for the company in the next couple of years?

    Pantek:  

    1. We are going to do a better job of capitalizing on some existing areas of expertise such as the excellent work we do with a couple of web platforms, namely Wordpress and Magento. We do consulting, development, and managed hosting for these products and we really haven’t been communicating this skill to the overall market. 

    2. The investor group was formed with the idea that we would like to grow the business quickly through acquisition and that is still the plan. We are currently aggressively looking to acquire hosting and Managed Service companies and especially those that will offer our current clients a deeper set of products and services. 

    3. The Pantek business has been developed to be a premier technical support and hosting business, but the company has an opportunity to grow through a deeper consulting relationship with each of its existing and future clients – we plan to become much more relationship oriented with respect to our clients.

    Our current plan is to grow the business significantly within the next few years. This will be accomplished through acquisitions and by organic means of providing more value to our existing clients.

    OHTec:  What are your visions for additional acquisitions and mergers to Pantek?

    Pantek:  Our plans are to do at least one acquisition per year for the next 5 years. Our intention is to look for businesses that can help further cement the offerings we focus on, such as Linux, Magento and Wordpress, while we will also look to broaden the scope of how we can work with existing clients and prospects.

    OHTec Bonus Question:  It’s the Summer of 2016 – who draws more viewers the Cavs winning the NBA Finals or the Republican National Convention?

    Pantek: In Cleveland, all eyes will be on LeBron and the gang, but nationwide the RNC will hold more total viewers. I would think by then the Republican field should be trimmed from the current list of 20-some hopefuls. My money is on the Cavs winning it all next year. As a long-suffering Cleveland sports fan, I will be delighted to witness the championship drought coming to an end. Go CAVS!

    Pantek has been innovative in the open source space for quite awhile. It’s exciting to see the company acquired by a local group; hopefully we’ll see more growth leading to additional acquisitions. Good luck!

    5 Ways to Avoid a Data Breach

    We’ve heard a lot recently in the news about data breaches. Don’t let your business fall victim to the plethora of threats out there to one of your most vital resources. Keep your data safe and protect confidential information with these five expert tips brought to you by the FTC’s East Central Region in the first of a two-part series.

    When managing your network, developing an app or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant. As the Federal Trade Commission outlines in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.


    There’s another great source of information from the FTC about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements—no findings have been made by a court—and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, staff from the FTC’s East Central Region present in this article five lessons that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose. 


    Lesson No. 1: Start with security

    From personal data on employment applications to network files with customers’ credit card numbers, sensitive information pervades many companies. Experts agree that the first step in managing confidential information is to start with security. Factor it into the decision-making in every department of your business—personnel, sales, accounting, information technology, etc. Collecting and maintaining information “just because” is no longer a sound business strategy. By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of a data compromise down the road. Of course, all of those decisions will depend on the nature of your business.

    Lesson No. 2: Control access to data sensibly

    Once you’ve decided you have a legitimate business need to hold on to sensitive data, take reasonable steps to keep it secure. Not everyone on your staff needs unrestricted access to your network and the information stored on it. For your network, consider steps such as separate user accounts to limit access to the places where personal data is stored or to control who can use particular databases. For paper files, external drives, disks, etc., an access control could be as simple as a locked file cabinet. Administrative access, which allows a user to make system-wide changes to your system, should be limited to the employees tasked to do that job.

    Lesson No. 3: Require secure passwords and authentication

    If you have personal information stored on your network, strong authentication procedures—including sensible password “hygiene”—can help ensure that only authorized individuals can access the data.

    Insist on complex and unique passwords

    “Passwords” like 121212 or qwerty aren’t much better than no passwords at all. That’s why it’s wise to give some thought to the password standards you implement. For example, you can require employees to choose complex passwords and train them not to use the same or similar passwords for both business and personal accounts.

    Store passwords securely

    Don’t make it easy for interlopers to access passwords. Three of the FTC’s settlements in this area have alleged that:

    • The company stored network user credentials in clear, readable text that helped a hacker access customer credit card information on the network;
    • The business allowed customers to store user credentials in a vulnerable format in cookies on their computers; and
    • A company failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts.

    In each of those cases, the risks could have been reduced if the companies had policies and procedures in place to store credentials securely. Businesses also may want to consider other protections—two-factor authentication, for example—that can help protect against password compromises.

    Guard against brute force attacks

    Remember that adage about an infinite number of monkeys at an infinite number of typewriters? Hackers use automated programs that perform a similar function. These brute force attacks work by typing endless combinations of characters until hackers luck into someone’s password. Implementing a policy to suspend or disable accounts after repeated login attempts may help to eliminate the risk from brute force attacks.
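The two preceding points, storing credentials securely and guarding against brute force attacks, are usually handled by the same piece of code: the login routine. The following is an added example, not the FTC’s or this article’s code, of a credential store that keeps only salted, iterated hashes (PBKDF2 from Python’s standard library, one form of the iterative cryptographic hash the FTC mentions) instead of the clear-text credentials alleged in the settlements above, and that disables an account after a set number of consecutive failed logins. The class name, the work factor, the lockout threshold and the sample user are this example’s own choices; two-factor authentication, which the text also suggests, is not shown.

```python
"""Added example, not the FTC's or the article's code: a credential store
that keeps only salted, iterated password hashes and that locks an account
after repeated failed logins. Class and parameter names are this example's
own; the iteration count and lockout threshold are illustrative settings."""
import hashlib
import hmac
import os

ITERATIONS = 600_000        # PBKDF2 work factor; raise it as hardware improves
MAX_FAILED_ATTEMPTS = 5     # lock after this many consecutive failures
_DUMMY_SALT = b"\x00" * 16  # used so an unknown user costs the same as a real check


class CredentialStore:
    def __init__(self, iterations=ITERATIONS, max_failures=MAX_FAILED_ATTEMPTS):
        self._records = {}
        self._iterations = iterations
        self._max_failures = max_failures

    def _derive(self, password, salt):
        """Salted, iterated hash; the password text itself is never stored."""
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)

    def register(self, username, password):
        salt = os.urandom(16)               # fresh random salt per account
        self._records[username] = {
            "salt": salt, "hash": self._derive(password, salt),
            "failures": 0, "locked": False,
        }

    def login(self, username, password):
        """Return one of 'ok', 'bad-credentials' or 'locked'."""
        rec = self._records.get(username)
        if rec is None:
            self._derive(password, _DUMMY_SALT)   # same cost, then refuse
            return "bad-credentials"
        if rec["locked"]:
            return "locked"
        candidate = self._derive(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):   # constant-time compare
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self._max_failures:
            rec["locked"] = True            # the suspend-after-repeated-attempts policy
            return "locked"
        return "bad-credentials"

    def unlock(self, username):
        """Administrative reset once the account holder has been verified out-of-band."""
        rec = self._records[username]
        rec["failures"] = 0
        rec["locked"] = False

    def stores_plaintext(self, username, password):
        """Reviewer's sanity check: the password text must not appear in the stored record."""
        rec = self._records[username]
        return password.encode() in rec["salt"] + rec["hash"]


if __name__ == "__main__":
    store = CredentialStore(max_failures=3)
    store.register("alice", "correct horse battery staple")   # constructed sample user
    print(store.login("alice", "correct horse battery staple"))  # ok
    for guess in ("guess1", "guess2", "guess3"):
        print(store.login("alice", guess))                     # bad-credentials x2, then locked
    print(store.login("alice", "correct horse battery staple"))  # locked
    print("plaintext stored:", store.stores_plaintext("alice", "correct horse battery staple"))
```

Two details carry most of the value. The unknown-user path performs the same hash work as a real check so response time does not reveal which usernames exist, and the comparison uses hmac.compare_digest so the match does not leak through timing either. Whether a lock is temporary or permanent, and who may clear it, are policy decisions the FTC leaves to the business; the code simply makes the state explicit so that decision can be enforced and audited.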

    Protect against authentication bypass

    Locking the front door doesn’t offer much protection if the back door is left open. In one settlement, the FTC charged that a company failed to adequately test its web application for widely-known security flaws, including one called “predictable resource location.” As a result, a hacker could easily predict patterns and manipulate URLs to bypass the web app’s authentication screen and gain unauthorized access to the company’s databases. The company could have improved the security of its authentication mechanism by testing for common vulnerabilities.

    Lesson No. 4: Store sensitive personal information securely and protect it during transmission

    Use strong cryptography to secure confidential material during storage and through all phases of transmission. The method will depend on the types of information your business collects, how you collect it and how you process it. Given the nature of your business, some possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption or an iterative cryptographic hash. Make sure the people you designate to do that job understand how your company uses sensitive data and have the know-how to determine what’s appropriate for each situation. Several companies have unnecessarily risked attacks that could have been prevented if the companies’ implementations of SSL had been properly configured.

    When considering what technical standards to follow, keep in mind that experts may have already developed effective standards that can apply to your business, including widely-accepted encryption algorithms. Savvy companies don’t start from scratch when it isn’t necessary; deviating from tried-and-true, industry-tested and accepted methods for securing data could subject that data to significant vulnerabilities.

    Lesson No. 5: Segment your network and monitor who’s trying to get in and out

    When designing your network, consider using tools like firewalls to segment your network, thereby limiting access between computers on your network and between your computers and the internet. Another useful safeguard: intrusion detection and prevention tools to monitor your network for malicious activity.


    5 ways to drive energy efficiency at your business in 2016

    The energy market has slipped into new low territory as cold air remains trapped in Canada and mild U.S. temperatures now stretch into the New Year. Near-record mild temperatures in December, broadly based across the eastern two-thirds of the US, have forced natural gas futures down to 14-year lows. Still, there are ways for your business to continue to drive down usage and build up your bottom line. Here are five things you can start doing today that will help keep your energy costs in check during 2016.

    1. Smart energy is getting smarter: More small businesses are integrating smarter solutions to both control energy costs as well as better understand and manage their overall energy use. The combination of cloud-based information systems plus storage can enable smart, connected buildings that use and manage energy more efficiently than ever before. Better information means greater visibility over your energy use—and more control over your bottom-line energy costs.
    2. Don’t get left in the shade: Solar solutions are more modular and streamlined today, so installation is simplified. The market has been innovating relentlessly and truly revolutionary approaches are making their debut. It is easy to generate and offset more than 80% of your electric, which allows you to cut costs faster and save even more. With the 30% tax credit that was just extended until 2019, who doesn’t want free cash back on their project?
    3. Control for behaviors: If you still have old fluorescent lighting, it’s time to upgrade. LEDs are now affordable and provide reduced maintenance and significant energy savings. However, just because you install new energy efficient lighting, you still need to remember to turn it off when not in use! Today, advanced controls for lighting, HVAC, refrigeration, occupancy, etc., are more widely adopted and integrated into a centralized energy management system.
    4. Use the data: If you are like most small businesses that have conducted an energy audit of your facility, you might not have done anything with that report since it was presented to you. Don’t let it continue collecting dust. Take a good, hard look at that report and figure out what areas of your business you need to prioritize for your next energy project.
    5. Take ownership: Energy accountability still is lacking in many organizations. While more management teams realize the importance of managing energy use, who specifically is responsible for driving improvements (operations, real estate, sustainability, etc.) remains fluid, and thus reduction programs stall. Dedicate one person or team to being your business’s “energy champion” devoted to keeping a constant watch over energy consumption.

    And here’s a bonus tip: Don’t feel like you need to go it alone when it comes to energy usage. The COSE Energy Team stands ready to assist. Contact us at 216-592-2205 or energy@cose.org.

    6 Steps to Improve Cyber Security

    While cyber threats to your business evolve over time, the basic principles of defense remain the same. It’s with that thinking in mind that the Federal Trade Commission published its report “Start with Security: A Guide for Business” which details cyber security best practices as gleaned from previous FTC cases. Following are six steps you can start implementing today to keep your network safe.


    1. Think Security First

    Regardless of what action you want to take, make your choice with security in mind. For instance:

    • Don’t collect data you don’t need: Review what you’re asking your customers to provide. Is any of it sensitive data that could compromise them if you’re hacked? Do you absolutely NEED to have all of the information you’re asking for?
    • Hold on to information only as long as you need it: Collecting personal customer data can be a necessary action companies have to take, but once the deal is done, it might be unwise to hold onto it. If your business is storing credit or debit card numbers for days after a sale is finalized, you might be leaving yourself vulnerable if you’re hacked.
    • Keep Data Secure at All Times: Using encryption is important, but make sure that data stays encrypted at every step. Encrypting does no good if, for example, a service provider decrypts the data at some point and then emails it back to your office in the clear.

    2. Control Access

    Not everyone on your staff needs access to the sensitive data you have on hand. Put controls in place to ensure only those on a “need to know” basis can see this data.

    3. Secure Passwords and Systems

    Insist on complex and unique passwords to access your administrative system. And guard against brute force attacks—programs that endlessly guess at passwords until they luck into a match—by restricting the number of password attempts.
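One way to put the attempt limit into practice, as an added example that is not code from the article or from the FTC guide: a login guard that stores only salted password hashes, counts failed attempts per account inside a time window, and locks the account for a fixed period once the limit is hit. The thresholds, the sample account and the function names are assumptions chosen for illustration.

```python
"""Added example: limiting failed login attempts so a guessing program
cannot keep trying indefinitely. Thresholds and names are assumptions."""
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5           # failures allowed inside the window before locking
WINDOW_SECONDS = 15 * 60   # failures older than this are forgotten
LOCKOUT_SECONDS = 15 * 60  # how long an account stays locked


def make_record(password: str, iterations: int = 200_000) -> tuple:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, key, iterations)


class LoginGuard:
    """Tracks failed attempts per account and refuses further guesses once
    MAX_ATTEMPTS failures land inside WINDOW_SECONDS."""

    def __init__(self, users: dict, clock=time.time, iterations: int = 200_000):
        self._users = users          # username -> (salt, key, iterations)
        self._failures = {}          # username -> timestamps of recent failures
        self._locked_until = {}      # username -> time the lock expires
        self._clock = clock          # injectable so lockouts can be tested
        # Dummy record so an unknown username costs the same hashing work as a
        # real one; otherwise response time would reveal which accounts exist.
        self._dummy = make_record(os.urandom(8).hex(), iterations)

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._locked_until.get(user, 0.0)

    def _verify(self, user: str, password: str) -> bool:
        known = user in self._users
        salt, key, iterations = self._users[user] if known else self._dummy
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        # constant-time comparison, so a partial match does not leak via timing
        return hmac.compare_digest(candidate, key) and known

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self._clock()
        if now < self._locked_until.get(user, 0.0):
            return "locked"      # do not even evaluate the password while locked
        recent = [t for t in self._failures.get(user, []) if now - t < WINDOW_SECONDS]
        if self._verify(user, password):
            self._failures[user] = []
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = []
            return "locked"
        self._failures[user] = recent
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard({"alice": make_record("correct horse")})
    for guess in ["password", "letmein", "123456", "qwerty", "admin", "correct horse"]:
        print(guess, "->", guard.attempt("alice", guess))
```

The counter is keyed by account rather than by client address, because a guessing program can spread its attempts across many addresses. The lockout is time-limited for the same reason a lock exists at all: a permanent lock would let anyone deny a legitimate user access simply by entering wrong passwords on their behalf.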

    4. Monitor Your Network

    Not every computer on your network needs to talk to every other one. House particularly sensitive data in a secure, segregated place on your network. And monitor activity on your network, too. Look for suspicious activity that could indicate unauthorized access.
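The monitoring the step calls for can start from a simple rule: write down which machines are allowed to reach the host that holds the sensitive data, and flag every connection to it that is not on that list. The following is an added example, not code from the article or the FTC guide; the addresses, ports, log format and log lines are all constructed for illustration.

```python
"""Added example: checking a flow log against a "who may talk to the
sensitive host" policy. Hosts, ports and log lines are constructed."""
import re
from collections import Counter

# Constructed policy: the customer database (10.0.9.10) may only be reached
# by the application server on 1433 and by the backup host on 22.
SENSITIVE_HOST_POLICY = {
    "10.0.9.10": {("10.0.5.20", 1433), ("10.0.9.50", 22)},
}

# Constructed flow records, one per line, in a simple key=value format.
FLOW_LOG = """\
2016-01-04T09:12:03 src=10.0.5.20 dst=10.0.9.10 dport=1433 proto=tcp
2016-01-04T09:12:09 src=10.0.7.33 dst=10.0.8.5 dport=53 proto=udp
2016-01-04T09:14:41 src=10.0.7.33 dst=10.0.9.10 dport=1433 proto=tcp
2016-01-04T09:14:42 src=10.0.7.33 dst=10.0.9.10 dport=445 proto=tcp
2016-01-04T02:00:00 src=10.0.9.50 dst=10.0.9.10 dport=22 proto=tcp
this line is not a flow record
""".splitlines()

LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse_flow(line: str):
    """Return (src, dst, dport) or None when the line is not a flow record."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m["src"], m["dst"], int(m["dport"])


def find_violations(lines, policy=SENSITIVE_HOST_POLICY):
    """Every flow to a sensitive host whose (source, port) pair is not allowed."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue                      # skip malformed or non-flow lines
        src, dst, dport = flow
        allowed = policy.get(dst)
        if allowed is None:
            continue                      # destination is not a sensitive host
        if (src, dport) not in allowed:
            violations.append(flow)
    return violations


def offenders(violations):
    """Count violating flows per source so the noisiest host surfaces first."""
    return Counter(src for src, _, _ in violations)


if __name__ == "__main__":
    hits = find_violations(FLOW_LOG)
    for src, dst, dport in hits:
        print(f"unexpected connection {src} -> {dst}:{dport}")
    print("per-source counts:", dict(offenders(hits)))
```

Run against the constructed log, the application server's and backup host's connections pass, while the workstation 10.0.7.33 is reported twice: once on the database port and once on 445, which the policy never permits from anywhere. A review of why that workstation is reaching the database host is the kind of follow-up the FTC's "look for suspicious activity" advice points to.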

    5. Remote Access

    Have a mobile workforce? Before you activate a remote login account, assess whether it is secure. And ensure virus protections are up to date on any online portals. Relatedly, update and patch any third-party software you might be using.

    6. Verify Security of Service Providers

    It doesn’t matter how secure things are in your own house if the security your service providers use is lacking. Make sure to put security standards in writing in any contracts you have with the firms. And if they say they have secure processes in place, verify that this is true.
