10 Things to Know About Cybersecurity Based on Actual Cases

The Federal Trade Commission can be a great resource when it comes to protecting your business. Hear about and learn from some actual cybersecurity cases from the FTC. And scroll to the bottom of this article to watch a full recap of the FTC presentation.

In a recent COSE WebEd Series Webinar, the FTC's Amy Hocevar shared her thoughts on lessons you can learn from real world FTC cases.

The FTC helps ensure consumers have accurate information and promotes competition so that we have better products, lower prices, more innovation and a better economy. The FTC’s provisions prevent companies from engaging in unfair or deceptive advertising practices and prohibit unfair methods of competition.

FTC’s role in cybersecurity

The FTC has taken action against hundreds of companies who did not follow its guidelines regarding spam, spyware, general security cases and cybersecurity. The following four points guide the FTC’s enforcement:

FTC guideline No. 1: Information security is an ongoing process.

FTC guideline No. 2: A company’s security process must be reasonable and appropriate in light of the circumstances (volume, sensitivity of information, cost of tools available, etc.).

FTC guideline No. 3: A breach does not necessarily show a failure to have reasonable security measures—there is no such thing as perfect security.

FTC guideline No. 4: Your practices may still be unreasonable even if you haven’t had a breach—it doesn’t mean there aren’t things you can improve or that a future breach isn’t possible.

Cybersecurity lessons

The following 10 lessons on cybersecurity are based on some of the FTC’s actual cases, including some well-known company names.

Lesson No. 1: Start with security. The idea of protecting your company should be factored into every decision within your business.

Don’t collect information you don’t need. In the case of a company called Rock You, consumers had to provide email addresses and email passwords in order to access all features, which allowed hackers to access the information of up to 32 million users. The FTC said this company created an unnecessary risk to email accounts by collecting sensitive information that it didn’t need. In the case of BJ’s Wholesale Club, the FTC said that credit card information was stored long after the sale was complete. Hackers stole personal information from BJ’s consumers, leading to fraudulent charges, all because the company did not securely dispose of the information once it no longer had a legitimate need for it.

Don’t use personal information when not necessary. The FTC alleged that Accretive Health, instead of using fictitious data, used real consumer information in employee training sessions but failed to remove it from machines when the sessions were over.

Lesson No. 2: Control access to data sensibly.

Restrict access to sensitive data. In a case with Morgan Stanley, the company did a lot of things right, but an employee gained access to a report where the security settings were configured incorrectly. While a breach did occur, the FTC closed its investigation, highlighting that the company had reasonable protections in place.

Limit administrative access. Only employees tasked with a specific job should have access to that particular information. The FTC brought a case against Twitter, discovering that the company granted almost all of its employees access to passwords, email addresses, phone numbers and other information. Hackers were able to gain administrative control on multiple occasions in the Twitter system.

Lesson No. 3: Require secure passwords and authentication.

Store passwords securely. In a case against Guidance Software, the FTC alleged that the company failed to protect information because it stored network user credentials in clear, readable text. It is essential for companies to have strong policies for storing passwords and to conduct checks to make sure those policies are being followed.

Guard against brute force attacks. The FTC says that not disabling accounts after a certain number of unsuccessful login attempts may unreasonably place networks at risk.

Protect against authentication bypass. One area that many business owners are unaware of is that hackers can access accounts, not by typing in a correct password, but by predicting a specific URL that bypasses the login.
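The three points of Lesson No. 3 fit together in one small login service: passwords stored only as salted hashes, accounts locked after repeated failures, and access to a record decided by the caller's session rather than by the identifier in the URL. The code below is an added example written for this article, not code from the FTC or from any company named above; the user store, the five-attempt lockout threshold and the account names are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed policy value for this example: lock the account after this many
# consecutive failed logins (the article gives no specific number).
MAX_FAILED_ATTEMPTS = 5


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted scrypt hash. Only (salt, hash) is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


class UserStore:
    """In-memory stand-in for a user database (constructed for the example)."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}
        self._sessions: Dict[str, str] = {}  # session token -> username

    def add_user(self, username: str, password: str, profile: dict) -> None:
        salt, digest = hash_password(password)
        self._users[username] = {
            "salt": salt, "hash": digest, "profile": profile,
            "failed": 0, "locked": False,
        }

    def is_locked(self, username: str) -> bool:
        return self._users[username]["locked"]

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a session token on success, None on any failure."""
        user = self._users.get(username)
        if user is None or user["locked"]:
            return None
        if not verify_password(password, user["salt"], user["hash"]):
            user["failed"] += 1
            if user["failed"] >= MAX_FAILED_ATTEMPTS:
                user["locked"] = True  # brute-force guard: stop accepting guesses
            return None
        user["failed"] = 0
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def fetch_profile(self, token: Optional[str], requested_user: str) -> Optional[dict]:
        """Authorize from the session, not from the identifier in the URL.

        A request for /account/<requested_user> is served only if the caller
        holds a valid session for that same user, so guessing another user's
        URL yields nothing.
        """
        owner = self._sessions.get(token) if token else None
        if owner is None or owner != requested_user:
            return None
        return self._users[requested_user]["profile"]
```

The lockout counter resets on a successful login, and `fetch_profile` never consults the requested username until the session has already been tied to it, which is the check that closes the URL-guessing hole described above.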

Lesson No. 4: Store sensitive personal information securely and protect it throughout its lifecycle.

Use industry-tested methods and cryptography when transmitting information. Experts may have already developed accepted standards that can be applied to your business. Familiarize yourself with methods that already exist in your industry. In the case of ValueClick Media, the FTC brought action against this company because its encryption method was subject to significant vulnerabilities that were commonly known and easy to protect against.

Ensure proper configuration. Hire experienced personnel to ensure your products are working properly. The FTC alleged that Fandango employees disabled secure encryption, which could lead to a hack. This situation could have been avoided if they had tested to make sure there weren’t any vulnerabilities in play.
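Both points of Lesson No. 4 come down to the same habit: start from a vetted, industry-standard configuration and then test that nobody has quietly weakened it. The example below, added for this article and not drawn from the FTC cases or from any company it names, uses Python's standard TLS client context as the vetted baseline, builds a deliberately weakened copy of the kind that appears when a developer "turns off the thing that was failing in testing", and runs a small audit that reports each weakened setting. Treating the three checks as the complete list is an assumption made for illustration; a real audit would cover the whole configuration.

```python
import ssl
from typing import List


def make_default_client_context() -> ssl.SSLContext:
    """The vetted baseline: the library defaults verify the server certificate and
    hostname. The minimum protocol version is pinned explicitly so the check below
    does not depend on which Python release chose the default."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weakened_client_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: every protection the default gave us
    has been switched off, which is the situation the lesson warns against."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate, from anyone
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # re-admit protocol versions known to be weak
    except ValueError:
        pass  # some OpenSSL builds compile TLS 1.0 out entirely; then it cannot be re-enabled
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return one finding per weakened setting; an empty list means the context
    still matches the baseline. This is the 'test that it is still configured
    properly' step, runnable in CI against the context the application builds."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificates are not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2: obsolete protocol versions are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("default", make_default_client_context()),
                      ("weakened", make_weakened_client_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```

The point of `audit_tls_context` is that it inspects the object the application actually uses, so a change made "just for testing" that was never reverted shows up as a failing check rather than as a surprise later.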

Lesson No. 5: Segment your network and monitor who is trying to get in and out.

Only connect people/locations within a company when necessary. The FTC alleged that DSW was compromised because they allowed computers on one in-store network to connect to other in-store networks. If they had segmented branches, they would have reduced the risk of such a widespread attack.

Consistently monitor activity on your network. The FTC alleged that Dave and Busters did not use effective measures to monitor its network and was consequently hacked. If the company had been monitoring its systems, it’s likely it would have caught the intrusion.
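Segmentation and monitoring reinforce each other: once you have decided which segments may talk to each other, the firewall log is the record of whether that decision is holding. The example below, added here and not taken from the FTC cases or from DSW's or Dave and Busters' systems, declares a constructed address plan (two store segments and a head-office segment), states the policy that stores may reach head office but never each other, and then scans constructed firewall log lines for flows the policy should have prevented. The second function flags a source whose policy-violating flows touched several hosts in another segment, the pattern one would expect when a compromise spreads from one store network to the next.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed address plan for the example: each store and HQ gets its own segment.
SEGMENTS = {
    "store-01": ipaddress.ip_network("10.1.0.0/16"),
    "store-02": ipaddress.ip_network("10.2.0.0/16"),
    "hq-core": ipaddress.ip_network("10.100.0.0/16"),
}

# Policy (assumed for the example): a store may talk to HQ; stores never talk to
# each other; nothing from outside the plan may reach a store directly.
ALLOWED_PAIRS = {frozenset({"store-01", "hq-core"}), frozenset({"store-02", "hq-core"})}

# Constructed firewall log lines in key=value form; not output of any real device.
SAMPLE_LOG = """\
2021-09-01T08:00:01 src=10.1.5.20 dst=10.100.1.10 dport=443 action=ALLOW
2021-09-01T08:00:05 src=10.1.5.20 dst=10.2.7.9 dport=445 action=ALLOW
2021-09-01T08:00:06 src=10.1.5.20 dst=10.2.7.10 dport=445 action=ALLOW
2021-09-01T08:00:07 src=10.1.5.20 dst=10.2.7.11 dport=445 action=ALLOW
2021-09-01T08:00:09 src=10.2.7.9 dst=10.100.1.10 dport=443 action=ALLOW
2021-09-01T08:01:00 src=10.100.1.10 dst=10.1.5.20 dport=22 action=ALLOW
2021-09-01T08:02:13 src=203.0.113.5 dst=10.1.5.20 dport=3389 action=ALLOW
2021-09-01T08:02:14 src=203.0.113.5 dst=10.1.5.21 dport=3389 action=DENY
"""


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment an address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_line(line: str) -> Dict[str, str]:
    """Turn '<timestamp> key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_violations(log: str) -> List[Dict[str, str]]:
    """Permitted flows that the segmentation policy says should never have been allowed."""
    violations = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("action") != "ALLOW":
            continue  # a DENY is the firewall doing its job, not a violation
        src_seg, dst_seg = segment_of(ev["src"]), segment_of(ev["dst"])
        if src_seg is not None and src_seg == dst_seg:
            continue  # traffic inside one segment is outside this policy's scope
        if frozenset({src_seg, dst_seg}) in ALLOWED_PAIRS:
            continue
        ev.update(src_segment=src_seg or "outside", dst_segment=dst_seg or "outside")
        violations.append(ev)
    return violations


def find_lateral_sweeps(violations: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Sources whose violating flows reached >= threshold distinct hosts in one other segment."""
    targets = defaultdict(set)
    for ev in violations:
        targets[(ev["src"], ev["dst_segment"])].add(ev["dst"])
    return {f"{src}->{seg}": len(hosts)
            for (src, seg), hosts in targets.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG)
    for ev in found:
        print(ev["ts"], ev["src"], ev["src_segment"], "->", ev["dst"], ev["dst_segment"])
    print("sweeps:", find_lateral_sweeps(found))
```

On the constructed log the policy check flags the three store-to-store flows and the one outside address that was allowed straight into a store, while the head-office-to-store connection passes because that pair is permitted; the sweep detector then singles out the one source that reached three hosts in the other store's segment.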

Lesson No. 6: Secure remote access to your network.

Ensure endpoint security across all areas. When thinking about security it’s important to consider not only computers being used inside your company walls, but other computers being used outside of your company as well.

Put sensible limits in place. According to the FTC, Dave and Busters didn’t adequately restrict third party access to its networks and therefore a data breach occurred through a vendor. Reduce this risk by restricting connections to your network. One way to do this is to block certain IP addresses; perhaps only allow IP addresses from countries you do business with. Also, allow for temporary third party access only when needed.
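The two limits suggested above, admitting remote connections only from address ranges you expect and giving third parties access only for the window they need, can be expressed as one small access check. The code below is an added example for this article, not the configuration of Dave and Busters or of any real vendor; the staff address ranges, the vendor name and the grant durations are constructed, and the IPv4/IPv6 allowlist stands in for whatever country or region ranges a business would actually choose.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed: ranges the business expects its own staff to connect from. In practice
# these would be the ranges for the regions the company does business in.
STAFF_ALLOWLIST = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


class VendorAccess:
    """Time-boxed third-party grants: a vendor's range is admitted only between the
    moment it is granted and its expiry, and a grant can be revoked early."""

    def __init__(self) -> None:
        self._grants: Dict[str, Tuple[Network, datetime]] = {}

    def grant(self, vendor: str, cidr: str, now: datetime, hours: int) -> datetime:
        expires = now + timedelta(hours=hours)
        self._grants[vendor] = (ipaddress.ip_network(cidr), expires)
        return expires

    def revoke(self, vendor: str) -> None:
        self._grants.pop(vendor, None)

    def expire_stale(self, now: datetime) -> int:
        """Housekeeping: drop grants whose window has closed; returns how many were dropped."""
        stale = [v for v, (_, exp) in self._grants.items() if now >= exp]
        for v in stale:
            del self._grants[v]
        return len(stale)

    def active_vendor_for(self, addr, now: datetime) -> Optional[str]:
        for vendor, (net, expires) in self._grants.items():
            if addr in net and now < expires:
                return vendor
        return None


def check_remote_access(ip: str, now: datetime, vendors: VendorAccess) -> Tuple[bool, str]:
    """Decide whether a remote connection from `ip` is admitted, and why."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "unparseable address"
    if any(addr in net for net in STAFF_ALLOWLIST):
        return True, "staff allowlist"
    vendor = vendors.active_vendor_for(addr, now)
    if vendor is not None:
        return True, f"vendor grant: {vendor}"
    return False, "not on allowlist"


if __name__ == "__main__":
    t0 = datetime(2021, 9, 1, 9, 0, tzinfo=timezone.utc)
    vendors = VendorAccess()
    vendors.grant("pos-maintenance", "203.0.113.0/28", now=t0, hours=4)
    for ip, when in (("198.51.100.7", t0), ("203.0.113.9", t0 + timedelta(hours=1)),
                     ("203.0.113.9", t0 + timedelta(hours=5))):
        print(ip, when.isoformat(), check_remote_access(ip, when, vendors))
```

The default answer is "no": an address is admitted only because it matches a staff range or a vendor grant that is still inside its window, and the reason string makes each decision easy to log and review later.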

Lesson No. 7: Apply sound security practices when developing new products.

Train engineers in secure coding. The complaint against HTC America alleged that the company failed to implement readily available security and therefore malicious third-party apps were able to put sensitive information from the company at risk.

Follow platform guidelines for security. Businesses must verify that privacy and security features work. Snapchat advertised that messages would disappear forever, but it was later discovered the app saved video files in a location that made them easy to recover. Verify that privacy and security features live up to your claims; test for common vulnerabilities and make sure your business is protected against them.

Lesson No. 8: Make sure your service providers implement reasonable security measures.

Put it in writing. The FTC alleged that GMR Transcription hired people to transcribe audio files but failed to protect the information, and it became accessible on the internet. It is important to actually put security requirements into your contracts to ensure service providers are compliant. Make sure companies you are doing business with know you will follow up with them on security issues.

Lesson No. 9: Put procedures in place to keep your security current and address vulnerabilities that might arise.

Update third-party software. TJ Maxx was alleged to have not adequately protected its consumers simply because it failed to update its antivirus software. In the case against Fandango, the company was notified of a vulnerability but didn’t act because the notification was misclassified. Heed credible security warnings and move quickly to fix them. Consider having a dedicated email address for people to report these problems to and a staff member dedicated to responding.

Lesson No. 10: Secure paper, physical media and devices.

Keep safety standards in place when data is en route. With Accretive Health, personal data was locked in a car that was stolen and, therefore, that information was compromised. Information should be kept out of sight, encrypted, and not transported unless absolutely necessary.

Dispose of sensitive data securely. According to FTC complaints against Rite Aid and CVS, both companies tossed prescriptions in dumpsters. They could easily have shredded and disposed of the materials appropriately instead of putting their consumers’ information at risk. Additionally, wipe hard drives, photocopiers, and other machines before getting rid of them.

For a full recap of this session, please see the video below.

If you would like more details, consider signing up for updates from the FTC: if a data breach occurs or a new threat emerges, the FTC will be talking about it and notifying you. www.ftc.gov
