10 Things to Know About Cybersecurity Based on Actual Cases

The Federal Trade Commission can be a great resource when it comes to protecting your business. Hear about and learn from some actual cybersecurity cases from the FTC. And scroll to the bottom of this article to watch a full recap of the FTC presentation.

In a recent COSE WebEd Series Webinar, the FTC's Amy Hocevar shared her thoughts on lessons you can learn from real world FTC cases.

The FTC helps ensure consumers have accurate information and promotes competition so that we have better products, lower prices, more innovation and a better economy. The FTC’s provisions prevent companies from engaging in unfair or deceptive advertising practices and prohibit unfair methods of competition.

FTC’s role in cybersecurity

The FTC has taken action against hundreds of companies that did not follow its guidelines regarding spam, spyware, general security and cybersecurity. The following four points guide the FTC’s enforcement:

FTC guideline No. 1: Information security is an ongoing process.

FTC guideline No. 2: A company’s security process must be reasonable and appropriate in light of the circumstances (volume and sensitivity of the information, cost of the tools available, etc.).

FTC guideline No. 3: A breach does not necessarily show a failure to have reasonable security measures—there is no such thing as perfect security.

FTC guideline No. 4: Your practices may still be unreasonable even if you haven’t had a breach—it doesn’t mean there aren’t things you can improve or that a future breach isn’t possible.

Cybersecurity lessons

The following 10 lessons on cybersecurity are based on some of the FTC’s actual cases, including some well-known company names.

Lesson No. 1: Start with security. The idea of protecting your company should be factored into every decision within your business.

Don’t collect information you don’t need. In the case of a company called Rock You, consumers had to provide email addresses and email passwords in order to access all features, which let hackers access the information of up to 32 million users. The FTC said this company created an unnecessary risk to email accounts by collecting sensitive information that it didn’t need. In the case of BJ’s Wholesale Club, the FTC said that credit card information was stored long after the sale was complete. Hackers stole personal information from BJ’s consumers, leading to fraudulent charges, all because the company did not securely dispose of the information once it no longer had a legitimate need for it.

Don’t use personal information when not necessary. The FTC alleged that Accretive Health, instead of using fictitious data, used real consumer information in employee training sessions but failed to remove it from machines when the sessions were over.

Lesson No. 2: Control access to data sensibly.

Restrict access to sensitive data. In a case with Morgan Stanley, the company did a lot of things right, but an employee gained access to a report where the security settings were configured incorrectly. While a breach did occur, the FTC closed its investigation, highlighting that the company had reasonable protections in place.

Limit administrative access. Only employees tasked with a specific job should have access to that particular information. The FTC brought a case against Twitter, discovering that the company granted almost all of its employees access to passwords, email addresses, phone numbers and other information. Hackers were able to gain administrative control on multiple occasions in the Twitter system.

Lesson No. 3: Require secure passwords and authentication.

Store passwords securely. In a case against Guidance Software, the FTC alleged that the company failed to protect information because it stored network user credentials in clear, readable text. It is essential for companies to have strong policies for storing passwords and to conduct check-ins to make sure those policies are being followed.

Guard against brute force attacks. The FTC says that not disabling accounts after a certain number of unsuccessful login attempts may unreasonably place networks at risk.

Protect against authentication bypass. One thing many business owners are unaware of is that hackers can get into accounts not by typing in a correct password but by guessing a specific URL that the site serves without checking that the visitor has logged in.
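The three points of Lesson No. 3 in working form, as an added example that is not from the FTC presentation or any of the companies named: passwords are stored only as a per-user salted PBKDF2 hash, the account locks after a fixed number of failed logins, and a direct URL to an account page is checked against the logged-in session rather than served on request. The user store, usernames and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_FAILED_ATTEMPTS = 5      # lock the account at this many consecutive failures
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly; tune upward in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a hash from the password; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(store: dict, username: str, password: str) -> None:
    """Constructed in-memory user store: random salt + hash, no clear-text credential."""
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "failed": 0, "locked": False}


def login(store: dict, username: str, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'; lock after MAX_FAILED_ATTEMPTS bad passwords."""
    user = store.get(username)
    if user is None:
        # Do the same work for unknown usernames so response time does not reveal valid ones.
        hash_password(password, b"\x00" * 16)
        return "denied"
    if user["locked"]:
        return "locked"
    # Constant-time comparison of the stored hash against the freshly derived one.
    if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        user["failed"] = 0
        return "ok"
    user["failed"] += 1
    if user["failed"] >= MAX_FAILED_ATTEMPTS:
        user["locked"] = True
        return "locked"
    return "denied"


def fetch_account_page(session_user: Optional[str], requested_user: str) -> str:
    """Server-side check for a request like /account/<requested_user>.

    The decision comes from the authenticated session, never from the URL alone,
    so guessing another user's URL cannot bypass the login.
    """
    if session_user is None:
        return "redirect:login"
    if session_user != requested_user:
        return "403"
    return f"account page for {requested_user}"
```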

Lesson No. 4: Store sensitive personal information securely and protect it throughout its lifecycle.

Use industry-tested methods and cryptography when transmitting information. Experts may have already developed accepted standards that can be applied to your business. Familiarize yourself with methods that already exist in your industry. In the case of ValueClick Media, the FTC brought action against this company because its encryption method was subject to significant vulnerabilities that were commonly known and easy to protect against.

Ensure proper configuration. Hire experienced personnel to ensure your products are working properly. The FTC alleged that Fandango employees disabled secure encryption, which could lead to a hack. This situation could have been avoided if they had tested to make sure there weren’t any vulnerabilities in play.

Lesson No. 5: Segment your network and monitor who is trying to get in and out.

Only connect people/locations within a company when necessary. The FTC alleged that DSW was compromised because it allowed computers on one in-store network to connect to other in-store networks. If it had segmented its branches, it would have reduced the risk of such a widespread attack.

Consistently monitor activity on your network. The FTC alleged that Dave and Busters did not use effective measures to monitor its network and was consequently hacked. If the company had been monitoring its system, it’s likely it would have caught the intrusion.

Lesson No. 6: Secure remote access to your network.

Ensure endpoint security across all areas. When thinking about security it’s important to consider not only computers being used inside your company walls, but other computers being used outside of your company as well.

Put sensible limits in place. According to the FTC, Dave and Busters didn’t adequately restrict third-party access to its networks, and therefore a data breach occurred through a vendor. Reduce this risk by restricting connections to your network. One way to do this is to block certain IP addresses; perhaps only allow IP addresses from countries you do business with. Also, allow temporary third-party access only when needed.
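One way to enforce the two limits above, as an added example that is not from the FTC presentation: each vendor gets a grant naming the source network it connects from and a time window, access is denied by default, and a helper lists grants whose window has ended so the matching firewall rule or account can be removed. The vendor names, networks and dates are constructed sample data.

```python
import ipaddress
from datetime import datetime

# Constructed sample grants (not real vendors or networks). In practice these
# would come from a change/ticketing system rather than a literal in code.
# Times are ISO 8601 with an explicit UTC offset.
VENDOR_GRANTS = [
    {"vendor": "pos-maintenance", "network": "198.51.100.0/24",
     "start": "2024-03-01T09:00:00+00:00", "end": "2024-03-01T17:00:00+00:00"},
    {"vendor": "pos-maintenance", "network": "203.0.113.0/28",
     "start": "2024-03-05T09:00:00+00:00", "end": "2024-03-05T12:00:00+00:00"},
]


def remote_access_decision(vendor, source_ip, now_iso, grants=VENDOR_GRANTS):
    """Decide whether a third-party remote connection is allowed.

    Deny is the default. 'allow' requires a grant for this vendor whose network
    contains the source address AND whose time window contains the current time.
    """
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return "deny: malformed source address"
    now = datetime.fromisoformat(now_iso)
    reasons = []
    for g in grants:
        if g["vendor"] != vendor:
            continue
        start = datetime.fromisoformat(g["start"])
        end = datetime.fromisoformat(g["end"])
        if ip not in ipaddress.ip_network(g["network"]):
            reasons.append("source not in approved network")
        elif not (start <= now <= end):
            reasons.append("outside approved access window")
        else:
            return "allow"
    if not reasons:
        return "deny: no grant for vendor"
    return "deny: " + "; ".join(sorted(set(reasons)))


def grants_to_revoke(now_iso, grants=VENDOR_GRANTS):
    """Grants whose window has ended: remove their firewall rules and accounts promptly."""
    now = datetime.fromisoformat(now_iso)
    return [g for g in grants if datetime.fromisoformat(g["end"]) < now]
```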

Lesson No. 7: Apply sound security practices when developing new products.

Train engineers in secure coding. The complaint against HTC America alleged that the company failed to implement readily available security and therefore malicious third-party apps were able to put sensitive information from the company at risk.

Follow platform guidelines for security. Businesses must verify that privacy and security features work. Snapchat advertised that messages would disappear forever, but it was later discovered the app saved video files in a location that made them easy to recover. Verify that privacy and security features live up to your claims; test for common vulnerabilities and make sure your business is protected against them.

Lesson No. 8: Make sure your service providers implement reasonable security measures.

Put it in writing. The FTC alleged that GMR Transcription hired people to transcribe audio files but failed to protect the information, so it became accessible on the internet. It is important to actually put security requirements into your contracts to ensure service providers comply with them. Make sure the companies you do business with know you will follow up with them on security issues.

Lesson No. 9: Put procedures in place to keep your security current and address vulnerabilities that might arise.

Update third-party software. TJ Maxx was alleged to have not adequately protected its consumers simply because it failed to update its anti-virus software. In the case against Fandango, the company was notified of a vulnerability but didn’t act because the notification was misclassified. Heed credible security warnings and move quickly to fix them. Consider having a dedicated email address where people can report these problems and a staff member dedicated to responding.

Lesson No. 10: Secure paper, physical media and devices.

Keep safety standards in place when data is en route. With Accretive Health, personal data was locked in a car that was stolen, and therefore that information was compromised. Information should be kept out of sight and encrypted, and should not be transported unless absolutely necessary.

Dispose of sensitive data securely. According to FTC complaints against Rite Aid and CVS, both companies tossed prescriptions in dumpsters. They could easily have shredded and disposed of the materials appropriately instead of putting their consumers’ information at risk. Additionally, wipe hard drives, photocopiers and other machines before getting rid of them.

For a full recap of this session, please see the video below.

If you would like more details, consider signing up for information from the FTC because if a data breach occurs or there is a threat out there, the FTC will be talking about it and notifying you. www.ftc.gov
