In a recent COSE WebEd Series Webinar, the FTC's Amy Hocevar shared her thoughts on lessons you can learn from real world FTC cases.
The FTC helps ensure consumers have accurate information and promotes competition so that we have better products, lower prices, more innovation and a better economy. The FTC's provisions prevent companies from engaging in unfair or deceptive advertising practices and prohibit unfair methods of competition.
FTC’s role in cybersecurity
The FTC has taken action against hundreds of companies that did not follow its guidelines regarding spam, spyware, general security and cybersecurity. The following four points guide the FTC's enforcement:
FTC guideline No. 1: Information security is an ongoing process.
FTC guideline No. 2: A company’s security process must be reasonable and appropriate in light of the circumstances (volume, sensitivity of information, cost of tools available, etc).
FTC guideline No. 3: A breach does not necessarily show a failure to have reasonable security measures—there is no such thing as perfect security.
FTC guideline No. 4: Your practices may still be unreasonable even if you haven’t had a breach—it doesn’t mean there aren’t things you can improve or that a future breach isn’t possible.
The following 10 lessons on cybersecurity are based on some of the FTC's actual cases, including some well-known company names.
Lesson No. 1: Start with security. The idea of protecting your company should be factored into every decision within your business.
Don't collect information you don't need. In the case of a company called RockYou, consumers had to provide email addresses and email passwords in order to access all features, which let hackers access the information of up to 32 million users. The FTC said this company created an unnecessary risk to email accounts by collecting sensitive information that it didn't need. In the case of BJ's Wholesale Club, the FTC said that credit card information was stored long after the sale was complete. Hackers stole personal information from BJ's consumers, leading to fraudulent charges, all because the company did not securely dispose of the information once it no longer had a legitimate need for it.
Don’t use personal information when not necessary. The FTC alleged that Accretive Health, instead of using fictitious data, used real consumer information in employee training sessions but failed to remove it from machines when the sessions were over.
Lesson No. 2: Control access to data sensibly.
Restrict access to sensitive data. In a case with Morgan Stanley, the company did a lot of things right, but an employee gained access to a report where the security settings were configured incorrectly. While a breach did occur, the FTC closed its investigation, highlighting that the company had reasonable protections in place.
Limit administrative access. Only employees tasked with a specific job should have access to the information that job requires. The FTC brought a case against Twitter after discovering that the company had granted almost all of its employees access to passwords, email addresses, phone numbers and other information. Hackers were able to gain administrative control of Twitter's systems on multiple occasions.
Lesson No. 3: Require secure passwords and authentication.
Store passwords securely. In a case against Guidance Software, the FTC alleged that the company failed to protect information because it stored network user credentials in clear, readable text. It is essential for companies to have strong policies on how passwords are stored, and to check periodically that those policies are actually being followed.
Guard against brute force attacks. The FTC says that not disabling accounts after a certain number of unsuccessful login attempts may unreasonably place networks at risk.
Protect against authentication bypass. One thing many business owners are unaware of is that hackers can access accounts not by typing in a correct password, but by guessing a predictable URL that skips the login page entirely. Every page that serves sensitive data must check that the visitor is authenticated, not just the login page.
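The three points of Lesson No. 3 in working form, as an added example that is not part of the webinar or any FTC material: credentials are stored as salted, iterated hashes rather than clear text, accounts lock after a fixed number of failed attempts, and every protected URL checks the session so that guessing a URL alone gains nothing. The user store, the attempt limit, the lockout period and the URL prefixes are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed in-memory stores for the demo; a real service would use a database.
USERS = {}           # username -> {"salt": bytes, "hash": bytes}
FAILED = {}          # username -> {"count": int, "locked_until": float}
MAX_ATTEMPTS = 5     # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60
PROTECTED_PREFIXES = ("/account/", "/admin/")   # assumed URL layout for the demo


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored value cannot be read back as the password,
    # unlike the clear-text credentials described in the Guidance Software case.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}


def login(username: str, password: str, now: Optional[float] = None) -> str:
    """Return "ok", "denied" or "locked"; counts failures and locks the account."""
    now = time.time() if now is None else now
    state = FAILED.setdefault(username, {"count": 0, "locked_until": 0.0})
    if now < state["locked_until"]:
        return "locked"                      # brute-force guard: refuse even a correct password
    user = USERS.get(username)
    # Hash and compare even for unknown users so response time does not reveal
    # whether the username exists; compare_digest avoids timing leaks on the hash.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _hash(password, salt)
    if user and hmac.compare_digest(candidate, user["hash"]):
        state["count"] = 0                   # a successful login resets the counter
        return "ok"
    state["count"] += 1
    if state["count"] >= MAX_ATTEMPTS:
        state["locked_until"] = now + LOCKOUT_SECONDS
        state["count"] = 0
    return "denied"


def authorize(path: str, session_user: Optional[str]) -> bool:
    """Every protected URL checks the session, so guessing the URL alone grants nothing."""
    if path.startswith(PROTECTED_PREFIXES):
        return session_user is not None
    return True
```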
Lesson No. 4: Store sensitive personal information securely and protect it throughout its lifecycle.
Use industry-tested methods and cryptography when transmitting information. Experts may already have developed accepted standards that can be applied to your business, so familiarize yourself with the methods that already exist in your industry. In the case of ValueClick Media, the FTC brought action because the company's encryption method was subject to significant vulnerabilities that were commonly known and easy to protect against.
Ensure proper configuration. Hire experienced personnel to ensure your products are working as intended. The FTC alleged that Fandango employees disabled secure encryption, which could have led to a hack. This situation could have been avoided if they had tested to make sure there weren't any vulnerabilities in play.
Lesson No. 5: Segment your network and monitor who is trying to get in and out.
Only connect people and locations within a company when necessary. The FTC alleged that DSW was compromised because it allowed computers on one in-store network to connect to other in-store networks. If the branch networks had been segmented, the risk of such a widespread attack would have been reduced.
Consistently monitor activity on your network. The FTC alleged that Dave & Buster's did not use effective measures to monitor its network and was consequently hacked. If the company had been monitoring its systems, it likely would have caught the intrusion.
Lesson No. 6: Secure remote access to your network.
Ensure endpoint security across all areas. When thinking about security, it's important to consider not only computers used inside your company walls, but also computers used outside of your company.
Put sensible limits in place. According to the FTC, Dave & Buster's didn't adequately restrict third-party access to its networks, and a data breach therefore occurred through a vendor. Reduce this risk by restricting connections to your network. One way to do this is to block certain IP addresses; perhaps only allow IP addresses from countries you do business with. Also, allow temporary third-party access only when it is needed.
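The limits in Lesson No. 6 as a small access-decision routine, added here as an example that is not part of the webinar or any FTC material: connections are allowed only from an explicit set of company address ranges, vendors get a grant for one range that expires on its own, and every decision is written to an audit log so it can be monitored (Lesson No. 5). The address ranges, the vendor name and the grant length are constructed values for the demo.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import List

# Constructed company allowlist: address ranges the business actually operates from.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed vendor grants: each one is temporary and expires without anyone revoking it.
VENDOR_GRANTS: List[dict] = []
AUDIT_LOG: List[str] = []    # every decision is recorded so the network can be monitored


def at(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp; used for the demo's clock."""
    return datetime.fromisoformat(iso)


def grant_vendor_access(vendor: str, cidr: str, hours: int, now: datetime) -> None:
    """Give a third party access from one address range for a limited time only."""
    VENDOR_GRANTS.append({"vendor": vendor, "net": ipaddress.ip_network(cidr),
                          "expires": now + timedelta(hours=hours)})


def remote_access_decision(src_ip: str, now: datetime) -> str:
    """Return "allow:..." or "deny:..." for a remote connection attempt and log it."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in ALLOWED_NETWORKS):
        decision = "allow:company"
    else:
        decision = "deny:not-allowlisted"          # default: anything not listed is blocked
        for grant in VENDOR_GRANTS:
            if addr in grant["net"]:
                if now < grant["expires"]:
                    decision = f"allow:vendor:{grant['vendor']}"
                else:
                    decision = "deny:expired-grant"  # temporary access has lapsed
                break
    AUDIT_LOG.append(f"{now.isoformat()} src={src_ip} decision={decision}")
    return decision
```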
Lesson No. 7: Apply sound security practices when developing new products.
Train engineers in secure coding. The complaint against HTC America alleged that the company failed to implement readily available security measures, and that malicious third-party apps were therefore able to put sensitive information at risk.
Follow platform guidelines for security. Businesses must verify that privacy and security features work. Snapchat advertised that messages would disappear forever, but it was later discovered the app saved video files in a location that made them easy to recover. Verify that privacy and security features live up to your claims; test for common vulnerabilities and make sure your business is protected against them.
Lesson No. 8: Make sure your service providers implement reasonable security measures.
Put it in writing. The FTC alleged that GMR Transcription hired people to transcribe audio files but failed to protect the information, so it became accessible on the internet. It is important to actually put security requirements into your contracts to ensure service providers comply with them. Make sure the companies you do business with know you will follow up with them on security issues.
Lesson No. 9: Put procedures in place to keep your security current and address vulnerabilities that might arise.
Update third-party software. TJ Maxx was alleged to have not adequately protected its consumers simply because it failed to update its antivirus software. In the case against Fandango, the company was notified of a vulnerability but didn't act because the notification was misclassified. Heed credible security warnings and move quickly to fix them. Consider having a dedicated email address for people to report these problems to and a staff member dedicated to responding.
Lesson No. 10: Secure paper, physical media and devices.
Keep safety standards in place while data is in transit. With Accretive Health, personal data was locked in a car that was stolen, and that information was therefore compromised. Information should be kept out of sight, encrypted, and not transported unless absolutely necessary.
Dispose of sensitive data securely. According to FTC complaints against Rite Aid and CVS, both companies tossed prescriptions in dumpsters. They could easily have shredded and disposed of the materials appropriately instead of putting their consumers' information at risk. Additionally, wipe hard drives, photocopiers and other machines before getting rid of them.
For a full recap of this session, please see the video below.
If you would like more details, consider signing up for information from the FTC: if a data breach occurs or a new threat emerges, the FTC will be talking about it and notifying you. www.ftc.gov