In the first of this two-part series brought to you by staff from the FTC’s East Central Region, we discussed the first five lessons to protecting your company against vulnerabilities in data security. In part two, we round out the top ten lessons, distilled from over 50 law enforcement actions brought by the FTC.
Lesson No. 6: Secure remote access to your network
Business doesn’t just happen in the office. While a mobile workforce can increase productivity, it also can pose new security challenges. If you give employees, clients or service providers remote access to your network, have you taken steps to secure those access points?
Ensure endpoint security
Just as a chain is only as strong as its weakest link, your network security is only as strong as the weakest security on a computer with remote access to it. Take care to ensure that computers with remote access to your network, including those with remote login accounts or access through an online portal, have appropriate endpoint security, including firewalls and updated antivirus software.
Put sensible access limits in place
Not everyone who might occasionally need to get on your network should have an all-access, backstage pass. That’s why it’s wise to limit access to what’s needed to get the job done, including adequately restricting third-party access to your network. Consider placing limits on third-party access to your network—for example, by restricting connections to specified IP addresses or granting temporary, limited access.
Lesson No. 7: Apply sound security practices when developing new products
So you have a great new app or innovative software on the drawing board. Early in the development process, think through how customers will likely use the product. If they’ll be storing or sending sensitive information, is your product up to the task of handling that data securely?
Train your engineers in secure coding
Have you explained to your developers the need to keep security at the forefront? The FTC has alleged in several cases that companies failed to train their employees in secure coding practices, leading to questionable design decisions, including the introduction of vulnerabilities into the software. For example, the FTC alleged that one company failed to implement readily available secure communications mechanisms in the logging applications it pre-installed on its mobile devices. As a result, malicious third-party apps could communicate with the logging applications, placing consumers’ text messages, location data and other sensitive information at risk. The company could have reduced the risk of vulnerabilities like that by adequately training its engineers in secure coding practices.
Follow platform guidelines for security
When it comes to security, there may not be a need to reinvent the wheel. Sometimes the wisest course is to listen to the experts. The FTC alleged in three actions that companies failed to follow explicit platform guidelines about secure development practices, by, for instance, turning off a critical process known as SSL certificate validation in their mobile apps, leaving the sensitive information consumers transmitted through those apps open to interception through man-in-the-middle attacks. This vulnerability could have been prevented by following the iOS and Android guidelines for developers, which explicitly warn against turning off SSL certificate validation.
Verify that privacy and security features work
If your software offers a privacy or security feature, verify that the feature works as advertised.
Test for common vulnerabilities
There is no way to anticipate every threat, but some vulnerabilities are commonly known and reasonably foreseeable. In more than a dozen FTC cases, businesses failed to adequately assess their applications for well-known vulnerabilities like those identified by the Open Web Application Security Project (OWASP).
Lesson No. 8: Make sure your service providers implement reasonable security measures
When it comes to security, keep a watchful eye on your service providers—for example, companies you hire to process personal information collected from customers or to develop apps. Before hiring someone, be candid about your security expectations. Take reasonable steps to select providers able to implement appropriate security measures and monitor that they’re meeting your requirements.
Put it in writing
Insist that appropriate security standards are part of your contracts. Businesses can include contract provisions that require service providers to adopt reasonable security precautions—for example, encryption.
Asking questions and following up with the service provider can help ensure that the service provider is performing in a manner consistent with your privacy and security policies and the terms in the contract designed to protect consumer information.
Lesson No. 9: Put procedures in place to keep your security current and address vulnerabilities that may arise
Securing your software and networks isn’t a one-and-done deal. It’s an ongoing process that requires you to keep your guard up.
Update and patch third-party software
Outdated software undermines security. The solution is to update it regularly and implement third-party patches.
Heed credible security warnings and move quickly to fix them
Have an effective process in place to receive and quickly address security vulnerability reports. Consider a clearly publicized and effective channel (for example, a dedicated email address like security(@)yourcompany.com) for receiving reports and flagging them for your security staff.
Lesson No. 10: Secure paper, physical media and devices
Network security is a critical consideration, but many of the same lessons apply to paperwork and physical media like hard drives, laptops, flash drives and disks.
Securely store sensitive files
If it’s necessary to retain important paperwork, take steps to keep it secure. Storing sensitive consumer information in boxes in a garage or leaving faxed documents that include consumers’ personal information in an open and easily accessible area are both situations that the FTC has alleged increased the risk to companies’ customers.
Protect devices that process personal information
Securing information stored on your network won’t protect your customers if the data has already been stolen through the device that collects it. Attacks targeting point-of-sale devices are now common and well-known, and businesses should take reasonable steps to protect such devices from compromise.
Keep safety standards in place when data is en route
Businesses can reduce the risk to consumers’ personal information by implementing reasonable security policies when data is en route. For example, when sending files, drives, disks, etc., use a mailing method that lets you track where the package is. Limit the instances when employees need to be out and about with sensitive data in their possession. But when there’s a legitimate business need to travel with confidential information, employees should keep it out of sight and under lock and key whenever possible.
Dispose of sensitive data securely
Companies can reduce the risk to consumers’ personal information by shredding, burning or pulverizing documents to make them unreadable and by using available technology to wipe devices that aren’t in use.
Looking for more information?
The FTC’s Business Center has a Data Security section with an up-to-date listing of relevant cases and other free resources
The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. You can file a complaint online at www.ftc.gov/complaint or by telephone at 1-877-FTC-HELP (1-877-382-4357).