5 Ways to Avoid a Data Breach
We’ve heard a lot recently in the news about data breaches. Don’t let your business fall victim to the many threats to one of its most vital resources: its data. Keep your data safe and protect confidential information with these five expert tips brought to you by the FTC’s East Central Region in the first of a two-part series.
When managing your network, developing an app or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant. As the Federal Trade Commission outlines in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.
There’s another great source of information from the FTC about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements—no findings have been made by a court—and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, staff from the FTC’s East Central Region present in this article five lessons that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.
Lesson No. 1: Start with security
From personal data on employment applications to network files with customers’ credit card numbers, sensitive information pervades many companies. Experts agree that the first step in managing confidential information is to start with security. Factor it into the decision-making in every department of your business: personnel, sales, accounting, information technology, etc. Collecting and maintaining information “just because” is no longer a sound business strategy. By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of a data compromise down the road. Of course, all of those decisions will depend on the nature of your business.
Lesson No. 2: Control access to data sensibly
Once you’ve decided you have a legitimate business need to hold on to sensitive data, take reasonable steps to keep it secure. Not everyone on your staff needs unrestricted access to your network and the information stored on it. For your network, consider steps such as separate user accounts to limit access to the places where personal data is stored or to control who can use particular databases. For paper files, external drives, disks, etc., an access control could be as simple as a locked file cabinet. Administrative access, which allows a user to make system-wide changes, should be limited to the employees whose jobs require it, and those employees should use a separate, non-administrative account for everyday work.
Lesson No. 3: Require secure passwords and authentication
If you have personal information stored on your network, strong authentication procedures, including sensible password “hygiene,” can help ensure that only authorized individuals can access the data.
Insist on complex and unique passwords
“Passwords” like 121212 or qwerty aren’t much better than no passwords at all. That’s why it’s wise to give some thought to the password standards you implement. For example, you can require employees to choose complex passwords and train them not to use the same or similar passwords for both business and personal accounts.
Store passwords securely
Don’t make it easy for interlopers to access passwords. Three of the FTC’s settlements in this area have alleged that:
- The company stored network user credentials in clear, readable text that helped a hacker access customer credit card information on the network;
- The business allowed customers to store user credentials in a vulnerable format in cookies on their computers; and
- A company failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts.
In each of those cases, the risks could have been reduced if the companies had policies and procedures in place to store credentials securely. Businesses also may want to consider other protections—two-factor authentication, for example—that can help protect against password compromises.
Guard against brute force attacks
Remember that adage about an infinite number of monkeys at an infinite number of typewriters? Hackers use automated programs that perform a similar function. These brute force attacks work by trying endless combinations of characters until the attacker stumbles onto someone’s password. Implementing a policy to suspend or disable accounts after repeated failed login attempts, or to slow down each further attempt, can substantially reduce the risk from brute force attacks. One caveat: a lockout keyed only on the username lets an attacker lock legitimate users out on purpose by guessing badly, so throttle by source address as well, and alert on bursts of failures rather than relying on the lockout alone.
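The lockout policy described above, as an added example (this is not code from the FTC article, and the log lines, field layout, thresholds and window sizes are all constructed assumptions). The guard counts failures in a sliding window under two keys, the username and the source address, so that a single source cannot grind through one account and cannot spray many accounts either, and a correct password is still refused while a lock is in force:

```python
"""Throttle repeated failed logins per account and per source address.

Added example, not from the FTC article. The log lines, field layout,
thresholds and window sizes are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # failures tolerated inside WINDOW before locking
WINDOW = timedelta(minutes=15)    # sliding window in which failures are counted
LOCKOUT = timedelta(minutes=30)   # how long a tripped key stays locked


class LoginGuard:
    """Tracks failures under two keys, ("user", name) and ("ip", addr).
    Locking only by username would let an attacker lock legitimate users
    out on purpose, so the source address is throttled as well."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> datetime the lock expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[key]           # lock expired: start fresh
        self._failures[key].clear()
        return False

    def attempt(self, user, ip, password_ok, now):
        """Decide one login attempt: 'ok', 'fail' or 'locked'.
        password_ok says whether the supplied credential matched; a correct
        password is still refused while either key is locked."""
        keys = (("user", user), ("ip", ip))
        if any(self.is_locked(k, now) for k in keys):
            return "locked"
        if password_ok:
            self._failures[("user", user)].clear()   # per-IP history is kept on purpose
            return "ok"
        tripped = False
        for k in keys:
            self._prune(k, now)
            self._failures[k].append(now)
            if len(self._failures[k]) >= self.max_failures:
                self._locked_until[k] = now + self.lockout
                tripped = True
        return "locked" if tripped else "fail"


LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) pw=(?P<pw>ok|bad)$")


def replay(log_text, guard=None):
    """Run constructed auth events through a guard; return one decision per line."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip malformed lines
        now = datetime.fromisoformat(m["ts"])
        decisions.append(guard.attempt(m["user"], m["ip"], m["pw"] == "ok", now))
    return decisions


# Constructed: one source guesses alice's password, gets it right on the 6th
# try, and alice logs in herself 45 minutes later from elsewhere.
AUTH_LOG = """\
2024-03-01T09:00:00 ip=203.0.113.7 user=alice pw=bad
2024-03-01T09:00:02 ip=203.0.113.7 user=alice pw=bad
2024-03-01T09:00:04 ip=203.0.113.7 user=alice pw=bad
2024-03-01T09:00:06 ip=203.0.113.7 user=alice pw=bad
2024-03-01T09:00:08 ip=203.0.113.7 user=alice pw=bad
2024-03-01T09:00:10 ip=203.0.113.7 user=alice pw=ok
2024-03-01T09:45:00 ip=198.51.100.9 user=alice pw=ok
"""

# Constructed: one source sprays five accounts, then supplies a valid credential.
IP_SPRAY_LOG = """\
2024-03-01T10:00:00 ip=192.0.2.1 user=bob pw=bad
2024-03-01T10:00:01 ip=192.0.2.1 user=carol pw=bad
2024-03-01T10:00:02 ip=192.0.2.1 user=dave pw=bad
2024-03-01T10:00:03 ip=192.0.2.1 user=erin pw=bad
2024-03-01T10:00:04 ip=192.0.2.1 user=frank pw=bad
2024-03-01T10:00:05 ip=192.0.2.1 user=grace pw=ok
"""

if __name__ == "__main__":
    print(replay(AUTH_LOG))       # ['fail', 'fail', 'fail', 'fail', 'locked', 'locked', 'ok']
    print(replay(IP_SPRAY_LOG))   # ['fail', 'fail', 'fail', 'fail', 'locked', 'locked']
```

Note the sixth line of the first log: the guessed password is correct, but the account is locked, so the attacker learns nothing from that attempt. In the second log the per-user counters never trip (each account sees one failure), and it is the per-IP counter that stops the spray.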
Protect against authentication bypass
Locking the front door doesn’t offer much protection if the back door is left open. In one settlement, the FTC charged that a company failed to adequately test its web application for widely known security flaws, including one called “predictable resource location.” As a result, a hacker could guess the pattern of the URLs behind the login page and request them directly, bypassing the web app’s authentication screen and gaining unauthorized access to the company’s databases. The company could have improved the security of its authentication mechanism by testing for common vulnerabilities. The underlying fix is to check authentication and authorization on every request for a protected resource, not only on the login page; keeping a resource at an obscure or sequential URL is not access control.
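The bypass described above, shown as an added example with a vulnerable handler beside a hardened one (this is not the company’s code nor code from the FTC article; the record store, the session store, the URL layout and the sequential IDs are constructed for illustration). The vulnerable handler serves any `/records/<id>` that exists, so walking the ID space with no session at all dumps every record; the hardened one authenticates the session and then checks that the caller owns the record, answering 404 for both “missing” and “not yours” so the enumeration reveals nothing:

```python
"""Predictable resource location: vulnerable vs. hardened record handler.

Added example, not from the FTC article. Records, sessions and the URL
layout are constructed; request handling is simulated with plain functions.
"""

# Constructed data: customer records keyed by sequential IDs, which an
# attacker can enumerate by simply counting.
RECORDS = {
    1001: {"owner": "alice", "ssn_last4": "1234"},
    1002: {"owner": "bob", "ssn_last4": "5678"},
}

# Constructed session store: session cookie value -> authenticated username.
SESSIONS = {"s3ss10n-alice": "alice"}


def _record_id(path):
    """Return the integer id from /records/<id>, or None if the path is not one."""
    if not path.startswith("/records/"):
        return None
    try:
        return int(path.rsplit("/", 1)[1])
    except ValueError:
        return None


def vulnerable_get_record(path, cookies):
    """Vulnerable: the login page guards the *links* to records, but the
    handler itself never looks at the session, so a guessed URL is enough."""
    rec = RECORDS.get(_record_id(path))
    return (200, rec) if rec else (404, None)


def hardened_get_record(path, cookies):
    """Hardened: authenticate the session on every request, then authorize
    the caller against the record's owner before returning anything."""
    rid = _record_id(path)
    if rid is None:
        return 404, None
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401, None                  # not logged in
    rec = RECORDS.get(rid)
    if rec is None or rec["owner"] != user:
        return 404, None                  # "missing" and "not yours" look the same
    return 200, rec


def enumerate_records(handler, cookies, start, stop):
    """What an attacker walking sequential IDs learns: the ids that returned 200."""
    return [rid for rid in range(start, stop)
            if handler(f"/records/{rid}", cookies)[0] == 200]


if __name__ == "__main__":
    print(enumerate_records(vulnerable_get_record, {}, 1000, 1010))   # [1001, 1002]
    print(enumerate_records(hardened_get_record, {}, 1000, 1010))     # []
    print(enumerate_records(hardened_get_record, {"session": "s3ss10n-alice"}, 1000, 1010))  # [1001]
```

Issuing random, unguessable identifiers instead of sequential ones raises the cost of enumeration, but it is defense in depth, not a substitute for the ownership check: anyone who obtains a link (from a log, a referrer header, a shared screenshot) must still be refused unless they are authorized.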
Lesson No. 4: Store sensitive personal information securely and protect it during transmission
Use strong cryptography to secure confidential material during storage and through all phases of transmission. The method will depend on the types of information your business collects, how you collect it and how you process it. Given the nature of your business, some possibilities may include Transport Layer Security (TLS, the successor to SSL; the SSL protocol versions themselves are obsolete and should be disabled) for data in transit, data-at-rest encryption, or an iterative cryptographic hash for stored passwords. Make sure the people you designate to do that job understand how your company uses sensitive data and have the know-how to determine what’s appropriate for each situation. Several companies have unnecessarily risked attacks that could have been prevented if their SSL/TLS implementations had been properly configured.
When considering what technical standards to follow, keep in mind that experts may already have developed effective standards that apply to your business, including widely accepted encryption algorithms. Savvy companies don’t start from scratch when it isn’t necessary: deviating from tried-and-true, industry-tested methods for securing data can expose it to significant vulnerabilities.
Lesson No. 5: Segment your network and monitor who’s trying to get in and out
When designing your network, consider using tools like firewalls to segment your network, limiting access between computers on your network and between your computers and the internet, so that the compromise of one machine does not give an intruder free rein over the rest. Another useful safeguard: intrusion detection and prevention tools to monitor your network for malicious activity, both inbound and outbound, since data leaving your network is often the first visible sign of a breach.
The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. You can file a complaint online at www.ftc.gov/complaint or by telephone at 1-877-FTC-HELP (1-877-382-4357).