Data Security: 10 Lessons Learned from Real World FTC Cases

Aug 26, 2015 12:02:27 PM

10 tips for data security
Stay ahead of the data security threat by learning real life lessons from the new “Start with Security” white paper published by the Federal Trade Commission (FTC). This guide draws on the lessons learned from over 50 data security cases handled by the FTC.  What’s interesting is that most of the issues that caused data breaches are the result of basic, fundamental security missteps.

Although the FTC is responsible for bringing cases when businesses put data at risk, it also wants to help companies avoid problems in the first place. The “Start with Security” Business Education Initiative is designed to do that.

Sound security is no accident. The FTC has observed that when companies consider security from the start, it leads to better data security decisions based on the nature of their business and sensitivity of the information involved. The white paper outlines 10 lessons learned that touch on vulnerabilities that could affect your company. It also reviews cases that correlate to the lesson learned and provides practical guidance on how to reduce the risk.

Sound Data Security Starts with These 10 Tips

Following are the highlights from the 10 lessons learned:

1. Start with Security

Make conscious decisions about the kind of information you collect, how long you keep it and who can access it.  Don’t collect personal information you don’t need.  Hold on to information only as long as you have a legitimate business need. People can’t steal what you don’t have.  Factor security into the decision making in every department in your company.

2. Control Access to Data Sensibly

Put controls in place to make sure employees have access on a need-to-know basis. For your network, consider steps like separate user accounts to limit access to the places where personal data is stored, or to limit who can use a database. For paper files, external drives or disks, place them in a locked filing cabinet.

3. Require Secure Passwords and Authentication

When developing your company’s policies, insist on complex and unique passwords. Be sure to store passwords securely and consider other protections like two-factor authentication. Protect passwords from brute force attacks by implementing a policy to suspend or disable accounts after repeated failed login attempts. Protect against authentication bypass by testing for common vulnerabilities.
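As an added example (not code from the FTC guide or from this post), here is a minimal credential store that puts lesson 3 into practice: passwords are stored only as a salted, slow hash, compared in constant time, and the account is disabled after repeated failed logins. The user names, passwords, work factor and lockout threshold are assumptions chosen for the illustration.

```python
# Added example, not from the FTC guide or the original post. Salted PBKDF2
# hashing, constant-time comparison and lockout after MAX_FAILURES bad attempts
# are assumed design choices; user names and passwords below are constructed.
import hashlib
import hmac
import os

MAX_FAILURES = 5          # disable the account after this many consecutive failures
PBKDF2_ROUNDS = 600_000   # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so a leaked store cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(store: dict, username: str, password: str) -> None:
    """Keep only a per-user random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "failures": 0, "locked": False}


def login(store: dict, username: str, password: str) -> str:
    """Return 'ok', 'locked' or 'denied'; disable the account after repeated failures."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so timing does not reveal valid names.
        hash_password(password, b"\x00" * 16)
        return "denied"
    if record["locked"]:
        return "locked"
    candidate = hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0          # a successful login resets the counter
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked"] = True         # suspended until an administrator resets it
        return "locked"
    return "denied"


def demo() -> list:
    """Constructed scenario: one good login, then a guessing run that gets locked out."""
    store = {}
    register(store, "alice", "correct horse battery staple")
    results = [login(store, "alice", "correct horse battery staple")]
    for guess in ("guess1", "guess2", "guess3", "guess4", "guess5"):
        results.append(login(store, "alice", guess))
    # even the right password is refused once the account is locked
    results.append(login(store, "alice", "correct horse battery staple"))
    return results
```

A real deployment would also log each lockout so that repeated failures against many accounts show up in monitoring (lesson 5).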

4. Store Sensitive Personal Information Securely and Protect it During Transmission

Data does not stay in one place and that’s why it’s important to keep sensitive information secure throughout its entire lifecycle. Use strong cryptography to secure confidential information during storage and transmission. Look to tried and true industry-tested and accepted methods for securing data.

5. Segment Your Network and Monitor Who’s Trying to Get In and Out

Every computer in your systems does not need to communicate with every other one. Limit access with firewalls between computers on your network and between your computers and the internet. Use intrusion detection tools to monitor and detect unauthorized activity on your network.

6. Secure Remote Access to Your Network

The world is mobile and so is your business. If employees, clients or service providers have remote access to your network, take steps to ensure endpoint security. Also put sensible limits in place.  Not everyone who wants to access your network needs the same level of access.

7. Apply Sound Security Practices When Developing New Products

Early in the development process think through how customers will use the product. If they’ll be storing or sending sensitive information, is your product built to handle data securely? The FTC recommends training your engineers in secure coding practices to reduce the introduction of software vulnerabilities. Sometimes the wisest course is to listen to the experts. Follow explicit platform guidelines about secure development practices.  Verify that your privacy and security features work and test for common vulnerabilities.

8. Make Sure Your Service Providers Implement Reasonable Security Measures

Before hiring a service provider, make your security expectations clear. Put it in writing by including your security standard in the contract. Be sure to verify compliance; security cannot be left to “take our word for it.”

9. Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities that May Arise

Security is an ongoing process that requires you to keep your guard up. Have a process in place to update and patch third-party software. When credible security warnings arise, move quickly to fix them. Have an effective process in place to receive and address security vulnerability reports.

10. Secure Paper, Physical Media and Devices

Don’t forget paperwork and physical media like hard drives, laptops, flash drives and disks. If you must retain important paperwork, take steps to store the documents securely. Protect devices like point-of-sale terminals from compromise. Keep data safety standards in place when data is en route. Limit the instances when employees need to be out and about with sensitive data in their possession. If there’s a legitimate business need to travel with confidential information, employees should keep it out of sight and under lock and key when possible.

Istonish works to bring people and technology together to create results.  Implementing sound data security practices is a great example of the need to balance the expertise of your team with the right technology.  The end result is data security practices that protect your company and deliver a great customer experience.

Download the complete FTC Start with Security guide and visit the FTC Data Security website to learn more.

Written by Istonisher