Taking Care of Business: Information Retention & Responsibility
Every business accrues data about their current patrons and prospective clients. What information do you collect about your customers? Do you collect only what is relevant or pursue all of the data you can possibly accumulate? No matter what your approach to data collection, or the why behind it, the FTC thinks that it is time that you reviewed those policies. The Federal Trade Commission (FTC) recently released a document entitled “Start with Security: A Guide for Business.” This may initially seem both dry and somewhat irrelevant. However, choosing to ignore or dismiss these guidelines out of hand will ultimately prove to be expensive. On Monday, a ruling from the United States Court of Appeals for the Third Circuit Court has ruled that the FTC has the ability to take actions on the behalf of consumers against companies that do not follow these guidelines. Established within this document are “10 practical lessons businesses can learn from the FTC’s 50+ data security settlements” and for the purpose of this blog post, we will take a look at the first five points on the list.
The first of which asks that you start with security in mind. Until security is breached, companies are often quite confident in their in-house or SaaS security solutions. The issue with this, of course, is that it is a reactionary strategy to security, not a proactive one. If an in-house security team is not given the tools that they need to do the job properly, expecting them to stay ahead of cyber threats is more than a bit unrealistic, it is irresponsible.
The FTC also advocates that companies do not collect personal data that they do not need or retain data longer than necessary. In translation, you are in charge of making decisions regarding exactly what and how much data that you acquire from your customer base and how long you hang on to it. It is worth keeping in mind that whatever you do choose to collect and store, you are responsible for it. The more data you have, the stronger the security solution you will need, so as not to be found liable should that data become compromised.
When considering stored data, one must also consider who within the company has access to what and how much. The FCC recommends creating user accounts for employees based on a need-to-know basis. (This also includes paper data as well as copies stored on external memory hardware including drives and disks.) Companies should not only restrict access to sensitive data but also limit the administrative access of each user. Much of cyberterrorism functions as partially pure code hacking and the rest social engineering. If an employee is tricked into opening a compromised document or visiting a hijacked web page, they may unleash any number of terrors upon your network. Certainly, every business should invest in backups but beyond that, by controlling employee access one also controls the amount of potential employee damage.
The third point the FTC has chosen to make revolves around passwords. It is responsibility of every business to safeguard their data to make sure only the right people can access only the necessary information. They recommend that businesses “insist on complex and unique passwords,” “store passwords securely,” “guard against brute force attacks,” and “protect against authentication bypass.” When considering password safety, creating and reinforcing password protocols is an absolute necessity. Criminals should not be able to guess their way into your system through weak passwords, reveal unencrypted documents that contain sensitive information, take down your network through the use of automated programs that guess at passwords, or be able to discover back doors that allow access.
Information travels and transferring sensitive data is an absolute requirement. This can be accomplished through cryptography, the use of Transport Layer Security/Secure Sockets Layer (TLS/SSL) and other methods. If data is not resting securely, or being transferred securely in the span of its life in a business, then that business can be held liable should predators acquire that data. By using “industry-tested and accepted methods” business owners can take advantage of all the security research that has come before and has been confirmed as functional and safe. Of course without the proper configuration of all of these elements, businesses become vulnerable to such man-in-the middle attacks that are rather infamous in the world of information security. They allow priceless data to slip through the business’s poor execution of the standards they have put in place.
The fifth and final point we will cover is the requirement to “segment your network and monitor who’s trying to get in and out.” This by far, is one of the most vital items on the list. Firewalls are a very effective tool for regulating access to information by segmenting your network. While it is tempting to connect everything, doing so puts your data and your reputation at risk. You are also required to monitor the activity on your network. This may seem like a daunting task, all of those hackers trying to get in to your system so they can get out with sensitive materials. However, there are products available to help you perform this necessary task
The best way to address the first five points is to use a multi-part IDS, such as MetaFlows MSS. Providing your security team with the best software on the market is the only way to make sure that you are in compliance with the most vital of the FTC’s requirements. If a business’ network is compromised because they did not follow these guidelines to the best of their ability, the FTC can and will take action. In just the first five bullet points of the PDF businesses such as Twitter, DSW, Fandango, and Credit Karma were all publicly revealed as companies with insecure systems and networks. It should never be anyone’s goal to join them.