10 FTC Lessons Learned to Help Improve Data Security
The Federal Trade Commission (FTC) is offering ten “lessons learned” by businesses whose data was breached and the agency took enforcement action.
The ten lessons were distilled from 50 FTC law enforcement actions against various businesses, which ultimately were settled. The alleged lapses by the companies “involve basic, fundamental security missteps,” the FTC notes in the publication “Start with Security, a Guide for Businesses.” The FTC’s ten lessons are:
- Start with security. Collecting and maintaining information “just because” is no longer a sound business strategy. By making conscious choices about the kind of information collected, how long to keep it, and who can access it, businesses can reduce the risk of data compromise down the road. No one can steal what you don’t have. Hold onto information only as long as the business has a legitimate business need.
- Control access to data sensibly. Not everyone in the business needs unrestricted access to the network and the information stored on it. Restrict access to sensitive data.
- Require secure passwords and authentication. “Passwords” like 121212 or qwerty aren’t much better than no passwords at all.
- Store sensitive personal information securely and protect it during transmission. Keep sensitive information secure throughout its lifecycle.
- Segment your network and monitor who is trying to get in and out. Not every computer needs to be able to communicate with every other computer. Protect particularly sensitive data by housing it in a separate secure place on the network.
- Secure remote access to the network. Just as a chain is only as strong as its weakest link, network security is only as strong as the weakest security on a computer with remote access to the network. Not everyone who might occasionally need to get on the network should have an all-access, backstage pass. Limit access to what is needed to get the job done.
- Apply sound security practices when developing new products. Early in the development process, think through how customers will likely use the product. If they will be storing or sending sensitive information, is the product up to the task of handling that data securely?
- Make sure service providers implement reasonable security measures. Security can’t be a “take our word for it” thing. Including security expectations in contracts with service providers is an important first step, but it’s also important to build oversight into the process.
- Put procedures in place to keep security current and address vulnerabilities that may arise. Outdated software undermines security. The solution is to update the software regularly and implement third-party patches. Heed credible security warnings and move quickly to fix them.
- Secure paper, physical media, and devices. Network security is a critical consideration, but many of the same lessons apply to paperwork and physical media like hard drives, laptops, flash drives, and disks. If it’s necessary to retain important paperwork, take steps to keep it secure.
6 July 2015