In the latest blog posts in the Federal Trade Commission’s “Stick with Security” series, the FTC focused on the procedures companies should put in place that will keep their security current, will address vulnerabilities that may arise and will keep paper, physical media and devices safe.
Advocating for businesses to follow the slogan “Sound data security is a process, not a checklist,” the FTC frowned on approaching data security with a “one-and-done attitude.” Instead, companies should put procedures in place to stay on top of the ever-evolving risks posed by hackers and data thieves, wrote Acting Director Thomas B. Pahl of the FTC’s Bureau of Consumer Protection.
More specifically, businesses should update and patch software, reach out to existing customers when a vulnerability arises, and take into account products that are still available on retail shelves. One helpful tip: plan how to deliver security updates in advance by building them into the product’s design, the FTC suggested.
For example, a thermostat company configured the default settings on a product to automatically search for and install security updates via its Internet connection, while a smart kitchen appliance featured an alert button that provides a visual cue to let consumers know that a security update is available online.
Pahl also advised businesses to heed credible security warnings and move quickly to fix any problems. Designate a contact person at the company for security issues or create a monitored email account to flag concerns for possible investigation and action. “The lesson for companies committed to sticking with security is to create channels in advance to receive and send critical information about potential vulnerabilities,” the FTC wrote. “Move quickly to implement appropriate security remedies.”
However, a second blog post reminded businesses that some data thieves prefer “old school” methods of security violations—“rifling through file cabinets, pinching paperwork, and pilfering devices like smartphones and flash drives. As your business bolsters the security of your network, don’t let that take attention away from how you secure documents and devices,” the FTC cautioned.
Sensitive files should be securely stored (personnel files in locked cabinets within locked offices) and devices that process personal information should be protected by requiring employees to lock their smartphones with a passcode and encrypt data on the device. When data is on the move, security standards still apply, Pahl reminded companies. Data should be encrypted on an external hard drive when data is shipped to headquarters, or security training should be provided so that employees don’t leave bags filled with customers’ financial information in the back seat of their cars.
Disposal of sensitive data should also be handled in a secure fashion, the FTC said. “Just tossing documents in the bin or clicking DELETE is unlikely to deter infobandits,” according to the blog post. “To prevent them from reconstructing discarded files, responsible companies take the prudent step of shredding, burning, or otherwise destroying documents and using tech tools that truly render electronic files unreadable.”
Why it matters: As the FTC’s “Stick with Security” series winds down to a finish, the two blog posts emphasized the need to put procedures in place to keep security current and address vulnerabilities that arise, while remembering that paper, physical media and devices still need to be protected as part of a 360-degree approach to protecting confidential data.