The FTC recently released a business guide that summarizes compliance lessons learned from the more than 50 data security settlements it has reached to date. Start with Security: A Guide for Business offers actionable data security tips drawn from real-life security incidents and the law enforcement actions that followed. Whether organizations are reading this brochure or reading about a breach in the news, there are always, as the FTC puts it, “compliance nuggets” to be learned.
The FTC has distilled 10 common-sense lessons from the settlements it has reached:
- Start with security – factor the handling and security of data into every business decision; in practice this means collecting less data in the first place and retaining it only as long as it is needed
- Control access to data sensibly – restrict both user access and administrative access to what each role actually requires
- Require secure passwords and authentication – and do not allow employees to store passwords insecurely
- Store sensitive personal information securely and protect it during transmission – this is about managing data through its entire lifecycle and having a way to verify that it is actually protected, including confirming that encryption is in place and correctly configured rather than assuming it is (weak or misapplied encryption is one of the failures the guide addresses)
- Segment your network and monitor who’s trying to get in and out
- Secure remote access to your network – this includes endpoint security, ensuring that remote connections from employees and contractors are secure, and ensuring that remote logins cannot be easily abused
- Apply sound security practices when developing new products
- Make sure your service providers implement reasonable security measures – which requires you to verify that contractors comply and to monitor for security incidents on their side as well as your own
- Put procedures in place to keep your security current and address vulnerabilities that may arise – patching, and prioritizing and responding to reported vulnerabilities, is key
- Secure paper, physical media, and devices – this overlaps with the need for endpoint security, which is about protecting data once it is outside the corporate network
In addition to this guide, the FTC has gathered its growing collection of business security resources on a new microsite. This landing page brings together case studies, reports, education, tutorials and up-to-date news on data security and on FTC enforcement following data security incidents. As the FTC notes, its actions are based on the idea of “reasonableness”: an organization’s data security measures must reasonably reflect the sensitivity and volume of the data it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.
At Absolute, we want to support your organization with technology solutions that make data protection easier. Automated patch deployment with Absolute Manage and the persistent ability to monitor encryption status on the endpoint with Absolute Data & Device Security (DDS) are just some of the ways we can help. Learn more at Absolute.com