This week’s article, which is part of our ongoing weekly series, “Cyber Insurance Compliance Insights from FTC Investigations” will reflect on why it is important for companies to secure their sensitive data and implement data security best practices.
Securely Store Sensitive Files
While the FTC may not publish a data security framework for companies and organizations to follow, it does expect data security controls and safeguards to be in place to securely store and protect sensitive information. A glance at today’s headlines, and at open or closed FTC investigations, provides real-world examples of organizations that failed to securely store their sensitive information and then experienced a data breach. The loss of control over protected or sensitive data is a serious threat to business operations. While a data breach can happen in many ways, whether data is leaked internally or lost as a result of theft or espionage, the majority of these incidents result from poorly understood data practices, a lack of effective policy architectures, and user error.
Protect Devices that Process Personal Information
At the time of this writing, a major Wi-Fi security vulnerability was announced. The vulnerability affects all major modern devices and operating systems, including Android, Apple, Windows, Linux, and more. What is critical about this newly discovered vulnerability is that the flaw lies in the standard itself rather than in individual implementations of it; as such, any correct implementation is likely affected. This is not a large-scale attack, because the attacker needs to be on the same Wi-Fi network as you in order to target you, and this should be taken into consideration when assessing your organization’s threat level. Since the attacker needs to be within wireless communications range, it does not leave an organization vulnerable to a wide-scale internet attack. While fixes can be developed for this problem, they will take time to roll out.
The vulnerability was found in the WPA2 security protocol and is referred to as KRACK, short for the “key reinstallation attack” that is used. This weakness allows an attacker to intercept and read sensitive data being transferred over the network. US-CERT states that impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, and the replay of unicast, broadcast, and multicast frames.
Major thefts of data have been initiated by attackers who gained wireless access to organizations from outside the physical building, bypassing security perimeters by connecting wirelessly to access points inside the organization. Therefore, the WPA2 Wi-Fi security vulnerability should not be taken lightly.
Keep Safety Standards in Place When Data is in Transit
Today there are many ways in which data in transit can be manipulated by attackers. The WPA2 Wi-Fi security vulnerability described above is a perfect example of how an attacker may be able to disrupt existing communications and data in transit. The FTC advises that prudent companies exercise care when transferring sensitive information. Adopting data encryption, both in transit and at rest, provides mitigation against data compromise. Encrypting data provides a level of assurance that, even if the data is compromised, an attacker cannot access the plaintext without significant resources.
Dispose of Sensitive Data Securely
On the same theme, the FTC notes that prudent companies should put sensible precautions in place to safeguard paperwork, flash drives, phones, CDs, and other media that may contain sensitive information. The risks of keeping old documents containing sensitive data can be high, resulting in identity theft, fraud, and potential financial loss or reputational damage. Some industries are mandated to keep data for specific time periods, but whether or not an organization is subject to data retention requirements, care must be taken when disposing of sensitive data. Today data resides in many places, and organizations must have procedures in place to securely erase mobile devices, hard drives, printers, fax machines, photocopiers, and other equipment before disposal, resale, or return to the vendor.
Cyber Insurance Compliance Insights: Secure paper, physical media, and devices
All it takes is one lost device, one lost file, or one intercepted Wi-Fi session to lead to a data breach. Therefore, it is important that your company or organization has policies and procedures in place and is enforcing them. With today’s new technologies, newly discovered vulnerabilities will always pop up and need to be addressed. Companies and organizations will need to be quick to patch and address new vulnerabilities as they arise. Otherwise, this may lead to their demise.
Please be sure to check back next week for more Cyber Insurance Compliance Insights from FTC Investigations.