This week’s article, part of our new ongoing weekly series “Cyber Insurance Compliance Insights from FTC Investigations”, reflects on why it is important for companies to segment their networks and to monitor who is trying to get in and out.
Our weekly blog series is a spinoff of the FTC’s new “Stick with Security: Insights into FTC Investigations” series. Each week we recap the FTC’s latest blog insights on data security and explain how those measures can help companies demonstrate cyber insurance compliance. For companies looking to obtain cyber insurance, it is essential to be able to demonstrate effectively that they have implemented baseline security measures.
Based on FTC cases, closed investigations, and questions posed by businesses, below are examples illustrating the benefits of securing remote access to your network.
Ensure Endpoint Security
According to the FTC, your network is only as secure as the least safe device that connects to it. Whether it is an employee working from home or travelling, or a service provider accessing your network remotely, your company needs to ensure that everyone who works on and connects to your network remotely follows your company’s Remote Access policy and procedures.
Furthermore, the FTC recommends that companies take steps to make sure that devices used for remote access have updated software, patches, and other security features designed to protect against evolving threats.
FTC-Provided Example: Before allowing employees to access the company network remotely, a business establishes standard configurations for firewalls, antivirus protection, and other protective measures on devices used for remote access, and conducts periodic in-house training. It also provides a token with a dynamic security code that the employee must type in to access the company’s network, and maintains procedures to ensure that employees’ devices have the mandated firewalls, antivirus protection, and other protections in place. In addition, the company regularly re-evaluates its requirements in light of emerging threats and blocks remote access by devices with outdated security. By approaching endpoint security as an ongoing process, the company has taken steps to reduce the risks associated with remote access.
Put Sensible Access Limits in Place
Just as security-conscious companies restrict in-house access to sensitive data to only those authorized employees with a business need for it, they also put sensible limits in place for remote access. It is no secret that Target’s data breach began when a third-party HVAC vendor had its Target network login credentials stolen. Had Target implemented measures for controlling what third parties can do on its network, the breach might not have been as big or as costly.
FTC-Provided Example: A retailer hires a contractor to revamp its online payroll system. The retailer gives the contractor remote access to the portions of the network necessary to complete the task, but restricts the contractor from other parts of the system. In addition, the retailer discontinues the contractor’s authorization as soon as the task is complete. By limiting the scope and duration of the contractor’s remote access, the retailer has taken steps to protect confidential data on its network.
Cyber Insurance Compliance Insights: Secure remote access to your network
You can’t see what you can’t see, which is why a Remote Access policy must be in place for remote workers and service providers, so that they can follow your company’s remote access security ground rules. You will also want to verify that each employee, client, or service provider is in compliance with the company’s Remote Access policy. In addition, a good best practice is to have remote workers and service providers reach your company’s network through a Virtual Private Network (VPN), which provides an encrypted tunnel between the remote user’s device and your company’s server.
Today, your company is only as secure as its weakest link, and that can mean employees, vendors, service providers, and the ever-growing number of devices connected to your company’s network.
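As an added illustration (not code from the FTC or from the original post), the Python sketch below turns the two FTC examples above and the policy checks in this section into one auditable allow/deny decision: an endpoint baseline (firewall, antivirus, no outdated security software), a verified dynamic token code, and a grant limited in both scope and duration. All thresholds, names and the contractor scenario are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass
class DevicePosture:
    firewall_on: bool
    antivirus_on: bool
    av_signature_age_days: int   # days since the last definition update
    os_patch_age_days: int       # days since the last security patch

@dataclass
class AccessGrant:
    principal: str
    allowed_segments: frozenset  # network segments this grant may reach
    expires_at: datetime         # the grant lapses automatically afterwards

# Mandated baseline: assumed thresholds, not values taken from the FTC text.
MAX_SIGNATURE_AGE_DAYS = 7
MAX_PATCH_AGE_DAYS = 30

def evaluate_remote_access(posture, grant, segment, token_ok, now):
    """Return (allowed, reasons); every failed check is listed for the audit record."""
    reasons = []
    if not posture.firewall_on:
        reasons.append("firewall disabled")
    if not posture.antivirus_on:
        reasons.append("antivirus disabled")
    if posture.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("antivirus definitions outdated")
    if posture.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("security patches outdated")
    if not token_ok:
        reasons.append("dynamic token code not verified")
    if now >= grant.expires_at:
        reasons.append("access grant expired")
    if segment not in grant.allowed_segments:
        reasons.append(f"segment {segment!r} outside granted scope")
    return (not reasons, reasons)

# Constructed scenario: a payroll contractor with a two-week, payroll-only grant.
T0 = datetime(2017, 9, 1, tzinfo=timezone.utc)
DAY2, DAY20 = T0 + timedelta(days=2), T0 + timedelta(days=20)
CONTRACTOR = AccessGrant("payroll-contractor", frozenset({"payroll"}),
                         expires_at=T0 + timedelta(days=14))
HEALTHY = DevicePosture(True, True, av_signature_age_days=1, os_patch_age_days=3)
STALE = DevicePosture(True, True, av_signature_age_days=45, os_patch_age_days=90)

if __name__ == "__main__":
    print(evaluate_remote_access(HEALTHY, CONTRACTOR, "payroll", True, DAY2))
    print(evaluate_remote_access(HEALTHY, CONTRACTOR, "cardholder-data", True, DAY2))
    print(evaluate_remote_access(STALE, CONTRACTOR, "payroll", False, DAY20))
```

The second and third calls deny access for an out-of-scope segment and for an expired grant on an outdated device, which are the two failure modes the FTC examples describe.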
Please be sure to check back next week for more Cyber Insurance Compliance Insights from FTC Investigations.