This week’s article, part of our new ongoing weekly series, “Cyber Insurance Compliance Insights from FTC Investigations,” reflects on why it is important for companies to segment their networks and monitor who’s trying to get in and out.
Our weekly blog series is a spinoff of the new “Stick with Security: Insights into FTC Investigations” series. It recaps the FTC’s new weekly blog insights on data security and explains how these measures can help companies demonstrate cyber insurance compliance. For companies looking to obtain cyber insurance, it is essential to be able to demonstrate that they have implemented baseline security measures.
Who’s coming in and what’s going out?
Today, in almost every office building (and even many residential buildings) in New York City, there is a front desk, a doorman, or a security guard waiting to greet you before allowing you to head up the elevator to your destination. You’re often asked to present your ID before being allowed into the elevator. Are you doing the same with your company’s computer systems and network? Are you managing what data is coming in and what’s going out? Is your company monitoring its network activity, using an intrusion detection system, and checking the log alerts that show unusual data activity on its network?
Based on FTC cases, closed investigations, and questions posed by businesses, here are examples illustrating the benefits of segmenting your network and monitoring the size and frequency of data transfers.
Segment Your Company’s Network
The FTC states that segmenting your company’s network – for example, having separate areas on your network protected by firewalls configured to reject unnecessary traffic – can reduce the harm if a data breach happens. By segmenting your network, you may be able to minimize the damage of a data breach by isolating data to a limited part of your company’s systems.
FTC Provided Example: A company must maintain records that include confidential client information. By using a firewall to separate the part of its network that contains its corporate website data from the portion that houses confidential client information, the company has segmented its network in a way that could reduce the risk to sensitive data.
As it relates to cyber insurance, if your company has a high volume of customer transactions and records, an underwriter would ideally prefer that your company segment its network rather than keep all of its sensitive records and process its transactions on the same network. Therefore, it would be wise to avoid keeping all of your eggs in one basket.
Monitor Activity on Your Company’s Network
Another key component of network security is monitoring access, uploads, and downloads, and responding quickly if something seems amiss. A number of tools are available to warn you about attempts to access your company’s network without authorization and to spot malicious software when someone is trying to install it on your network.
FTC Provided Example: An up-to-no-good employee decides to steal sensitive customer information. The company has tools in place to detect when confidential data is accessed outside of a normal pattern and to alert the IT staff when large amounts of data are accessed or transferred in an unexpected fashion. Those steps make it easier for the company to catch the data thief in the act – and to protect customers in the process.
The SANS CIS Control #4 states that organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised.
CIS Vulnerability Assessment and Remediation Tips:
Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk.
Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable.
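The two correlation goals above can be checked in a few lines of Python. This is an added example, not code from the FTC or CIS guidance; the host addresses, the vulnerability ids (VULN-A, VULN-B), the record layouts, and the one-hour logging window are all constructed assumptions.

```python
from datetime import datetime

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample data; hosts, ids and field layouts are assumptions.
SCANNER_IP = "10.0.9.9"
SCAN_RUNS = [ts("2024-03-04T02:00:00"), ts("2024-03-11T02:00:00")]  # weekly scans
SCANNED_HOSTS = {run: {"10.0.1.5", "10.0.1.7"} for run in SCAN_RUNS}
FINDINGS = [  # (scan time, host, vulnerability id) reported by the scanner
    (ts("2024-03-04T02:00:00"), "10.0.1.5", "VULN-A"),  # fixed before next scan
    (ts("2024-03-04T02:00:00"), "10.0.1.7", "VULN-B"),
    (ts("2024-03-11T02:00:00"), "10.0.1.7", "VULN-B"),  # still open
]
EVENT_LOG = [  # (time, source ip) connection events from the network log
    (ts("2024-03-04T02:00:13"), "10.0.9.9"),
    (ts("2024-03-12T09:30:00"), "203.0.113.50"),
]
ALERTS = [  # (time, target host, vulnerability id) from the IDS
    (ts("2024-03-12T09:30:00"), "10.0.1.7", "VULN-B"),
    (ts("2024-03-12T09:31:00"), "10.0.1.5", "VULN-A"),
    (ts("2024-03-12T09:32:00"), "10.0.2.2", "VULN-A"),
]

def unlogged_scans(scan_runs, event_log, scanner_ip, window_s=3600):
    """Goal 1: return scan runs that left no trace in the event log."""
    def seen(run):
        return any(src == scanner_ip and 0 <= (t - run).total_seconds() <= window_s
                   for t, src in event_log)
    return [run for run in scan_runs if not seen(run)]

def correlate(alerts, findings, scanned_hosts):
    """Goal 2: classify each alert against the latest scan that preceded it."""
    known = set(findings)
    results = []
    for when, host, vuln in alerts:
        prior = [run for run, hosts in scanned_hosts.items()
                 if run <= when and host in hosts]
        if not prior:  # coverage gap: the target was never scanned
            results.append((host, vuln, "never-scanned"))
        elif (max(prior), host, vuln) in known:
            results.append((host, vuln, "known-vulnerable"))
        else:
            results.append((host, vuln, "not-in-last-scan"))
    return results

if __name__ == "__main__":
    print("scan runs missing from logs:", unlogged_scans(SCAN_RUNS, EVENT_LOG, SCANNER_IP))
    for row in correlate(ALERTS, FINDINGS, SCANNED_HOSTS):
        print(row)
```

A "known-vulnerable" result is the one to escalate first, while "never-scanned" points to a gap in scan coverage rather than a clean host.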
Please be sure to check back next week for more Cyber Insurance Compliance Insights from FTC Investigations.