You’ve heard about Newton’s laws regarding objects at rest and objects in motion. A 21st century corollary is protecting sensitive information while it is at rest on the network and implementing effective protections while it is in motion (for example, when customers transfer confidential information from their computers to your systems). Prudent companies will adopt the “start with security” advice, securely store sensitive personal information and protect it during transmission.
One strategy is surprisingly simple. Hackers can’t steal what you don’t have, so only collect and maintain confidential information when you need it. Asking for sensitive information from your clients is not a wise strategy in the unlikely event that you might use it for something one day. It’s smarter to wisely limit what you collect and then store it securely. It’s also a cost-conscious approach, as it’s cheaper to protect a small amount of data stored in a designated location than a large amount of sensitive data scattered across the company.
An important security tool is encryption. Encryption is the process of transforming a message so that only the person (or computer) with the key can read it. Companies can use encryption for sensitive data at rest and in transit to help protect it across websites, devices or the cloud.
How does your business securely protect data, including during data transmission? Here are some recommendations gleaned from FTC settlements, closed investigations, and questions raised by businesses.
Ensure the security of sensitive information throughout its lifecycle.
You can’t keep your information safe unless you know exactly what you have and where you have it. The first step is to understand how sensitive data enters your company, how it moves through the company, and how it exits. Once you master its journey through your system, it becomes easier to stay alert at every stop along the way.
example: An online sporting goods retailer lets customers choose a username and password. The company stores all usernames and passwords in clear, readable text. By not storing this information securely, retailers increase the risk of unauthorized access.
example: Recipe websites allow customers to create personal profiles. When designing the registration page, the company considered the many categories of information that might be requested and narrowed it down to information that was justified for business reasons. For example, the company considered asking users for their date of birth in order to tailor the site with recipes that might appeal to that demographic, but then decided to let consumers choose an age range. By considering the need for information and collecting less sensitive data, the company makes safer choices but can still customize the user experience.
example: Real estate companies need to collect sensitive financial information from potential home buyers. The company uses appropriate encryption to protect the security of the information when it is sent from the customer’s browser to the company’s servers. But when the information arrives, the service provider decrypts it and sends it to the company’s branch in clear, readable text. Real estate companies take careful steps to ensure the security of information by encrypting the initial transmission of information. However, by allowing service providers to send unencrypted data to branch offices, the company did not fully consider the importance of maintaining appropriate security throughout the lifecycle of sensitive information.
example: One company uses state-of-the-art encryption technology but stores the decryption key along with the encrypted data. Companies should store decryption keys separately from the data used to unlock them.
Use industry-tested and approved methods.
Some marketers design their products to have a unique, quirky look. But “unique” and “quirky” are not words you want to apply to your company’s security. Rather than reinventing the crypto wheel, the smarter approach is to adopt industry-tested methods that reflect the collective wisdom of experts in the field.
example: Two app developers are preparing similar products for the market. ABC Company uses its own proprietary method to obfuscate the data. In comparison, Company XYZ uses a proven encryption method approved by industry experts. By using proven forms of encryption, XYZ Corporation has made careful choices when developing its products. Additionally, XYZ’s advertising campaigns can truthfully promote its use of industry-standard encryption.
Make sure the configuration is correct.
A rock climber may have top-of-the-line gear, but if he doesn’t install carabiners and pulleys correctly, or uses them in a manner that the manufacturer warns about, he may suffer a catastrophic descent. Likewise, even if a company chooses strong encryption, they need to make sure it’s configured correctly.
example: A travel company developed an app that allows consumers to purchase tickets to popular tourist attractions. The travel company’s app uses the Transport Layer Security (TLS) protocol to establish encrypted connections with consumers. TLS certificates are used to ensure that the application is connected to a real online service when data is moved between the application and the ticketing company. However, when configuring their applications, travel companies disable the process of verifying TLS certificates. The travel company did this despite warnings from application developer platform providers not to disable default authentication settings or otherwise fail to verify TLS certificates. Travel companies should follow the app development platform’s preset recommendations.
Businesses are reminded that confidential material can enter, move through, and exit your systems in ways you may not have considered. Have you taken reasonable protective measures during the process?
Next article in the series: Segment your network and monitor who is trying to get in and out.
