used with permission from FTC.gov
by Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
“Sound data security is a process, not a checklist.” We’ve all heard that slogan – and with good reason. The way that sensitive information moves into, through, and out of your company’s networks or the software products you develop is ever-evolving. So, too, are the risks that hackers and data thieves pose as they adapt to the countermeasures you take to foil their efforts. Approaching data security with a one-and-done attitude ignores the here-and-now realities you face. That’s why Start with Security recommends that companies put procedures in place to keep your security current and address vulnerabilities that may arise.
A look at FTC law enforcement actions, closed investigations, and the experiences that businesses have shared with us demonstrates the wisdom of that advice. These examples illustrate why you should keep your security up to date and respond quickly to credible threats.
Update and Patch Software.
Sometimes companies learn that their networks – or third-party software installed on their networks – are vulnerable to a new form of threat. If that’s the case, find out what the experts recommend and act accordingly.
In other instances, a company determines that its own products already in consumers’ hands possess a vulnerability to an existing or new threat. In that instance, take steps to correct the problem with an update or a patch and move quickly to let customers know about remedial steps they should take.
Example: The owner of a home-based business buys a new laptop to manage his venture. He installs anti-virus software from a reputable company. When given the onscreen choice, the business owner allows the software to update the laptop’s anti-virus protection automatically. In that circumstance, opting for automatic updates is a sensible decision.
Example: A regional chain of hair salons uses third-party software to manage retail sales and inventory. When an email arrives from the vendor advising users of the software to install a patch to address a security vulnerability, a designated staff member visits the vendor’s site and confirms the authenticity of the message, and then takes the steps necessary to update the software. By having a system in place to monitor and respond to security communications from vendors, the company has helped to keep its security up to date.
Example: A company sells a popular line of personal finance software. After many consumers have already bought the product, the company spots a security vulnerability in the software. The company creates a new version of the software that addresses the vulnerability. However, it doesn’t contact existing customers to offer a patch, and it doesn’t take into account vulnerable software still available on retail shelves. By failing to implement the fix effectively, the company has put consumers’ sensitive information at risk.
Plan How You Will Deliver Security Updates for Your Product’s Software.
No matter how secure you believe your product to be, software vulnerabilities may be discovered in the future. Security-savvy companies have a plan in place to issue timely security updates. The method will depend on the nature of the product, but it’s wise to build those contingencies in before you go to market.
Example: A company manufactures a thermostat that connects to the internet. The company configures default settings to automatically search for and install security updates that the company deploys. By designing its product with a method in place to deliver necessary updates, the company has made a more secure design choice.
Example: A company manufactures a kitchen appliance that connects to the internet. In the initial product development stage, the company determines that automatic security updates aren’t feasible. So the company designs the appliance with an alert button that provides a visual cue that a security update is available online. Furthermore, during the initial set-up wizard, consumers have the option of adding an additional method of communication – for example, text or email – to receive notices when a security update is available. By building those communication channels in from the start, the company has made it easier to tell customers about future security updates or patches.
Heed Credible Security Warnings and Move Quickly to Fix the Problem.
On the subject of security, there’s a lot of cross-talk among tech experts, researchers, government agencies, industry pros, and consumers. With a wealth of expertise out there, it’s wise to keep your ear to the ground when the topic turns to emerging risks and potential vulnerabilities. Pay attention when you get wind of security warnings that could affect your network or your product. Also, if experts are trying to reach your company to sound a particular alarm, will their messages get to the right people quickly?
Example: An app developer receives thousands of emails a day. On its website, it directs people to email customerservice[at]companyname.com with questions or comments about resetting passwords, payments, and other typical consumer issues. In case of a potential security concern, however, it directs people to email security[at]companyname.com. The app developer designates a knowledgeable staff member to monitor that mailbox regularly and immediately flag plausible concerns for appropriate personnel – for example, the developer’s software security engineers. By heeding credible security warnings and moving quickly to investigate and resolve them, the app developer may be able to prevent a problem or mitigate a risk.
Example: A security researcher finds a major vulnerability in an app. The researcher tries to contact the app developer, but cannot find a way to reach the company, other than a general corporate phone number. In training, administrative personnel who retrieve voicemails from the general number are instructed to delete messages from unknown third parties. A better practice would be to route communications about potential vulnerabilities – bug reports – to a dedicated channel where they can be evaluated by qualified security personnel.
The lesson for companies committed to sticking with security is to create channels in advance to receive and send critical information about potential vulnerabilities. Move quickly to implement appropriate security remedies.