Data safety starts with a security mindset

For businesses in the promotional products industry, the watchword is safety. But there’s one product that can never be effectively “recalled”—sensitive account or employee information that ends up in the hands of hackers or fraudsters. The Federal Trade Commission has practical suggestions for companies of any size and in every sector about what they can do to help protect themselves from the risks of data theft.

Start with Security: A Guide for Business, a nuts-and-bolts brochure from the FTC, offers advice on raising your defenses. Share the publication and its accompanying videos with your staff, but if you’re pressed for time, it boils down to these 10 steps:

  1. Start with security. Your business needs to maintain certain sensitive information. But in an era of cyber threats and hack attacks, collecting confidential data “just because” isn’t a sound business strategy. If you haven’t recently evaluated the customer and employee data you ask for, think it through with 21st-century risks in mind. Hackers can’t steal what you don’t have. And remember that the best defense against data theft is a workforce trained to start with security.
  2. Control access to data sensibly. Not everyone needs a backstage pass to all confidential data your company maintains—for example, customers’ financial information or employees’ Social Security numbers. Limiting access on a “need to know” basis reduces the risks that an ill-intentioned insider could pose.
  3. Require secure passwords and authentication. It’s impossible to be 100-percent hacker-proof, but at a minimum, you can implement free or low-cost methods to make it harder for them to sneak onto your network. Insist that your employees and affiliates use strong passwords and defend against “dictionary attacks”—programs that systematically try to guess passwords—by locking people out after a reasonable number of unsuccessful access attempts.
  4. Store sensitive personal information securely and protect it during transmission. Keep confidential information safe when you store it and when you send it elsewhere. Consider whether encryption is an appropriate option.
  5. Segment your network and monitor who’s trying to get in and out. Tools like firewalls can segment your network, thereby limiting access between computers on your network and between your computers and the internet. That can reduce the impact if a hacker makes it past your preliminary defenses. Another useful safeguard: intrusion detection and prevention tools to monitor who’s trying to get into your network.
  6. Secure remote access to your network. For members of the promotional products industry, business on the road is business as usual. But like a raincoat advertised as waterproof, the weaknesses in a company’s security setup sometimes can show up at the seams. If you give employees, clients or service providers remote access to your network, protect your system by shoring up those entry points. Ensure that those security standards remain high when your staff members work from home, attend trade shows, or are out and about in the course of business.
  7. Apply sound security practices when developing or introducing new products. Internet-connected items are hot sellers in the promotional marketplace. But do the manufacturers you work with make it a practice to build security in from the start? Once a product has been distributed to thousands of consumers, it can be difficult to graft security on after the fact.
  8. Make sure your service providers implement reasonable security measures. Keep a watchful eye on service providers. Spell out your security expectations in your contracts and monitor that they’re meeting your requirements.
  9. Keep your security current and address vulnerabilities that may arise. Security isn’t a one-and-done box to check. Two ongoing tasks: Keep third-party software updated and patched, and move quickly to address credible security warnings.
  10. Secure paper, physical media and devices. Maintain high security standards for devices, flash drives and plain old paper. With all the attention on network security, some crooks do business the old-fashioned way. In those cases, old-fashioned security methods—a locked file cabinet, a shredder by the copier or a clean desk at the end of the day—can help keep sensitive data secure.
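Step 3's lockout after a reasonable number of failed attempts is the one item above that maps directly onto code. The following is an added illustration, not code from the FTC guide: a small login guard that counts failures per account inside a time window, locks the account for a fixed period once the threshold is hit, and verifies passwords against a salted PBKDF2 hash with a constant-time comparison. The user name, password, thresholds and timing values are constructed for the demo.

```python
import hashlib
import hmac
import os
import time


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; store only salt + this hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class LoginGuard:
    """Locks an account after MAX_FAILURES bad attempts within WINDOW seconds.
    This blunts dictionary attacks, which rely on trying many guesses quickly."""
    MAX_FAILURES = 5    # constructed threshold; tune to your own risk appetite
    WINDOW = 600        # seconds over which failures are counted
    LOCKOUT = 900       # seconds the account stays locked

    def __init__(self, users, clock=time.time):
        self.users = users          # name -> (salt, stored_hash)
        self.clock = clock          # injectable so tests can control time
        self.failures = {}          # name -> timestamps of recent failures
        self.locked_until = {}      # name -> time the lock expires

    def attempt(self, name: str, password: str) -> str:
        now = self.clock()
        if self.locked_until.get(name, 0) > now:
            return "locked"         # refuse even a correct password while locked
        salt, stored = self.users.get(name, (b"", b""))
        candidate = hash_password(password, salt)   # hash even for unknown names
        if name in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(name, None)           # success clears the counter
            return "ok"
        recent = [t for t in self.failures.get(name, []) if now - t < self.WINDOW]
        recent.append(now)
        self.failures[name] = recent
        if len(recent) >= self.MAX_FAILURES:
            self.locked_until[name] = now + self.LOCKOUT
            self.failures.pop(name, None)
            return "locked"
        return "denied"


def demo():
    """Five wrong guesses lock 'alice'; the right password works only after expiry."""
    salt = os.urandom(16)
    users = {"alice": (salt, hash_password("correct horse battery staple", salt))}
    fake_time = [1_000.0]
    guard = LoginGuard(users, clock=lambda: fake_time[0])
    results = [guard.attempt("alice", f"guess{i}") for i in range(5)]
    results.append(guard.attempt("alice", "correct horse battery staple"))
    fake_time[0] += LoginGuard.LOCKOUT + 1
    results.append(guard.attempt("alice", "correct horse battery staple"))
    return results
```

Logging each "locked" event gives your staff the monitoring signal step 5 asks for: a burst of lockouts across many accounts is a dictionary attack in progress.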

The FTC’s Business Center, at business.ftc.gov, has more tips for companies, including to-the-point publications to help train your staff on how to start with security.

Lesley Fair is senior attorney in the Bureau of Consumer Protection at the Federal Trade Commission.