
Cybersecurity Fails: 5 Times Businesses Put Their Customers at Risk



One of the worst mistakes you can make as a small business owner is thinking you’re too small to be at risk for a cyber-attack. In reality, small businesses are increasingly becoming targets for hackers because of their modest size. These businesses often have limited resources dedicated to cybersecurity, which makes them especially vulnerable to data breaches.

Here’s something else you might not know: The Federal Trade Commission can bring legal action against businesses that put consumers at risk through poor data security practices. In other words, you could be robbed by hackers, suffer massive damage to your public reputation by exposing customer information, and then be sued by a government agency for your troubles — a true nightmare scenario for any business.

The SBA recently hosted a cybersecurity webinar in which FTC attorneys Lisa Schifferle and Katherine McCarron presented lessons from data security cases brought against several big-name companies. How did these companies put their customers at risk, and how can you avoid repeating their mistakes in your own business? Read on for five important takeaways.

The Lesson From Accretive: Treat Personal Information With the Care It Deserves

Collecting and storing sensitive information is a key element of many small businesses, and business owners need to consider the impact of all their data decisions. “By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of data compromise down the road,” said Katherine McCarron, an attorney in the FTC’s Division of Privacy and Identity Protection.

In other words, use some common sense when it comes to your customers’ personal information, and learn from the mistakes of Accretive Health, Inc. The medical billing company needlessly used real people’s personal information in employee training sessions, then failed to remove the data from employees’ computers when the training ended.

A data breach occurred when a company laptop — containing 20 million pieces of information on 23,000 patients — was stolen from an employee’s car. Accretive had no apparent policy on electronic devices and data in transit, putting sensitive information at even greater risk.

The Lesson From Twitter: Make Information Available on a “Need to Know” Basis

Does a cashier in your business need access to all of your company’s human resources data? Do human resources need access to all of your customer data? Businesses often worry about hackers and outsiders, but it’s also important to guard against threats from your own employees. That’s why smart businesses grant employees access to networks and information only on a “need to know” basis.

“We know now that organized crime sometimes pays insiders to steal information from companies,” said Lisa Schifferle, an attorney in the FTC’s Division of Consumer and Business Education. “With the increase in identity theft by corrupt insiders, restricting access to sensitive data is important, and access controls make good business sense.”

In the FTC’s case against Twitter, almost all of Twitter’s employees had administrative control at the time the case was filed, which meant that any employee could reset user account passwords, view users’ non-public tweets, and even send tweets on a user’s behalf. If any one employee’s credentials were compromised, it could have led to a major breach[1]. That’s why administrative controls should be tailored to individual job needs. “Administrative access is the key to the kingdom, and those keys need to be carefully controlled,” Schifferle said.

The Lesson From DSW: Segment Your Network

Not every computer in your system needs to be able to communicate with every other one. Segmenting your network involves putting tools like firewalls in place to keep sensitive information in one secure part of the network, limiting access between computers on your network, and between your computers and the Internet.

In the FTC’s case against DSW, the shoe-store chain’s network wasn’t segmented, so a hacker was able to breach one particular store, then break into the corporate network, and finally get to other DSW shoe stores and steal credit card information.

“If DSW had properly segmented its network, the hacker would have been stopped at store #1,” said McCarron.

The Lesson From Fandango: Protect Sensitive Information During Transmission

It’s not enough to secure sensitive customer information when it’s at rest or in storage. Strong encryption must be used during transmission as well.

“You can have a bunch of locks on your house, but if you’re walking down the street with your purse open and money hanging out of your pockets, then you’re not protecting your valuables in transit,” Schifferle explained.

The FTC brought charges against Fandango after discovering that the movie ticketing service failed to follow explicit iOS and Android platform guidelines about secure development practices. Fandango used SSL encryption for its data, but turned off a critical process called SSL certificate validation in its mobile apps, leaving the information that consumers transmitted through those apps open to interception by man-in-the-middle attacks.[2]
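The misconfiguration described above, shown in Python as an added illustration (not Fandango’s mobile code): a client TLS context with certificate validation switched off beside the corrected default, plus a small audit helper that flags the unsafe settings. The function names are hypothetical.

```python
import ssl

# Constructed example: what "turning off SSL certificate validation" looks
# like in a Python HTTPS client, beside the corrected configuration, with an
# audit helper that flags the unsafe settings. Hypothetical, not Fandango's code.


def validation_disabled_context() -> ssl.SSLContext:
    """Client context with certificate validation disabled (the unsafe pattern).

    Any certificate from any server is accepted, so an active interceptor
    between the app and the real server can terminate TLS and read the traffic;
    encryption then only protects against passive eavesdroppers.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # certificate's hostname no longer compared
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain not checked against any CA
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context with validation intact: CA chain checked, hostname matched."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings explaining why ctx would accept a man-in-the-middle.

    An empty list means server authentication is intact.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server chain not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for any host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows protocol versions below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("validation disabled", validation_disabled_context()),
                      ("hardened", hardened_context())):
        print(f"{name}: {audit_client_context(ctx) or ['ok']}")
```

Running the same audit in a unit test against the context your client actually builds is a cheap way to catch a debugging shortcut like `CERT_NONE` before it ships.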

The Lesson From GMR Transcription: Make Sure That Data Security Is a Priority for Your Service Providers as Well

Before you hire service providers that will come into contact with sensitive information, explain your company’s security expectations and insist on those standards in your contracts. Then, monitor that your security requirements are being followed.

“Don’t just adopt a ‘take your word for it’ approach, but build in oversight,” Schifferle said. “Ask questions and follow up.”

In the case of GMR Transcription Services, Inc., the company hired service providers to transcribe highly confidential health information but failed to require any security measures of them. As a result, very sensitive personal health information was exposed on the Internet. GMR Transcription could have avoided this situation by including contract provisions requiring service providers to adopt reasonable security precautions such as encryption.

Check out the FTC’s “Start With Security” guide for more real-life examples of data security mistakes to avoid, and visit sba.gov/cybersecurity for valuable cybersecurity resources for your business.

[1] It didn’t help that Twitter stored admin passwords in clear text in personal email accounts, allowed its employees to recycle passwords, and didn’t suspend or disable user credentials after a certain number of unsuccessful login attempts, making them susceptible to brute force attacks.

[2] Fandango also fell short when it came to responding to reports of security vulnerabilities. The company relied on a general customer service system to handle warnings about security risks, and when a researcher contacted Fandango about a vulnerability, the system incorrectly categorized the report as a password reset request, sent out an automated response, and then marked the message as resolved without flagging it for further review. As a result, Fandango did not learn about the vulnerability until FTC staff contacted the company.