“Start with Security: A Guide for Business”, a publication of the Federal Trade Commission of the U.S. Government, is five years old (it appeared in 2015) but is still consulted repeatedly by businesses, small and big alike. Its advice is written in simple language and is the most useful I have seen for actual implementation. I am explaining it here because our country has witnessed the loss of data innumerable times.
A copy, taken from the web, is reproduced for reference.
Why is it so important for a business to secure the data it acquires in the routine course of business?
One of my clients, well past 80 and living comfortably in the U.S.A., learnt one fine morning from the U.S. branch of a leading Indian private-sector bank that Rs 10 lakh had gone missing from the savings account he maintains in India. He receives a regular pension, interest on his bank deposits and regular dividends from leading Indian companies. In spite of his regular follow-up and repeated telephone calls, the bank did nothing beyond giving limited replies. This is one of millions of cases of identity theft from bank accounts, credit card misuse, unauthorized use of debit cards, illegal withdrawals at ATMs or misuse of cheque books stolen from ordinary people.
Had the business taken adequate steps to protect its data, or followed any of the advice discussed in this article, perhaps its clients would not have suffered. With rules tightening, the RBI or other regulatory authorities may impose heavy fines on businesses for delinquency in this area.
Let us follow the pattern advised in the publication.
Start with security.
Let me quote the guide's own advice directly.
“Factor it into the decision-making in every department of your business – personnel, sales, accounting, information technology, etc. Collecting and maintaining information “just because” is no longer a sound business strategy. Savvy companies think through the implication of their data decisions. By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of a data compromise down the road.”
It is no longer business as usual. Conscious, secure maintenance of data is a must; laxity is no longer acceptable.
Please do not collect information you don't need. A nationalized commercial bank collects nearly 43 signatures to open a simple bank account. Recently, during a visit to one of the biggest nationalized banks, I was told that the form signed by my business had also been shown to RBI officials sitting on the first floor. Too much fuss for nothing. Frequent interference by regulatory authorities in the routine operations of banks has wrecked the confidence of operational staff. Does a bank opening a simple savings account, nowadays a necessity for receiving a monthly salary, really need tens of documents, each self-attested several times?
In short: do not collect data your business does not need.
Please secure the information you do collect, such as Aadhaar card, driving licence and PAN card details, by electronic means, and dispose of the paper trail promptly.
Giving service providers free access to ordinary account holders' information is a serious offence. As a senior citizen, I believe big banks have adequate restrictions on who may view it. Even bankers must refrain from playing with personal data.
Control access to sensitive data
It is sad but true that Indian businesses, state authorities, regulatory authorities, utilities, educational institutions, and even ticket checkers on buses, planes and trains repeatedly demand confidential information and take photocopies, but fail to protect them. As a business, control access to sensitive data, beginning by not acquiring it when it is not needed. Access should be on a need-to-know basis: only senior personnel, and only in an emergency, should need to refer to sensitive data, never as a matter of routine.
Require secure passwords and authentication
Let me quote the guide's sensible advice, which has been very useful for business.
“If you have personal information stored on your network, strong authentication procedures – including sensible password “hygiene” – can help ensure that only authorized individuals can access the data.”
It is not enough that only authorized individuals access the data; they must also never share their credentials with anyone. The biggest fraud to rock one of the largest nationalized banks recently, which began at its Mumbai branch and involved so-called jeweller exporters, turned on a simple failing: an Assistant General Manager allowed employees of the accused to work in the bank regularly, like any other staff, using the senior officer's password. It was also reported that the bank's employees did not change their passwords frequently.
Let me give an absurd but real example of password usage in a commercial bank.
“Agarwal”, “Xavier”, or some other plain name: totally unacceptable by modern standards.
How can such a password be improved? The usual reflex is to bolt on digits and symbols, giving “Agarl12@” or “Agarrw156$”, but a name with a few characters appended is still short and still guessable. Length matters far more than a sprinkling of symbols, so a long passphrase, or a randomly generated password kept in a password manager, is the better answer, and commonly used words should not be accepted at all. Many systems insist on a change at fixed intervals, although current guidance (NIST SP 800-63B) prefers changing a password when compromise is suspected rather than on a calendar. It is not unusual for the program to rate a password on a scale from “unacceptable” to “strong”.
But never share the password with anyone, or face dire consequences and huge losses for the business.
Store sensitive personal information securely and protect it during transmission.
Let us look at another situation that actually happened with my bank, whose branch in one of the most popular markets in New Delhi recently caught fire. Its ground-floor records were charred and everything in them was lost.
Since the ground-floor records were burnt and the whole operation was shifted to the first floor, the following advice would have been the most appropriate.
“For many companies, storing sensitive data is a business necessity. And even if you take appropriate steps to secure your network, sometimes you have to send that data elsewhere. Use strong cryptography to secure confidential material during storage and transmission.
The method will depend on the types of information your business collects, how you collect it, and when you process it. Given the nature of your business, some possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption, or an iterative cryptographic hash.
But regardless of the method, it’s only as good as the personnel who implement it.”
I sincerely wish that those deputed to shift the electronic records, the most sensitive financial data, used the most secure means of transmission and continue to preserve them at the new place of operation.
May I add: keep sensitive information secure throughout its lifecycle, and use industry-tested and accepted methods.
Nationalized banks, huge organizations with many bureaucratic controls, do not share the details of their security systems, since most of these are operated by their service providers.
With information being stolen from private businesses regularly, one can only hope that they learn to secure it with the best available technology, both in transmission and at rest, and keep a secured copy elsewhere for use when disaster strikes.
Segment your network and monitor who’s trying to get in and out.
It is simple common sense to ensure that those who enter your system are checked by your firewalls, and that intrusion detection and prevention tools monitor your network for malicious activity. One should not have to learn from the newspapers that one's systems have been hacked.
For all the loud claims of commercial institutions about interconnectivity and operations in every corner of the nation, not every system needs to be connected to every other, and each should be protected separately. Segmentation is always advisable, and specialists should continuously monitor who is entering and leaving each segment.
Secure remote access to your network
With the pandemic spreading and total disruption the order of the day, it has become the onerous duty of the IT department to restrict remote access to the network to eligible employees only, and to doubly ensure that continuing operations are safe. A chain is only as strong as its weakest link: your network security is only as strong as the weakest security on a computer with remote access to it. New lessons on remote access have to be learned and applied at the point of need.
Apply sound security practices when developing new products
Introducing a new app or online service is routine for any commercial institution, but are the required safeguards in place? The FTC cites companies that turned off a critical process, SSL certificate validation, in their mobile apps, leaving the sensitive information consumers transmitted through those apps open to interception through man-in-the-middle attacks. The companies could have prevented this vulnerability by following the iOS and Android developer guidelines, which explicitly warn against turning off SSL certificate validation.
Let me quote from the report what actually happened to some well-known online services. The proof of the pudding is in the eating, is it not?
Quoted directly from page 14 of the report:
“In TRENDnet, for example, the FTC charged that the company failed to test that an option to make a consumer’s camera feed private would, in fact, restrict access to that feed. As a result, hundreds of “private” camera feeds were publicly available. Similarly, in Snapchat, the company advertised that messages would “disappear forever,” but the FTC says it failed to ensure the accuracy of that claim.
Among other things, the app saved video files to a location outside of the app’s sandbox, making it easy to recover the video files with common file browsing tools. The lesson for other companies: When offering privacy and security features, ensure that your product lives up to your advertising claims.”
Then test for common vulnerabilities
In Guess’s case, the FTC alleged that the business failed to assess whether its web application was vulnerable to Structured Query Language (SQL) injection attacks. As a result, hackers were able to use SQL attacks to gain access to databases with consumers’ credit card information. That’s a risk that could have been avoided by testing for commonly-known vulnerabilities, like those identified by the Open Web Application Security Project (OWASP).
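The Guess finding in working form, as an added example in Python with an in-memory SQLite table (not the Guess application and not code from the FTC guide; the rows and e-mail addresses are constructed): the concatenated query that an attacker can rewrite, the parameterised query that cannot be, and the kind of probe a pre-release test for this OWASP-listed vulnerability would run against both.

```python
# SQL injection, added illustration: a concatenated query beside its
# parameterised form, plus the probe a pre-release test should have run.
# Constructed rows; not the Guess application and not FTC code.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table of constructed customer rows (last four card digits only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("asha@example.com", "4242"),
         ("ravi@example.com", "1881"),
         ("meera@example.com", "0005")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Attacker-controlled text spliced straight into the statement."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Bound parameter: the driver passes the value separately from the
    statement, so a quote inside it is data, never SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload: closes the string literal, then ORs in a
# clause that is true for every row.
TAUTOLOGY = "nobody@example.com' OR '1'='1"


def probe_for_injection(conn: sqlite3.Connection, lookup) -> bool:
    """Minimal test: a lookup for an address that does not exist must return
    nothing. If the tautology payload returns rows, the statement text is
    being rewritten by its input."""
    baseline = lookup(conn, "nobody@example.com")
    try:
        attacked = lookup(conn, TAUTOLOGY)
    except sqlite3.Error:
        # A database error provoked by a quote character means the input
        # reached the SQL parser: count that as a finding as well.
        return True
    return len(baseline) == 0 and len(attacked) > 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TAUTOLOGY))   # every row leaks
    print("safe:      ", lookup_safe(db, TAUTOLOGY))         # nothing matches
    print("probe vulnerable:", probe_for_injection(db, lookup_vulnerable))
    print("probe safe:      ", probe_for_injection(db, lookup_safe))
```

The fix is not escaping quotes by hand but never letting user input become part of the statement text; the probe belongs in the test suite so that a later “quick fix” that reverts to string formatting is caught before release.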
I have no comparable information for India, where businesses live in a fairyland and do not disclose their vulnerabilities. Even big commercial institutions hide behind a mist of ignorance.
Make sure your service providers implement reasonable security measures
How can commercial institutions ensure this?
Put procedures in place to keep your security current and address vulnerabilities that may arise.
Finally, Secure paper, physical media, and devices.
I have written enough about the huge paperwork we inherit, as if it were a will left by our invaders. India is too slow to let go of the past. Yes, the advice given needs immediate introspection and implementation: destroy the paper trail at the earliest.
The input from the Federal Trade Commission's widely circulated guide is self-explanatory, and the tone of this article is advisory. Let all the authorities responsible for our online and offline accounts, of every kind, protect them immediately from attacks, whether from within the country or from hostile countries abroad.