Information Security … A Guide For Business #6 Secure Remote Access to Your Network

Ten practical lessons businesses can learn from the FTC’s 50+ data security settlements (business.ftc.gov). This is part #6.

#6  Secure Remote Access to Your Network!

Business doesn’t just happen in the office. While a mobile workforce can increase productivity, it also can pose new security challenges. If you give employees, clients, or service providers remote access to your network, have you taken steps to secure those access points? FTC cases suggest some factors to consider when developing your remote access policies.

Ensure endpoint security.

Just as a chain is only as strong as its weakest link, your network security is only as strong as the weakest security on a computer with remote access to it. That’s the message of FTC cases in which companies failed to ensure that computers with remote access to their networks had appropriate endpoint security. For example, in Premier Capital Lending, the company allegedly activated a remote login account for a business client to obtain consumer reports, without first assessing the business’s security. When hackers accessed the client’s system, they stole its remote login credentials and used them to grab consumers’ personal information. According to the complaint in Settlement One, the business allowed clients that didn’t have basic security measures, like firewalls and updated antivirus software, to access consumer reports through its online portal. And in LifeLock, the FTC charged that the company failed to install antivirus programs on the computers that employees used to remotely access its network. These businesses could have reduced those risks by securing computers that had remote access to their networks.

Put sensible access limits in place.

Not everyone who might occasionally need to get on your network should have an all-access, backstage pass. That’s why it’s wise to limit access to what’s needed to get the job done. In the Dave & Buster’s case, for example, the FTC charged that the company failed to adequately restrict third-party access to its network. By exploiting security weaknesses in the third-party company’s system, an intruder allegedly connected to the network numerous times and intercepted personal information. What could the company have done to reduce that risk? It could have placed limits on third-party access to its network – for example, by restricting connections to specified IP addresses or granting temporary, limited access.
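One way to enforce the kind of third-party limits described above (a source-address allowlist, an expiry on the grant, and a narrow scope), as an added example that is not from the FTC guide or from any company named in it. The vendor names, address ranges (documentation ranges) and resource names are constructed placeholders; every condition must pass, and the default is to deny.

```python
import ipaddress
from datetime import datetime

# Constructed sample policy: each third-party account is limited to specific
# source networks, a fixed expiry date, and only the resources it needs.
VENDOR_POLICY = {
    "vendor-a": {
        "allowed_sources": ["203.0.113.0/24"],    # whole vendor office range
        "expires": "2024-06-30T23:59:59+00:00",
        "allowed_resources": {"reporting-portal"},
    },
    "vendor-b": {
        "allowed_sources": ["198.51.100.7/32"],   # single-host grant
        "expires": "2024-01-15T00:00:00+00:00",
        "allowed_resources": {"ticketing-api"},
    },
}


def parse_time(iso_timestamp):
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(iso_timestamp)


def evaluate_access(account, source_ip, resource, now, policy=VENDOR_POLICY):
    """Return (allowed, reason) for one remote-access attempt.

    Deny by default: the account must exist, the temporary grant must not
    have expired, the source address must be on that account's allowlist,
    and the requested resource must be inside the granted scope.
    """
    entry = policy.get(account)
    if entry is None:
        return False, "unknown account"
    if now > parse_time(entry["expires"]):
        return False, "temporary grant expired"
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "malformed source address"
    if not any(src in ipaddress.ip_network(net) for net in entry["allowed_sources"]):
        return False, "source address not on allowlist"
    if resource not in entry["allowed_resources"]:
        return False, "resource outside granted scope"
    return True, "ok"


if __name__ == "__main__":
    now = parse_time("2024-03-01T00:00:00+00:00")
    print(evaluate_access("vendor-a", "203.0.113.10", "reporting-portal", now))
    print(evaluate_access("vendor-b", "198.51.100.7", "ticketing-api", now))
```

Each denial carries a distinct reason so that the decision can be logged and reviewed; a grant that keeps expiring in the logs is a prompt to re-check whether the vendor still needs access at all.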