On September 1, 2017, the FTC released its sixth “Stick with Security” principle, which highlighted the steps businesses can take to ensure that “outside entryways” into network systems are secure. Securing remote access to a network involves two aspects:
Ensure Endpoint Security
A company’s network is only as secure as the least safe device that connects to it. Before giving employees, clients, or service providers remote access, make sure to set security ground rules, communicate those rules clearly, and verify compliance with them. Furthermore, off-site devices used for remote access should have updated software, patches, antivirus protections, and additional security measures to shield against threats. Such additional security measures could include a dynamic security code that must be entered to access the network. A company would also be wise to regularly reevaluate its requirements in the face of emerging threats and devices with outdated security.
Put Sensible Access Limits in Place
The FTC offers a few illustrative examples to explain its view concerning what qualifies as sensible access limits. In particular, it stresses limiting the scope and duration of remote access. For example, in the ordinary course of business, a retailer may give a contractor remote access to portions of the network system that are needed to complete the contractor’s task, but should restrict access to other parts of the system. Further, when the contractor’s work is completed, the requisite authorization should be discontinued. Lastly, if a contractor or vendor needs multiple employees to share remote administrative access, the retailer or company should have methods to audit and attribute account use to a particular employee.