In its third post in the “Stick with Security” series, the Federal Trade Commission (FTC) suggested that access to sensitive data should be sensibly limited.
“Not everyone on your staff needs unrestricted access to all confidential information you keep,” wrote Thomas B. Pahl, acting director of the agency’s Bureau of Consumer Protection. “The better practice is to put sensible controls in place to allow access to employees who need it to do their jobs, while keeping others out.”
Companies should exercise the same level of care with sensitive customer or employee data as they do when locking doors or prohibiting customers on a factory floor. The first step: Restrict access to sensitive data.
“If employees don’t have to use personal information as part of their job, there’s no need for them to have access to it,” the FTC said. For physical paperwork, a locked cabinet should suffice, while separate user accounts that limit who can view sensitive files or databases is an effective option for network data.
Pahl praised a “clean desk” policy that requires employees to lock up sensitive documents at the end of the day, as well as procedures whereby multiple employees in a small company may share a single workstation but have individual, password-protected access to separate databases. Both instances demonstrate how companies can reduce the risk of unauthorized access to or use of company data, the FTC said.
On the other end of the spectrum, the agency frowned on a company that provided all employees (including IT staff, sales representatives, HR personnel and support staff) access to customer profiles that included personal medical information. According to Pahl, “By giving access to sensitive data to staff members who don’t need it for the performance of their duties, the company has created a situation that could put highly confidential information at risk.”
Businesses should also limit administrative access, the FTC recommended, as “[a]n untrustworthy administrator—or too many employees with admin rights—can undo the steps you’ve implemented to keep your system secure.”
One bad idea: using the same login for all employees—from the company’s receptionist to a sales assistant to a summer intern—that permits administrative rights. “The wiser approach is for the company to require different logins with only those privileges necessary for that employee to do his or her job,” the agency advised.
To read the FTC’s blog post, click here.
Why it matters: “The lesson for businesses is to restrict ‘backstage passes’ to confidential information,” Pahl concluded his blog post. “Limit access to sensitive data to staff members who need it for the performance of the duties.” Having already walked companies through the first steps in the series—starting with security and controlling access to data—the FTC will focus its next installment on secure passwords and authentication.