On September 22, 2017, the Federal Trade Commission published the tenth blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Put procedures in place to keep your security current and address vulnerabilities that may arise, outlines how and why companies should keep their security up to date and respond quickly to credible threats.
The FTC’s guidance lists three ways in which companies can stay current with their security and address vulnerabilities should they arise:
- Update and Patch Software: If a company learns that either its network or third-party software installed on its network has become vulnerable to a new threat, it should act in accordance with recommendations from security experts. If the threat affects a company’s product already in the hands of consumers, the company should take measures to provide customers with an update or patch and to inform them of any remedial steps to take.
- Plan Delivery Methods of Security Updates for Software: Companies that are serious about security have plans in place to release timely security updates. Such plans should be considered before bringing a product to market. For example, the FTC recommends ensuring that a product automatically searches for and installs security updates or provides visual notices and alerts to consumers when a security update is available for download.
- Heed Credible Security Warnings and Move Quickly to Fix the Problem: Businesses should be able to receive communications about security warnings that could affect their network or products. This can be achieved by setting up a dedicated channel (such as an information security email address or phone number) to receive such communications, where they can be evaluated by qualified security personnel who can decide whether further action is needed.
The guidance concludes by noting that the key lesson for businesses is to ensure that appropriate channels are in place that are designed to receive and send critical information about vulnerabilities, and that businesses act quickly to implement appropriate security remedies should any network or product vulnerabilities arise.
The FTC’s next blog post, to be published on Friday, September 29, will focus on securing paper, physical media and devices.