Cyber security

On June 9, 2023, the Federal Trade Commission (FTC) rolled out updates to its Standards for Safeguarding Customer Information. Because managed service providers (MSPs) play a crucial role in ensuring the security of customer data and applications, some of the responsibility for data protection now falls to them.

This article will summarize some of the key updates to the FTC standards. Additionally, it emphasizes the importance of monitoring SaaS business applications, particularly Microsoft 365 and Google Workspace, and outlines compliance requirements and best practices for them to follow when safeguarding customer information for their clients.

FTC safeguard standards

While primarily targeting financial clubs, it also applies to various other entities, including MSPs

The recent National Cybersecurity Strategy released by the Biden-Harris administration has led to the FTC updating its Standards for Safeguarding Customer Information, known as the Safeguards Rule. The rule provides guidelines for developing and maintaining administrative, technical, and physical safeguards to protect customer information.

While primarily targeting financial institutions, it also applies to various other entities, including MSPs working with covered entities. Adhering to these standards is essential for effectively protecting sensitive customer information, and for maintaining compliance with government regulations.

enhanced cybersecurity in SaaS business applications

SaaS business applications such as Microsoft 365 and Google Workspace have revolutionized business operations, enabling remote work and collaboration. However, the increased reliance on these applications also exposes businesses to higher risks of data breaches and unauthorized access.

To comply with FTC standards, MSPs must proactively monitor and secure these platforms to protect customer information and maintain trust.

Standards for safeguarding customer information

Key elements of the security program must include designating a qualified individual

According to the Safeguards Rule, covered entities must establish and maintain a comprehensive security program that includes administrative, technical, and physical safeguards appropriate for their operations. The security program’s objectives are to ensure the security and confidentiality of customer information, protect against anticipated threats, and prevent unauthorized access.

Key elements of the security program must include designating a qualified individual, conducting regular risk assessments, implementing access controls and encryption, monitoring user activity, and having an incident response plan in place.

The role of managed service providers in strengthening security

MSPs have a crucial role in enhancing security and protecting customer information. They should work with their customers to establish comprehensive security programs that include the required policies, procedures, and controls. Each customer will need to designate a qualified individual to work with them and oversee implementation, conduct regular risk assessments, and keep the program up to date.

It’s important that they carefully manage access to customer information, implement multi-factor authentication (MFA), and employ encryption. Monitoring user activity and regularly testing and updating safeguards are also vital. MSPs should prioritize security awareness training and develop incident response plans to promptly address security events.

FTC multi-factor authentication (MFA) requirements

Multi-factor authentication isn’t just an optional extra layer of security anymore. It’s a necessity for all covered entities. This security measure ensures that a single compromised password isn’t the gateway to a system-wide breach.

Under the FTC’s mandate, MFA goes beyond simple password protection. It requires at least two of the following factors:

  1. Knowledge Factors: Things they know, like passwords or answers to security questions
  2. Possession Factors: Things they possess, such as a security hardware key or specific devices
  3. Inherence Factors: Physical characteristics unique to an individual, such as fingerprints or retina scans

The FTC explicitly emphasizes that companies should opt for phishing-resistant MFA. This means the commonly used SMS-based or push notification one-time passwords (OTPs) just don’t make the cut. Citing risks and vulnerabilities, the FTC stresses that MFA should not be just another data collection measure, but a robust security mechanism.

Why the emphasis on phishing-resistant MFA? 

Phishing remains one of the top cybersecurity threats. Even with MFA, if one layer, like a password, can be easily phished, the entire system’s integrity is jeopardized. Hence, methods like OTPs or security questions, which can be socially engineered or easily gleaned from public data, should be avoided.

Instead, the FTC advocates for solutions based on secure protocols and public key infrastructure. The gold standard, as recognized by the Cybersecurity and Infrastructure Agency (CISA), is FIDO-based authorization.

Leveraging SaaS security platforms for enhanced protection

SaaS Alerts provides an advanced SaaS security platform designed to assist MSPs

SaaS Alerts provides an advanced SaaS security platform designed to assist MSPs in monitoring and securing Microsoft 365, Google Workspace, Slack, Dropbox, and Salesforce.

The platform offers real-time monitoring and alerts for potential threats, incident response with automated remediation, compliance reporting, and risk assessment across the aforementioned SaaS applications. By leveraging these features, MSPs can strengthen security measures, maintain compliance, and ensure the confidentiality, integrity, and availability of customer data for their clients.

Advanced SaaS security platforms

MSPs have a significant responsibility in safeguarding customer information, especially in the context of the updated FTC Standards for Safeguarding Customer Information.

By implementing comprehensive security programs, monitoring user activity, employing access controls, and utilizing advanced SaaS security platforms like SaaS Alerts, MSPs can more effectively protect customer data in the SaaS business applications that their clients rely on.

Discover how AI, biometrics, and analytics are transforming casino security

Related white papers
Aligning Physical And Cyber Defence For Total Protection

Aligning Physical And Cyber Defence For Total Protection

Download
Combining Security And Networking Technologies For A Unified Solution

Combining Security And Networking Technologies For A Unified Solution

Download
System Design Considerations To Optimize Physical Access Control

System Design Considerations To Optimize Physical Access Control

Download
Related articles
How Physical Security Consultants Ensure Cybersecurity For End Users

How Physical Security Consultants Ensure Cybersecurity For End Users
How Managed Detection And Response Enhances Cybersecurity Management In Organizations

How Managed Detection And Response Enhances Cybersecurity Management In Organizations
Drawbacks Of PenTests And Ethical Hacking For The Security Industry

Drawbacks Of PenTests And Ethical Hacking For The Security Industry