As all non-banking financial institutions – such as mortgage brokers, auto dealerships and others – prepare for the looming FTC Safeguards Rule deadline, we wanted to dive into three top challenges of meeting the new requirements.
The new Safeguards Rule has nine elements — many with multiple sub-points — that companies must complete to avoid getting hit with fines of $45,000 per violation.
So which of those nine will be the toughest for organizations to complete?
A risk assessment means taking a look at every possible threat within your environment — both internal and external — and evaluating the potential risk. This written assessment will vary greatly for each organization as it evaluates the security, confidentiality, and integrity of customer information.
What makes this so difficult?
Required Skill Set. The personnel doing the risk assessment must have the right skill set to not only identify the possible threats but also determine the criteria for evaluating those risks. However, smaller organizations likely won’t have an in-house staff member with these skills, let alone the bandwidth to perform a full assessment.
It’s A Long Process. Just to start a risk assessment you have to complete a full data and systems inventory (its own FTC Safeguards checkbox). Then you’ll need to develop criteria, analyze the risk of each system, and then create the assessment itself.
According to a recent Stanford study, 88% of data breaches are caused by human error. It’s easy to see why the FTC added security awareness training to the Safeguards Rule. There are two components to this requirement: (1) ongoing training for all employees and (2) specialized security training for those running the security program, to ensure they stay updated on the latest security trends.
What makes this so difficult?
It involves everyone and is ongoing. Like most things, the more people that have to be involved, the harder it is to do. The FTC also requires “regular refreshers,” which makes this an ongoing process.
It’s very vague. How much training is needed — not just for the general staff, but also for the designated security staff? Do they need certifications or just advanced training? Is there an hours requirement? The FTC doesn’t specify.
Collecting and monitoring system logs is one of the most effective ways to detect and stop suspicious activity. Because of that, the FTC now requires companies to have a system in place to collect logs, such as a security information and event management (SIEM) platform, as well as written policies and procedures to support it. Monitoring log activity will help detect unauthorized access to, use of, or tampering with customer information.
What makes this so difficult?
Logs are everywhere. Most likely every software and system you’re using is producing security logs. But who’s looking at them? What story do they tell? It can be difficult to prioritize which logs are most important to ingest — especially if your SIEM vendor charges based on log ingestion.
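To make the monitoring requirement concrete, here is a small added example (illustration only, not Blumira’s code or any SIEM’s rule set) that parses a few constructed, syslog-style authentication and file-access lines and flags two patterns a log-monitoring program is meant to surface: a run of failed logins followed by a success, and reads of customer-information files outside business hours. The log layout, host and user names, IP addresses, file paths, thresholds and business-hours window are all assumptions chosen for the example.

```python
"""Minimal log-monitoring example (added illustration, not Blumira's code).

Parses constructed, syslog-style lines and flags two patterns the Safeguards
Rule's monitoring element is meant to catch: a burst of failed logins followed
by a success (possible credential guessing) and access to customer-information
files outside business hours. All log lines, hosts, users and paths are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified layout (assumed, not a real product format):
# "<ISO timestamp> <host> <event> user=<name> [src=<ip>] [path=<file>]"
SAMPLE_LOGS = """\
2024-03-04T02:11:05 fileserver LOGIN_FAILED user=jsmith src=203.0.113.7
2024-03-04T02:11:09 fileserver LOGIN_FAILED user=jsmith src=203.0.113.7
2024-03-04T02:11:14 fileserver LOGIN_FAILED user=jsmith src=203.0.113.7
2024-03-04T02:11:20 fileserver LOGIN_FAILED user=jsmith src=203.0.113.7
2024-03-04T02:11:26 fileserver LOGIN_FAILED user=jsmith src=203.0.113.7
2024-03-04T02:11:31 fileserver LOGIN_OK user=jsmith src=203.0.113.7
2024-03-04T02:12:02 fileserver FILE_READ user=jsmith path=/customers/loan_apps.csv
2024-03-04T09:15:44 fileserver LOGIN_OK user=mlee src=10.0.0.23
2024-03-04T09:16:10 fileserver FILE_READ user=mlee path=/customers/loan_apps.csv
2024-03-04T13:40:00 fileserver LOGIN_FAILED user=mlee src=10.0.0.23
2024-03-04T13:40:30 fileserver LOGIN_OK user=mlee src=10.0.0.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))?(?: path=(?P<path>\S+))?$"
)

FAILED_LOGIN_THRESHOLD = 5     # assumed: this many failures before a success is suspicious
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59 local time counts as normal
CUSTOMER_DATA_PREFIX = "/customers/"  # assumed location of customer information


def parse(text):
    """Turn raw lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def detect(events):
    """Return a list of (rule, user, detail) findings over the parsed events."""
    findings = []
    consecutive_failures = defaultdict(int)
    for ev in events:
        user, event = ev["user"], ev["event"]
        if event == "LOGIN_FAILED":
            consecutive_failures[user] += 1
        elif event == "LOGIN_OK":
            # A success right after a long run of failures is worth a look.
            if consecutive_failures[user] >= FAILED_LOGIN_THRESHOLD:
                findings.append((
                    "failed-then-success",
                    user,
                    f"{consecutive_failures[user]} failures then success from {ev['src']}",
                ))
            consecutive_failures[user] = 0  # any success resets the counter
        elif event == "FILE_READ":
            path = ev["path"] or ""
            # Customer-data reads outside the normal window are flagged for review.
            if path.startswith(CUSTOMER_DATA_PREFIX) and ev["ts"].hour not in BUSINESS_HOURS:
                findings.append((
                    "off-hours-customer-data",
                    user,
                    f"read {path} at {ev['ts'].isoformat()}",
                ))
    return findings


def run_sample():
    """Run both rules over the constructed sample; returns the findings list."""
    return detect(parse(SAMPLE_LOGS))


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"[{rule}] {user}: {detail}")
```

On the sample, only the `jsmith` activity is flagged: the five failures before the 02:11:31 success, and the 02:12 read of the customer file. The `mlee` lines show normal behaviour that should stay quiet, which is the prioritization problem the paragraph describes in miniature: the rules decide which of the many log lines deserve a person’s attention.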
Great, you’ve identified a threat. Now what? While the focus of the FTC Safeguards Rule is on logging and detection, the real benefit comes from taking action on the detection. But that’s all for nothing if you don’t have the internal (or external) knowledge to know how to actually mitigate the threat.
Blumira is a cloud-based SIEM that’s built for small teams by doing a lot of the heavy lifting, without the extra staffing costs.
Pros:
Cons: While our pricing model is simpler and tends to be more affordable than other solutions, it’s not free. Oh wait — it is. Our base tier provides logging with detection and response for M365.
Interested in learning more about how Blumira can help you meet the new FTC Safeguards Rule? We help check the boxes with more than just logging, including your incident response plan, customer information access controls, data encryption, and pen-testing and vulnerability assessments.