3 takeaways from the FTC’s action against Chegg for lax cybersecurity.

Published on 17th November 2022 Author: Rob Black

We are in the process of selling our house. We love our home — we have been here for 11 years — but an opportunity presented itself nearby that looks to be an even better fit for the long term.

We knew things needed a bit of fixing up before putting the house on the market. Nothing too major, but with little kids (and dads) banging around over the years, there were plenty of things that needed painting, fixing, and various other forms of remediation.

And that’s not even counting all the “stuff” we have accumulated: clothes that our kids have outgrown, toys that haven’t been touched in years, and several boxes of “save this just in case” items that probably should have been tossed long ago.

Of course, none of this happened overnight.

Week by week, month by month, home owner entropy took over. The next thing we knew, 11 years had passed and what had once been a perfectly functional, uncluttered house now requires visits from multiple handymen and several trips to the town “Transfer Station” (AKA, dump) to get things back ship shape.

Cybersecurity Needs Ongoing Vigilance

Like a home you’ve lived in for a long time, your cybersecurity practices can also lose their shine if left unattended.

Here, too, the reduction in performance and risk management doesn’t happen overnight. But slowly, over time, the systems and practices that may have once been perfectly sufficient — and that up until now have resulted in minimal problems — are no longer up to the task.

Consider the example of education technology provider Chegg Inc., against which the Federal Trade Commission (FTC) recently took action for, “its lax data security practices that exposed sensitive information about millions of its customers and employees, including Social Security numbers, email addresses and passwords.”

Just a few days later, the FTC issued another finding against Drizly, an alcohol delivery service since acquired by Uber. In this case, not only was Drizly named, but the CEO of Drizly was personally cited as well.

As a result, the FTC issued pages of requirements for these companies to follow, including what controls had to be put in place, how third-party assessments needed to be performed, and reporting to the FTC that would now be required.

What’s any of this got to do with me?

Two things are happening in the world of cybersecurity, both of which can have potentially bad consequences for small and midsize businesses.

First, the FTC has had a change in philosophy.

Five years ago, the “only” downside to a breach was the event itself and whatever direct fallout resulted. Today, there is a new regulatory appetite to go after companies — of all sizes — that don’t take cybersecurity seriously. If you’ve never even heard of Chegg or Drizly, well, that’s kind of the point. It’s not just the big guys who are being scrutinized.

In short, the FTC has decided that being deceptive (e.g., claiming you have better safeguards in place than you do) or irresponsible regarding your security program is something they are going to investigate and take action on.

Second, this is the beginning, not the end.

This is going to continue to ramp up. Over the next few years, you will feel an increase in cybersecurity expectations from your board, your customers, and any other stakeholders connected to your business.

Now is the time for companies to take a good look at their cybersecurity programs and take steps to make whatever changes are needed.

Three suggestions…

#1. Don’t ignore the warning signs.

I have seen many organizations experience a cybersecurity incident, resolve it, and say “Phew, glad that’s over” — and then go right back to doing (or not doing) whatever they had done before!

Hello? If you walked into your kitchen and found a big puddle of water on the floor, you wouldn’t just mop it up. You would figure out what caused it and get it fixed, before something even more serious happened. The same logic applies here.

#2. Put somebody in charge.

Your cybersecurity program, like your payroll process, is not something that should be happening on an ad hoc basis whenever “somebody” finds the time. You want a designated person with the required skills, the ability to influence the rest of the organization, and the funding necessary to get the program launched and running continuously.

If you have someone with the influence and budget but not the skills, you can hire or contract the rest. Just make sure the leader is involved and focused on improving the program on a regular basis.

#3. Bring your checkbook.

Nobody loves paying for all this – it can be hard to justify the budget for something whose measure of success is “nothing bad happened today.” And it’s’ true… 95% of the time, you’re probably just fine with an inadequate or outdated security program. But, as we have seen time and again in the news, that other 5% can be disastrous.

“Disastrous” can mean many things: weeks or months of work and disruption; embarrassment in front of customers and the marketplace; loss of tens of thousands of dollars (or more) paid in ransomware. Sometimes, it can lead to FTC judgements or, potentially, bankruptcy.

As to “how much,” most 50+ employee organizations should be spending hundreds of thousands of dollars annually when counting personnel and direct security costs. And if you just spit out your coffee while reading that last line, I understand. But if you think it’s expensive spending money on a security program, imagine what it is costing our friends at Chegg and Drizly now!

Now is the Time

As I face the pile of boxes in my attic and the list of odds and ends that need repair inside and outside of my house, I have to admit, I’m wishing I had paid more attention along the way. Thankfully, the “cost” of my lack of vigilance over the past decade is low, and certainly not existential.

Not so with cybersecurity. As with most types of insurance, the likelihood of something going horribly wrong is small, but the fallout from even one incident can lead to a really, really bad day!

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Rob Black, CISSP

Rob founded Fractional CISO in 2017 and has helped dozens of companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).