Another day, another… $853K?

Deborah Kish Cybersecurity, Data breach, Data security, Insider threat, Privacy

This has been on my mind. A lot. Every day, I open my email to find news about how a company needs to pay a fine or a fee to either an individual or a regulator because data was leaked or stolen. This one in particular caught my eye because it is a classic example of data being accessed by likely the wrong individual and shared with someone who should definitely not have been able to see it. This one seems to be an access control and encryption play.  If they were in place, this healthcare entity wouldn’t have to shell out $853K.

And this one! It dates back to 2015, but it is still one of the largest hack attacks to date, and the settlement (which was just reached) is nearly $1 million dollars!  All because a sophisticated attack allowed the hackers to steal user credentials and 3.5 million patient records.   As a result (besides the $900K) MIE has a laundry list of technologies they will be required to invest in as well as implementing “controls during the creation of accounts that allow access to ePHI”.

This tells me something.  It tells me that there are still so many companies that do not have strong sensitive data security and privacy controls in place.

And, it leads me to feel even more strongly about the “file centric” approach. A file centric approach means that you are focusing on the actual data, (in both of these cases, PII) rather than the location of the data. Encryption and access control in these cases could have made a significant impact and saved; the victims of the breaches from potential harm like ID theft AND the entities themselves a lot of money.  I’ll be talking more in detail about this in my upcoming webinar “Overcoming Unstructured Data Security and Privacy Choke Points” this Thursday, June 6th at 1:30 pm. I’ve embedded the link so you can go ahead and register.

See you then!

Still Thinking About Regulatory Compliance?

Deborah Kish Cybersecurity, Data breach, Data security, Insider threat, Privacy

I sure hope so!  Well, the one year anniversary of GDPR is upon us and the challenge of effective, easily managed data security and regulatory compliance is palpable.  So, what did Fasoo do? We developed Data Radar (well, it has been around for a long time now) to deliver a unified unstructured data security and privacy approach that addresses the challenge of the evolving, complex compliance regulations like GDPR and CCPA across verticals ranging from healthcare to finance to manufacturing.

Data Radar is worth investigating if you want a solution that can automate unstructured data discovery, classification, protection, tracking, and compliance reporting. It’s got some cool unique features like:

It’s file-centric, meaning it doesn’t matter where it is because it isn’t chasing locations!

It encrypts and can apply access control, meaning the data itself is secure and only those with a valid need can see what it is.  So if it gets lost, stolen, sent to someone who does not have access, it is both private and secure!

It “Tags” the file by embedding a unique identifier which provides visibility, tracking and audit reporting capability.  You can see who, what, when and where that file has been!

It gives you easy automated expiration power!  You set the date for expiring the data and it’s gone!  No need for manual tracking and destruction of data.  You decide when it is no longer part of your unstructured sensitive data footprint.   Now you can concentrate on other important things.

You’ll hear more about it in the first of 3 webinars on Thursday June 6th at 1:30 pm.  Register by clicking here !

Ok, the results are in!

Deborah Kish Data breach, Data security, Privacy Leave a Comment

Thanks to all of you who responded to my last blog post regarding unstructured data security and privacy topics you’d like to hear more about. Here’s a sampling:

Why do so many data loss prevention projects either stall or de-scope? Why with significant industry expenditures in the space do we continue to experience record-breaking instances of data breaches and exfiltration? What are the latest methodologies and technologies security and privacy executives should consider implementing to protect their sensitive data and comply with stricter and pervasive privacy regulations such as GDPR and CCPA?

Whew, that’s a lot of ground to cover – but, it confirms the complexities that surround unstructured data challenges and the uncertainties security and risk professionals face as they consider ways to attack the problem.

So, here’s what I am going to try and do over the next 90 days – between this blog, our upcoming webinars and my session (Tuesday the 18th @ 10:45 am, Potomac A, Ballroom level) at Gartner’s Security and Risk Management conference next month (oh, and come visit our booth #563)  – essentially, offer an insider’s playbook to implementing an unstructured data security program while enabling privacy controls.  Whether migrating from existing DLP point solutions or wondering where your unstructured data lives today, my goal is to provide a life-cycle perspective as to the best methodologies and how to avoid the pitfalls that have plagued enterprise projects.  Learn ways to streamline, simplify and fast-track your unstructured data project to protect it and comply with privacy regulations.

Fasten your seat belts and stay tuned!

What’s Next from Deborah’s Desk

Deborah Kish Cybersecurity, Data security, Insider threat, Print security, Privacy Leave a Comment

So, in my last post, I mentioned a series of webinars and thought this would be a good opportunity to provide a little preview into some of the topics we’re planning on discussing.

Unstructured data, of course!  But what about it?  I’ll be discussing the challenges… kind of a “What I heard from you as a Gartner data security analyst” in a “How to navigate through the maze of methodologies, governance and technologies” sort of way.

Unstructured data is a live and growing thing that often gets overlooked.  Remember the “Wild Wild West” comment from my last post?  So I’m here and excited to help you discover new simpler approaches to gaining visibility and control over the growing unstructured data all organizations are facing.   How to discover, classify and encrypt unstructured data and prepare for and adhere to privacy regulations like GDPR and CCPA.

If you are a CISO, DPO or CDO, or even a business unit lead within your organization, you should join these sessions.  If you struggle with what functions to automate or are trying to get out from under or improve the traditional rules based approach, you should join  Would you rather have your staff spend less time fielding false positives and more time on the things that really matter? Please, join and learn how Fasoo’s extensive product capabilities can help.

Here’s the thing… maybe I didn’t hear EVERYTHING, so I’d like to shout out to the readers… I would love to get your thoughts, suggestions, and field any questions.  I want to hear from you and keep the conversation alive.  In the meantime, stay tuned… I’ll be back.

What’s New at Fasoo?

Deborah Kish Cybersecurity, Data breach, Data security, Insider threat, Privacy Leave a Comment

Data security Deborah Kish expert joins Fasoo

Me! After over 20 years with leading IT consultancy, Gartner, I am excited to announce that I have recently joined data security vendor Fasoo. At Gartner, my focus on enterprise data security and compliance challenges, products and technologies led me to really understand the significance of the “Wild Wild West” nature of unstructured data. On average, I advised 30 CISOs and CIOs and other security professionals every month on the challenges they face with respect to data security and privacy.

At Fasoo, I will lead marketing and product strategies in the unstructured data security and privacy space and will do this through a series of webinars, white papers and blog posts. My mission is to provide end user organizations insights into how Fasoo’s extensive suite of product capabilities can help meet data security and privacy goals because arming your organization with the right tools is an important step toward protecting unstructured data. I will also help guide organizations through the file and people centric approach that will foster stronger unstructured data security and privacy controls.

I’ve often said in my previous role at Gartner, “It has never been a more important time to be a data security analyst” and that translates to my passion to wanting to help organizations get this problem under control. I hope you will join me in the journey. Stay tuned.

Don’t Complicate Data Discovery and Classification

Ron Arden Data breach, Data security, Privacy

Classify sensitive data as confidential and encrypt itData discovery and classification is an important first step to protect your confidential data and comply with privacy regulations.  You need to identify the location of your data and its value to your organization before determining how to protect it.  Done right, this leads to a data-centric security and compliance program that is critical to your corporate brand and competitive advantage.

Unfortunately many discovery and classification projects stall or fail because solutions try to address all data needs, not just security and privacy.  Organizations get caught up in the process and lose focus of the goal, which is to protect and control sensitive information.

Read More

Stop Wealth Management Data Breaches

Ron Arden Cybersecurity, Data breach, Data security, Insider threat

Encrypt and control sensitive wealth management data

The financial services industry is a frequent target of hackers, but a larger threat may be trusted insiders since they have access to a lot of sensitive customer data.  Advisers within wealth management practices regularly share data with other advisers, staff members, a counterparty or a trusted third-party service provider. They may inadvertently or deliberately share that data with unauthorized people and pose a risk to their firms and customers. Once shared, most firms have no control over that data. The Ponemon Institute illustrates this risk by reporting that 65% of cyber breaches originated with third parties.

Insiders regularly share customer or other sensitive information with colleagues and third-parties by generating and downloading reports from a database. Typically the reports are spreadsheets which make it easy to analyze the data. Access to the database may be restricted, but once in a spreadsheet, the sensitive data is easy to share with anyone.

Read More

Fasoo Presents Incident Response Solution

Ron Arden Cybersecurity, Data breach, Data security, Insider threat

Bill Blake shows how Wrapsody helps manage an incident response plan Fasoo sponsored and presented at an event in Columbus, OH on November 13, 2018 entitled “Incident Detection, Response and Recovery” highlighting how to prepare and manage an incident response plan for cybersecurity and data protection.  Presented and cosponsored by Catalyst Solutions, IBM and Huntington Insurance, the event brought together experts in legal, insurance, law enforcement, government, accounting and security disciplines to discuss the legal, technical and business issues of preparing for and responding to a data breach.

Bill Blake, Senior Vice President and CCO of Fasoo, presented Incident Response & Recovery: Secure Collaboration for Critical Information which highlighted the Wrapsody platform as a solution to help manage the development, access and control of an incident response plan (IRP).  Bill showed an example of a CISO, Legal Counsel and an external Advisory firm securely collaborating on an IRP and how to control who could access the plan and any supporting documents involved in a response.  The example showed how easy it is to securely collaborate on developing and managing the plan, but also on limiting access prior to, during and after a breach occurs.  Since Wrapsody encrypts documents and controls their access, it guarantees only authorized users can access them.  This is critical because if an incident response plan got into the wrong hands, malicious insiders or external parties could compromise an organization’s data security.

Read More

Fasoo Highlights Unstructured Data Security at RSA 2018

Ron Arden Cybersecurity, Data security

Fasoo protects unstructured data

Fasoo’s message of finding, protecting and controlling unstructured data definitely made an impact on attendees at the 2018 RSA Conference in San Francisco.  With new regulations like the General Data Protection Regulation (GDPR) coming on quickly and the general feeling that businesses need to do more than just track file access, companies are looking for a more comprehensive and practical approach to providing secure ways to conduct business.

Over 45,000 senior executives and IT security professionals attended this year’s conference with about 2,000 visiting Fasoo’s booth.  Visitors saw hourly presentations and demonstrations on how to manage and control their unstructured data which is by far the largest problem of data security.  While someone hacking a database and stealing credit cards seems to make the headlines, the reality is that the majority of an organization’s intellectual property and sensitive information is stored in documents.  Fasoo staff showed how Fasoo Data Radar, Fasoo Enterprise DRM, Fasoo RiskView and Wrapsody helps manage and protect the critical business information inside documents.

Read More

Can An Oops Data Breach Make You Scramble?

Ron Arden Cybersecurity, Data breach, Data security Leave a Comment

Most of the data breaches you hear about in the news are from external hackers infiltrating a network and stealing credit cards, personal data or intellectual property.  You don’t always hear about the oops or mistake that caused the same problem from a trusted insider.  This past week Heathrow Airport and London’s Metropolitan Police were scrambling to find out how security plans for the airport that included those related to Queen Elizabeth wound up on a USB stick found on a London street.

The USB memory stick had about 2.5 GB of unencrypted data, including details of the route used to convey Queen Elizabeth to the airport, details of every type of identification required to access restricted areas, a timetable of patrols around the airport perimeter and a map of CCTV cameras, tunnels and escape shafts.  Heathrow and the London Metropolitan Police launched an investigation to discover how this information ended up on a street.

Read More