Category: Data breach

Secure collaboration is key to working remotely

Collaboration has always been a key to a successful business.  Whether working on a project or sharing documents as part of standard business operations, numerous people need to see and act on information quickly.

While ad-hoc communication uses tools like Teams, Zoom, and Slack, most people collaborate through documents.

As organizations settle into new business norms, working remotely is very common for a lot of people.  A recent analysis by leading research firm Gartner predicts that by the end of 2023, 48% of knowledge workers will work hybrid and fully remotely. 

Hybrid workplaces require new methods of collaboration since employees and contractors may work a few days in the office and a few days remotely.  They need to collaborate securely with colleagues, partners, and customers regardless of location to stay productive and meet deadlines and goals.  While video chat and instant messaging let you communicate, most of us work together to complete a project or develop ideas using documents.  You need to easily share documents, make sure everyone is working on the most recent version, and guarantee that only authorized users can see the information inside.

Deploying a collaboration platform on the fly is not something you can do overnight, since it costs both time and money.  The fastest way to hit the ground running and share files without losing valuable time is to use a cloud-based system with a web interface.  This keeps projects on track with minimal disruption.

A key ingredient to secure collaboration is not burdening your employees or third parties with making security decisions.  Wrapsody eCo is a secure and reliable collaboration platform that encrypts all shared files and makes it easy to collaborate securely. By configuring workgroups with built-in policies and permission management, your employees continue to work without worrying if decisions don’t follow policy.  You can set an expiration date for your projects or revoke access to documents immediately, which simplifies security for users.  They have a job to do and don’t need to worry about setting security policies.

Users can easily create a workgroup for a project and define security parameters, like permissions on downloaded files or view access to a document in a browser.  Project managers can invite employees, partners, and customers to the workgroup with a few clicks.  As project members upload documents, they are automatically shared with the workgroup.  Authorized users get real-time and email notifications of document changes so interested parties are informed immediately of updates.  Each workgroup has a centralized policy making it easier to enforce security on all documents.

Sometimes members of a project team need to interactively review a document.  Creating a quick video chat with all authorized users of the document is usually faster than typing into a chat or instant messaging window.  Wrapsody eCo lets you connect your Zoom account so you can quickly schedule a meeting from within the portal and get your business done.

As people work from home, they may fall into bad habits like downloading documents from protected cloud applications to work on locally.  This is especially true if they do it out of frustration because the internet is slow or they are having problems with their VPNs.  That could lead to emailing files, only exacerbating unsafe data handling practices.  In the Wrapsody eCo environment, downloading documents locally is a non-issue.  When a user downloads a file, they can only open it if they have access permissions.  If someone accidentally sends the file to an unauthorized user, the unauthorized user cannot view the contents.  Of course, if you send it to someone who should access it, they can easily request access.

Remote workers could be anywhere, not only working from home.  With our current hybrid and mobile working environments, people time-shift their schedules and work almost anywhere and anytime.  When collaborating, it’s critical that project members work on the latest document.  Finding and using the latest documents is always a problem since most of us use numerous devices and can’t always be sure what’s current.

If you update a financial spreadsheet, for example, you can’t work on an old version.  With Wrapsody eCo, you always work on the current version.  As soon as you update the file and close it, it automatically syncs to a central location.  This works whether you are accessing the document on your work laptop, a home PC, or opening it from a cloud location.  The next time you open it, you get the latest version, secure in the knowledge that your data is protected and only available to authorized users.

This even works on your mobile device.  If you are running to a meeting or trying to catch up in an Uber, you can review the latest document on your phone or tablet.  If you want to see a previous version, that’s as easy as a few taps.

Another problem with collaborating is making sure you get input from everyone.  Rather than sending emails to everyone bugging them about reading the document and providing questions or updates, you can comment on the document and have it appear in real-time on people’s devices.  You can also send a view alert to quickly bring it to everyone’s attention.

You can also review logs of user activity on the document.  It tells you who viewed and edited the document and when.  If someone edits a document locally or in a browser, the document updates to a new version upon saving it.  If you need to retrieve an earlier version, it’s a click or tap away.

Working remotely has become standard for a lot of people.  Collaborating securely and effectively can ease the burden and ensure your data security controls protect your most sensitive information.  And that should give you peace of mind.

 

Learn more about how Wrapsody eCo makes it easy for your remote workforce to securely collaborate.

Prevent a data breach by encrypting sensitive data

Think about your worst nightmare.  Someone steals confidential information about your customers or company and posts it on the Internet.  You lose all credibility and your business suffers.

You pay stiff financial penalties and you face lawsuits from regulators and your customers.  If you are a public company, you face shareholder lawsuits.

This situation is more commonplace as hackers exploit weak human and technology systems to gain access to your most important business information.  With new technologies like ChatGPT allowing AI-driven malware, more phishing scams, and ever more sophisticated attacks, it’s not a matter of if you will be compromised, but when.

In the last year, there have been a number of large data breaches that caused big problems for the victims.  In 2022, U.S. organizations issued 1,802 data breach notifications, reporting the exposure of records or personal information affecting more than 400 million individuals.

Nissan recently had customer information compromised by a partner in their supply chain.  Avamere Health Services lost files with patient personally identifiable information (PII) and personal health information (PHI).  Other major brands like Toyota, Twitter, and Cash App had critical information downloaded from databases or files stolen from misconfigured systems.  A common approach is to target smaller companies within a supply chain whose security may not be as sophisticated as larger companies.

While a lot of the headlines talk about compromised databases, a lot of confidential and sensitive information is in documents.  All organizations need to determine what is sensitive and where it exists.  Then determine who has access to that information.  The last step is to encrypt these documents with a persistent security policy that controls who can access the content and what they can do with it.

At a minimum, you should encrypt documents with personal information, such as customer and employee name, password, email, street address, phone number, social security or insurance number, birth date, and financial information. Next is anything critical to your business, such as budgets, strategic plans, product designs, software code, proprietary processes, and algorithms.  Think about the secret formula for Coke or the search algorithms for Google.  If it’s unique to your business and important, protect it.

Here are a few tips to prevent a data breach.

  1. Identify sensitive data – before you can prevent a data breach, you need to know the sensitive data you collect, store, transmit, or process.  Hackers and malicious insiders target non-public personal information (NPI), personally identifiable information (PII), and intellectual property, like designs, patent documents, or trade secrets.  You need to identify it before you can protect it.
  2. Encrypt sensitive data – encryption with a centralized access policy helps protect the security and privacy of files as they are transmitted, while on your computer, in the cloud, and in use.  Encrypt all sensitive information with a data-centric security policy using Advanced Encryption Standard (AES) 256-bit cryptography.  Only give access to those who need it to do their jobs.
  3. Protect sensitive data when printed – with so many remote workers, you need to protect documents and other sensitive data sources with a visible watermark when users choose to print them.  This becomes more of an issue as people continue to work from home and use local printers to print and review information.  While many of us view information on screens, there are still many times when it’s easier to print something for review, and you should be able to trace the printout to its source in the event of a data breach.

Preventing data breaches is not complicated when you think about protecting the data.  Protecting servers, networks, and storage locations is important, but focusing on the data is the most important thing.  The best way to protect information that is critical to your business is to encrypt documents with a persistent security policy.  If an unauthorized person gets your document, it’s useless to them, since they can’t read the information inside without your express permission.

Give yourself some peace of mind by finding and protecting the information that is most critical to your business.  You will prevent a data breach, protect your company, and sleep better at night.

 

Learn more about how the Fasoo Data Security Platform can help you prevent a data breach.

 

Fasoo zero trust data security platform protects your sensitive unstructured data

Zero Trust is a major trend in 2022 and one that affects public and private sector organizations alike.  Last year when the Biden administration in the US issued its Executive Order on Improving the Nation’s Cybersecurity, zero trust was a major component of this initiative.

Organizations implement traditional perimeter-based security strategies on the assumption that everything inside the perimeter is secure.  Zero trust assumes that no person or device inside or outside of an organization is trusted.  It is a system that requires thorough verification of all users, data, and devices, and allows only minimal privileges.

The concept of zero trust is not new.  It was suggested in 2010 by analyst John Kindervag of Forrester Research to denote stricter cybersecurity programs and access control within corporations.

Now 12 years later, security experts agree that a zero-trust-based security strategy is needed, not perimeter-based security.  The reason is simple.  The environment is changing.
 

Why zero-trust now?

The pandemic-driven transition to a hybrid workplace has become the norm.  As telecommuting and remote work become common, concerns about perimeter-based security are growing more than ever before.  This is because the boundaries of the work environment have become blurred, driven in part by the increased adoption of mobile and cloud services.  This will inevitably lead to a security vacuum.

The environment surrounding data security faces a variety of changes, including cyber warfare caused by the conflict between Russia and Ukraine, cyberattacks on companies by hacker groups like Lapsus$, and numerous incidents of corporate data breaches by trusted insiders.

In this environment, it is natural for zero-trust-based solutions to be in the spotlight.  It’s the data itself that we need to protect, so we need a data-driven security system that can safely protect our data in a rapidly changing environment.

 

Zero Trust Data Security

Protecting sensitive data first requires identifying it, classifying or labeling it, and then determining who should have access to it.  This requires constant authentication and verification of user identity.  Fasoo’s zero-trust approach to safeguarding sensitive unstructured data goes beyond just access controls.  It layers three powerful security methods to achieve a strong, proactive first-line defense against external and insider threats.

  • Encryption
  • Adaptive Access Control
  • Control Data in Use

 

Cloud misconfigurations, user errors, and work from home environments all expose sensitive files to breaches that access control alone can’t prevent.  A true zero-trust approach secures the file at all times – at rest, in transit, and while in use – and continuously monitors user, device, and other contexts to adaptively evaluate access permissions.
 

Encrypt Files

The best way to protect a sensitive file is to encrypt it.  It ensures files are protected while at rest and in transit no matter the location or network.  This sets the foundation for a zero-trust approach on which other safeguards build.

  • Automatically discover, classify and encrypt sensitive files when created or modified, all transparent to the user. User errors are eliminated and workflows are uninterrupted.
  • Encryption keys are centrally held and controlled by the company – not by the user, cloud provider, or any other third party. This is increasingly important in hybrid and multi-cloud workplaces as privacy regulations become more proscriptive regarding data residency and access rights.

 
Encrypted files ensure any exfiltration of sensitive information is safe from misuse.  Many privacy regulations exempt encrypted file exfiltration from breach reporting or significantly reduce any fines.  It also negates one of the worst risks related to today’s ransomware threats – exploitation of exfiltrated data.
 

Apply Access Control

User verification is enforced each time the file is accessed and incorporates contextual information about the user and device to dynamically adapt to grant or deny access.

  • User access to a sensitive document is automatically applied as part of the initial discovery process with presets that are centrally configured and provide flexible and practical settings. Individual users, departments, roles in the organization, and “all internal share” are examples of preset alternatives.
  • Fasoo enables a range of other elements, including device identity, time of day, and geolocation to be assessed as part of its adaptive zero-trust access approach. This dynamic linking of multiple verification points ensures the highest degree of trust can be enforced for sensitive data.

 

While centralized control of document access is the default, the platform provides flexibility so that document owners can unilaterally change access, if business needs dictate.  This allows those closest to the data to make security decisions without needing to involve security or IT.  Continuous monitoring of user behavior reports such exceptions for line manager and compliance team inspection.  Such analytics are also applied to continuous monitoring of device and location information.
 

Control over Data

Insider threats expose a major gap in many declared zero-trust solutions.  Once a verified insider gains access to the file, it’s a free pass to use corporate sensitive data.  Joiners and leavers in a transient workforce, work from home environments, and supply chain collaboration open the door for inadvertent or malicious insider data breaches.

  • True zero-trust requires control over usage as well as access. Forward, cut and paste, copy, print, and screen capture are examples of the many ways insiders can maliciously or unintentionally expose sensitive information to unauthorized parties.
  • Usage controls must consider the sensitivity of the data, and the context in which it’s being used and enable a wide range of permissions, from restricting actions to watermarking files, to address insider threats.

 

Fasoo enables a comprehensive set of file permissions to control what authorized users can and can’t do with a document in use.  Central pre-set policies can be implemented at the user, department, or organization-wide level as well as by role (all Directors) or project (M&A, Drug Approval).
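The per-open checks described in the Apply Access Control and Control over Data sections can be modelled as a default-deny decision function. This is an added example, not Fasoo's code or API; the policy fields, preset names, reason strings, and sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import FrozenSet, List, Optional, Tuple

# Usage actions named in the text; the identifiers themselves are hypothetical.
ACTIONS = frozenset({"view", "edit", "print", "copy", "screen_capture"})


@dataclass(frozen=True)
class Policy:
    """Centrally held policy for one protected document (hypothetical model)."""
    doc_id: str
    preset: str                      # "users" | "department" | "role" | "all_internal"
    principals: FrozenSet[str]       # user ids, departments or roles, per preset
    rights: FrozenSet[str]           # subset of ACTIONS granted to authorized users
    managed_devices_only: bool = True
    allowed_countries: FrozenSet[str] = frozenset()   # empty set = no geo limit
    hours_utc: Optional[Tuple[time, time]] = None     # inclusive access window
    expires: Optional[datetime] = None
    revoked_users: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Request:
    """Context gathered at the moment a user tries to act on the file."""
    user: str
    department: str
    roles: FrozenSet[str]
    internal: bool
    device_managed: bool
    country: str
    action: str
    when: datetime                   # timezone-aware


def _identity_matches(p: Policy, r: Request) -> bool:
    if p.preset == "users":
        return r.user in p.principals
    if p.preset == "department":
        return r.department in p.principals
    if p.preset == "role":
        return bool(r.roles & p.principals)
    if p.preset == "all_internal":
        return r.internal
    return False                     # unknown preset: fail closed


def decide(p: Policy, r: Request) -> Tuple[bool, str]:
    """Evaluate on every open or action, never once per session. Default deny."""
    if r.action not in ACTIONS:
        return False, "unknown_action"
    if r.user in p.revoked_users:
        return False, "revoked"
    if p.expires is not None and r.when >= p.expires:
        return False, "expired"
    if not _identity_matches(p, r):
        return False, "not_authorized"
    if p.managed_devices_only and not r.device_managed:
        return False, "unmanaged_device"
    if p.allowed_countries and r.country not in p.allowed_countries:
        return False, "location"
    if p.hours_utc is not None:
        start, end = p.hours_utc
        now = r.when.astimezone(timezone.utc).time()
        if not (start <= now <= end):
            return False, "outside_hours"
    # Access alone is not enough: the specific usage right must be granted.
    if r.action not in p.rights:
        return False, "action_not_permitted"
    return True, "ok"


def authorize(p: Policy, r: Request, audit: List[dict]) -> bool:
    """Decide and record the outcome, allowed or denied, in an audit trail."""
    allowed, reason = decide(p, r)
    audit.append({"doc": p.doc_id, "user": r.user, "action": r.action,
                  "when": r.when.isoformat(), "allowed": allowed, "reason": reason})
    return allowed


# Constructed sample data: directors may view and print, from managed devices
# in the US, between 06:00 and 22:00 UTC, until the policy expires.
SAMPLE_POLICY = Policy(
    doc_id="doc-0001", preset="role", principals=frozenset({"director"}),
    rights=frozenset({"view", "print"}), allowed_countries=frozenset({"US"}),
    hours_utc=(time(6, 0), time(22, 0)),
    expires=datetime(2030, 1, 1, tzinfo=timezone.utc))
SAMPLE_REQUEST = Request(
    user="alice", department="finance", roles=frozenset({"director"}),
    internal=True, device_managed=True, country="US", action="view",
    when=datetime(2029, 6, 1, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    trail: List[dict] = []
    print(authorize(SAMPLE_POLICY, SAMPLE_REQUEST, trail), trail[-1]["reason"])
```

Because the decision depends only on the current policy and the current context, revoking a user or shortening the expiry takes effect on the next open, including for copies that have already left the organization.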

Proactive control over data usage is essential to a true zero-trust approach.

Talk with us about how Fasoo Data Security will strengthen your zero-trust initiatives.

Protect data in the cloud with Fasoo encryption, access control and in-use protection

The enterprise is moving to the cloud to ease collaboration for partners and employees. The cloud enables work-from-home and hybrid working models and enhances productivity.

But the cloud is vulnerable to human error and misguided settings, putting your data at risk of unauthorized access. According to Gartner, preventable misconfigurations and end-user mistakes cause more than 99% of cloud breaches. Cloud providers use a flavor of security. But data needs its own protection.

What’s the risk of storing data in the cloud?

End-users share Dropbox links and credentials from personal smartphones via Wi-Fi hotspots. They email documents to friends and unauthorized third parties. You’d no more send your data out into the world without policies, access controls, and encryption than send a child out into the cold without a coat. But if you leave security to the cloud, who knows where your data ends up.

Amazon S3 buckets include unlimited storage. But weak settings leave default credentials intact, granting limitless access to criminal hackers who automatically search and exploit bucket links. When criminal hackers kidnap your files, cloud cyber defenses seldom follow behind. You need centralized control with enterprise security that wraps your data and sticks with it.

Enterprises work with many cloud providers, passing data from one environment to the next, one job to the next. You may have some visibility when you pass data directly to the cloud. But what happens when that cloud routes your data to other cloud environments for processing? It’s one thing to entrust your child to someone you know; it’s another to let them hand her off to someone they know.

Cloud providers may offer security policies, identity and access controls, and encryption for data in transit and at rest. But those stop short where the cloud ends, leaving your intellectual property (IP) open to theft by criminal hackers and exploitation by unscrupulous competitors.

How do I protect my sensitive data in the cloud?

Enterprise Digital Rights Management (EDRM) eases moving to the cloud, binding location-agnostic security controls to unstructured data. EDRM embeds encryption, persistent IDs, and access control policies with sensitive documents. Your custom controls travel with your files into unmanaged, unsecured environments.

EDRM maintains data governance policies and controls on your confidential documents whether you move them to Salesforce, Box, Microsoft Azure, or AWS. You can track documents in and beyond the cloud, maintain access controls, and change granular permissions and privileges at any point using centralized policy management.

You don’t have to care what cloud has your data; EDRM keeps it safe when cloud security fails. If the cloud provider has a breach, so what? EDRM maintains the security policies, controls, and enforcements you’ve set in motion, no matter who has your data.

You can ease moving to the cloud by mitigating your risk. The Discovery Classification Tool (DCT) identifies old, redundant, and obsolete data. You can delete obsolete files and duplicates and archive data you must keep, reducing your attack surface, data management requirements, and cloud costs. Then use EDRM to apply policies and encryption to the data you use, and move it to the cloud.

Chat with the Fasoo team and discover how your peers deploy Enterprise DRM in the cloud.

 

Gartner predicted that roughly 50 % of knowledge workers worldwide should be logging in remotely by now. More remote work puts more sensitive data at risk, which increasingly also impacts manufacturing companies. Check out the following ten tips to ramp up your document protection program in 2022.

*

Quick question: What do automated ransomware campaigns conducted by external attackers have in common with data theft committed by corporate insiders?

In the light of recent incident reports, I can think of three answers off the bat – at a minimum:

 

  • In both categories, incidents are on the rise.
  • Both target sensitive data, since more ransomware attacks begin with stealing confidential documents for extortion or sale on the dark web before encrypting the victim’s data.
  • Both increasingly exploit work-from-home data security weaknesses.

 

Examples of the latter include unsecured WiFi networks, unmanaged devices, and endpoint vulnerabilities. At the same time, IT lacks visibility into the online activities of remote employees and contractors.

In a nutshell, this example shows how remote work has become the primary source of risk to digital assets in the enterprise. Now the Omicron variant is pushing even more organizations (back) into remote or hybrid work arrangements.

Additional factors exacerbate the crisis going into 2022. The automotive industry and its supply chains feel the impact. Key employees leverage the “Great Reset” in the industry and leave to join competitors, sometimes taking trade secrets with them. IT teams struggle with staff shortages and often only learn about what happened when it’s too late.

Does this sound familiar?

 

10 tips to boost your remote work document protection

 

Get ready for 2022 with our ten tips on how to protect unstructured data in remote work settings:

 

    1. Identify the threat.

Beware intellectual property theft by insiders. In more than 50 % of documented IP theft cases, the perpetrators were current or former employees or contractors. In addition, when external attackers exfiltrate sensitive information, employee negligence often plays a role.

 

    2. Identify what’s most at risk.

In most innovation-driven companies, trade secrets are stored in the form of unstructured data. Think confidential Microsoft Office documents, CAD/CAE files, digital images, or PDFs. They come in various (legacy) formats and are often scattered across the organization and along its supply chain. Securing them will be an uphill battle, especially in remote work environments, without the right strategy.

 

    3. Identify your data protection strategy.

The push into remote and hybrid work environments requires a comprehensive approach to data protection, rather than merely a mix of device-centric endpoint and data loss prevention (DLP) solutions. Recognizing this, more technology companies are adopting a data-centric security model.

With sensitive documents, this means they remain protected regardless of where a file resides or with whom it is shared. The data-centric model ensures document protection independently of networks, servers, locations, and devices, such as unmanaged home office printers.

 

    4. Protect data throughout its lifecycle.

Digital Rights Management (DRM, sometimes also referred to as Information Rights Management, IRM) is based on the data-centric security model at the core of any Zero Trust strategy. Fasoo Enterprise DRM (EDRM) enables organizations to persistently protect, control and track sensitive documents at rest, in transit, and in use. Encryption, flexible policies, and granular controls govern how and by whom a file can be viewed, edited, printed, and shared within the organization’s IT perimeter and outside – like in the home office.

 

    5. Protect sensitive files without exceptions.

Does the Enterprise DRM solution you’re evaluating support all industry-relevant CAD and CAE applications? In the automotive industry, support for tools such as AutoCAD, CATIA, or PTC Creo (and many more) and a broad range of PDF file formats is considered essential to ensure future-proof document protection.

 

    6. Protect workflows and productivity.

Some information protection solutions lack centralized policy management. This shortcoming is known to slow down workflows to a trickle, especially when remote contributors are involved. Fasoo combines central control options with flexible exception management. Exception approval for accessing particular documents from the home office, for example, can be delegated to managers or coworkers instead of waiting for IT.

 

    7. Control confidential data wherever it goes.

A supplier’s design engineer working from home is requesting remote access to sensitive documents? With Enterprise DRM, it’s just another day in the office. Gartner analysts describe DRM as “one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”

 

    8. Control print.

Fasoo takes a printer-agnostic approach to secure printing. This approach eliminates most challenges that commonly arise in remote work environments with home printers or print drivers. It enables data owners to centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts. Fasoo Smart Print also lets you set print protection policies for plain documents not secured by EDRM.

 

    9. Control the screen.

Concerned about a remote team member capturing sensitive data on a screen during an internal Zoom or Skype call presentation? Enterprise DRM provides a screen security component, Fasoo Smart Screen, enabling IT to block and monitor screen capture attempts. For deterrence, it can also imprint documents with a watermark that contains tell-tale user-specific information.

 

    10. Control data without alienating workers.

Fasoo’s centralized policy management enables flexible, people-centric document protection across organizational boundaries. Everyone who needs to can keep tabs on documents’ whereabouts and protection status, without risking privacy complaints and lawsuits from home office workers. Fasoo Enterprise DRM integrates with all leading federated authentication services, enabling IT to automatically revoke access to EDRM-protected documents once an employee leaves.

 

Contact the Fasoo team and find out how others in your industry deploy Enterprise DRM in remote and hybrid work environments.

Merger and acquisition (M&A) activities pose major document protection challenges for all parties involved. Leaked or stolen data has caused bidding wars, broken deals, cost millions of dollars in damages, and ruined reputations. How can M&A teams ensure maximum document security without impeding productivity?

*

Merger and acquisition teams typically range in size from a handful of members in smaller or medium-sized organizations to several hundred internal contributors at enterprise scale. That’s on the buyer’s side as well as on the seller’s teams and includes investment banks or Private Equity (PE) firms. 

This headcount, however, doesn’t yet include external contributors. Think research analysts, M&A advisories, outside legal counsel, data protection and privacy compliance consultants, and IT integration specialists. Most of them are involved at one stage or another of the M&A process.

Since the beginning of the COVID-19 pandemic, many internal and external M&A team members have accessed sensitive documents from their home offices. On tight deadlines, they collect, create, review, edit, and share sensitive data that can make or break a deal – or kill it, if that data falls into the wrong hands.

 

M&A activities at an all-time high – and deal leaks, too

The shift to remote and hybrid work is a powerful driver behind banks and their corporate clients leveraging enterprise-level Digital Rights Management (DRM) to secure M&A-relevant unstructured data. The reasons quickly become clear when we look at a real-life example. 

A global automotive component manufacturer is planning with its investment bank the acquisition of a publicly traded semiconductor design and manufacturing company.

Table Overview: Deal Leaks by Sector

Source: SS&C Intralinks 2020 M&A Leaks Report [PDF]

 

It’s high season for M&As, and the planned deal seems like a match made in heaven. Yet from an M&A security perspective, the timing couldn’t be worse. M&A leaks have been spiking recently, according to the SS&C Intralinks 2020 M&A Leaks Report [PDF]. This development means all new M&As face an unprecedented challenge. 

 

The challenge: Remote work amplifies M&A security risks

We’ve highlighted document security risks for banks and financial firms resulting from remote work before. The threat level is even more elevated for members of the extended M&A team who work from home. Preparation and execution of most mergers and acquisitions involve a wide variety of confidential documents – in some cases, thousands of them. 

Niche vendors of M&A tool platforms tout the cloud-based Virtual Data Room (VDR) as the solution. Such “deal rooms” have become a fixture in the M&A space. At the same time, data protection experts say that VDRs instill a false sense of security – comparable, perhaps, to standard M&A non-disclosure agreements.

These critics point to the weak – often password-based – security of VDRs and specialized M&A document management systems that can too easily be circumvented. Deal administrators and IT lament interoperability issues with other cloud storage services, as well as manageability and scalability problems.

 

The solution: data-centric M&A security

Enterprise DRM enables IT to strengthen M&A security instead. Fasoo Enterprise DRM, for example, enables data owners to protect confidential content through all stages of a merger or acquisition.

Bar chart: M&A cost distribution, by phase (IBM)

Source: IBM Benchmark Insights: Assessing Cyber Risk in M&A

 

In our example, we focus on negotiations, due diligence, transaction execution, and implementation. These are the M&A stages where data breaches and deal leaks can be most damaging and costly. 

Let’s take a closer look at how the acquirer, its bank, and the acquisition target leverage EDRM to maximize document protection. Enterprise DRM’s data-centric security enables IT and deal administrators to protect, control, and track sensitive data on a per-document basis, on any device, at any time.

 

M&A and beyond: document lifecycle protection

Fasoo encrypts confidential files at the point of creation or before they get uploaded to a VDR, for example. This protection applies throughout the entire document lifecycle, regardless of which M&A platform any contributing organization may be using.

 

  • Negotiations: Centralized policy management enables M&A data owners and deal administrators to remain in control. Fasoo Enterprise DRM lets them flexibly adjust who can access, edit, print, or share sensitive content – including remote workers.

    This phase usually involves a large number of Microsoft Office documents in various formats and Adobe PDF files. Dynamic permission control enables deal administrators to assign and revoke file access permissions for reviewers on a temporary basis, for example, to facilitate more than one bidding round.

 

  • Due diligence: In our example, the due diligence document list includes (among others) intellectual property (IP) files, tax records, financial planning P&L documents, electronic design automation (EDA) diagrams, facility blueprints, tax filings, HR records, and all sorts of legal PDFs.

    Throughout the document review process and beyond, data owners and deal administrators centrally manage who has access to sensitive content. Context-aware and hardware-agnostic secure print and pull print capabilities prevent the unauthorized printing of Personally Identifiable Information (PII) at a home office printer or in a shared workspace, for example. Secure screen and watermarking features (“Fasoo Smart Screen”) block or deter screen capture attempts across all applications, including in Virtual Desktop Infrastructure (VDI) environments and browsers.

 

  • Post-transaction / implementation: M&A security professionals warn that the post-merger integration of the acquired company with the buy-side is fraught with data protection and compliance risks that can cost the acquirer millions or even billions of dollars. Data breaches are one main reason for the high M&A failure rate.

    In our example, the acquirer already has Enterprise DRM in place across its global organization, not unlike this Fasoo customer in the same industry. This means trade secrets, personnel PII, even sensitive records exported from databases are automatically detected, classified, prioritized and encrypted when they enter the buyer company’s environment from the acquired company.

During each M&A stage and long thereafter, Enterprise DRM provides persistent protection and consistent tracking. A document usage audit trail keeps IT, compliance managers, and financial regulators in the loop. 

After all, “digital M&A became the new norm” during the pandemic, according to the consultants at Bain & Company. This year, more dealmakers discovered the power of Enterprise DRM. They use it to prevent M&A leaks and data breaches from becoming a new norm, too.

 

Top 10 Tips to Stop a Data Breach

Data breaches continue to torment organizations.  There are numerous examples of malicious or inadvertent data breaches throughout businesses and organizations of all types and sizes.  Hackers get all the press, but insiders pose as great a risk as any external party when it comes to vulnerabilities.

Regardless of who you are, your information is under attack.

With the start of fall and most employers still focused on remote workers, now is a good time for a few tips on preventing a data breach.

  1. Identify sensitive data – before you can prevent a data breach, you need to know the sensitive data you collect, store, transmit, or process.  Hackers and malicious insiders target non-public personal information (NPI), personally identifiable information (PII), and intellectual property, like designs, patent documents, or trade secrets.
  2. Encrypt sensitive data – encryption with a centralized access policy helps protect the security and privacy of files as they are transmitted, while on your computer, in the cloud, and in use. Encrypt all sensitive information with a data-centric security policy using Advanced Encryption Standard (AES) 256-bit cryptography.  Only give access to those who need it to do their jobs.
  3. Secure sensitive customer, employee, or patient files – store paper files containing sensitive information in a locked drawer, cabinet, safe, or another secure container when not in use.  This becomes more of an issue as people continue to work from home and use local printers to print and review information.
  4. Properly dispose of sensitive data – shred physical documents containing sensitive data prior to recycling.  Remove all data from computers and electronic storage devices before disposing of them.  If the documents are encrypted, there is less potential for a data breach even if accidentally left on a device.
  5. Use password protection – password protect your computers, including laptops and smartphones, and access to your network and servers. Since so many applications are in the cloud, consider a single sign-on (SSO) and multi-factor authentication (MFA) solution to strengthen your access policies.
  6. Protect against viruses and malware – install and use antivirus and antimalware software on all of your computers. Don’t open email attachments or other downloads unless you’re sure they’re from a trusted source.  Phishing attacks are still one of the main culprits of data breaches.
  7. Keep your software and operating systems up to date – install updates to security, web browser, operating system, and antivirus software as soon as they are available.  Hopefully, these processes are automated, but it’s good to check and automate them if possible.
  8. Secure access to your network – ensure your network firewall, proxy server, and other network appliances are up to date with patches.  Enable your operating system’s firewall.  Ensure your Wi-Fi network is password-protected, secure, encrypted, and hidden so that its network name or SSID can’t be picked up by the public.  This is very important for work at home scenarios, even if you are using a VPN to access corporate resources.
  9. Verify the security controls of third parties – before working with third parties that have access to your data or computer systems or manage your security functions, be sure their data protection practices meet your minimum requirements and that you have the right to audit them.  It’s best to have a vendor risk management policy in place to address these needs.
  10. Train your employees – people are the weakest link in security, so make sure your employees understand your data protection practices and their importance. Document your policies and practices, and distribute them to everyone. Review them regularly and update them as required. Be sure to retrain your staff as updates are made.

 

Woman at home office printer

Did you know that paper-based incidents still account for a whopping 30 % of data breaches? It’s helpful to keep this statistic in mind and plan for secure print in your organization’s document protection program.

*

How well is your print infrastructure protected against security breaches? When market research firm Quocirca posed this question to more than 500 IT leaders worldwide at the end of last year, their response wasn’t exactly reassuring.

Only 33 % of respondents in the U.S. said they were completely confident, a drop from 50 % before the COVID-19 pandemic. What happened?

Survey chart image: Print-related data loss before / after COVID

Source: Quocirca Infographic

Work-from-home (WFH) arrangements are to blame, says Quocirca. And you thought unmanaged home office computers already created enough of a headache for IT? Well, think again. 

The Quocirca report shines a harsh light on a piece of office equipment that’s omnipresent but often overlooked as a risk factor: the printer. 

 

Increased risk through WFH printers  

Printers remain underestimated as a threat to document security, and not for lack of evidence: 30 % of data breaches last year involved paper documents, according to the 2021 Privacy Incident Benchmark Report published by incident response specialist RadarFirst.

That’s 13 % down from the year before. But don’t pop open the champagne just yet. This number doesn’t account for sensitive data, such as Personally Identifiable Information (PII) of customers, that was mishandled or intentionally exfiltrated via unmanaged and unmonitored WFH printers. After all, who’d be able to tell?

Charts Infographic: Print-related incidents

Source: RadarFirst Infographic

Let’s put the risk in perspective. It’s helpful to remember that modern printers and print/scan/photocopy/fax multifunction devices are special-purpose computers. As such, they are susceptible to software exploits, online attacks, as well as data theft and leakage by insiders. But unintentional or deliberate misuse of printers and printouts isn’t the only risk to consider.

Auditability and chain-of-custody requirements are of equal concern. For example, in financial services, healthcare, and pharmaceutical companies, regulatory compliance demands the traceability of the PII paper trail. In the criminal justice system, another example, the law requires tracking the movement of evidence through its collection, safeguarding, and analysis lifecycle. This includes documenting when files are printed, by whom, and for what purpose.

I’ve written about printers and their role in data theft and leaks on this blog before here, here, and here. If mortgage applications or medical record printouts, for example, are left unattended in the paper output tray and end up in the wrong hands, the result may be costly. Think brand damages, litigation, or steep penalties and other enforcement action by state and federal regulators.

 

Do we need monitored print stations for remote workers?

Many organizations mitigate such risks to a certain degree by setting up dedicated print stations with closely monitored secure printers. Print activities of remote workers and how they handle the printouts, on the other hand, remain out of sight and beyond the control of staff. So what are IT’s options then?  

Too often, these options are limited by a lack of resources – or outright impractical. Support employee-owned printers? Talk about a rabbit hole. Provision company-owned printers to remote workers and block unmanaged devices? Prevent employees from printing at home altogether? 

Wanted: a sensible yet effective method to prevent confidential data from seeping out of some inkjet printer in a home office nook, without invading the privacy of remote employees. Enter secure print.  

 

What is “secure print”?

The term “secure print” (or “secure printing”) describes functionalities that enable the prevention and detection of document leaks or exfiltration via print output. In digital rights management at the enterprise level (Enterprise DRM or EDRM), policy-based print protection enables data owners to centrally set and manage print-at-home rules, as well as mark unauthorized printouts.

Fasoo Enterprise DRM takes a printer-agnostic approach to secure printing. This eliminates problems with using different printers or print drivers. Here’s how it works:

The basic print permission setting is part of the Fasoo-encrypted document. In addition, Fasoo’s secure printing component – a.k.a. Fasoo Smart Print – lets organizations apply print protection policies on various levels, for plain and EDRM-secured documents alike.

 

Fasoo print protection enables organizations to 

  • prevent printing of files that contain PII or other sensitive information, based on predefined patterns in the document, or mask sensitive data; users can request an exception to print an unmasked version;
  • require authentication before retrieving a printout, and also require users to enter a PIN or use a smart card before releasing a print job for added security;
  • apply visible watermarks that show a user name, date, time, IP address, and other company information to printouts without user intervention, to deter insider theft and as future forensic evidence; users can request an exception to print without a watermark. 

 

Smart Print’s file-centric print protection means that IT maintains control and oversight regardless of which physical or virtual printer is used. A granular audit trail, including the text or image of the actual printed content, ensures maximum visibility into all print activities by employees and vendors. 
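The three print controls listed above (pattern-based blocking or masking, a user exception, and an automatic watermark) plus the audit entry can be sketched in a few lines. This is an added example, not Fasoo's code or API; the function names, detection patterns, company name, and sample document are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed detection patterns; a real deployment tunes these per data type.
PII_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}
COMPANY = "Example Corp (constructed)"
AUDIT_LOG = []  # one entry per print attempt, allowed or not


def luhn_ok(digits):
    """Checksum used by payment cards; filters out random 13-16 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return non-overlapping (start, end, kind) spans, sorted by position."""
    hits = []
    for kind, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            hits.append((m.start(), m.end(), kind))
    spans, last_end = [], -1
    for start, end, kind in sorted(hits):
        if start >= last_end:
            spans.append((start, end, kind))
            last_end = end
    return spans


def mask_value(value):
    """Replace every digit except the last four with '*', keeping separators."""
    keep_from = sum(c.isdigit() for c in value) - 4
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > keep_from else "*")
        else:
            out.append(c)
    return "".join(out)


def mask_text(text, spans):
    for start, end, _ in reversed(spans):  # right to left keeps offsets valid
        text = text[:start] + mask_value(text[start:end]) + text[end:]
    return text


def handle_print_job(user, ip, text, when, mode="mask", unmask_approved=False):
    """Decide what reaches the printer. mode is 'mask' or 'block'."""
    spans = find_pii(text)
    if spans and not unmask_approved:
        if mode == "block":
            action, content = "blocked", None
        else:
            action, content = "printed_masked", mask_text(text, spans)
    else:
        action, content = "printed", text
    watermark = None
    if content is not None:  # every printout is stamped without user intervention
        watermark = f"{user} | {when:%Y-%m-%d %H:%M:%S} UTC | {ip} | {COMPANY}"
    AUDIT_LOG.append({"user": user, "ip": ip, "time": when.isoformat(),
                      "action": action, "exception": unmask_approved,
                      "pii_kinds": [kind for _, _, kind in spans]})
    return {"action": action, "content": content, "watermark": watermark}


# Constructed sample document: one SSN, one Luhn-valid test card number,
# and a 16-digit order reference that fails the Luhn check.
SAMPLE = ("Applicant: Jane Doe\nSSN: 123-45-6789\n"
          "Card: 4111 1111 1111 1111\nOrder ref: 1234 5678 9012 3456\n")

if __name__ == "__main__":
    job = handle_print_job("jdoe", "192.0.2.10", SAMPLE,
                           datetime(2021, 8, 2, 14, 30, tzinfo=timezone.utc))
    print(job["action"], job["watermark"], job["content"], sep="\n")
```

The Luhn check is what keeps the order reference printable while the card number is masked; pattern matching alone would flag both.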

For maximum print security in a WFH world, deploy Fasoo Smart Print as your organization’s remote network of monitored print stations – without the creepiness factor.

Find out more about secure printing with Smart Print and Fasoo Enterprise DRM here.

###

Movie Sign: Policy Exception Handling

Wouldn’t it be a shame if it slowed down your business and turned out to be useless for protecting your data? Here’s what I’m getting at:

74 percent of U.S. companies say they will keep some remote work arrangements in place post-pandemic. In other news, roughly 359,000 cybersecurity positions in the U.S. went unfilled at last count.

Taken together, these data points spell trouble. This is where the policy part comes in. Data breaches involving sensitive information have been skyrocketing recently. What about the document access and use policies at the affected organizations? Why didn’t they matter?

You likely know the answer. Remote work, a flood of unmanaged devices, VPN node expansions, and cloud service adoption run wild have created more weak spots than point solutions and understaffed IT teams can handle. 

Patch schedules need to be adhered to. Access controls and policies have to be applied and managed. Not to forget the exception requests. Someone has to follow up. But who? And how? “This support ticket will be automatically closed after 5 days.” Will it get resolved before the workflow turns into a work trickle?

It doesn’t help that many point solutions that promise to keep your data secure foster inconsistent policies that leave security and privacy gaps. Your organization could pay a high price if your document protection strategy doesn’t connect the dots and eliminate the gaps and blindspots. Think stolen intellectual property (IP), legal fees, or brand damages.

BYOD report: “Enterprises are running blind”

The point isn’t lost on Anurag Kahol, the Chief Technology Officer (CTO) of cloud security firm Bitglass. Introducing the company’s 2021 BYOD Security Report, he warned in June: “There has never been a more important time for enterprises to seriously rethink their approach and secure all forms of communication amongst users, devices, apps, or web destinations.”

Source: 2021 BYOD Security Report (Bitglass/Cybersecurity Insiders)

The survey (conducted in collaboration with Cybersecurity Insiders) shows the rapid adoption of unmanaged personal devices connecting to work-related resources (a.k.a. BYOD):
 

  • 47 percent of organizations reported an increase in personal devices being used for work.
  • 82 percent said they now actively enable BYOD to some extent.
  • The most critical concerns of respondents were data leakage or loss (62 percent), users downloading unsafe apps or content (54 percent), lost or stolen devices (53 percent), and unauthorized access to company data and systems (51 percent).

The survey results also show how ill-equipped companies still are to deal with malware and data theft – more than 18 months into the pandemic. The authors conclude: “Enterprises are running blind.”

Their point is validated by the recent escalation of data leaks following extortion attempts. Yet, while IT teams struggle to stem the tide of malware attacks and data theft, some large organizations seem better prepared than others to prevent confidential information from leaking or getting stolen. So what’s their secret?

Keep tabs on your data and worry less where it goes

Spoiler alert: There isn’t just one answer, and it doesn’t start with an “A”, as in AI or Automation. Presumed panaceas can do more harm than good if they introduce more complexity instead of minimizing it.

One hint comes from Capgemini and Forrester, who published a joint study on cyber resilience in March. It showed that 71 percent of companies planning to increase their cybersecurity budgets said they now prioritized data-centric security.

Growing investments in enterprise-level digital rights management (DRM) are part of this trend. One example is Fasoo Enterprise DRM. Globally operating businesses and U.S. government agencies rely on Enterprise DRM to secure their unstructured data, such as Microsoft Office documents, PDFs, or CAD designs, at the file level. 

Centralized policy management: fewer gaps, faster workflows 

Enterprise DRM enables them to automatically encrypt documents at the point of creation. It applies a persistent yet flexible file policy and puts sensitive files under lock and key. 

This policy is centrally managed by the organization. What’s the advantage of this approach over, say, the built-in PDF password protection feature already provided by Adobe?

I’ve addressed a few known security deficiencies of the latter method in this post. From the organizational perspective, it means putting the document’s fate into the hands of its creator. The business relinquishes control to individual users. When they leave, the company is forced to dedicate valuable resources to special recovery efforts, or even loses access completely. 

In comparison, the main advantage of the centralized policy management provided by Fasoo Enterprise DRM is that the organization always maintains control over its documents and what happens with them, wherever they go.  This includes changing policies for a user or group at any time, regardless of where the document resides.

So what about centralized solutions designed to protect a broader range of files across the enterprise? Basic PDF password protection marks one end of the spectrum. On the other end, let’s look at Azure Information Protection (AIP) by Microsoft, for example.

AIP was designed with a focus on protecting documents in the MS Office ecosystem. While AIP lets organizations include a limited range of third-party file formats under its protection umbrella, it also still relies on individual users to make security policy decisions on securing documents. Specific training may be required.

In addition, AIP’s lack of centralized control options makes it difficult to implement and change security policies in organizations with many users and constantly changing roles. The considerable burden of keeping AIP protection up-to-date and in sync with the needs of their department or business unit often falls on the individual creator of the document.

Support requests down, document security up with Enterprise DRM

Team members in a Fasoo Enterprise DRM-protected environment, on the other hand, don’t have to worry that a document may lose its protection or become inaccessible when sent as an email attachment or uploaded to the cloud, for instance. 

Each attempt to access a file requires a usage license issued by a DRM server. This license is based on parameters such as user, document, device, time, and location. The policy determines who can open a particular file and for what purpose (examples: “view on the screen only”, “view, edit and save”, “print only with watermark”).

The policy applies regardless of which endpoints, storage devices, or cloud services the files traverse. They are protected, and access details are monitored by Fasoo Enterprise DRM, no matter where they wander inside or outside the organization and its supply chain.  
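The per-access license check described above can be modeled as a deny-by-default policy server that issues short-lived signed licenses. This is an added example and not Fasoo's implementation or API: every class, function, and key name is hypothetical, and a shared HMAC key stands in for the asymmetric signature a real deployment would use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac
import json

# Constructed demo key. Assumption: a real server signs with a private key
# so that clients hold only the matching public key.
SERVER_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Rule:
    group: str                            # who the rule applies to
    rights: frozenset                     # e.g. {"view", "edit", "print_watermarked"}
    managed_device_only: bool = True
    countries: frozenset = frozenset()    # empty set means any location
    not_after: Optional[datetime] = None  # set for temporary exception grants


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    doc_id: str
    right: str
    device_managed: bool
    country: str
    when: datetime


class PolicyServer:
    """Hypothetical central store: files carry only a doc_id, never the policy."""

    def __init__(self):
        self.rules = {}       # doc_id -> list of Rule
        self.revoked = set()  # (doc_id, user) pairs denied regardless of rules
        self.audit = []       # every decision is recorded, allowed or not

    def grant(self, doc_id, rule):
        self.rules.setdefault(doc_id, []).append(rule)

    def revoke(self, doc_id, user):
        self.revoked.add((doc_id, user))

    def _decide(self, req):
        if (req.doc_id, req.user) in self.revoked:
            return "deny:revoked"
        reasons = set()
        for rule in self.rules.get(req.doc_id, []):
            if rule.group not in req.groups:
                continue
            if req.right not in rule.rights:
                reasons.add("right")
            elif rule.not_after is not None and req.when > rule.not_after:
                reasons.add("expired")
            elif rule.managed_device_only and not req.device_managed:
                reasons.add("device")
            elif rule.countries and req.country not in rule.countries:
                reasons.add("location")
            else:
                return "allow"
        return "deny:" + ",".join(sorted(reasons)) if reasons else "deny:no-rule"

    def request_license(self, req, ttl=timedelta(minutes=10)):
        """Return a short-lived signed license, or None. The default is deny."""
        decision = self._decide(req)
        self.audit.append((req.when.isoformat(), req.user, req.doc_id,
                           req.right, decision))
        if decision != "allow":
            return None
        body = {"user": req.user, "doc": req.doc_id, "right": req.right,
                "expires": (req.when + ttl).isoformat()}
        payload = json.dumps(body, sort_keys=True).encode()
        return {"body": body,
                "sig": hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()}


def verify_license(lic, doc_id, right, now):
    """Client-side check before opening: signature, scope and expiry must hold."""
    payload = json.dumps(lic["body"], sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lic["sig"]):
        return False
    body = lic["body"]
    return (body["doc"] == doc_id and body["right"] == right
            and now <= datetime.fromisoformat(body["expires"]))


if __name__ == "__main__":
    t0 = datetime(2021, 9, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    server = PolicyServer()
    server.grant("cad-001", Rule("engineering", frozenset({"view", "edit"})))
    req = AccessRequest("alice", frozenset({"engineering"}), "cad-001", "view",
                        True, "US", t0)
    print("license issued:", server.request_license(req) is not None)
    server.revoke("cad-001", "alice")  # takes effect on the next open, wherever the copy is
    print("after revoke:", server.request_license(req))
    print(server.audit)
```

Because the file itself carries no policy, a copy on a flash drive or in a cloud folder is governed by whatever the server says at the moment of the next open, and an already issued license stops verifying once its expiry passes.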

What does this mean in case of a data breach? Files secured with Fasoo DRM – example: W-2 PDF forms – are useless in the wrong hands, should they be exfiltrated for wholesale on the dark web.

The same applies to documents with sensitive intellectual property, such as CAD files from the engineering department. If a rogue engineer downloads them to a flash drive to take them to a competitor, like in this case, nothing is lost or compromised. 

Image shows hand with USB
When internal documents leave your organization, are you still in control? Photo: Anete Lusina on Pexels

Safe policy exceptions at startup speed

Why do our customers select Fasoo Enterprise DRM?  One main advantage, they say, is its centralized policy management, which puts admins and data owners in control. Policies are implemented in a platform-agnostic way and consistently across the entire data inventory.

Equally important, they stress, is that these policies can be flexibly adjusted at a moment’s notice to support the workflow of global companies running at startup speed.

Customers praise its capability to quickly accommodate changes in security policy to meet changing business needs.  Suppose a document owner leaves the organization or changes jobs. In that case, a department manager, IT, or security can easily grant or remove access to the document with the click of a button, regardless of the document’s location.

Another example is the way the exception management approval system handles temporary document permissions. Fasoo Enterprise DRM facilitates a pre-approval, post-approval, or self-approval workflow. Exception approval can be delegated to department heads, managers, or coworkers so that the organization doesn’t have to rely on IT.

Centralized policy management and flexible exception handling are critical for Fasoo customer ZF Group, a global automotive industry supplier. The company deploys Fasoo Enterprise DRM to secure critical IP, such as CAD drawings and process information, in tech centers on three continents. 

“You have to find the right balance between maximum IP protection on one side, and productivity on the other,” said Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems. “You need to be able to quickly adjust access privileges on a granular level, without delay.”

###

Find out more about Fasoo Enterprise DRM and its centralized policy management capabilities here.

Protect your sensitive data with Fasoo

Information security is a big arena, and it seems like there are more and more holes to plug every year.  Most organizations focus on perimeter-based security intending to keep out the bad guys.  Unfortunately, that doesn’t address the accidental or malicious exposure of sensitive information by trusted insiders.  Enterprise-based data-centric security is security for individual files that keeps data safe even after it has left a company’s secure network – and that can be a lifesaver.

To understand why, let’s look at the story of Company X.  The Company was a strong, growing, medium-sized enterprise that was earning a reputation in its field.  Leadership was aware of the need for strong data security, and the top-level executives invested a lot of time, effort, and money into securing the Company’s network and backing up all files.  Its information security efforts focused both internally and externally: they went far beyond a firewall to keep out hackers, implementing smart policies and security controls on internal users to prevent intentional or accidental breaches of sensitive files.

They did everything correctly, right?

Not quite. Their security-savvy measures did not include enterprise-based data-centric security, and that became a fatal weakness when the company sent one of its VPs to a major conference (yes, they are coming back).

Like most leaders, the VP—let’s call him Rob—needed to work while he traveled.  In addition to presenting and networking at the conference, he reviewed progress on a new project still in development.  This included both getting reports from team members back at the office and working with a few other colleagues who had come to the conference.

Rob had remote access to the Company’s secure server and was able to work on files on his secure laptop.  All of this was fine until he needed to share something.  While talking with one of his Company X colleagues at the conference, Rob shared a draft of one of the files.  He moved it to a shared Dropbox folder so the colleague could see it.

What Rob didn’t realize was that this folder had already been shared with other, non-Company peers at the conference.  In other words, the competition.

When a few curious conference goers saw the file, they opened it.  They weren’t asked for a password or any kind of authentication.  And now they had Company X’s trade secrets for the yet-to-be-unveiled project.

Situations like this are not uncommon.  Rob certainly didn’t mean to leak secrets or betray his company.  It was an honest mistake.  And if Company X had had enterprise-based data-centric security, it would have been a harmless mistake.  Instead, the lack of data-centric security meant that Company X’s secrets were out in the open, never to be secured again.  All they could do was hurry forward on their project and hope to minimize the damage.  And, most likely, rethink Rob’s tenure.

Contact us today and protect your business tomorrow with enterprise-based data-centric security.

 

Photo credit DonkeyHotey

World IP Day 2021 Image - Technology

Did you know April 26th is World IP Day? It was designated by the member states of WIPO, the IP forum of the United Nations, to increase the general understanding of intellectual property and how it enables technological innovation.

Let’s celebrate with a roundup post. Perhaps you enjoyed the recent discussion on this blog with GE Gas Power cybersecurity researchers Hillary Fehr and Chris Babie of the challenges involved with protecting IP in manufacturing? Or the insights shared by Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division, into IP theft and IP protection of CAD files in the automotive industry?

We know we did. For this World IP Day post, we asked more IP protection thought leaders what they think the biggest challenge is for manufacturers battling IP theft. Read their responses below:

“Fair is where you take your kids to eat cotton candy”

G. Mark Hardy, President, National Security Corporation

Photo shows G. Mark Hardy

For manufacturing companies, the fight against IP theft is complicated by:

  • lack of uniform laws throughout the world
  • governments that “borrow” IP and control their own courts
  • the expense of onshore manufacturing in the US

There is no “international patent.” To protect IP, one must file separately in each jurisdiction. Fees, different processes, and delays consume years while market opportunity erodes. Further, few comprehend the expenses and logistics involved in defending a patent overseas. Holding a patent only conveys the right to make a lawyer wealthy. It is no guarantee against unethical behavior.

Allegations of nation-states “borrowing” technology are well-founded. SolarWinds, Hafnium, and next week’s breach-to-be-discovered combine to yield varying estimates in the hundreds of billions of dollars.

Yet few executives invest in defenses against a phalanx of professional uniformed hackers. Contractors to the US Department of Defense (DoD) are getting religion in 2021, as failure to properly implement NIST SP 800-171 will result in sudden revenue loss. DoD realizes that wars are won on battlefields, not courtrooms. Denying unauthorized access to IP is the best form of offense.

Why not just manufacture everything domestically? In a word, cost. Salaries, benefits, regulation, liability, and lawsuits all encourage taking on the risk of overseas manufacturing. This creates a vicious cycle of race-to-the-bottom cost to beat out foreign competitors in a global market, who are enabled to achieve low cost without R&D expense through IP theft. Tariff wars offer temporary sanctuary but ultimately have adverse secondary effects.

Bottom line — don’t expect others to be fair. Fair is where you take your kids to eat cotton candy. The best offense is a powerful defense. Protect leading-edge IP like your life depended on it and relegate the other 95% to cheap manufacture. 

Combine your protected, domestically managed IP at final assembly, and build in anti-tampering / anti-theft to drive up the cost of theft as much as possible. 

You can’t totally prevent IP theft, but you can make the other guy have to work damn hard to earn a paycheck.

 About the author:

G. Mark Hardy (LinkedIn profile) is founder and president of National Security Corporation, providing cyber security expertise to government, military, and commercial clients for over 35 years. A retired U.S. Navy Captain, he was entrusted with nine command tours throughout his career. A co-host of the CISO Tradecraft podcast, Mr. Hardy has presented at hundreds of events worldwide, providing thought leadership over a range of security fields. A graduate of Northwestern University, he holds a BS in computer science, a BA in mathematics, a master’s in business administration, a master’s in strategic studies, and holds the CISSP, CISM, GSLC, and CISA certifications.

*

From trusted employee to thief: When did they flip?

Josh Linder, Principal Value Consultant at OpenText

The photo shows Josh Linder (OpenText)


The “biggest challenge” when battling IP theft? It’s really three things that come together in the end.

The first challenge is knowing where content exists. You can’t protect what you don’t know. With a greater focus on electronic tools and the cloud, information is everywhere, and normally poorly classified and secured. The irony is that employees and trusted parties often struggle to find data, and then are much more haphazard than attackers, who clean up nicely and cover their tracks.

Second, detecting insider threats poses a particular challenge. Organizations struggle to determine who “flipped” from being trusted to thief now (and when did they “flip”?). The reasons for insider theft (of intellectual property) are many. They tend to result from selfish motives (profit, vandalism, or, as a growing vector, disagreement with corporate social justice positions).

The final challenge is the one which people most often jump to first – blocking external threat actors. However, the work of external adversaries is not a single challenge – it is the culmination of inadequate protections against IP theft, rather than the root cause.

Tracing external threat actors to their origin is nearly impossible. Stopping them – taking action – is even harder. China, India, and Russia are cited as the most common origins of illegal IP usage, but talented, well-funded thieves are spread across the globe.

Many foreign countries are ripe for theft, since they give little credit to intellectual property rights and patents, with difficult legal systems favoring local firms over companies from abroad. Stealing and using recipes, plans, and fabrications is profitable and benefits everyone but the rightful owner.

In summary – the three parts of the challenge are: 1) knowing where the IP lives, 2) understanding internal threats, and 3) guarding against external risks.

About the author:

Josh Linder (LinkedIn profile) is a principal value consultant at OpenText, the leader in information discovery. He has over 20 years in cyber security, information management, marketing and business strategy. Josh previously advised security startups in the areas of marketing, business development, sales, and architecture.

*

“IP risks don’t get no respect”

The photo shows Paul Rohmeyer, Stevens Institute of Technology

Paul Rohmeyer, Stevens Institute of Technology School of Business

Large-scale consumer data breaches are regularly chronicled by business media. However, risks to intellectual property don’t seem to get the same attention and scrutiny. Despite IP’s high intangible business value, this may be one of the most significant inhibitors to securing IP.

IP and consumer data are both intangible assets. Without proper monitoring, leakage of either can go unnoticed. In both cases, data owners and custodians are victimized without their knowledge, as neither are deprived of their respective data assets in a breach (exception: ransomware attacks). 

Manufacturing organizations, by nature, are built upon foundations of innovation. They are the product of sustained focus on research and development as well as obtaining new IP via business acquisitions. It is hard to overstate the importance of protecting the IP base accumulated by most manufacturing enterprises, because the impact from IP theft can be substantial. 

Lost business opportunities, disrupted customer relationships, and reputational damage can have catastrophic effects on an enterprise in the long term. The immediate dangers are considerable as well. One example is a reduction in company value. This could influence merger and acquisition discussions, as well as stock valuation.

So why does battling IP theft still present such a challenge? The answer lies in the complexities of our interconnected IT and supply chain environments. This may also be why IP theft doesn’t get the same media attention as, say, major ransomware attacks.

Starting with a data inventory may be fundamental in theory. In practice, it proves uniquely challenging for many manufacturers and often requires specialized technical capabilities. Ideally, the identification of IP assets that need protection stretches across the increasingly complex supply chains to account for third-party risks.

Knowing where IP resides allows organizations to focus their IP protection and IP theft prevention resources more precisely on the most valuable assets. To accomplish this, organizations can rely on fundamental risk management techniques, starting with identification of IP in all forms and locations, both logical and physical.

The clear threats to IP, commonly known cyber risks, and substantial consequences of IP breaches need to guide the creation of an appropriate controls architecture. On the operational level, this will enable more active monitoring for signs of an attempted breach. Deployed strategically, its capabilities provide a critical basis for periodic re-evaluations of specific risks to IP.

About the author:

Paul Rohmeyer (LinkedIn profile) is an Associate Teaching Professor at the Stevens Institute of Technology School of Business in Hoboken, New Jersey.

*

“Growing focus on regulatory compliance”

Dr. Emma Bickerstaffe, Senior Research Analyst, Information Security Forum (ISF)

Manufacturers have long been aware of the need to protect intellectual property, as it is often information of great value to the business that would cause a major impact if compromised.

However, efforts to secure IP have recently come under intense regulatory scrutiny, with a host of legal obligations that manufacturers must now adhere to as their IP traverses a tangled web of suppliers.

Legislative reform has meant that manufacturers are not only subject to stringent data protection laws, but must also comply with legislation that specifically governs the protection of trade secrets – a form of IP.

In the European Union, for instance, member states have all enacted legislation to implement the EU Trade Secret Directive into domestic law. In several jurisdictions, this marked the introduction of the first statutory definition of a trade secret, imposing strict legal requirements for confidential business information to qualify as a trade secret and benefit from legal protection.

This growing focus on regulatory compliance has compelled manufacturers to put in place technical, organizational, and contractual measures to safeguard their IP against cyber theft, corporate espionage, and misappropriation.

While a hefty challenge in itself, the real challenge lies in making sure IP receives the same level of protection when it is shared with third parties, such as business partners, suppliers and customers. Identifying exactly who has access to this sensitive data and how it is handled is a vital first step for manufacturers to protect their IP from adversaries and maintain their competitive advantage.

About the author: 

Emma Bickerstaffe (LinkedIn profile) is a Senior Analyst at the Information Security Forum, leading its research on cyber insurance, information security laws and regulation, data leakage prevention and building successful SOCs. Prior to joining the ISF, Emma worked for the New Zealand Government, providing policy advice on defense and security issues. Emma holds a PhD in international law from the University of Cambridge.

*

For more information on document protection and enterprise digital rights management, and to learn about the steps manufacturing companies take to counter IP theft, check out IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat on this blog.

Would you like to be included in Fasoo’s next IP protection-related roundup post? Drop us an email!

The rising wave of industrial espionage and intellectual property theft has manufacturers on edge. Are you tasked with finding the right Enterprise Digital Rights Management (EDRM) solution for your company?

Check out these five tips from IP protection experts in manufacturing. 

*

Are you looking into EDRM solutions to ramp up your organization’s IP protection?  Congratulations, buckle up and hold on for the ride. 

Because this is mission-critical to your company’s future, it’s only natural that you feel the pressure to dot all the I’s and cross all the T’s. The tips below will help you zoom in on the essentials quickly. The good news is that you’re not alone.  Due to the recent surge in IP theft cases in the automotive industry, defense, aerospace, and other tech sectors, the heat is on for manufacturers.  US and EU authorities are urging companies to ramp up their IP protection.

The response on the ground has been slow, but as an industry insider, you already know: it’s not for lack of threat awareness anymore.  Most have read the memo: 

  • We know who’s behind it.  In more than 1,000 IP theft cases worked by the FBI in 2020, federal agencies found a connection with China.  Officials warn that China’s theft of trade secrets costs the US almost $500 billion a year.
  • We also know who does most of the actual stealing or often unintentionally facilitates it: insiders.  Manufacturing companies suffered more incidents attributed to malicious or negligent employees or contractors than any other industry except the healthcare sector (Verizon 2020 Data Breach Investigations Report).
  • The question many manufacturers keep grappling with: How to effectively stop IP theft without putting the brakes on workflows and productivity?

Most acknowledge that (E)DRM, also referred to as Information Rights Management (IRM), holds the key to IP protection.  It enables companies to encrypt and keep tabs on their unstructured data, such as text documents, spreadsheets, images, or CAD/CAE files.

EDRM’s main advantage is its file-centric approach.  This model lets organizations safeguard the information itself, at rest, in transit, or in use, rather than relying on – often unreliable – perimeter and device security.

That’s the theory.  What about the practice?

 

How to Find a Manufacturing EDRM Solution That Supports Your Workflow

It’s in the trenches of IP protection where things get murky.  The differences between various EDRM solutions, even in the same field, could not be starker.

The EDRM field is void of standards.  Many products are plagued by performance issues at scale.

Another problem is that even some larger EDRM vendors struggle to keep pace with application and document format updates, which renders their software ineffective and leaves their customers vulnerable to exploitation. 

In practice, this means that many EDRM offerings keep adding to the category’s historical reputation of being complex to deploy and manage.  That compounds the pressure on those tasked with identifying and evaluating EDRM software for their organization.

In manufacturing, you’ll find plenty of EDRM vendors to choose from.  The downside: IT leaders and EDRM project managers tasked with evaluating, comparing, or upgrading an existing digital rights management package have to pick their way through a crowded field.

The offerings range from specialized niche packages for engineering studios to information protection modules tacked on by software giants to support their proprietary document ecosystems. 

 

Balance Between Security and Productivity is Key

Some boast only a few brand name deployments.  Others may have a broad installed base across various verticals. 

Fasoo Enterprise DRM, for example, is known for its ability to secure information across global organizations without compromising performance.  Our flagship installation serves more than 170,000 internal users and more than 700,000 users at the customer’s affiliates and partners worldwide.

Our customers in the manufacturing sector tell us the main challenge for them was finding a future-proof EDRM solution that strikes the right balance between IP protection and productivity.

What do you have to look for in EDRM to ensure it will facilitate your company’s particular information workflow, without putting disproportional strains on IT and budgets? 

With the recent shift to remote work, finding the answer has become more urgent, likely in your organization as well.  How can manufacturers secure, control, and track sensitive information accessed by employees from their work-from-home WiFi networks? 

Which EDRM system can guarantee maximum IP protection and interoperability with the broadest range of applications and document formats used in your company and its digital supply chain?

 

5 Tips on How to Choose Enterprise DRM in Manufacturing

We asked our customers and other conversation partners in the manufacturing sector what IT leaders and program managers should keep in mind when selecting EDRM. They shared valuable tips that can help you save time and avoid costly mistakes:

 

1.  Ensure that your EDRM provides full support for the broadest range of CAD/CAE applications and CAD file formats possible.

Why? Because the digital blueprints, design files, and computer-aided manufacturing instructions hold your company’s most valuable intellectual property and the keys to its future.  While your company’s design or engineering team may only use two or three of these tools, this can change tomorrow due to an acquisition or outsourcing partnership. 

Yes, out-of-the-box EDRM support for file formats rendered by Microsoft Office, Adobe Reader, business graphics applications, Geographic Information System (GIS), and software development tools is essential, too.  As a rule of thumb, the EDRM system should support the 200 most common file formats at a minimum.

Yet, it’s the range of relevant CAD file formats the EDRM system can protect, control, and track that makes it viable and future-safe for deployment in manufacturing.  In the automotive sector, for example, this means support for applications such as AutoCAD, Autodesk Inventor, PTC Creo, CATIA, NX-CAD, and SolidWorks, to name a few.

 

2.  Make EDRM exception management easy and straightforward.

If it holds things up and puts additional burdens on the data owner or IT, it will not serve your company well.

Many manufacturers have engineers working from home and plan to bring on new team members, even during the pandemic, who will need to get up to speed fast.  IT has its hands full with accommodating and securing remote work.

Does the EDRM software under evaluation require team members to file a ticket with support and hope for the best each time they need access to a document that’s necessary to get the job done?

Expect additional burdens on IT and productivity slowdowns.  Plus, beware of users finding “creative” shortcuts (like sharing access credentials for an account with higher privileges) that put your IP at more risk than it was before.

 

3. Centralized policy management = better IP protection

If EDRM requires data owners to become security experts and check a confusing list of boxes without fully grasping what they mean and the implications, overall security suffers.  Centralized EDRM security policy management that plays nice with all leading federated authentication systems ensures maximum protection with minimum disruption.

This way, EDRM improves oversight and keeps workflow changes, employee moves to other departments or roles, and onboarding/offboarding smooth.  It minimizes the risk of sensitive information left open to access by employees who have left the company.

 

4.  Ask (if applicable): Can the EDRM deploy self-contained on-premise?

SaaS is great but doesn’t always make sense for manufacturing companies that have to protect their investments in ERP and on-premise document systems.  If yours is one of them, make sure the EDRM package you pick can fit right in with your IT environment.

 

5. Select an EDRM solution that supports any backend infrastructure.

In a sector known for its prolonged backend IT lifecycles, the enterprise DRM software you select should be ready for seamless integration with your existing backend IT infrastructure – and prepared for changes that may incorporate the cloud and SaaS.

 

These five tips for DRM considerations in the manufacturing enterprise should enable you to speed up the selection process and find the most effective and efficient digital rights management software to keep your company’s sensitive information safe. 

Intellectual property theft is costing America’s manufacturing companies billions of dollars.  To provide appropriate IP protection and prevent your organization from becoming just another FBI statistic, the EDRM tools you choose for your fast-changing manufacturing environment need to ensure maximum IP protection without making productivity suffer.

To be effective, the new EDRM package should support all relevant CAD/CAE tools, workflows, and IT infrastructure, now and in the future.

Want to find out more?  Read in this case study why an international automotive parts manufacturer selected Fasoo Enterprise DRM [PDF] to protect its designs and process information for conventional and autonomous vehicles.

For further information, contact our team here. 
