In 2022, the average cost of a data breach in the financial services sector was $5.97 million. Financial institutions are heavily targeted and regulated because of the amount of Personally Identifiable Information (PII) and Payment Card Industry (PCI) data they have.
External threats and hacking tend to make the news, but managing threats from current employees and partners with privileged access to sensitive data is also critical. Without a first line of defense, your data is exposed and at risk.
Here are five use cases for protecting your sensitive data.
Stop Unauthorized Use of Confidential Data
Allow employees and contractors to work with confidential customer data while minimizing the risk of a data breach caused by sharing it with unauthorized users.
Your employees access sensitive and confidential customer information so they can do their jobs. Once the data leaves the protected confines of an information repository, file share, or cloud-based service, your authorized users can share it with anyone, do anything with it, and compromise your customers’ confidential information. You may be subject to regulatory fines, not to mention losing customers because they cannot trust you to maintain their confidentiality. You need to persistently protect confidential data, so that customer information is protected regardless of where it goes and who has it.
As an example, a former employee of a large financial company pleaded guilty to stealing confidential data from about 730,000 customer accounts. He copied names, addresses, account numbers, investment information, and other data to his home computer so he could work on it. While improperly accessing the information, he was interviewing for a new job with two competitors.
Fasoo Enterprise DRM protects customer information by encrypting the files and applying persistent security policies to protect them regardless of where they are or their format. Once the data is protected, you can safely share sensitive files through email, USB drive, external portal, or any cloud-based file-sharing site. The files are not accessible on unmanaged devices, including personal PCs, unless you choose to allow that. File access is tracked in real-time for precise auditing, and you can revoke access instantly. Fasoo not only ensures that you meet privacy regulations and safeguard customer confidentiality but truly protects and controls sensitive information while at rest, in motion, and in use.
Safeguard M&A Deals by Limiting File Access
Protect M&A transactions so that only deal participants can securely share confidential documents.
Mergers and acquisitions (M&A) often involve intensive collaboration between investment bankers, lawyers, accountants, auditors, and other deal participants from different companies. They share countless confidential M&A documents, and it is crucial to safeguard them during and after the process. Deal participants may download and share sensitive documents from a virtual deal room to non-participating members or other unauthorized users, deliberately or by mistake. This could put your deal at risk. All sensitive documents in local servers, cloud storage locations, and personal devices should be discarded once the M&A project is complete.
Fasoo Enterprise DRM provides data-centric security to secure virtual deal rooms. All M&A-related documents in the virtual deal rooms are automatically encrypted at download, and only specific groups can access the protected documents. After closing an M&A deal, the deal room or other repository stores the final copies. All transaction documents on desktops, on mobile devices, in email, on file servers, and other storage locations are revoked by the security administrator, disabling user access to all other copies.
Allow Users to View Sensitive Data Without Compromising Privacy or Security
Defend against unauthorized screen captures and sharing of sensitive information.
Most customer service and contact centers use terminal sessions or remote desktops to control access to highly confidential information in databases and websites. Financial institutions protect information while it is within a database but struggle to protect data when it is viewed within the terminal session or remote desktop. Protecting data from users who click the print screen key, run screen capture tools, or take pictures of the screen with a phone is one of the many challenges companies face in preventing data breaches.
Fasoo Smart Screen allows specific groups to access terminal or server-based computing (SBC) consoles while preventing the user from capturing sensitive data. When an authorized user accesses sensitive data, the user cannot take a screenshot, and a visible watermark displays on the screen showing the user’s name, company information, IP address, time, and date. This deters the user from taking a picture of the sensitive data with their phone and prevents computer image capture tools from taking a screenshot and sharing it with unauthorized people.
Protect PII Documents Handled by Authorized Users
Keep PII documents secure and only accessible to authorized users.
Financial organizations deploy firewalls, DLP, full disk encryption, and network transport encryption (TLS/SSL) to prevent data loss from unauthorized users. Threats from authorized users, whether accidental or deliberate, are increasing. Data breaches often result in serious litigation and severe contingent liability. Users send PII to the wrong person through email deliberately or by mistake. Unprotected sensitive documents residing on an employee’s PC or in another storage location can increase the risk of a data breach.
Fasoo Data Radar allows financial institutions to discover sensitive data based on content patterns and enforce policy (encryption/re-classification) on the data without user intervention. It automatically detects and encrypts or reclassifies documents containing PII while the documents are in use. A central security policy continuously discovers and encrypts unprotected documents as they appear on PCs, file servers, and other locations. Dynamic access controls limit what a user can do once they open the document to protect your PII from misuse and potential litigation from a data breach.
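Content-pattern discovery of the kind described above can be sketched as follows. This is an added example, not Fasoo Data Radar's detection logic: the patterns, labels, the `classify` function, and the sample export are constructed for illustration. It shows why a checksum is paired with the pattern, since a plain digit-run match would also flag the order reference.

```python
import re

# Constructed rule set for illustration; not Fasoo Data Radar's detection logic.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

# Constructed sample data: a report exported from a database-driven system.
SAMPLE_EXPORT = """customer,ssn,card,order_ref
Jane Example,123-45-6789,4111 1111 1111 1111,1234567890123456
John Example,,,1234567890123456
"""
CLEAN_EXPORT = "region,quarter,revenue\nEMEA,Q4,1250000\n"


def luhn_valid(digits):
    """Checksum carried by payment card numbers; filters out arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so the scan report does not leak the data."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


def scan(text):
    """Return (line number, kind, masked value) for every SSN or card number found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append((line_no, "SSN", mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):  # drops order numbers and other look-alikes
                findings.append((line_no, "PAN", mask(digits)))
    return findings


def classify(text):
    """Map findings to hypothetical labels and the policy action to enforce."""
    findings = scan(text)
    kinds = {kind for _, kind, _ in findings}
    labels = []
    if "PAN" in kinds:
        labels.append("PCI")
    if "SSN" in kinds:
        labels.append("PII")
    action = "encrypt" if labels else "none"
    return {"labels": labels, "action": action, "findings": findings}


if __name__ == "__main__":
    for name, content in (("sample", SAMPLE_EXPORT), ("clean", CLEAN_EXPORT)):
        print(name, classify(content))
```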
Secure Data Downloaded from Databases and Information Systems
Automatically protect financial and customer reports downloaded from database-driven systems.
Financial organizations maintain relatively strong protection policies for structured data in databases using various security tools or techniques. When authorized users access this structured data for legitimate purposes like data mining or other analysis, they can extract or export the data into XLSX, CSV, or PDF files. This new unstructured data is vulnerable to misuse and often overlooked as a source of a data breach. Allowing authorized users to download structured data into files while maintaining persistent protection of sensitive data is critical to protecting your customers and your business.
Fasoo Enterprise DRM automatically encrypts and applies protection policies to reports when saved (localized) to desktops. For example, when an authorized user extracts structured data and saves it in XLSX/CSV format, the files are automatically encrypted and only accessible by authorized users. When a user copies the file to an external storage device or a cloud location or shares it through email, unauthorized users are not able to access the file. This ensures your sensitive data remains in the hands of authorized users.
IT, security, compliance, and risk management leaders need a reference of terms, acronyms, and key people in the enterprise digital rights management (EDRM) domain. Some terms may be confusing since different companies use different terms for the same thing.
This Enterprise DRM Glossary will be updated regularly and provides clarity for leaders and practitioners. The EDRM glossary draws on various sources, including books, periodicals, websites, subject matter experts, and Enterprise DRM users.
We welcome your feedback and suggestions of terms to include. Contact us at info@fasoo.com.
CAD security, also referred to as CAD file security or CAD protection, describes the methods, means, and measures available specifically to protect Computer-Aided Design (CAD) / Computer-Aided Manufacturing (CAM) / Computer-Aided Engineering (CAE) tools and documents against unauthorized access and use.
CAD files, such as 3D CAD drawings, are unstructured data. Manufacturing companies and design engineering firms looking to protect CAD files face particular challenges. The primary reasons are:
the wide range of niche applications and file formats not covered by information rights management solutions for common office document formats (example: Microsoft AIP),
the lack of end-to-end encryption and loss of oversight and control in many organizations when sharing CAD files by email or in the cloud.
Examples are the automotive industry and the mobility sector in general, where CAD files often contain a company’s most valuable know-how. CAD file protection gaps at the endpoint and remote work risks were exacerbated during the coronavirus pandemic. They contributed to an increase in IP theft by insiders and data exfiltration by external threat actors.
In response, manufacturers are adopting Enterprise Digital Rights Management – Enterprise DRM – to ensure end-to-end CAD file protection and centralized policy management and control beyond the company’s IT perimeter. This approach is based on a data-centric security model. Solutions such as Fasoo Enterprise DRM ensure CAD file security at rest, in transit, and in use. Derivatives, for example, 3D models excerpted as PDF files, automatically inherit the file security of the enterprise DRM-protected CAD file, which can include secure print protection.
A centralized security policy simplifies managing permissions on documents and ensures a consistent policy across an organization. The policy is persistent yet flexible and allows the organization to manage security rather than relying on individuals to make security decisions. Compare this to the built-in PDF password protection feature provided by Adobe.
From the organizational perspective, the latter means putting the document’s fate into the hands of its creator. The business relinquishes control to individual users. When they leave, the company is forced to dedicate valuable resources to special recovery efforts, or even loses access completely. It also forces users to become security experts.
In comparison, the advantage of the centralized policy management provided by Fasoo Enterprise DRM is that the organization always maintains control over its documents and what happens with them, wherever they go. This includes changing policies for a user or group at any time, regardless of where the document resides.
Users can be granted the right to maintain complete control over their documents, in those situations where it’s warranted. This provides a layered approach giving users and groups autonomy for certain documents while maintaining centralized control of the organization.
For example, a Finance user creates a document and it is encrypted upon saving it. All users in the Finance group automatically have access to the document. The user decides she needs Legal to review the document, so she can manually grant them access. If the user leaves the company or moves to another department, the document is still accessible by Finance and Legal. The organization maintains control.
For solutions without centralized control options, like Microsoft AIP, it is difficult to implement and change security policies with many users and constantly changing roles. The considerable burden of keeping up-to-date and in sync with the needs of departments or business units often falls on the individual creator of the document.
Data-centric Security
The data-centric security model aims to enhance information protection regardless of where the data resides or with whom it is shared. It is considered a core part of a Zero Trust approach to information security. Data-centric security is independent of networks, servers, locations, and devices and marks a departure from the traditional “device-centric” or location-centric security model.
Enterprise DRM applies the data-centric security model by taking a file-centric approach to secure unstructured data, such as MS Office documents, CAD/CAE files, PDF, plain text, and other digital media file types. This approach means that, in contrast to other methods, persistent encryption and Identity and Access Management (IAM) are tied to and travel with the file.
Data-centric security management requires organizations to know what data they have and its security and privacy requirements. To make data-centric protection of unstructured data feasible at scale, they have to rely on standardized mechanisms to catalog and categorize data. Fasoo Enterprise DRM, for example, applies file-centric protection based on data classification tags to:
Encrypt the file contents: If exfiltrated, the sensitive data is obfuscated and is of no value to threat actors;
Limit file access to authorized users only: Users can be individuals, departments, business units, or defined by role or title.
Historically, organizations adopted file-centric solutions for specific use cases. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policy management ensures IT and data owners can grant access and apply protection consistently across all networks, devices, endpoints, and cloud services.
Data Loss Prevention (DLP) describes tools and methods to prevent sensitive data, such as Personally Identifiable Information (PII) or business-critical intellectual property, from leaving an organization without proper authorization.
To that effect, DLP software categorizes documents and emails and analyzes user behavior to restrict the transfer of data. The underlying rules and filters have to be maintained and adjusted by IT in coordination with other stakeholders to minimize workflow interruptions.
Organizations can apply DLP only to their internal data flow. Unlike Enterprise DRM, it does not protect confidential information once data has been intentionally or unintentionally exfiltrated. A typical example is an email mistakenly sent to the wrong address. Like antivirus software or web filters, DLP components have become a staple of information security in the enterprise. As part of the point solutions mix, they often complement particular applications or tools, such as cloud security services or Microsoft AIP.
Larger organizations frequently leverage DLP to ensure compliance with data protection regulations such as GDPR, CCPA, or HIPAA. Critics blame DLP for creating a false sense of security and point to its blindspots (USB drives, SaaS file-sharing applications, enterprise messaging apps) and its focus on internal file downloads and sharing.
Digital Rights Management (DRM) describes the tools, systems, and data-centric process used to automatically encrypt files and dynamically control file access privileges for unstructured data at rest, in use, and in motion. In the consumer space, DRM aims to control the use, modification, and distribution of copyrighted material, such as computer software and multimedia files.
In business, Enterprise DRM ensures data-centric document protection inside and outside the IT perimeter and along an organization’s supply chain to protect sensitive information against theft or misuse by insiders and unauthorized access from the outside.
The term encryption describes the cryptographic transformation of data into a form that conceals its original content to prevent it from being known or used. Decoding the encoded information requires the correct key.
Enterprise DRM provides an additional layer of security through its data-centric combination of encryption and access control. Fasoo Enterprise DRM, for example, encrypts files containing sensitive unstructured data and limits access to the encrypted file to authorized users only within their given permissions. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).
Fasoo EDRM encrypts files using a Packager. DRM-enabled documents cannot be opened without a DRM Client, which requests a “license” from the DRM Server. The DRM Server issues that license according to the security policy for the user and the document, which can be applied and flexibly adjusted using centralized policy management and exception handling. The DRM Client then decrypts the DRM-enabled document and sends the data to a rendering application, such as Microsoft Word, a PDF reader, or a CAD engineering tool.
Document encryption with Fasoo is based on FIPS 140-2 validated cryptographic modules that meet the requirements of the Cryptographic Module Validation Program (CMVP) run by the United States National Institute of Standards and Technology (NIST). Fasoo uses AES 256-bit encryption, a symmetric-key block cipher. This is the same encryption the National Security Agency (NSA) and banks use to protect sensitive data. Using FIPS-validated modules means it delivers the encryption strength required for organizations that are part of or do business with the U.S. federal government.
Enterprise Digital Rights Management (Enterprise DRM, EDRM)
Enterprise Digital Rights Management (EDRM) enables organizations to persistently protect, control, and track sensitive documents at rest, in transit, and in use. Also referred to as Information Rights Management (IRM), this data-centric protection applies to any device throughout the entire document lifecycle.
By encrypting files and leveraging granular controls through centralized policy management, Enterprise DRM allows organizations to limit viewing, editing, printing, and sharing of sensitive content with unauthorized users within and outside the organization’s IT perimeter.
Historically, the challenges associated with persistent policy enforcement account for the reputation of many enterprise DRM solutions being complex to deploy. This perception has changed, and industry observers agree.
According to Gartner analysts, enterprise DRM now “is one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”
Industry observers credit Fasoo Enterprise DRM with driving much of this development. Its flagship installation spans over 170,000 internal users and over 700,000 total users of affiliates and partners worldwide.
An insider threat is defined as the potential for a person with authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the organization’s integrity, confidentiality, and availability, its data, personnel, or facilities.
Insider threats, such as IP theft by employees or contractors, are among the main risks to be considered when securing sensitive information in the form of unstructured data, such as office documents, PDFs, or CAD files. According to a 2020 survey conducted by the Ponemon Institute (PDF) and sponsored by ObserveIT and Proofpoint, 60% of polled organizations worldwide encountered more than 30 insider-related incidents per year involving digital assets.
The National Insider Threat Awareness Month library at the Center for the Development of Security Excellence offers guides, real-world case studies, videos, and web-based games to help organizations detect, deter, and mitigate insider threats.
The term Intellectual Property Theft (IP Theft) describes the act of stealing ideas, creative expressions, inventions, or trade secrets – collectively known as Intellectual Property (IP) – from the person or company who owns them. IP theft is against the law. Patent, copyright, and trademark laws, among others, aim to protect intellectual property owners.
In the digital sphere, most intellectual property exists in the form of unstructured data. Movies, music, and computer software all can be targets of IP theft, as can confidential office documents (example: pricing discounts), PDF files (example: employee W-2 forms), images (example: product concept studies), or CAD templates (example: digital blueprints of manufacturing designs).
Who is committing IP theft? According to experts, insiders – i.e. (former) employees, contractors, or supply chain partners – are behind most IP theft cases. Many perpetrators knowingly or unknowingly play into the hands of people outside their organization, such as agents for a foreign power or corporate spies hired by a competitor.
Western counterintelligence professionals attribute the rise of IP theft in the U.S. and the European Union mainly to China. Its Thousand Talents Plan, conceived by the Chinese Communist Party, drives the recruitment of engineers and scientists in the US and the EU as part of a state-sponsored IP theft campaign on a global scale.
In more than 50% of documented IP theft cases, the perpetrators were employees who quit and took proprietary information with them because nothing stopped them. This risk has significantly increased with the shift to remote work caused by the COVID-19 pandemic.
How can companies prevent IP theft? Increasingly, larger organizations deploy Enterprise Digital Rights Management (EDRM) to secure documents and eliminate opportunities for IP theft across the enterprise and along its supply chain. Information security experts see EDRM as uniquely positioned for preventing IP theft, or for preventing further damage in cases where protected files may have been exfiltrated.
Information security professionals describe mainly three reasons for Enterprise DRM’s effectiveness in protecting large organizations against IP theft:
EDRM combines access control with data-centric security that protects files at rest, in use, and in transit. This device-agnostic protection applies inside and outside the organization’s IT perimeter from the point of creation throughout the document lifecycle.
Centralized policy management and flexible exception handling enable IT and document owners to eliminate IP theft blindspots. It also lets them quickly adapt document use policies to meet the demands of dynamically changing environments, such as remote work scenarios (see also: Secure Print). Fasoo Enterprise DRM is an example. It empowers organizations to maintain granular control over sensitive data even if that information is shared – intentionally or mistakenly – outside the organization.
EDRM delivers comprehensive document security at scale, encompassing the broad spectrum of document formats and applications common in globally operating organizations. Fasoo Enterprise DRM, for example, supports more than 230 file formats, including a wide range of PDF and CAD types.
In the fight against IP theft, the capabilities listed above put designated EDRM solutions like Fasoo Enterprise DRM at a distinct advantage. Point solutions developed to protect primarily one document software ecosystem and a limited number of 3rd-party file formats (example: Microsoft AIP) cannot provide the same coverage.
Azure Information Protection (currently known as Purview Information Protection) is a data protection solution developed by Microsoft. It lets organizations discover, classify, and protect documents and emails. AIP was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.
Purview Information Protection (formerly known as Azure Information Protection and Microsoft Information Protection) is a data protection solution developed by Microsoft. It is part of the larger Microsoft Purview suite of tools that lets organizations discover, classify, and protect documents and emails. It was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.
Many cybersecurity professionals consider PDF security an oxymoron because of the weaknesses of the password protection and encryption of Adobe’s platform-independent file format.
Depending on the use case, adequate PDF document protection can require a combination of various 3rd-party tools and methods. Examples are PDF password protection, encryption, on-screen protection, secure print, PDF sanitization, PDF usage monitoring.
In large organizations, the number of PDF files and versions to be secured adds to the challenge. IT can overcome this challenge with Enterprise DRM, which provides an additional layer of PDF protection.
One example is Fasoo Enterprise DRM, which integrates the most powerful PDF protection mechanisms. It supports more than 230 file formats and ensures that sensitive PDF files are protected at rest, in use, and in transit.
Permissions are required to perform a particular action, such as View, Edit, or Print, on a document secured with Enterprise DRM. A user can only perform an action on a secured document when granted the proper permission, whether set via centralized policy management, granted specifically by a data owner, or obtained by requesting provisional permission.
Personally Identifiable Information (PII) is defined as any data that permits the identification, by either direct or indirect means, of an individual to whom the information applies.
PII can directly identify a person (examples are name, address, phone number, social security number, any other ID number or code, and email address) or allow indirect identification in conjunction with other data elements. Such elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.
PII is often maintained in the form of unstructured data, i.e., in Microsoft Office documents, PDF files (example: W-2 records), or computer printouts. Files containing PII are best protected by encrypting them at the point of creation. Adequate protection covers the document lifecycle in its entirety and includes provisions for data transfers to other media, i.e., screen photos or print.
When a user does not have permission for a specific action in a document secured with Enterprise DRM, the user can request temporary permission or exemption to the current security policy. If approved by the administrator or document owner, the user can perform that action with the given provisional permission for a time period defined by the policy.
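The license decision behind the entries on centralized policy, permissions, and provisional permission can be modeled as below. This is an added example, not Fasoo's implementation or API: the `PolicyServer` class, its methods, and the users, file name, and times are hypothetical. It replays the Finance/Legal scenario from the centralized policy entry, including a time-limited print exemption and revocation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical model for illustration; not Fasoo's API, data model or protocol.


@dataclass
class Document:
    owner: str
    group_grants: dict = field(default_factory=dict)  # group -> set of permissions
    revoked: bool = False


class PolicyServer:
    """Central authority a DRM client asks before a protected file is opened."""

    def __init__(self):
        self.user_groups = {}  # user -> set of groups (stand-in for an IAM directory)
        self.documents = {}    # doc_id -> Document
        self.provisional = []  # (user, doc_id, permission, expires_at)
        self.audit_log = []    # (time, user, doc_id, permission, allowed, reason)

    def register(self, doc_id, owner, permissions):
        # The creator's groups receive the permissions at creation, so access
        # follows group membership instead of depending on the creator.
        grants = {group: set(permissions) for group in self.user_groups[owner]}
        self.documents[doc_id] = Document(owner, grants)

    def grant_group(self, doc_id, group, permissions):
        self.documents[doc_id].group_grants.setdefault(group, set()).update(permissions)

    def approve_provisional(self, user, doc_id, permission, now, duration):
        self.provisional.append((user, doc_id, permission, now + duration))

    def revoke(self, doc_id):
        self.documents[doc_id].revoked = True

    def request_license(self, user, doc_id, permission, now):
        allowed, reason = self._decide(user, doc_id, permission, now)
        self.audit_log.append((now, user, doc_id, permission, allowed, reason))
        return allowed

    def _decide(self, user, doc_id, permission, now):
        doc = self.documents.get(doc_id)
        if doc is None:
            return False, "unknown document"
        if doc.revoked:
            return False, "document revoked"
        groups = self.user_groups.get(user)
        if groups is None:
            return False, "user not in directory"
        for group in sorted(groups):
            if permission in doc.group_grants.get(group, ()):
                return True, "group grant: " + group
        for p_user, p_doc, p_perm, expires in self.provisional:
            if (p_user, p_doc, p_perm) == (user, doc_id, permission) and now < expires:
                return True, "provisional permission"
        return False, "no matching grant"


def run_scenario():
    """Replays the Finance/Legal example with constructed users and times."""
    t0 = datetime(2024, 1, 1, 9, 0)
    doc = "q4-forecast.xlsx"
    srv = PolicyServer()
    srv.user_groups = {"alice": {"Finance"}, "bob": {"Finance"}, "carol": {"Legal"}}
    srv.register(doc, owner="alice", permissions={"view", "edit", "print"})

    r = {}
    r["finance_colleague_edit"] = srv.request_license("bob", doc, "edit", t0)
    r["legal_before_grant"] = srv.request_license("carol", doc, "view", t0)
    srv.grant_group(doc, "Legal", {"view"})  # owner asks Legal to review
    r["legal_view"] = srv.request_license("carol", doc, "view", t0)
    r["legal_print"] = srv.request_license("carol", doc, "print", t0)
    srv.approve_provisional("carol", doc, "print", t0, timedelta(hours=1))
    r["legal_print_provisional"] = srv.request_license(
        "carol", doc, "print", t0 + timedelta(minutes=30))
    r["legal_print_expired"] = srv.request_license(
        "carol", doc, "print", t0 + timedelta(hours=2))
    del srv.user_groups["alice"]  # the creator leaves the company
    later = t0 + timedelta(days=1)
    r["creator_after_leaving"] = srv.request_license("alice", doc, "view", later)
    r["finance_after_creator_left"] = srv.request_license("bob", doc, "view", later)
    srv.revoke(doc)  # administrator disables every copy
    r["finance_after_revoke"] = srv.request_license("bob", doc, "view", later)
    return r, srv.audit_log


if __name__ == "__main__":
    results, log = run_scenario()
    for name, allowed in results.items():
        print(f"{name:28} {'ALLOW' if allowed else 'DENY'}")
    for entry in log:
        print(entry[0].isoformat(), *entry[1:])
```

Every request, allowed or denied, lands in the audit log with its reason, which is the record a reviewer would use to trace who opened or tried to open a file.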
Secure file sharing (also referred to as secure file exchange) describes the process of making unstructured data available to other authorized users while preventing access by others who lack proper authorization. In business environments, secure file sharing with Enterprise DRM enables individual users to transfer Microsoft Office documents, audio or video files, images, PDFs, or CAD drawings, for example, within or outside their organization, without exposing sensitive information to data theft or manipulation by unauthorized parties.
Modern digital rights management solutions enable secure file exchange based on a data-centric security model. This approach overcomes the weaknesses and limitations of traditional device-based security or file password protection (see also: PDF Security and CAD Security). It also surpasses the protection provided by file-sharing tools such as Box, Dropbox, or OneDrive, which offer encryption in the cloud and in transit, but fall short once a document reaches the recipient. Fasoo Enterprise DRM, for example, automatically encrypts each file at the point of creation and applies access policies that are centrally managed.
Files secured with Enterprise DRM remain protected no matter where they go. This way, the data owner remains in control of if and how a shared file can be accessed, regardless of its location. The protection is device-agnostic and travels with the file. Users can securely share files without risking protection gaps on portable storage media, cloud storage services, home office printers, or when documents are sent as email attachments, for example.
Source: Enterprise DRM Glossary. Reference: Data-centric Security (Fasoo Blog Archive)
Secure Print (Secure Printing)
Secure print describes capabilities that enable the prevention and detection of document leaks or exfiltration via print output. In Enterprise DRM, policy-based print protection lets data owners centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts.
Fasoo Enterprise DRM, for example, takes a printer-agnostic approach to secure printing. This approach eliminates problems with using different printers or print drivers. Here’s how it works:
The basic print permission setting is part of the Fasoo-encrypted document. In addition, Fasoo’s secure printing component – a.k.a. Fasoo Smart Print – lets organizations apply print protection policies on various levels for plain and EDRM-secured documents alike.
85% of today’s digitally stored information consists of unstructured data, which means it lacks a pre-defined data model or internal data organization. Examples include office documents, CAD/CAE files, PDFs, emails, videos, blogs, customer support chat logs, and social media.
Structured data, by comparison, is defined as data that is easily grouped, processed, and analyzed by rows and columns in relational databases. It only accounts for 15% of today’s information.
Unstructured data poses numerous security and regulatory compliance challenges. They are not addressed by the traditional network, device, and application cybersecurity and risk management approaches. This coverage gap is the reason why storing and sharing sensitive information in free-form documents creates numerous opportunities for leakage or exfiltration of proprietary or otherwise sensitive data.
Confidential files containing intellectual property, PII, or printouts of HIPAA-protected personal health information (PHI) are three examples of unstructured data potentially at risk of unauthorized access due to negligent or malicious insider behavior or cyber-attacks.
Sensitive unstructured data falls into two broad categories: regulated or unregulated. The adequate protection of regulated unstructured data is required by law (examples: GDPR, CCPA). Unregulated data includes both business-sensitive and publicly known information. Determining what content requires protection is left to the discretion of the business that owns, stores, or processes it.
Zero Trust document protection describes minimizing uncertainties in enforcing accurate access decisions regarding unstructured data. It delineates the shift from a device and location-centric security model to a predominantly data-centric approach.
The goal is to prevent unauthorized access to files containing confidential data by making access control enforcement as granular as possible. The Zero Trust approach requires fine-grained security controls between users, systems, data, and assets. Enterprise DRM is considered a cornerstone of any viable Zero Trust document protection strategy, according to document security experts. They point to its data-centric security model, strong encryption, and tight integration with all leading identity and access management systems.
The Zero Trust approach achieved official cybersecurity policy status with the 2021 Executive Order on Improving the Nation’s Cybersecurity issued by the Biden administration. While the directive primarily aimed to move federal agencies to secure cloud services and a zero-trust architecture, it since has sent ripple effects through the private sector.
As more operations move to the cloud, employees, contractors, and partners access sensitive data through a browser or remote desktop. Frequently, users run reports to localize the data for further analysis.
Protecting this sensitive data when it is viewed on a computer or mobile screen is critical to prevent unauthorized use and to ensure you aren’t subject to litigation and fines for violating privacy legislation.
Here are four use cases for using Screen Security to protect your sensitive data.
Protect PII and PHI on the screen
Allow employees and contractors to work with sensitive data while minimizing the risk of a data breach caused by sharing pictures of sensitive data with unauthorized users.
ERP, CRM, EMR, financial, and other business systems provide users with easy access to detailed personal and company information. This information is not adequately protected against malicious or inadvertent screen capturing, especially with so many remote workers and people working from home.
Users can access sensitive data on web-based applications and share it with anyone. They can capture the screen content with an image capture tool or by taking a picture with a phone. This can lead to a data breach that violates privacy legislation and can lead to litigation, fines, and reputational damage.
Fasoo Smart Screen can block screen capture attempts from specific applications and websites by covering the sensitive content with a secure image that warns users they are trying to copy sensitive data. By allowing specific users to access applications while preventing them from capturing sensitive data, you minimize potential data breaches. You can even forcibly minimize target applications when known capture tools are launched to deter further sharing of sensitive data.
Prevent pre-release of information in files and on internal websites
Stop data leaks by blocking screen capture attempts of product designs, media, and other sensitive information in files and on internal websites.
Internal websites showcase new products and other strategic information that employees and contractors need for planning marketing and sales activities. Sometimes, these users take pictures of this information and use it for personal gain, send them to competitors, or share them on social media.
These actions may create competitive pressure that can lead to lost sales or market share if your competitors get hold of the images. Since anyone with a phone can take a picture and share it, you need to deter this behavior before it erodes your competitive advantage.
Fasoo Smart Screen can block screen capture attempts of sensitive data on websites and apply visible watermarks to trace potential data leaks to the source. Dynamic watermarks appear in certain applications and specific URLs showing the user’s name, IP address, and timestamp to deter screen capture. By blocking screen capture tools on specific URLs, administrators can control sharing of sensitive data and even see image logs of attempted screen captures.
Protect sensitive data in call and contact centers
Minimize the risk of data leaks by applying a visible watermark to trace sensitive data back to call or contact center employees.
Customer service and contact centers use virtualized or remote desktops to control access to highly confidential information. Workers could take a screen capture of PII or take a picture with their phone and share that information with unauthorized people outside the company. This is especially risky with outsourced vendors who may have a high turnover of employees and contractors, and who allow many people to work from home.
Anyone with sensitive data on the screen can easily use a screen capture tool or take a picture of the screen with a phone and share it with colleagues and friends. If this information becomes public, your company may be subject to fines and litigation.
Fasoo Smart Screen discourages screen capture attempts by applying visible watermarks with user and company information to trace potential data leaks to the source. A customizable, visible screen watermark appears on websites, specific applications, and sensitive documents showing the user’s name, company name or logo, IP address, and timestamp. Administrators can see image logs of attempted screen captures. The visible watermarks deter leaking sensitive data since the user’s name is on the captured image.
Safeguard sensitive financial information in documents
Reduce the possibility of customer and supply chain loss by blocking screen capture attempts of sensitive financial information in files.
Employees and contractors share documents containing sensitive financial information as they work with customers and suppliers. Someone may create a document and share it or run a report from a financial system. The users could take a screenshot of the content and share it with anyone, either inside or outside the organization.
If a public company shares this data prematurely, it may disrupt markets and run afoul of SEC rules. If competitors have this data, they may undermine your supply chain or make a run at your customers with discounts and other strategies to steal them. Since anyone with a phone can take a picture and share it, you need to stop this from causing problems.
Fasoo Smart Screen can block screen capture attempts of sensitive data in documents and apply visible watermarks to trace potential data leaks to the source. Dynamic watermarks appear in sensitive documents and deter users from sharing images of them since the user’s name, timestamp and other identifying information are visible. If a user tries to take a screenshot of the document, an image appears over the content preventing the attempt. Administrators can see image logs of attempted screen captures to help address potential leaks with users.
Think about your worst nightmare. Someone steals confidential information about your customers or company and posts it on the Internet. You lose all credibility and your business suffers.
You pay stiff financial penalties and you face lawsuits from regulators and your customers. If you are a public company, you face shareholder lawsuits.
This situation is more commonplace as hackers exploit weak human and technology systems to gain access to your most important business information. With new technologies like ChatGPT allowing AI-driven malware, more phishing scams, and ever more sophisticated attacks, it’s not a matter of if you will be compromised, but when.
In the last year, there have been a number of large data breaches that caused big problems for the victims. In 2022, U.S. organizations issued 1,802 data breach notifications, reporting the exposure of records or personal information affecting more than 400 million individuals.
Nissan recently had customer information compromised by a partner in their supply chain. Avamere Health Services lost files with patient personally identifiable information (PII) and personal health information (PHI). Other major brands like Toyota, Twitter, and Cash App had critical information downloaded from databases or files stolen from misconfigured systems. A common approach is to target smaller companies within a supply chain whose security may not be as sophisticated as larger companies.
While a lot of the headlines talk about compromised databases, a lot of confidential and sensitive information is in documents. All organizations need to determine what is sensitive and where it exists. Then determine who has access to that information. The last step is to encrypt these documents with a persistent security policy that controls who can access the content and what they can do with it.
At a minimum, you should encrypt documents with personal information, such as customer and employee name, password, email, street address, phone number, social security or insurance number, birth date, and financial information. Next is anything critical to your business, such as budgets, strategic plans, product designs, software code, proprietary processes, and algorithms. Think about the secret formula for Coke or the search algorithms for Google. If it’s unique to your business and important, protect it.
Here are a few tips to prevent a data breach.
Identify sensitive data – before you can prevent a data breach, you need to know the sensitive data you collect, store, transmit, or process. Hackers and malicious insiders target non-public personal information (NPI), personally identifiable information (PII), and intellectual property, like designs, patent documents, or trade secrets. You need to identify it before you can protect it.
Encrypt sensitive data – encryption with a centralized access policy helps protect the security and privacy of files as they are transmitted, while on your computer, in the cloud, and in use. Encrypt all sensitive information with a data-centric security policy using Advanced Encryption Standard (AES) 256-bit cryptography. Only give access to those who need it to do their jobs.
Protect sensitive data when printed – with so many remote workers, you need to protect documents and other sensitive data sources with a visible watermark when users choose to print them. This becomes more of an issue as people continue to work from home and use local printers to print and review information. While many of us view information on screens, there are still many times when it’s easier to print something for review, and you should be able to trace the printout to its source in the event of a data breach.
Preventing data breaches is not complicated when you think about protecting the data. Protecting servers, networks, and storage locations is important, but focusing on the data is the most important thing. The best way to protect information that is critical to your business is to encrypt documents with a persistent security policy. If an unauthorized person gets your document, it’s useless to them, since they can’t read the information inside without your express permission.
Give yourself some peace of mind by finding and protecting the information that is most critical to your business. You will prevent a data breach, protect your company and sleep better at night.
The enterprise is moving to the cloud to ease collaboration for partners and employees. The cloud enables work-from-home and hybrid working models and enhances productivity.
But the cloud is vulnerable to human error and misconfigured settings, putting your data at risk of unauthorized access. According to Gartner, preventable misconfigurations and end-user mistakes cause more than 99% of cloud breaches. Cloud providers offer their own flavor of security, but data needs its own protection.
What’s the risk of storing data in the cloud?
End-users share Dropbox links and credentials from personal smartphones via Wi-Fi hotspots. They email documents to friends and unauthorized third parties. You’d no more send your data out into the world without policies, access controls, and encryption than send a child out into the cold without a coat. But if you leave security to the cloud, who knows where your data ends up.
Amazon S3 buckets include unlimited storage. But weak settings leave default credentials intact, granting limitless access to criminal hackers who automatically search and exploit bucket links. When criminal hackers kidnap your files, cloud cyber defenses seldom follow behind. You need centralized control with enterprise security that wraps your data and sticks with it.
Enterprises work with many cloud providers, passing data from one environment to the next, one job to the next. You may have some visibility when you pass data directly to the cloud. But what happens when that cloud routes your data to other cloud environments for processing? It’s one thing to entrust your child to someone you know; it’s another to let them hand her off to someone they know.
Cloud providers may offer security policies, identity and access controls, and encryption for data in transit and at rest. But those stop short where the cloud ends, leaving your intellectual property (IP) open to theft by criminal hackers and exploitation by unscrupulous competitors.
How do I protect my sensitive data in the cloud?
Enterprise Digital Rights Management (EDRM) eases moving to the cloud, binding location-agnostic security controls to unstructured data. EDRM embeds encryption, persistent IDs, and access control policies with sensitive documents. Your custom controls travel with your files into unmanaged, unsecured environments.
EDRM maintains data governance policies and controls on your confidential documents whether you move them to Salesforce, Box, Microsoft Azure, or AWS. You can track documents in and beyond the cloud, maintain access controls, and change granular permissions and privileges at any point using centralized policy management.
You don’t have to care what cloud has your data; EDRM keeps it safe when cloud security fails. If the cloud provider has a breach, so what? EDRM maintains the security policies, controls, and enforcements you’ve set in motion, no matter who has your data.
You can ease moving to the cloud by mitigating your risk. The Discovery Classification Tool (DCT) identifies old, redundant, and obsolete data. You can delete obsolete files and duplicates and archive data you must keep, reducing your attack surface, data management requirements, and cloud costs. Then use EDRM to apply policies and encryption to the data you use, and move it to the cloud.
No matter if your company is an automotive OEM, Tier 1-3 supplier, or a small engineering studio that serves component manufacturers across various industries: all eyes are on you.
The eyes of commercial spies, that is.
Intellectual property (IP) theft, most of it on behalf of China, damages the US economy to the tune of about $500 billion a year, says the FBI. Automotive, aerospace, and other innovation-driven tech companies are bearing the brunt of commercial espionage efforts.
What do the nation-states and competitors behind the IP theft have in common? They all rely on a secret weapon: company insiders.
What is an “insider threat”?
The US government’s National Insider Threat Task Force (NITTF) defines an insider as “any person with authorized access to an organization’s resources to include personnel, facilities, information, equipment, networks, or systems.” This not only includes your employees but contractors, partners, and potentially anyone in your supply chain.
In the vehicle manufacturing sector, most sensitive information is now stored and managed digitally: in the form of CAD drawings, for example, or as digital image files, as Microsoft Office documents, or in various Adobe PDF formats, including PDF/A, PDF/E, or PDF/X.
The dependency on these files makes IP theft by company insiders with access to that information the biggest potential security threat for automotive manufacturers and their suppliers today. Under pressure to innovate and develop startup-like cultures, traditional manufacturers struggle to protect their digital IP without sacrificing productivity.
A key security component in this fight is International Cybersecurity Standard ISO/SAE 21434, which specifies engineering requirements for cybersecurity risk management in the design and development of car electronics. It covers cybersecurity governance and structure, secure engineering throughout the life cycle of the vehicle, and post-production security processes. It covers vehicle manufacturers and their entire supply chain. This standard is becoming more important as the industry moves toward autonomous vehicles.
How does someone become an insider risk? What are the warning signs of potential insider theft? Is your company prepared?
Experts agree: securing unstructured data across the automotive manufacturing supply chain requires a comprehensive approach by Security, IT, HR, Compliance, and Legal. Here’s what they recommend:
1. Raise your organization’s threat awareness.
The battle for the future of mobility is marked by innovation at break-neck speed and tough competition for top performers.
Traditional players find themselves competing with Silicon Valley giants, startups, and nation-state-sponsored groups to recruit and hold on to the best talent. Electric vehicle development, connectivity, battery technology innovation, and the rise of additive manufacturing are changing the industry.
The IP Awareness Assessment, offered by the National Institute of Standards and Technology/Manufacturing Extension Partnership (NIST/MEP), enables affected companies to assess their intellectual property awareness.
Another valuable resource for your internal IP Theft awareness program and training is the National Insider Threat Awareness Month library at the Center for the Development of Security Excellence. It offers guides, real-world case studies, videos, and even web-based games to help organizations detect, deter, and mitigate insider threats.
2. Know the IP theft threatscape.
According to Ponemon Institute research from 2022, 67% of surveyed organizations worldwide reported more than 30 insider-related incidents per year involving digital assets.
In the US and the EU, counterintelligence experts and manufacturing industry security advisers attribute the rise of IP theft mainly to China. Take the Thousand Talents Plan, for example, which was conceived by the Chinese Communist Party.
Officially, TTP is a recruitment program for up-and-coming scientists and engineers to experience China and work side-by-side with their Chinese peers. In reality, it now serves as a vehicle for a state-sponsored IP theft campaign on a global scale, with more than 140 recruitment stations set up in the US alone.
Social media and business networking platforms (LinkedIn, for example) are increasingly used to identify and target company insiders for later exploitation.
To keep you abreast of recent developments and emerging threats, the FBI provides IP theft prevention resources on its website and sends out email alerts.
3. Identify what’s most at risk of IP theft in your organization.
Unstructured data such as CAD/CAE files, digital images, and confidential sales or legal PDF documents contain your organization’s most valuable intellectual property and blueprints for its future. Yet IT and Security face a unique challenge in protecting it against IP theft.
How to secure these files across the enterprise and along its diverse supply chain? IP protection at the document level often requires that the information rights management service supports all industry-relevant CAD applications.
Your teams may currently use mainly one or two such tools. But this can change quickly due to new requirements. Effective information rights management in this dynamic environment makes support for tools such as AutoCAD, CATIA, PTC Creo, Siemens NX-CAD, or SolidWorks essential.
PDF file formats are another example. Does the information protection software cover the broadest possible range of documents? Support for at least 200 file formats is considered the bare minimum in a globally integrated enterprise environment.
4. Determine who’s posing an insider threat.
As paradoxical as it may sound, this question is the easiest to answer. Experts will tell you that any executive and rank-and-file employee, contractor, or temp with access to sensitive information is potentially a risk. This includes external business partners and is made even worse by so many people working remotely or from home.
Security professionals differentiate between malicious, negligent, and compromised insiders. The lines between these categories are blurry. Common scenarios that result in the loss or theft of proprietary information and involve negligent or compromised insiders:
working from home on unsecured WiFi on unmanaged compromised devices with remote access to critical company IP.
All of these examples can result in exfiltrated CAD files, office documents, or process information. IT can minimize the risk of unintentional IP exfiltration by controlling access to proprietary information at the file level and limiting or blocking possible ways of sharing, such as copying, printing, or taking screenshots.
5. Prevent the #1 IP theft scenario.
What about the malicious insiders? In the manufacturing sector, who are the real-life spies?
Let’s forget about James Bond and his Minox camera for a moment. Instead, let’s focus on Jill with a smartphone and money problems. Joe in R&D may fancy making VP at a competitor. Then there’s Jim, the work-from-home (WFH) contract engineer who just got an invite to visit China, all expenses paid, courtesy of the Thousand Talents program.
That last case reminded us that the risk of IP theft is highest when employees leave. In more than 50% of documented IP theft, the perpetrators are employees who quit and take proprietary information with them.
This happens simply because they could. Nothing got in the way.
A design engineer, for instance, may store critical CAD drawings on a private hard disk or personal cloud storage “just in case” and later use them when interviewing with the competition.
IT and other stakeholders need a mechanism that makes it simple to centrally disable access to sensitive documents for a departing employee at the file level, even if that file now resides on an unmanaged work-from-home laptop.
6. Establish or expand your threat intelligence program.
Managing IP theft risk in 2022 requires more than cursory reference checks or LinkedIn profile once-overs for potential hires.
Smaller companies can outsource their pre-hire background checks to background investigation specialists and threat intelligence firms. Large manufacturers may expand their internal open-source intelligence (OSINT) collection capabilities.
This enables investigators and SOC analysts to examine, for example, dark web marketplaces for suspicious data movements.
Where to find private-sector professionals that specialize in digital insider threats on all levels? Industry associations, trade groups, and government resources such as the National Center for Cybersecurity in Manufacturing can help.
7. Monitor to identify insider threat warning signs.
What are the indicators of insider threats that may culminate in IP theft? Behavioral and personality changes can be early warning signs, experts say. Financial problems, a drop in performance, or a sudden interest in files outside the employee’s work scope are indicators as well.
To catch such telltale signs early on, the software selected to secure and manage proprietary information should include the capability to flag suspicious files and user activities. Do they indicate sufficient risk for intervention by business management?
This approach allows the system to establish baseline behavioral patterns and help determine suspicious activities.
Fasoo’s RiskView, for example, provides such user and entity behavior analytics (UEBA) protection for sensitive files. For IT, it serves as an early warning system against infractions by users, even those with sufficient inside knowledge to bypass other security controls and methods.
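The baselining idea in this tip, as an added example (not Fasoo RiskView code and not part of the original post): it learns each user's usual project folders and daily file count from a baseline window, then flags access outside that scope and unusual volume. The log format, paths, user names, and thresholds are assumptions constructed for illustration.

```python
"""Added example: per-user file-access baseline with simple anomaly rules.

The log format, field names, paths and thresholds are assumptions made for
this sketch; they are not taken from any product.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse(lines):
    """Yield (day, user, action, path) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["day"], m["user"], m["action"], m["path"]


def project_of(path):
    """Treat the folder directly under /projects/ as a file's work scope."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 2 and parts[0] == "projects" else "(other)"


def build_baseline(events):
    """Per user: projects touched, mean and stdev of distinct files per day."""
    scopes = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(set))
    for day, user, _action, path in events:
        scopes[user].add(project_of(path))
        daily[user][day].add(path)
    baseline = {}
    for user, days in daily.items():
        counts = [len(files) for files in days.values()]
        baseline[user] = {"scope": scopes[user], "mean": mean(counts),
                          "stdev": pstdev(counts)}
    return baseline


def detect(events, baseline, sigma=3.0, min_stdev=1.0):
    """Return sorted findings as (day, user, rule, detail) tuples."""
    findings = set()
    daily = defaultdict(set)
    for day, user, _action, path in events:
        profile = baseline.get(user)
        if profile is None:
            # No history for this account: surface it instead of guessing.
            findings.add((day, user, "no-baseline", path))
            continue
        project = project_of(path)
        if project not in profile["scope"]:
            findings.add((day, user, "out-of-scope", project))
        daily[(day, user)].add(path)
    for (day, user), files in daily.items():
        profile = baseline[user]
        # Floor the stdev so a very regular user does not alert on +1 file.
        limit = profile["mean"] + sigma * max(profile["stdev"], min_stdev)
        if len(files) > limit:
            findings.add((day, user, "volume-spike", str(len(files))))
    return sorted(findings)


# Constructed sample data (not real logs): a baseline week, then observations.
BASELINE_LOG = """\
2024-03-04T09:12:00 user=jill action=open path=/projects/brakes/caliper_v1.CATPart
2024-03-04T10:40:00 user=jill action=open path=/projects/brakes/rotor_v2.CATPart
2024-03-05T09:05:00 user=jill action=open path=/projects/brakes/caliper_v1.CATPart
2024-03-05T11:20:00 user=jill action=print path=/projects/brakes/spec.pdf
2024-03-05T14:02:00 user=jill action=open path=/projects/brakes/rotor_v2.CATPart
2024-03-06T09:30:00 user=jill action=open path=/projects/brakes/rotor_v2.CATPart
2024-03-06T13:15:00 user=jill action=open path=/projects/brakes/spec.pdf
2024-03-04T08:50:00 user=joe action=open path=/projects/battery/cell_layout.dwg
2024-03-05T08:55:00 user=joe action=open path=/projects/battery/cell_layout.dwg
""".splitlines()

OBSERVED_LOG = """\
2024-03-11T09:10:00 user=jill action=open path=/projects/brakes/caliper_v1.CATPart
2024-03-11T09:40:00 user=joe action=open path=/projects/battery/cell_layout.dwg
this line is truncated and is skipped by the parser
2024-03-12T22:01:00 user=jill action=open path=/projects/battery/cell_layout.dwg
2024-03-12T22:02:00 user=jill action=open path=/projects/battery/pack_housing.CATPart
2024-03-12T22:03:00 user=jill action=open path=/projects/battery/bms_schematic.pdf
2024-03-12T22:04:00 user=jill action=open path=/projects/battery/cooling_plate.CATPart
2024-03-12T22:05:00 user=jill action=open path=/projects/battery/busbar.dwg
2024-03-12T22:06:00 user=jill action=open path=/projects/battery/test_report.pdf
""".splitlines()


def run_example():
    """Build the baseline from BASELINE_LOG and score OBSERVED_LOG against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(OBSERVED_LOG), baseline)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

A finding is a prompt for review by business management, not proof of theft; the three-sigma limit and the one-file floor on the deviation are starting points to tune against your own access logs.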
8. Choose productivity over paranoia.
Under pressure to innovate and develop startup-like cultures, traditional manufacturers struggle to protect their digital IP without sacrificing productivity.
An overly rigid and inflexible approach to IP protection risks slowing down workflows and alienating top performers.
It also introduces additional risks. A typical example is team members who develop “creative” workarounds to access or share sensitive proprietary information they need to get the job done.
Security or productivity: do we have to choose? It doesn’t have to be an either/or choice. Let’s look at Digital Rights Management (DRM) as an example.
DRM (also referred to as Information Rights Management, IRM) today is at the heart of many enterprise-wide initiatives to prevent intellectual property theft or unintentional digital IP leakage.
How to solve the IP Theft Protection vs. Productivity conundrum? Enterprise IT leaders emphasize the importance of carefully selecting an enterprise DRM software that is flexible and fast at scale.
9. Put manageability and flexibility first.
Can we really expect data owners to become security experts when managing document-level protection for the files they oversee?
We shouldn’t. But that’s what happens, IT says, when the company deploys the kind of information protection service that was developed almost as an afterthought to popular office software and design tools.
Many IT leaders have determined such rights management services are too limited for the use cases in their enterprise-wide deployment. They are also cumbersome to manage and use on the ground.
Exception management is a prime example. How do you give everyone on the team who needs it fast and uncomplicated access to critical IP while ensuring that it doesn’t fall into the wrong hands?
An effective DRM solution simplifies and accelerates the process of obtaining exemptions from file access and management restrictions. A user’s legitimate exception request should not increase IT’s workload, be held up by slow support desk response times, or get forgotten in the system once it has been granted.
10. Select DRM that enables centralized policy and visibility
Opportunity makes thieves, as highlighted in Tip #5. Eliminate the opportunity for digital IP theft with DRM. Protect your IP from the onboarding through the offboarding process, including all user activities on your network in between.
Centralized policy management empowers IT and management to conveniently set and change data-centric and user-centric document use policies at a glance.
The past three years have seen a significant uptick in companies looking to deploy EDRM to prevent IP theft. Industry observers attribute this trend primarily to three factors:
the rising threat of IP theft by corporate insiders,
Microsoft now supports its rights management in Azure, on Apple’s iOS, and on Google’s Android,
the pressure to protect intellectual property accessed by remote workers, often on unmanaged home networks and devices.
Fasoo Enterprise DRM’s authentication APIs, for example, support numerous third-party, federated, and proprietary authentication systems. In the enterprise environment, with its hybrid mix of on-premises, cloud, and WFH digital assets and devices, this means less headache for IT when securing remote access.
This way, IT can quickly adapt your document use policies to fit remote work scenarios. It also means that when your company shuts off access to an employee for good, it doesn’t run the risk anymore that a critical resource gets overlooked.
Fasoo Enterprise DRM’s encryption renders protected files useless for the former employee and other unauthorized 3rd parties.
This post was originally published in March 2021 and has been updated for accuracy and comprehensiveness.
In the near future, we will see a completely different automobile industry from what we see today. And what’s emerging as one of the most important topics with these recent changes? Security.
In particular, Level 3 autonomous cars, which provide conditional automation that can make informed driving decisions, will start arriving this year. Mercedes-Benz has already received internationally valid regulatory approval to produce vehicles capable of Level 3 autonomous driving. BMW, Audi, Honda, Volvo, GM, and Tesla, among others, also have similar projects in the works.
Level 3 autonomous driving, as defined by SAE International, means that the driver can hand over control to the vehicle, but must be ready to take over when prompted. Autonomous vehicles communicate with and receive data through far more sensors than electric or hybrid vehicles. This means there is a high possibility that the personal information of vehicle owners and important data related to automobile software will be leaked.
Global Security Requirements
Against this backdrop, the global automobile industry is investing heavily in security-related technology development and certification. Automotive security regulations have also been tightened, requiring the United States, the EU, Japan, Korea, and other countries to identify and respond to threats in accordance with the International Cybersecurity Standard ISO/SAE 21434. This standard specifies engineering requirements for cybersecurity risk management in the design and development of car electronics. It covers cybersecurity governance and structure, secure engineering throughout the life cycle of the vehicle, and post-production security processes. The supply chain is also included to cover each step in automotive production.
New cars sold in Europe starting in July 2022 and all new cars sold in 54 countries starting in July 2024 must meet these requirements. The manufacturer must be certified for cybersecurity management capabilities, which include protecting the sensitive data used in the design, development, manufacturing, and servicing of these vehicles.
All phases of a connected vehicle’s lifecycle covering electrical and electronic systems, including their components and interfaces, are covered in ISO/SAE 21434 including:
Design and engineering
Production
Operation by customer
Maintenance and service
Decommissioning
This lifecycle approach to cybersecurity management makes ISO/SAE 21434 one of the most comprehensive approaches to connected vehicle cybersecurity. Certified test reports issued by certification centers are mutually recognized worldwide, including in the United States, Europe, Korea, and Japan, and have equal efficacy and public confidence internationally. Compliance with security regulations now serves as a “right to enter” into new markets, and only companies with this capability can export and gain new supply chains.
Getting TISAX and ISO 21434 Certified
TISAX (Trusted Information Security Assessment Exchange) certification, a cybersecurity framework devised by the German Automobile Industry Association (Verband der Automobilindustrie, VDA), has established itself as an information security standard in the global automotive industry. Sensitive data in CAD/CAE files, office documents, and supplier information, which are the center of corporate competitiveness, are shared within a huge supply chain. Since important information is being circulated on a much larger scale than in other industries, affiliates must prove each other’s security level to prevent information leakage during the collaboration process.
Virtually all companies in the German automotive supply chain (automobile manufacturers, OEMs, partners, suppliers), whether based in Germany or not, must demonstrate a level of information security management in accordance with the requirements set out by the VDA-ISA. The problem is that TISAX and ISO 21434 certifications are complex and difficult to obtain compared to other international standard information security certifications (ISO) or information security management system certifications (ISMS).
Protect Sensitive Vehicle Information
The best approach to meet the certifications and enable selling into global markets is to use a data-centric security approach to protect and manage files that contain the sensitive data used during the design, development, and manufacture of autonomous vehicles.
Enterprise DRM (EDRM) protects sensitive information from unauthorized access and controls what an authorized user can do with it. By encrypting the files and applying dynamic access controls, you can grant or block a user’s ability to view, edit, print, copy, and even take a screen capture of the information. You can control derivatives of documents since engineers and other users frequently share PDFs or other common formats both internally and throughout the supply chain. Since you have a complete audit trail of user and document activity, you know if someone accessed the documents inside or outside your network. You can also revoke access or change permissions after you distribute a document if the sensitivity of the information changes or if the set of people who should have access to it changes.
Protecting your sensitive intellectual property (IP) while complying with ISO/SAE 21434 and TISAX will be critical for any company working in the automotive industry. Using EDRM to protect your files without changing user workflows will meet these requirements so you can compete in this market.
Do you have questions about protecting CAD files and other sensitive data with Enterprise DRM?
Contact us here.
Corporate data is the lifeblood of business and because of remote work and constant competitive pressures, it is more vulnerable than ever. Protecting that data while still making it available to those who need it is why many organizations are turning to Enterprise Digital Rights Management (EDRM).
Information security, privacy, regulatory compliance, and data governance requirements drive how we manage corporate data. Business requires us to share sensitive information with employees, contractors, business partners, and customers, but we need a way to do it securely without impacting everyone’s productivity.
The realities of today mean that many of us may work from any location at any time, using any device. Outsourced functions range from finance and human resources (HR) to design and manufacturing. If you outsource manufacturing or finance to a third party, how do you define your corporate boundary for data, since your sensitive information is in the hands of a business partner? Add to this the real threat of external hackers and insider threats from employees, contractors, and the third parties you use for key business functions.
How do you protect the most important information in your business?
Here are 5 reasons why you should seriously consider Enterprise DRM as part of your information security, data governance, and compliance strategy.
Protect Your Intellectual Property
Intellectual property (IP) is a critical asset for your business. It lets you create unique products and services that drive revenue. It differentiates you from the competition and keeps your customers coming back. If this information accidentally or deliberately leaks, you can suffer financial loss and possibly go out of business.
EDRM protects your intellectual property from unauthorized access and controls what an authorized user can do with it. You can grant or block a user’s ability to view, edit, print, copy, and even take a screen capture of the information. You can control derivatives of documents since people share IP in PDF or other common formats with both internal and external recipients. Since you have a complete audit trail of user and document activity, you know if someone accessed the documents inside or outside your network. You can also revoke access or change permissions after you distribute a document if the sensitivity of the information changes or if the people who should have access to it change.
Protect Customer Data
Any business that deals with personal information or takes credit cards must protect it from unauthorized access. Regulations such as GDPR, CCPA, HIPAA, PCI DSS, and other numerous laws mandate that third-party data is under strict control and only authorized people can access it. Violations can result in hefty fines and cause major legal and business problems.
EDRM controls how employees, contractors, and business partners use this sensitive information. It can prevent sharing the data with unauthorized users by controlling access, screen captures, and adding visible watermarks to both printed documents and those viewed on a screen or mobile device. Since third-party data typically has a shelf life, you can limit access to a specific time and revoke access to any distributed files immediately, regardless of location.
Protect Your Customer’s Intellectual Property
You may also be a steward of your customer’s intellectual property. Manufacturing and business services organizations commonly have sensitive designs or client data that is worth stealing. An organization’s supply chain can be the weakest link in its security which makes it an easy target for hackers and trusted insiders. Your customers trust you with keeping their intellectual property safe and out of the hands of their competitors.
Enterprise DRM protects your customer’s intellectual property from unauthorized access. You can automatically encrypt and assign access controls to sensitive documents as you save them. If different groups use this information, you can easily limit access based on projects or customers. If an employee working with one customer’s data accidentally shares it with another customer, you are protected since only authorized users can see and use the data. This provides built-in safeguards for those people working on multiple projects.
Protect Employee Privacy
HR, Finance, and other departments have a lot of sensitive employee data, including social security and insurance numbers, health information, salary data, and the results of drug tests or criminal background checks. Controlling its access and distribution is part of the social and legal compact any employee has with her or his employer.
Enterprise digital rights management can limit access to private information by controlling the users and groups that can see it. You can control access dynamically through your identity access management (IAM) system so that as roles change in your company, so do access rights. For information you share with outside service providers, you can provide read-only copies that you can revoke at any time. Only recipients granted access can see the data, so your employees and outside providers can’t share the data with unauthorized users.
Provide Audit Trails
Regulatory compliance is a requirement for many businesses to prove they can manage critical information in a way that ensures chain of custody and proof that only authorized users had access. Compliance is not just a matter of the law but is generally considered good business practice. Compliant companies can prove they take information security and governance seriously and can use this as a selling point to their customers.
Enterprise digital rights management provides an audit trail of all user and file activities to ensure a chain of custody of information for electronic discovery and proves that only authorized users have access to sensitive data. This helps your organization understand the flow of important information and simplifies eDiscovery in the event of litigation. Since many regulations require you to prove to a regulator that you meet their requirements for protecting privacy, audit trails are easily available in downloadable reports.
Enterprise DRM can help you meet information security, regulatory compliance, and data governance objectives, ensure privacy and protect the digital assets of your company. It is the best way to protect your most important business information and get a good night’s sleep.
Which blog posts about document security and protection attracted the most visitors to the Fasoo website in 2021?
Let’s face it: the ins and outs of Digital Rights Management (DRM) in the enterprise don’t exactly make for blog topics that get most people’s juices flowing.
The good news is that content that draws on the insights shared by Fasoo’s longtime, recent, and not-yet customers can overcome this hurdle. Readers interested in Enterprise DRM clearly prefer blog posts that answer relevant questions and provide hands-on advice for IT decision-makers and their teams.
Which Fasoo blog posts hit a nerve in 2021? These were the Top 5:
# 5: Your questions about Fasoo Enterprise DRM vs. Microsoft AIP, answered
“How does Fasoo Enterprise DRM (Fasoo EDRM) compare to Microsoft Azure Information Protection (AIP)?” In one version or another, this was one of the most frequently asked questions the Fasoo team had to answer in 2021.
It’s a tricky one. After all, Microsoft AIP was developed primarily with the document ecosystem of Microsoft Office plus a few third-party file formats in mind. Fasoo DRM, on the other hand, provides document protection at scale and for more than 200 file formats in large organizations and along their supply chain.
So can you compare the two at all? We tried. Let’s just say minivans keep us moving, but for serious business, you may want to consider a super-duty truck.
It seems like many readers have been looking for answers to EDRM-vs.-AIP-related questions. Did you miss the post?
How can you protect digital assets against intellectual property (IP) theft? Without adequate – data-centric – protection, trade secrets can end up with a competitor or a foreign government in a matter of minutes, even seconds: on a USB device, say, or uploaded to a personal cloud storage account from an unmanaged remote work laptop.
And they do. 2021 was marked by the “Great Reset” in the automotive industry. Employees working from home or leaving for a competitor (or both) posed the biggest threat to their company’s proprietary information. How to prevent intellectual property theft in the automotive sector? Many blog visitors turned to our 10-step guide here:
Enterprise-level DRM can be confusing. The – often niche-specific – solutions of the past were expensive, complex to deploy, and difficult to scale. As a result, IT teams weren’t exactly gung-ho about exploring today’s DRM-based information protection.
This has changed. Enterprise DRM solutions have come a long way, which has caused a resurgence of the category and considerable change in perceptions. In 2021, this trend had more IT professionals asking about specifics.
So we dedicated 2021 to cutting through the fog of related terms and acronyms for this growing audience. A timely decision, judging by our blog traffic numbers. The Enterprise DRM Glossary became the 3rd-most frequented post of 2021:
You would think that 28 years after Adobe first introduced its platform-independent “secure” PDF file format, all related document protection questions should be settled. Far from it, as you may know.
Yet PDF files are making up a large share of unstructured business data. Do you know how well all your sensitive PDFs are protected? If the answer is no, consider yourself in good company.
According to a 2021 report, researchers who analyzed publicly accessible PDF files of 75 government security agencies identified only seven that had removed sensitive information before publishing. Ouch.
This data point doesn’t make you feel better? In that case, the # 2 on our Top-5 list of document protection blog posts provides relief. It gives a hands-on introduction to various approaches to securing PDF documents against unauthorized access, including editing, printing, copying, or screenshots:
And the winner is… Boasting not one, but two industry acronyms in the headline, the chart-topper on this Top 5 list defied headline writing best practices and search engine odds in 2021.
DRM and DLP – Data Loss Prevention – both aim to protect sensitive documents against leakage and exfiltration. They are frequently weighed against each other, but that doesn’t explain why this blog post piqued that much curiosity.
Maybe it’s because it fundamentally questioned the traditional “either/or” perspective? If you haven’t read it yet, you can find it here:
Gartner predicted that roughly 50 % of knowledge workers worldwide should be logging in remotely by now. More remote work puts more sensitive data at risk, which increasingly also impacts manufacturing companies. Check out the following ten tips to ramp up your document protection program in 2022.
Quick question: What do automated ransomware campaigns conducted by external attackers have in common with data theft committed by corporate insiders?
In the light of recent incident reports, I can think of three answers off the bat – at a minimum:
In both categories, incidents are on the rise.
Both target sensitive data, since more ransomware attacks begin with stealing confidential documents for extortion or sale on the dark web before encrypting the victim’s data.
Both increasingly exploit work-from-home data security weaknesses.
Examples of the latter include unsecured WiFi networks, unmanaged devices, and endpoint vulnerabilities. At the same time, IT lacks visibility into the online activities of remote employees and contractors.
In a nutshell, this example shows how remote work has become the primary source of risk to digital assets in the enterprise. Now the Omicron variant is pushing even more organizations (back) into remote or hybrid work arrangements.
Additional factors exacerbate the crisis going into 2022. The automotive industry and its supply chains feel the impact. Key employees leverage the “Great Reset” in the industry and leave to join competitors, sometimes taking trade secrets with them. IT teams struggle with staff shortages and often only learn about what happened when it’s too late.
Does this sound familiar?
10 tips to boost your remote work document protection
Get ready for 2022 with our ten tips on how to protect unstructured data in remote work settings:
Identify the threat.
Beware intellectual property theft by insiders. In more than 50 % of documented IP theft cases, the perpetrators were current or former employees or contractors. In addition, when external attackers exfiltrate sensitive information, employee negligence often plays a role.
Identify what’s most at risk.
In most innovation-driven companies, trade secrets are stored in the form of unstructured data. Think confidential Microsoft Office documents, CAD/CAE files, digital images, or PDFs. They come in various (legacy) formats and are often scattered across the organization and along its supply chain. Securing them will be an uphill battle, especially in remote work environments, without the right strategy.
Identify your data protection strategy.
The push into remote and hybrid work environments requires a comprehensive approach to data protection, rather than merely a mix of device-centric endpoint and data loss prevention (DLP) solutions. Recognizing this, more technology companies are adopting a data-centric security model.
With sensitive documents, this means they remain protected regardless of where a file resides or with whom it is shared. The data-centric model ensures document protection independently of networks, servers, locations, and devices, such as unmanaged home office printers.
Protect data throughout its lifecycle.
Digital Rights Management (DRM, sometimes also referred to as Information Rights Management, IRM) is based on the data-centric security model at the core of any Zero Trust strategy. Fasoo Enterprise DRM (EDRM) enables organizations to persistently protect, control and track sensitive documents at rest, in transit, and in use. Encryption, flexible policies, and granular controls govern how and by whom a file can be viewed, edited, printed, and shared within the organization’s IT perimeter and outside – like in the home office.
Protect sensitive files without exceptions.
Does the Enterprise DRM solution you’re evaluating support all industry-relevant CAD and CAE applications? In the automotive industry, support for tools such as AutoCAD, CATIA, or PTC Creo (and many more) and a broad range of PDF file formats is considered essential to ensure future-proof document protection.
Protect workflows and productivity.
Some information protection solutions lack centralized policy management. This shortcoming is known to slow down workflows to a trickle, especially when remote contributors are involved. Fasoo combines central control options with flexible exception management. Exception approval for accessing particular documents from the home office, for example, can be delegated to managers or coworkers instead of waiting for IT.
Control confidential data wherever it goes.
A supplier’s design engineer working from home is requesting remote access to sensitive documents? With Enterprise DRM, it’s just another day in the office. Gartner analysts describe DRM as “one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”
Control print.
Fasoo takes a printer-agnostic approach to secure printing. This approach eliminates most challenges that commonly arise in remote work environments with home printers or print drivers. It enables data owners to centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts. Fasoo Smart Print also lets you set print protection policies for plain documents not secured by EDRM.
Control the screen.
Concerned about a remote team member capturing sensitive data on a screen during an internal Zoom or Skype call presentation? Enterprise DRM provides a screen security component, Fasoo Smart Screen, enabling IT to block and monitor screen capture attempts. For deterrence, it can also imprint documents with a watermark that contains tell-tale user-specific information.
Control data without alienating workers.
Fasoo’s centralized policy management enables flexible, people-centric document protection across organizational boundaries. Everyone who needs to can keep tabs on documents’ whereabouts and protection status, without risking privacy complaints and lawsuits from home office workers. Fasoo Enterprise DRM integrates with all leading federated authentication services, enabling IT to automatically revoke access to EDRM-protected documents once an employee leaves.
Contact the Fasoo team and find out how others in your industry deploy Enterprise DRM in remote and hybrid work environments.
Merger and acquisition (M&A) activities pose major document protection challenges for all parties involved. Leaked or stolen data has caused bidding wars, broken deals, cost millions of dollars in damages, and ruined reputations. How can M&A teams ensure maximum document security without impeding productivity?
Merger and acquisition teams typically range in size from a handful of members in smaller or medium-sized organizations to several hundred internal contributors at enterprise scale. That’s on the buyer’s side as well as on the seller’s teams and includes investment banks or Private Equity (PE) firms.
This headcount, however, doesn’t yet include external contributors. Think research analysts, M&A advisories, outside legal counsel, data protection and privacy compliance consultants, and IT integration specialists. Most of them are involved at one stage or another of the M&A process.
Since the beginning of the COVID-19 pandemic, many internal and external M&A team members have accessed sensitive documents from their home offices. On tight deadlines, they collect, create, review, edit, and share sensitive data that can make or break a deal – or kill it, if that data falls into the wrong hands.
M&A activities at an all-time high – and deal leaks, too
The shift to remote and hybrid work is a powerful driver behind banks and their corporate clients leveraging enterprise-level Digital Rights Management (DRM) to secure M&A-relevant unstructured data. The reasons quickly become clear when we look at a real-life example.
A global automotive component manufacturer is planning with its investment bank the acquisition of a publicly traded semiconductor design and manufacturing company.
It’s high season for M&As, and the planned deal seems like a match made in heaven. Yet from an M&A security perspective, the timing couldn’t be worse. M&A leaks have been spiking recently, according to the SS&C Intralinks 2020 M&A Leaks Report [PDF]. This development means all new M&As face an unprecedented challenge.
The challenge: Remote work amplifies M&A security risks
We’ve highlighted document security risks for banks and financial firms resulting from remote work before. The threat level is even more elevated for members of the extended M&A team who work from home. Preparation and execution of most mergers and acquisitions involve a wide variety of confidential documents – in some cases, thousands of them.
Niche vendors of M&A tool platforms tout the cloud-based Virtual Data Room (VDR) as the solution. Such “deal rooms” have become a fixture in the M&A space. At the same time, data protection experts say that VDRs instill a false sense of security – comparable, perhaps, to standard M&A non-disclosure agreements.
These critics point to the weak – often password-based – security of VDRs and specialized M&A document management systems that can too easily be circumvented. Deal administrators and IT lament interoperability issues with other cloud storage services, as well as manageability and scalability problems.
The solution: data-centric M&A security
Enterprise DRM enables IT to strengthen M&A security instead. Fasoo Enterprise DRM, for example, enables data owners to protect confidential content through all stages of a merger or acquisition.
In our example, we focus on negotiations, due diligence, transaction execution, and implementation. These are the M&A stages where data breaches and deal leaks can be most damaging and costly.
Let’s take a closer look at how the acquirer, its bank, and the acquisition target leverage EDRM to maximize document protection. Enterprise DRM’s data-centric security enables IT and deal administrators to protect, control, and track sensitive data on a per-document basis, on any device, at any time.
M&A and beyond: document lifecycle protection
Fasoo encrypts confidential files at the point of creation or before they get uploaded to a VDR, for example. This protection applies throughout the entire document lifecycle, regardless of which M&A platform any contributing organization may be using.
Negotiations: Centralized policy management enables M&A data owners and deal administrators to remain in control. Fasoo Enterprise DRM lets them flexibly adjust who can access, edit, print, or share sensitive content – including remote workers.
This phase usually involves a large number of Microsoft Office documents in various formats and Adobe PDF files. Dynamic permission control enables deal administrators to assign and revoke file access permissions for reviewers on a temporary basis, for example, to facilitate more than one bidding round.
Due diligence: In our example, the due diligence document list includes (among others) intellectual property (IP) files, tax records, financial planning P&L documents, electronic design automation (EDA) diagrams, facility blueprints, tax filings, HR records, and all sorts of legal PDFs. Throughout the document review process and beyond, data owners and deal administrators centrally manage who has access to sensitive content. Context-aware and hardware-agnostic secure print and pull print capabilities prevent the unauthorized printing of Personally Identifiable Information (PII) at a home office printer or in a shared workspace, for example. Secure screen and watermarking features (“Fasoo Smart Screen”) block or deter screen capture attempts across all applications, including in Virtual Desktop Infrastructure (VDI) environments and browsers.
Post-transaction / implementation: M&A security professionals warn that the post-merger integration of the acquired company with the buy-side is fraught with data protection and compliance risks that can cost the acquirer millions or even billions of dollars. Data breaches are one main reason for the high M&A failure rate. In our example, the acquirer already has Enterprise DRM in place across its global organization, not unlike this Fasoo customer in the same industry. This means trade secrets, personnel PII, even sensitive records exported from databases are automatically detected, classified, prioritized and encrypted when they enter the buyer company’s environment from the acquired company.
During each M&A stage and long thereafter, Enterprise DRM provides persistent protection and consistent tracking. A document usage audit trail keeps IT, compliance managers, and financial regulators in the loop.
After all, “digital M&A became the new norm” during the pandemic, according to the consultants at Bain & Company. This year, more dealmakers discovered the power of Enterprise DRM. They use it to prevent M&A leaks and data breaches from becoming a new norm, too.
Which industries have the highest potential for remote work? Finance and insurance, says McKinsey & Company. There’s a catch, however. How can organizations realize this potential without compromising data security and privacy?
The consultancy found that three-quarters of activities in these sectors can be done remotely without a loss of productivity. Information security wasn’t part of the study. So what are the implications from a data protection perspective?
That’s where things get dicey. The forced rush into hybrid and remote work arrangements and the sorry state of remote work security have bank CISOs and compliance officers on edge. Some – mostly larger – financial institutions have mastered the transformation more effectively than others. What’s their secret?
Before we answer that question, let’s first take a quick step back in time. In 2015, a Morgan Stanley insider downloaded confidential information on 730,000 of the investment bank’s wealth management clients to his personal laptop and posted a sample for sale online. Back then, it could have served as a wake-up call.
Today, it almost seems like quaint history, because not many heeded that call. The shift to Work-from-Home (WFH) due to COVID-19 has taken the insider threat to unstructured data to a whole new level.
Battlezone home office: Data protection reset required?
As a result, insiders – often working remotely – now account for more than 50 % of data breaches in the financial sector, according to security research. Several terabytes of sensitive data have been ransacked or leaked from more banks and financial services or law firms since that 2015 data breach. Think Pandora Papers, the confidential documents including supposedly secure PDF files, images, emails, and spreadsheets from 14 financial service companies offshore.
Bank CISOs and compliance officers we talk to are more worried than ever about the lack of visibility and loss of control over sensitive proprietary data when employees are working from home.
Or take Jeremy Baumruk, who heads up Professional Services at Xamin. His company manages IT security for more than 50 U.S. banks. In early 2020, he told the American Bankers Association’s Banking Journal: “When an employee is using their own computer, IT has almost no control.”
18 months later, research shows: that warning about remote work security still stands. Industry experts point to misconfigured VPNs, insufficiently secured home WiFi networks, unmanaged personal devices, personal cloud storage services, and unmonitored home office printers.
Remote work hasn’t only exacerbated the insider risks posed by negligence or disgruntled employees. Cybercriminals on the outside have taken notice, too. They wage automated campaigns that increase the pressure on banks to take decisive countermeasures.
Many recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention tools (DLP), firewalls, endpoint protection – cannot ensure adequate protection. Recent threat reports confirm: attackers are busy exploiting the remote work blindspots and endpoint vulnerabilities to the fullest.
As a result, credit unions, investment banks, and mortgage lenders, and their remote workers, are bearing the brunt of automated ransomware campaigns right now. In the first half of this year alone, banks experienced a 1,318% year-over-year increase in ransomware attacks, reports cybersecurity firm Trend Micro in its 2021 Midyear Security Roundup.
What does this have to do with document protection? There’s a direct and significant connection. New ransomware variants don’t merely encrypt the victim’s business-critical data and demand a ransom for unlocking it. The latest exploit kits are also optimized for data exfiltration.
In other words, they are designed to search for, scoop up, and siphon off sensitive information, which is then used for more elaborate extortion schemes. Only last week, the FBI sent out this Private Industry Notification [PDF]. It describes how perpetrators specifically target confidential documents about planned mergers and acquisitions, to release them on the internet if the victim doesn’t pay up.
So why have some financial institutions been less impacted than others by data leaks and theft during their shift to remote work?
Identify, protect, control – with Enterprise DRM
One answer is that they didn’t bide their time until the next data breach. Instead, more banks launched a “digital transformation” that some say is long overdue for the industry as a whole. One pillar of their strategy is shifting to a data-centric security model, enabling them to protect their data at rest, in use, and in transit.
Bank CISOs recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention (DLP), firewalls, endpoint protection – cannot ensure adequate protection anymore.
Instead, they leverage Enterprise Digital Rights Management solutions such as Fasoo to identify, encrypt, and oversee the access to unstructured data at the file level. This way, sensitive documents remain protected against unauthorized access if leaked or exfiltrated, no matter how that happens.
The Fasoo Enterprise DRM framework follows a three-way approach to ensure gapless document protection and remote work security:
Identify: Fasoo automatically identifies data worth protecting, from legacy repositories to newly created documents, which are secured at the point of creation. Unlike DLP, which is limited to tagging such information for protection within the organization’s IT perimeter, Fasoo sets the foundation for protecting and controlling confidential data anywhere, on any device.
Protect: Enterprise DRM provides an additional layer of security by combining FIPS 140-2 validated encryption and access control. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).
Control: Fasoo enables banks to assert control over their confidential data through the entire document lifecycle, based on flexible and people-friendly central policy management.
Boost for remote work security and productivity in banking
This control transcends the digital domain. Fasoo’s printer-agnostic secure print capabilities (Fasoo Smart Print), for example, enable organizations to apply print protection and watermarks for plain and DRM-secured documents alike. Its screen security component (Fasoo Smart Screen) applies screen watermarks to applications and URLs to block screen capture attempts of sensitive data and monitors all screen capture attempts.
“Enterprise DRM is working great for us,” says the CISO of an S&P Top 100 global bank, a Fasoo customer. “It gives us a quick at-a-glance look at all our sensitive data and enables us to assert control wherever it goes.”
Would you like to learn more about how organizations in the financial sector, from community banks to global financial institutions, leverage Enterprise DRM to secure their digital transformation?