Blog

Tag: CCPA

Complying with CCPA - What are some of the landminesThe potential landmines for compliance with CCPA is pretty high.

One of the first things is that a lot of companies don’t know how to interpret the law. We saw that with GDPR for the year prior to it going into effect. CCPA is a lot like it, but there are likely still questions.

Secondly, is the DSRs (Data Subject Requests) or the right to be forgotten. People are very in tune with their privacy these days and will want to act on it, not only for the reduction of spam, but for the identity theft potential. The requests will likely come too fast and companies with a lot of data containing personally identifiable information (PII) – the very thing those DSs will be after them for – will find themselves in a position where they don’t know where to start.

Thirdly, most have also not started tackling unstructured data that may contain that PII. Most companies are working on dated data governance policies to begin with and haven’t updated systems, process, procedures, included unstructured data, and don’t have the tools in place to properly protect data. So they will need to first, find what data they have (whether it is dark or otherwise), and get rid of it based on its age and usefulness.

On a separate, yet related note, as with most research organizations, a recent webinar by AITE Group,  touched on the privacy regulation subject.  Since California has set their privacy regulations wheels in motion, and there are 11 other states that are making changes for the stricter, the U.S. is seemingly having problems with standardizing privacy laws across the nation.  Arguments around who will enforce (which, by the way, was  a common question with respect to GDPR), and how can’t be decided on.  And this makes sense.  For Europe, there are 27 member states, so they will enforce their own vs. the U.S. – we are one country.  So while there does need to be a national data privacy law, let’s not hold our breath.

The best way to comply with CCPA and similar privacy regulations is to classify sensitive data as confidential and immediately encrypt it.  This protects the data, controls user access and tracks the file wherever it travels.  Rather than relying on complex classification processes to control what users can or cannot do, this approach optimizes classification and streamlines a path to protect and control your most sensitive data.  You also don’t have to worry about location anymore, since the file is always encrypted and access controlled.

Photo credit R. Miller

 

Define a Practical Data Governance Plan for Unstructured DataThe phrase “It takes a Village to raise a child” is true.  But it is also true that it takes a team to develop a data governance and policy management strategy!

Teamwork is important when developing a data security strategy. As part of that process, data governance and policy management needs to be part of the equation. It’s becoming more and more clear that organizations struggle with policy management – particularly with unstructured data. The very nature of unstructured data leaves it vulnerable to exposure and loss. Insider threat is of particular concern because while hackers typically attack structured databases, your employees and other valued insiders are accessing those databases on a regular basis. The insiders can download sensitive information into spreadsheets and reports. They are accessing your intellectual property, such as product designs and roadmaps. It’s the insiders that will walk off with those designs and sell them to your competition or bring it to a competitor to jumpstart the next phase of their career. The loss of this information will not only cost you revenue, but can also result in a regulatory fine. Who can afford that?

It’s really important to work as a team to:

  • Define a Practical Data Governance Plan for Unstructured Data
  • Identify Use Cases & Conduct Workflow Reviews
  • Turn Use Cases Into Unified and Centralized Policies
  • Develop a Change Management Plan

In Fasoo’s next webinar, Why Leadership and Data Governance is Critical to Policy Management, Ron Arden and Deborah Kish will call out these steps and provide insights to what the best practices around the teamwork that will help you get to a better data governance and policy management strategy.  The last of our 3 part webinar will be September 18th at 2 pm.  You won’t want to miss it.

Photo credit Anna Samoylova

Work as a team for unstructured data securityLast week, Fasoo sponsored and participated in the ISMG Cybersecurity Summit in New York City.   It was a great event, well attended and in the Theater District and the ISMG folks were awesome to work with!

As part of our sponsorship, Fasoo had a 10 minute Tech Spotlight where, rather than providing a “death by powerpoint” tech dump, we thought it would be good to get everyone thinking about working together as a team with respect to their data security initiatives by following the example of geese. Below is the recap for the greater audience.

When geese fly south for the winter or are moving from one pond or lake to another, they do so in a V formation.  There is a bunch of science around this, but to make a long story short they:

  • Flap their wings to ensure better lift and a more efficient flight
  • They take turns leading the way to ensure each have had a break
  • They stick with each other in times of trouble

Geese are sensible in that they share the responsibility of working together as a “team” to help them get to their destination efficiently and meet the goal of the journey!  For the purposes of this post, we equate the journey to better data security across all businesses.

Many organizations’ stakeholders (C-Level, business unit leaders etc.) don’t talk to one another with respect to how they need to handle data security. Each has their own agenda, process, budget, ideas and such, but much more can be accomplished when working together.  Understanding each others’ goals and coming up with a plan on which to execute.  And so, think about the flock of geese and their relocation journey (to the south, from body of water to body of water) the way you should think about your data security projects and initiatives.  Work as a team.  Talk to one another and get on the same page. Talk about your data and make a plan with the goal toward protecting it and creating a stronger data security strategy that, as a company, you can achieve.  Understand each other’s goals and ensure that you reach them.

Now, some geese –  you may or may not know – get what is called “angel wings” – they are little tufts of feathers sticking out of the side of the wings.  It is usually caused by a poor diet (i.e. bread – please don’t feed geese bread – it is no good for them) – so for the purpose of this blog, an incomplete or non existent data security strategy – but it leaves them unable to fly and vulnerable to attack from a predator (much like data to a hacker or thief without a good strategy), and ultimately –  left behind.

Like the geese, work together and make sure that your journey toward stronger data security is attained. And keep in mind, things don’t happen overnight. There will be disagreements and things might feel as if they are going nowhere.  But don’t give up!

The upside?  There are many, but great things can come of working together as a team because, you will find that by talking to one another, you’ll discover commonalities across the organization about how data is collected, handled, and used making the journey simpler than you think.   And if you feel that your organization is NOT talking?  Be the thought leader or pioneer for your company or business unit.  Start the conversation.  I’ll help you!

Bring your ideas to the table and don’t let your business be the goose that wound up with angel wings, left behind and vulnerable to attack.

Photo credit Vivek Kumar

Granular access controls are important to protect unstructured dataIn our last post, we said “Without granular access controls, you can’t prevent a user from copying data from a file and pasting it into an email, for example. If you only encrypt a file and do not prevent copy and paste or printing, a user can easily compromise security.” And we meant it.

Now,  you might be asking yourself “What does it mean… granular access controls?” And the answer is simple.

Granular permissions or access controls means you grant specific permissions or enable actions when a user opens a file.  This means you can either allow or prevent a person from doing things in a file when it is open – or “in use” – and since data in use is really difficult to protect, wouldn’t it make sense to add this layer of protection?  By applying granular access controls, you can prevent someone from copying and pasting, taking a screen shot, or printing based on the classification of the file and security policy applied to it.  Users can be either granted or denied specific actions when a document is open.

Intellectual property is extremely valuable to your business, but it is really vulnerable to theft.  Think about your product design plans or maybe your trade secrets or product roadmaps.  Anyone could copy and paste that information into an email and send it to anyone, take a screen shot and text it to a friend or print it and walk out the door with a piece of paper.  If you’ve followed our first webinar “Overcoming Unstructured Data Security and Privacy Choke Points“, you will hopefully be thinking about getting your first line of defense, or your foundation built.  In our next webinar,  “How Granular Access Controls and User Behavior Analytics Close the Gap on Insider Threat” on Wednesday, August 7, 2019 at 11:30 am EST, we “get granular” about granular access controls.

 

Photo credit Kelli McClintock

Protect against insider threatsPicture it.  Your employees access sensitive and confidential customer information every day so they can do their jobs. Once the data leaves the protected confines of an information repository, file share or cloud-based service, your authorized users can share it with anyone, do anything with it and compromise your customer’s confidential information or your intellectual property.  As a result, you may be subject to regulatory fines, not to mention losing customers because they can’t trust you to maintain their confidentiality. And as for IP?  It could get in the hands of your competition, threatening your business.

What do you need to do?  You need to persistently protect confidential data so that customer information and your IP is protected regardless of where it goes and who has it.  Through a file-centric approach, you need to close the security gap that allows you to share sensitive data with unauthorized users by applying granular access controls to sensitive data.  Without granular access controls, you can’t prevent a user from copying data from a file and pasting it into an email, for example.  If you only encrypt a file and do not prevent copy and paste or printing, a user can easily compromise security. 

Picture it.  When you hire an employee, you are trusting them to always have the best interest of the company at heart. The employee trusts that the company will help them reach their goals in terms of career and advancement. Trust should be a two way street.  But in the former, it isn’t always black and white, because we know two things:

  1.  No one is infallible
  2.  Malice exists

To elaborate further… not so much on “No one is infallible” because we all know, mistakes happen.  Information can be accidentally sent to the wrong person through email either internal or external to the organization.   But for the sake of statistics and surveys, IBM recently published a study and cites that “…inadvertent breaches from human error and system glitches were still the cause for nearly half  (49%) of the data breaches in the report, costing companies over $3 million. 

But maliciousness, unfortunately is a reality.  Clear examples of why data may fall victim to exposure include:

  • The employee who gets let go   
  • The employee who leaves the organization because they feel they are being treated unfairly
  • The employee who decides they can advance their career by taking intellectual property or trade secrets to the competition 

As an organization, you can mitigate these risks by applying granular access controls and utilizing user behavior analytics.  This is the topic of my next webinar, “How Granular Access Controls and User Behavior Analytics Close the Gap on Insider Threat” on Wednesday, August 7, 2019 at 11:30 am EST.   If you have an interest in protecting your sensitive and private data, you should.

Photo credit Arlington Research 

PrivacyTo think about stronger data security and privacy protection! But first, I want you to think about the millions of heroes who have served our country.

As we approach the 4th of July, I wanted to take a moment to recognize the heroes in the many branches of the U.S. Military.  From myself, and on behalf of the entire team at Fasoo, THANK YOU for your service!

And while thinking about those who have put themselves at the first line of defense, defending our country and fighting for our freedom, we are still fighting for privacy and stronger data security.  As individuals, we are required to provide tons of personally identifiable information to our doctors, lawyers, employers and financial institutions – trusting that they will safeguard our information.  But data leaks still happen!  So we know we need to take data security and privacy seriously.

Now, I don’t want this discussion to turn political, but it was brought to my attention (thanks, Rick), in an article published by ZDNet that “The US State Department will now require new visitors to the United States to hand over their social media account names as well as email addresses and phone numbers used over the past five years.”

I remember when I was a kid, the USA was referred to as “The Great American Melting Pot” where people were welcomed from all over the world to come here and live their dream!  Freedom.  In fact, my own family migrated from Hungary and settled in Pennsylvania in the early 1900s.  Of course, this was long before the digital age.  Back then, the information collected, while personally identifiable in nature, was not nearly as much in terms of “volume”.  So while people are still coming to this country to live their dreams, the data requirement to do so is a magnitude far above what it used to be, exacerbating the amount of data that needs to be protected.   So what I am saying here is that these visitors’ dreams should NOT include the fear of identity theft and/or exposure of personal data.

In the digital age, our thirst for knowledge and expression has us willing to give information in exchange for merchandise, a whitepaper, maybe even recognition.   And we should be able, with trust and the freedom to do so, without fear.  So at the risk of misquoting one of our Founding Fathers, those who would give up personal data for essential freedom, deserve both privacy and security.

So fire up the grill, add another hot dog or hamburger, tofu for my vegan friends, crack open a beer or have some wine.  Enjoy your friends, family and freedom and by all means, please have a safe holiday!

By Deborah Kish – EVP Research & Marketing

GartnerI have to say, being on the other side of the Gartner Security and Risk Management Summit was a combination of exciting, fun, and educational. The cool thing is that I still got to get up on stage and the bonus was to see all the hard work that goes into exhibiting. I think the Fasoo team did a fantastic job setting up and manning the booth.

At our booth at the Summit, we highlighted new features of our Data Radar and Wrapsody eCo products that deliver a unique life-cycle approach to enterprise content challenges plaguing organizations globally.

Overall our booth attracted hundreds of visitors seeking products that can help them regain control over their unstructured data with particular interests in discovery, encryption and access control.

Privacy regulations such as GDPR and CCPA is the driving factor as visitors clearly indicated the need to adapt quickly to the changing environments. Also, new data security related projects have been planned or launched based on recognizing the impact from IT changes within the organization including the adoption of cloud infrastructure and applications.

Our visitors at the Gartner Security and Risk Management Summit ranged from CISOs, business unit owners, and cyber security professionals to Chief Data Officers and Chief Privacy Officers across multiple verticals. I hope I got a chance to meet you!

I was super excited to moderate our solution provider session at the Summit featuring 3 of our customers which included the regional CISO from a global financial institution, a business unit leader in the automotive industry and a consultant who is leading global digital transformation projects in the public sector globally. Each have projects that involve the challenges of unstructured data security and privacy with distinct use cases. They shared with the audience how they successfully “fast tracked” their way through the challenges often associated with these projects and accelerated their organizations’ paths to data centric security and privacy.

They shared how Fasoo helped them in their plight to gain control of and secure their unstructured data, their intellectual property and meet privacy regulations.

Deborah’s Final Thought:
As trends toward cloud and content collaboration continue – as growth in unstructured data increases and the perimeter fades, it is clear now, more than ever, that the market must adopt a file-centric approach to data security. I believe that this approach will minimize the risks associated with sensitive data exposure and help meet regulatory requirements.

By Deborah Kish – EVP Research & Marketing

HIPAAThis has been on my mind. A lot. Every day, I open my email to find news about how a company needs to pay a fine or a fee to either an individual or a regulator because data was leaked or stolen. This one in particular caught my eye because it is a classic example of data being accessed by likely the wrong individual and shared with someone who should definitely not have been able to see it. This one seems to be an access control and encryption play.  If they were in place, this healthcare entity wouldn’t have to shell out $853K and violate HIPAA regulations in the process.

And this one! It dates back to 2015, but it is still one of the largest hack attacks to date, and the settlement (which was just reached) is nearly $1 million dollars!  All because a sophisticated attack allowed the hackers to steal user credentials and 3.5 million patient records.   As a result (besides the $900K) MIE has a laundry list of technologies they will be required to invest in as well as implementing “controls during the creation of accounts that allow access to ePHI”.

This tells me something.  It tells me that there are still so many companies that do not have strong sensitive data security and privacy controls in place.

And, it leads me to feel even more strongly about the “file centric” approach. A file centric approach means that you are focusing on the actual data, (in both of these cases, PII) rather than the location of the data. Encryption and access control in these cases could have made a significant impact and saved; the victims of the breaches from potential harm like ID theft AND the entities themselves a lot of money.  I’ll be talking more in detail about this in my upcoming webinar “Overcoming Unstructured Data Security and Privacy Choke Points” this Thursday, June 6th at 1:30 pm. I’ve embedded the link so you can go ahead and register.

See you then!

By Deborah Kish – EVP Research & Marketing

regulatory complianceI sure hope so!  Well, the one year anniversary of GDPR is upon us and the challenge of effective, easily managed data security and regulatory compliance is palpable.  So, what did Fasoo do? We developed Data Radar (well, it has been around for a long time now) to deliver a unified unstructured data security and privacy approach that addresses the challenge of the evolving, complex compliance regulations like GDPR and CCPA across verticals ranging from healthcare to finance to manufacturing.

Data Radar is worth investigating if you want a solution that can automate unstructured data discovery, classification, protection, tracking, and compliance reporting. It’s got some cool unique features like:

It’s file-centric, meaning it doesn’t matter where it is because it isn’t chasing locations!

It encrypts and can apply access control, meaning the data itself is secure and only those with a valid need can see what it is.  So if it gets lost, stolen, sent to someone who does not have access, it is both private and secure!

It “Tags” the file by embedding a unique identifier which provides visibility, tracking and audit reporting capability.  You can see who, what, when and where that file has been!

It gives you easy automated expiration power!  You set the date for expiring the data and it’s gone!  No need for manual tracking and destruction of data.  You decide when it is no longer part of your unstructured sensitive data footprint.   Now you can concentrate on other important things.

You’ll hear more about it in the first of 3 webinars on Thursday June 6th at 1:30 pm.  Register by clicking here !

unstructured data securityThanks to all of you who responded to my last blog post regarding unstructured data security and privacy topics you’d like to hear more about. Here’s a sampling:

Why do so many data loss prevention projects either stall or de-scope? Why with significant industry expenditures in the space do we continue to experience record-breaking instances of data breaches and exfiltration? What are the latest methodologies and technologies security and privacy executives should consider implementing to protect their sensitive data and comply with stricter and pervasive privacy regulations such as GDPR and CCPA?

Whew, that’s a lot of ground to cover – but, it confirms the complexities that surround unstructured data challenges and the uncertainties security and risk professionals face as they consider ways to attack the problem.

So, here’s what I am going to try and do over the next 90 days – between this blog, our upcoming webinars and my session (Tuesday the 18th @ 10:45 am, Potomac A, Ballroom level) at Gartner’s Security and Risk Management conference next month (oh, and come visit our booth #563)  – essentially, offer an insider’s playbook to implementing an unstructured data security program while enabling privacy controls.  Whether migrating from existing DLP point solutions or wondering where your unstructured data lives today, my goal is to provide a life-cycle perspective as to the best methodologies and how to avoid the pitfalls that have plagued enterprise projects.  Learn ways to streamline, simplify and fast-track your unstructured data project to protect it and comply with privacy regulations.

Fasten your seat belts and stay tuned!

Categories
Book a meeting