Tag: data breach

As more operations move to the cloud, employees, contractors, and partners access sensitive data through a browser or remote desktop. Users frequently run reports that pull that data onto their own machines for further analysis.

Protecting this sensitive data while it is displayed on a computer or mobile screen is critical both to prevent unauthorized use and to avoid the litigation and fines that follow violations of privacy legislation.

Here are four use cases for using Screen Security to protect your sensitive data.

Protect PII and PHI on the screen

Allow employees and contractors to work with sensitive data while minimizing the risk of a data breach caused by sharing pictures of that data with unauthorized users.

ERP, CRM, EMR, financial, and other business systems provide users with easy access to detailed personal and company information.  This information is not adequately protected against malicious or inadvertent screen capturing, especially with so many remote workers and people working from home.

Users can access sensitive data on web-based applications and share it with anyone.  They can capture the screen content with an image capture tool or by taking a picture with a phone.  This can lead to a data breach that violates privacy legislation and can lead to litigation, fines, and reputational damage.

Fasoo Smart Screen can block screen capture attempts in specific applications and on specific websites by covering the sensitive content with a secure image that warns users they are trying to copy sensitive data. By letting specific users access the applications while preventing them from capturing sensitive data, you minimize potential data breaches. You can even forcibly minimize target applications when known capture tools are launched, to deter further sharing of sensitive data.

Prevent pre-release of information in files and on internal websites

Stop data leaks by blocking screen capture attempts of product designs, media, and other sensitive information in files and on internal websites.

Internal websites showcase new products and other strategic information that employees and contractors need for planning marketing and sales activities. Sometimes these users take pictures of this information and use the images for personal gain, send them to competitors, or share them on social media.

These actions can create competitive pressure that leads to lost sales or market share once competitors get hold of the material. Since anyone with a phone can take a picture and share it, you need to deter this behavior before it erodes your competitive advantage.

Fasoo Smart Screen can block screen capture attempts of sensitive data on websites and apply visible watermarks to trace potential data leaks to the source. Dynamic watermarks appear in certain applications and specific URLs showing the user’s name, IP address, and timestamp to deter screen capture. By blocking screen capture tools on specific URLs, administrators can control sharing of sensitive data and even see image logs of attempted screen captures.

Protect sensitive data in call and contact centers

Minimize the risk of data leaks by applying a visible watermark to trace sensitive data back to call or contact center employees.

Customer service and contact centers use virtualized or remote desktops to control access to highly confidential information.  Workers could take a screen capture of PII or take a picture with their phone and share that information with unauthorized people outside the company.  This is especially risky with outsourced vendors who may have a high turnover of employees and contractors, and who allow many people to work from home.

Anyone with sensitive data on the screen can easily use a screen capture tool or take a picture of the screen with a phone and share it with colleagues and friends.  If this information becomes public, your company may be subject to fines and litigation.

Fasoo Smart Screen discourages screen capture attempts by applying visible watermarks with user and company information to trace potential data leaks to the source. A customizable, visible screen watermark appears on websites, specific applications, and sensitive documents showing the user’s name, company name or logo, IP address, and timestamp. Administrators can see image logs of attempted screen captures. The visible watermarks deter leaking sensitive data since the user’s name is on the captured image.

Safeguard sensitive financial information in documents

Reduce the possibility of customer and supply chain loss by blocking screen capture attempts of sensitive financial information in files.

Employees and contractors share documents containing sensitive financial information as they work with customers and suppliers.  Someone may create a document and share it or run a report from a financial system.  The users could take a screenshot of the content and share it with anyone, either inside or outside the organization.

If a public company shares this data prematurely, it may disrupt markets and run afoul of SEC rules.  If competitors have this data, they may undermine your supply chain or make a run at your customers with discounts and other strategies to steal them.  Since anyone with a phone can take a picture and share it, you need to stop this from causing problems.

Fasoo Smart Screen can block screen capture attempts of sensitive data in documents and apply visible watermarks to trace potential data leaks to the source. Dynamic watermarks appear in sensitive documents and deter users from sharing images of them since the user’s name, timestamp and other identifying information are visible. If a user tries to take a screenshot of the document, an image appears over the content preventing the attempt. Administrators can see image logs of attempted screen captures to help address potential leaks with users.

Learn more about how Fasoo Smart Screen can help you protect sensitive data shared on screens.

Mergers and acquisition (M&A) activities pose major document protection challenges for all parties involved. Leaked or stolen data has caused bidding wars, broken deals, cost millions of dollars in damages, and ruined reputations. How can M&A teams ensure maximum document security without impeding productivity?

Merger and acquisition teams typically range in size from a handful of members in smaller or medium-sized organizations to several hundred internal contributors at enterprise scale. That applies to the buyer’s side as well as the seller’s, and includes investment banks or Private Equity (PE) firms.

This headcount, however, doesn’t yet include external contributors. Think research analysts, M&A advisories, outside legal counsel, data protection and privacy compliance consultants, and IT integration specialists. Most of them are involved at one stage or another of the M&A process.

Since the beginning of the COVID-19 pandemic, many internal and external M&A team members have accessed sensitive documents from their home offices. On tight deadlines, they collect, create, review, edit, and share sensitive data that can make or break a deal – or kill it, if that data falls into the wrong hands.

M&A activities at an all-time high – and deal leaks, too

The shift to remote and hybrid work is a powerful driver behind banks and their corporate clients leveraging enterprise-level Digital Rights Management (DRM) to secure M&A-relevant unstructured data. The reasons quickly become clear when we look at a real-life example. 

A global automotive component manufacturer is planning with its investment bank the acquisition of a publicly traded semiconductor design and manufacturing company.

Table: Overview of deal leaks by sector (source: SS&C Intralinks 2020 M&A Leaks Report [PDF])

It’s high season for M&As, and the planned deal seems like a match made in heaven. Yet from an M&A security perspective, the timing couldn’t be worse. M&A leaks have been spiking recently, according to the SS&C Intralinks 2020 M&A Leaks Report [PDF]. This development means all new M&As face an unprecedented challenge.

The challenge: Remote work amplifies M&A security risks

We’ve highlighted document security risks for banks and financial firms resulting from remote work before. The threat level is even more elevated for members of the extended M&A team who work from home. Preparation and execution of most mergers and acquisitions involve a wide variety of confidential documents – in some cases, thousands of them. 

Niche vendors of M&A tool platforms tout the cloud-based Virtual Data Room (VDR) as the solution. Such “deal rooms” have become a fixture in the M&A space. At the same time, data protection experts say that VDRs instill a false sense of security – comparable, perhaps, to standard M&A non-disclosure agreements.

These critics point to the weak – often password-based – security of VDRs and specialized M&A document management systems that can too easily be circumvented. Deal administrators and IT lament interoperability issues with other cloud storage services, as well as manageability and scalability problems.

The solution: data-centric M&A security

Enterprise DRM enables IT to strengthen M&A security instead. Fasoo Enterprise DRM, for example, enables data owners to protect confidential content through all stages of a merger or acquisition.

Bar chart: M&A cost distribution, by phase (IBM)

Source: IBM Benchmark Insights: Assessing Cyber Risk in M&A

In our example, we focus on negotiations, due diligence, transaction execution, and implementation. These are the M&A stages where data breaches and deal leaks can be most damaging and costly.

Let’s take a closer look at how the acquirer, its bank, and the acquisition target leverage EDRM to maximize document protection. Enterprise DRM’s data-centric security enables IT and deal administrators to protect, control, and track sensitive data on a per-document basis, on any device, at any time.

M&A and beyond: document lifecycle protection

Fasoo encrypts confidential files at the point of creation or before they get uploaded to a VDR, for example. This protection applies throughout the entire document lifecycle, regardless of which M&A platform any contributing organization may be using.

  • Negotiations: Centralized policy management enables M&A data owners and deal administrators to remain in control. Fasoo Enterprise DRM lets them flexibly adjust who can access, edit, print, or share sensitive content – including remote workers.

    This phase usually involves a large number of different Microsoft Office document formats and Adobe PDF files. Dynamic permission control enables deal administrators to assign and revoke file access permissions for reviewers on a temporary basis, for example, to facilitate more than one bidding round.

  • Due diligence: In our example, the due diligence document list includes (among others) intellectual property (IP) files, tax records, financial planning P&L documents, electronic design automation (EDA) diagrams, facility blueprints, tax filings, HR records, and all sorts of legal PDFs. Throughout the document review process and beyond, data owners and deal administrators centrally manage who has access to sensitive content. Context-aware and hardware-agnostic secure print and pull print capabilities prevent the unauthorized printing of Personally Identifiable Information (PII) at a home office printer or in a shared workspace, for example. Secure screen and watermarking features (“Fasoo Smart Screen”) block or deter screen capture attempts across all applications, including in Virtual Desktop Infrastructure (VDI) environments and browsers.

  • Post-transaction / implementation: M&A security professionals warn that the post-merger integration of the acquired company with the buy-side is fraught with data protection and compliance risks that can cost the acquirer millions or even billions of dollars. Data breaches are one main reason for the high M&A failure rate. In our example, the acquirer already has Enterprise DRM in place across its global organization, not unlike this Fasoo customer in the same industry. This means trade secrets, personnel PII, even sensitive records exported from databases are automatically detected, classified, prioritized and encrypted when they enter the buyer company’s environment from the acquired company.

During each M&A stage and long thereafter, Enterprise DRM provides persistent protection and consistent tracking. A document usage audit trail keeps IT, compliance managers, and financial regulators in the loop. 

After all, “digital M&A became the new norm” during the pandemic, according to the consultants at Bain & Company. This year, more dealmakers discovered the power of Enterprise DRM. They use it to prevent M&A leaks and data breaches from becoming a new norm, too.

Encrypt and control sensitive wealth management data

The financial services industry is a frequent target of hackers, but a larger threat may be trusted insiders since they have access to a lot of sensitive customer data.  Advisers within wealth management practices regularly share data with other advisers, staff members, a counterparty or a trusted third-party service provider. They may inadvertently or deliberately share that data with unauthorized people and pose a risk to their firms and customers. Once shared, most firms have no control over that data. The Ponemon Institute illustrates this risk by reporting that 65% of cyber breaches originated with third parties.

Insiders regularly share customer or other sensitive information with colleagues and third parties by generating and downloading reports from a database. Typically the reports are spreadsheets, which make it easy to analyze the data. Access to the database may be restricted, but once the data is in a spreadsheet, it is easy to share with anyone.

Just recently, BlackRock inadvertently exposed names, email addresses and other information of 20,000 independent wealth management advisers. The data was in several spreadsheets from an internal customer relationship management system and was inadvertently posted on a website by an internal user. There was no hacking, just a mistake by a trusted insider.

In 2017, New York implemented comprehensive cybersecurity regulations to protect New York’s financial services industry and consumers from cyber attacks. Other jurisdictions are following suit. High-profile cases like the Morgan Stanley broker who stole data on more than 350,000 of the bank’s wealthiest clients in 2014 were clearly on the minds of regulators when they created these regulations. Even with these rules in place, BlackRock still experienced a data breach.

Typical approaches to stop data breaches focus on protecting devices and locations from unauthorized access, rather than the data stored on them. These solutions force you to create complex business rules that monitor data movement and alert you to abnormal activities. In the BlackRock and Morgan Stanley cases, authorized users had legitimate access to sensitive data, so these tools may not have flagged anything as abnormal.

The only effective way to restrict access to sensitive data to authorized users is to encrypt it and apply security policies that govern its access. This ensures that only authorized users can access the data, regardless of the file’s location or format, including when it is sent to a counterparty or other third-party service provider. Once a file is encrypted, the organization can trace user activities and even revoke access, whether the file is stored on a local system, mobile device, website or cloud-based repository. Anyone who obtains the file cannot read its contents unless explicitly granted access to it.

Morgan Stanley could have prevented its employee from accessing customer information on his home computer by encrypting it and setting appropriate policies. Once he left the company, his access to company data could be immediately revoked. The BlackRock spreadsheets would have been useless to any unauthorized person, since no one could read their contents unless explicitly granted access. If hackers stole the data in either case, it would be useless to them, since it was encrypted and the hackers had no authorization to access it.

Investors trust wealth management firms to protect their sensitive data. Encrypting files and controlling user access maintains that trust and complies with privacy regulations.

Photo credit: Pavel Rybin

Fasoo sponsored and presented at an event in Columbus, OH on November 13, 2018 entitled “Incident Detection, Response and Recovery” highlighting how to prepare and manage an incident response plan for cybersecurity and data protection. Presented and cosponsored by Catalyst Solutions, IBM and Huntington Insurance, the event brought together experts in legal, insurance, law enforcement, government, accounting and security disciplines to discuss the legal, technical and business issues of preparing for and responding to a data breach.

Bill Blake, Senior Vice President and CCO of Fasoo, presented Incident Response & Recovery: Secure Collaboration for Critical Information which highlighted the Wrapsody platform as a solution to help manage the development, access and control of an incident response plan (IRP).  Bill showed an example of a CISO, Legal Counsel and an external Advisory firm securely collaborating on an IRP and how to control who could access the plan and any supporting documents involved in a response.  The example showed how easy it is to securely collaborate on developing and managing the plan, but also on limiting access prior to, during and after a breach occurs.  Since Wrapsody encrypts documents and controls their access, it guarantees only authorized users can access them.  This is critical because if an incident response plan got into the wrong hands, malicious insiders or external parties could compromise an organization’s data security.

Ed Rice, an attorney at Sherrard, German & Kelly, P.C., talked about the importance of having a data security program in place.  “Not only does it make good business sense, but under the regulatory landscape, for instance in NY, MA and CA, having such a program is a requirement when a company deals in data containing personal information.  Ohio’s new data protection act actually provides a “safe harbor” from liability for a data breach if the company has in place a good data security program”.

One key to a data breach response is maintaining attorney-client privilege between internal or outside counsel and the organizations involved in the breach. A cybersecurity incident is not considered a data breach until an attorney says it is. An attorney should be involved in developing the plan so the plan and any supporting documents are considered attorney work product and come under attorney-client privilege. Since Wrapsody limits access to authorized users, if a malicious insider tried to share documents with external parties, they would not be accessible. If a court tried to subpoena the documents, attorney-client privilege would protect them legally, but Wrapsody’s encryption and access control would prevent access to the files themselves. Another key is having a detailed audit log of document access to prove to auditors, regulators and law enforcement who accessed the IRP during its preparation and execution, thus also helping establish what is subject to attorney-client privilege.

Once an event occurs and the organization executes the IRP, access is controlled and audited.  If internal systems are compromised, Wrapsody enables mobile access to the IRP through a phone and tablet.  Since each version of the IRP and any supporting documents are automatically synced to the Wrapsody server, those involved in the response will have access to the latest information, even if the IRP itself was hit with ransomware.

Protecting company and customer information is the main goal of cybersecurity.  Preventing a data breach is a key tactic, but you need to have a viable incident response plan so you can act quickly and decisively if or when a breach occurs.  Using Wrapsody to prepare and manage the plan along with sensitive documents should be a key tactic in your cybersecurity program.

Stop Insider Threats from Defeating your Business

The headlines today still focus on hackers and other malicious outsiders trying to steal your sensitive data or disrupting your business, but the reality is that insider threats are the biggest challenge to enterprise security.

People with knowledge of your network and systems have a decided advantage when it comes to deliberately or accidentally sharing information with unauthorized users.  Whether it’s a dissatisfied employee looking to make a buck, a retiring worker copying files to take home or a busy executive sending a file to the wrong person, preventing data breaches from privileged insiders can be challenging.

Insiders understand how your business operates and have access codes, user credentials, and the ability to exploit or bypass security controls, especially if they are in senior positions. Most of the time their actions are not intended to do harm, but to get things done quickly. A good example is the retiring FDIC employee who inadvertently copied sensitive data from 44,000 customers onto a USB drive to take home. Not malicious, but a data breach nonetheless.

According to the recent study “Risky Business: How Company Insiders Put High Value Information at Risk” by the Ponemon Institute, C-level executives and Sales departments are the most likely candidates to inadvertently share sensitive information.  While there may be malicious intent for some, according to the Ponemon study, carelessness is the main cause of putting high value information at risk.  These people have access to sensitive company and customer information and with busy schedules come mistakes.

Two statistics from the Ponemon study are telling.  56 percent of those surveyed say company insiders are the primary cause of data breaches and 72 percent say they are not confident they can manage and control employee access to confidential files.

While carelessness is a major cause of data breaches, the lack of good security practices clearly contributes to problems by insiders.  If you can’t determine what is sensitive, you should treat all documents and correspondence as confidential and manage exceptions to the rule.

A good approach is to encrypt all files when you create them and assign permission controls to them, so that no one outside of your organization can access them.  This immediately stops the accidental or malicious act.  If a company outsider can’t access the information, having possession of the file is useless.  Then manage the exceptions where you need to share sensitive information legitimately with outside people.  Couple this with data handling education and overall security awareness training to create a culture that sees security as a business benefit.

As insider threats concern the motives and mistakes of real people, it’s impossible to ignore the human side of things. An effective strategy requires the endorsement and active participation of the board of directors and senior management. Most importantly, the rules must apply to them too, so there is no sense that privilege allows anyone to skirt the rules.

Here are a few ideas to help to detect and stop insider threats.

  • Discover and encrypt sensitive information
  • Prohibit unauthorized sharing of sensitive data outside the company
  • Monitor access to sensitive information to determine proper work patterns
  • Adjust security policies over time to ensure employees can do their jobs without going around security
  • Implement the fewest privileges and access rights so employees can do their jobs effectively
  • Ensure access rights are terminated as soon as an employee leaves the company
  • Monitor contractors’ access to sensitive information and terminate it as soon as it’s no longer needed

Many companies have a handle on protecting high value information from outsiders; protecting it from insider threats requires the same discipline. Giving insider threats the same level of importance protects your business and ensures success and profitability.

Fasoo and Ponemon Study Reveals Employees Highest Security Risk to Organizations

Fasoo just released the results of the security industry’s first look at how confident organizations are about protecting intellectual property and other high value information. In the latest Ponemon Institute survey titled, “Risky Business: How Company Insiders Put High Value Information at Risk”, 72 percent of organizations are not confident they can manage and control employee access to confidential documents and files. This study reveals that insiders are the highest security risk to an organization.

The Ponemon Institute surveyed 637 U.S. IT security practitioners familiar with their organization’s approach to protecting data, documents and files against cyberattacks. For the purpose of this research, high value information includes trade secrets, new product designs, merger and acquisition activity, intellectual property, financial data, and confidential business information.

Based on the findings of the research, employees and other insiders often lack the information, conscientiousness and guidance needed to make intelligent decisions about the information they access and share.  Companies are more confident they can stop external attackers from accessing confidential information than their own employees and contractors.  This study should make executives and security professionals think about how they control internal access to sensitive information.

Some of the key findings from the study include:

  • 56 percent of companies believe the primary cause of data breaches are careless employees
  • 70 percent can’t locate confidential information
  • 60 percent don’t have visibility into what confidential documents and files employees are sharing
  • 73 percent say their organization lost confidential information in the last 12 months
  • 59 percent are not confident in preventing data leakage by careless employees

Safeguarding high value information is a two-way street. Employees need to be responsible and follow data protection policies and safeguards. Companies need to have the tools, expertise and governance practices to protect sensitive and confidential information.

An interesting finding in the Ponemon survey is that sales departments, C-level executives, Finance and Human Resources pose the greatest risk to information assets.  This points to a greater risk of insider threats compromising sensitive data than external hackers and cyber criminals.

“There is a belief that data breaches are the work of malicious actors, internal and external, but it is more often the result of careless behavior by employees who don’t understand the impact of sharing files. The findings in this study should serve as a wake-up call for all organizations determined to protect high value information,” said Larry Ponemon, President, Ponemon Institute. “Better security hygiene, including education and consequences for risky behavior, should include every employee with access to information in addition to the organization locking down proprietary data, intellectual property and confidential information that shouldn’t be accessed by everyone.”


Pulaski County Special School District Data Breach

This week news broke about a data breach within the Pulaski County Special School District. The breach resulted in more than 3,000 employees’ personal information being compromised. It is reported that a PCSSD employee was responsible for the compromise of thousands of current and former employees’ personal information, and she has resigned from her position as of February 2016. Notices to the individuals impacted by this insider data breach were sent out last week.

The former employee was emailing health insurance and benefits reports to her supervisor and blind-copying the information to her personal email address. Names, social security numbers, addresses and the cost of the health insurance to the employee were some of the information included in the breached data. The culprit was also identifying who did not have insurance, along with their social security numbers. The IT Director at PCSSD commented that this behavior had been going on well over a year before it was discovered.

It is striking that organizations still struggle to discover breaches, that it takes them so long to realize a breach has happened, and that they then fail to react properly and fix the issue. It is even more striking that, with all the training and the investments made in technology, this is still a major problem.

The solution to this type of problem is to add data-centric security to the traditional perimeter security deployed in most environments. This additional layer of security includes techniques that protect data as it travels through both the organizational perimeter and beyond, by limiting access to sensitive data according to policies that cover both users and activities.  It can also determine where sensitive data exists within an organization, monitoring the data, and analyzing the ways in which users access, copy, and move it over time. This is done by incorporating identity management systems to correlate specific users with activity on sensitive data.

By using these techniques, PCSSD would have not only prevented the unauthorized activity when the employee sent copies to her personal email address, but would have detected the suspicious behavior to take immediate action.
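The kind of monitoring the paragraph above describes, written here as an added example that is not Fasoo’s code or anything from the PCSSD environment: it parses constructed mail-gateway log lines and flags senders who repeatedly blind-copy an external mailbox on messages carrying benefits or HR report attachments. The log format, the district.example and freemail.example domains, the addresses and the attachment keywords are all assumptions made for the illustration.

```python
"""Flag the insider pattern from the PCSSD writeup: an employee who repeatedly
e-mails HR/benefits reports to a supervisor while BCC-ing a personal mailbox.
Every log line, domain and address below is constructed for illustration."""
import re
from collections import defaultdict

INTERNAL_DOMAIN = "district.example"  # assumption: the organization's own mail domain

# Attachment names that suggest a PII-bearing HR or benefits report (assumed keywords).
SENSITIVE_NAME_RE = re.compile(r"benefit|insurance|payroll|ssn|hr_", re.IGNORECASE)

# Assumed gateway log format, one message per line: timestamp, sender, to, bcc, attachment.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sender=(?P<sender>\S+) to=(?P<to>\S*) bcc=(?P<bcc>\S*) attachment=(?P<att>\S*)$"
)

# Constructed sample log, in chronological order.
SAMPLE_LOG = """\
2016-01-11T08:02:14 sender=jdoe@district.example to=supervisor@district.example bcc= attachment=benefits_report_jan.xlsx
2016-01-11T08:05:30 sender=jdoe@district.example to=supervisor@district.example bcc=jdoe.home@freemail.example attachment=benefits_report_jan.xlsx
2016-01-12T09:10:02 sender=asmith@district.example to=payroll@district.example bcc= attachment=timesheet.pdf
2016-01-18T08:01:55 sender=jdoe@district.example to=supervisor@district.example bcc=jdoe.home@freemail.example attachment=insurance_costs.xlsx
2016-01-25T08:03:41 sender=jdoe@district.example to=supervisor@district.example bcc=jdoe.home@freemail.example attachment=benefits_report_feb.xlsx
2016-01-26T14:22:09 sender=bjones@district.example to=vendor@partner.example bcc= attachment=contract.pdf
"""


def parse_line(line):
    """Return the message fields as a dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_external(addr):
    """True for a non-empty address outside the organization's domain."""
    return bool(addr) and not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def find_exfil_candidates(log_text, min_events=2):
    """Collect messages that BCC an external address while carrying a sensitive-looking
    attachment, then keep senders who did so at least min_events times.

    Returns {sender: {"count", "first_seen", "last_seen", "external_bcc"}}; first/last
    assume the log is in chronological order, which is how the sample is built."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_external(ev["bcc"]) and SENSITIVE_NAME_RE.search(ev["att"]):
            events[ev["sender"]].append(ev)

    findings = {}
    for sender, evs in events.items():
        if len(evs) < min_events:
            continue  # a single occurrence may be a typo; repetition is the signal
        findings[sender] = {
            "count": len(evs),
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "external_bcc": sorted({e["bcc"] for e in evs}),
        }
    return findings


if __name__ == "__main__":
    for sender, f in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{sender}: {f['count']} messages from {f['first_seen']} to {f['last_seen']}, "
              f"BCC to {f['external_bcc']}")
```

On the sample log the only sender flagged is jdoe@district.example, with three messages over two weeks; the single clean message to the supervisor and the unrelated external message to a vendor are not reported.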

In the past, it was sufficient to protect an organization’s IT perimeter with tools such as firewalls, VPNs, intrusion detection, end-point security, and data loss prevention (DLP). These techniques no longer are effective by themselves against today’s threats such as APTs, other sophisticated attacks or insider threats – clearly evidenced by breaches making the headlines on a regular basis. Such was the case with the PCSSD breach.

Healthcare Data Breaches and Flash Drives, Still?

Healthcare data breaches due to misplaced flash drives seem to be a rising trend; another case was reported on August 7, 2015. Lawrence General Hospital in Massachusetts reported that a flash drive was missing. Even though it held very limited patient information, it did include lab testing information such as patient names, lab testing codes and slide identification numbers. Letters were sent to about 2,000 patients, and the hospital has yet to locate the flash drive. According to its website, the misplaced flash drive was “unencrypted”.

How many times have we heard this type of data breach occur and appear on our news feed?

In July, OhioHealth had reported a similar data breach after discovering that a flash drive had gone missing. Approximately 1,000 patients’ data became vulnerable, and about 30 or so Social Security numbers were compromised. As in the previously mentioned breach, this flash drive was “unencrypted” as well. In addition, in South Carolina, a safe containing two flash drives and two hard drives holding EMS patients’ Social Security numbers, names, addresses and clinical information was stolen, and, you guessed it, the flash drives were unencrypted.

It is not enough just to reinforce staff training and education on the “importance” of handling patient information securely; the data itself must be protected persistently no matter where it goes. Given these three incidents, it should now be beyond doubt that flash drives carrying sensitive information, including PHI (Protected Health Information) and other limited patient information, must be encrypted with data-centric security.

By adding context-aware data protection to your security framework, you can guarantee that only authorized people can access sensitive PHI no matter where it is. By encrypting this data and applying persistent security policies to it, even if the data leaves your network on a flash drive, as in this case, it is still protected and always under the appropriate control.

As breaches of this nature continue to occur, it is important that healthcare providers continue to emphasize the importance of keeping health data secure, and also that healthcare organizations themselves make sure they have the appropriate data security to protect against external and internal threats on all of their devices, especially on flash drives.


Photo credit by: Custom USB

Data Breach Lawsuits Are on the Rise

With data breaches increasing and hackers breaking into major companies and stealing customer data at an alarming rate, lawsuits relating to these breaches have been a hot topic. Although companies have faced a catastrophe in terms of brand image, legally they have been shielded from damages. That is, until now.

According to a recent article, a ruling by the 7th Circuit Court of Appeals reinstated a lawsuit against Neiman Marcus over a 2013 data breach in which hackers stole credit card information from as many as 350,000 customers. The three judges’ ruling has created a stir in the legal environment because it lowers the bar for consumers who want to sue over such breaches.

The lawsuit had initially been thrown out on the reasoning that customers could simply have relied on their credit cards’ fraud protection programs, and that although such breaches had been shown to make customers fear future fraud and identity theft, they did not cause any “imminent” threat or “concrete” injury.

However, the 7th Circuit reinstated both types of claims: those of customers who had incurred expenses tied to the Neiman Marcus hack, and those of customers who feared future identity theft. The key point Chief Judge Diane Wood made was: “Why else [other than to cause harm] would hackers break into a store’s database and steal consumers’ private information?”

Ultimately this ruling will most likely not help consumers cash in; however, it will build the pressure for companies to take a serious look at their data security solutions and see if they have what it takes to truly secure their data. Companies must show that they have acted reasonably and have taken reasonable yet realistic measures to prevent a data breach and not make themselves a target.

It is quite evident that having a data security framework that works is necessary in taking a stance against data breaches. Organizing unstructured data, data encryption and comprehensive risk analyses prior to a breach happening all need to be in place to show not only consumers but the courts that, as an organization, we have done all that we could to avoid a data breach. Taking these proactive measures to have strong security policies will go a long way towards mitigating an organization’s liability in a class-action lawsuit such as this one.

Although legal action against an organization after a data breach may be inevitable, positioning yourself with this kind of solution will put the organization in a better position to defend the lawsuit and also deflect some of the greatest damage to an organization’s brand image and reputation.

Taking a hard look at what kind of data security you have now, and being proactive about protecting your customers’ most valuable data, is the first step in avoiding all the damage that will occur with a data breach. Being able to control your data no matter where it is can be the best way to improve your information security.


Photo credit by: PRSA-NY

Airlines and Schools, Data Breaches Are Going from Bad to Worse in 2015!

Will the bad news ever stop making the headlines? Evidence now indicates that hackers with connections to China were responsible for the recent data breaches at United Airlines, the Office of Personnel Management (OPM), and health insurer Anthem. In addition, on July 31, the University of Connecticut (UConn) announced that its engineering school servers were hit by a cyberattack originating from China.

United Airlines, the second-largest airline in the world, detected a cyberattack on its computer systems in May of this year after being warned by the FBI and federal investigators. Some of the stolen information includes flight manifests, which include names, birthdays and travel information. United is one of the biggest contractors with the United States government among airlines and is a gold mine for data on the travel of government officials, military personnel and contractors.

As if this were not enough, on July 31 came another headline, about a cyberattack on an unclassified email system in the Pentagon. The attack affected the unclassified email network of 4,000 military and civilian personnel working for the Joint Chiefs of Staff.

“This is a key moment in our Nation’s history,” said United States Chief Information Officer Tony Scott in his blog post. “As the number of threats continues to increase, affecting both the public and private sector, we must take aggressive and decisive steps to protect our networks and information. Our economy, and the credibility and viability of our most cherished and valuable institutions depend on a strong foundation of trust and the protection of critical assets and information.”

The question now is how do we defend against the threats? How do we close this “threat gap” that has been causing all of these data breaches?

A data-centric approach is the only way to protect against these threats and provide persistent data security for these organizations. Without this kind of continuous control of their data, organizations are extremely vulnerable and could be in grave danger of providing hackers with the necessary information to sell, use or pass sensitive information to the wrong people. As legislation and regulations are being put forward, it is important to be ahead of the game. With data-centric security, which includes strong encryption and permission control, none of these recent data breaches would have hit the headlines in a negative way. Instead, these organizations would have been commended for their proactive thinking prior to these attacks.


Photo credit by: Lars Steffens

Data Security’s Impact on Internet of Things

According to Gartner, Inc., by 2020, 25 billion Internet-connected “things” will be in use. The Internet of Things (“IoT”) has rapidly become one of the most used expressions across business and technology. IoT is defined as “a scenario in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”

Now, how does data security play into this? Well, there are very clear data collection guidelines that companies and public organizations must abide by in the EU; the US, however, has yet to enact a single data protection law comparable to that of the EU. Instead, the US has a patchwork of federal and state laws and regulations that sometimes overlap. Either way, when it comes to ‘things’ collecting data, there are as yet no standard guidelines, laws or regulations on securing this data. With a recent study estimating that 13 billion ‘things’ are collecting data – and that number expected to nearly double within five years – everyone should be concerned. If this data is not secure, hackers and insider theft could cause catastrophic damage.

It is vital that this data is secured, and even more so encrypted, in order to avoid not just theft of data but also data being deliberately miscommunicated by terrorists to cause harm. This may seem extreme to some, but with recent cyberattacks reported to have come from state governments and terrorist groups, is it even worth taking our chances by not securing this data?

Although there are benefits for businesses, government and consumers, such as smart cities, better healthcare through remote sensors and better ways of targeting consumers, we are handing over a lot of data without perhaps realizing it.

When we encrypt the data and apply persistent security policies to it automatically, sensitive data is protected regardless of where it is or how it is transmitted. If those collecting the data, whether inside or outside the organization, tried to use it for any other purpose and to open it without the proper authorization, they would be denied access to the data.

The future and promise of the IoT is huge, but so is the potential for security breaches and threat gaps. Every organization that deals with data collected from these IoT devices must rethink how to protect these massive amounts of data. Protecting it with data-centric security will ensure that the data stays secure and that consumers can continue to use these ‘things’ for the convenience they were intended to provide, with the assurance that their data is protected.
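The idea in the flash-drive post and again here, that an encrypted file carries its own usage policy and refuses to open without authorization, can be shown in a few lines. This is an added illustration written for this page, not Fasoo’s product code: a usage policy (which users may do what, until when) is authenticated together with the ciphertext, so editing the policy or opening the file with the wrong key or as the wrong user is denied. To stay standard-library only it builds the keystream and tag from HMAC-SHA256; a real deployment would use an AEAD such as AES-GCM. The master key, the policy, and the lab record are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
import time

def _derive(master_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from one master key.
    return hmac.new(master_key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC (demonstration only; use AES-GCM in practice).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def protect(plaintext: bytes, master_key: bytes, policy: dict) -> dict:
    """Encrypt the data and bind its usage policy to the ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    nonce = secrets.token_bytes(16)
    policy_json = json.dumps(policy, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, policy_json + nonce + ciphertext, hashlib.sha256).digest()
    return {"policy": policy, "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}

def open_protected(container: dict, master_key: bytes, user: str, action: str, now=None):
    """Return (allowed, reason, plaintext); plaintext is released only if the tag
    verifies (policy and data untampered) and the policy permits user, action and time."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    policy_json = json.dumps(container["policy"], sort_keys=True).encode()
    nonce, ciphertext = bytes.fromhex(container["nonce"]), bytes.fromhex(container["ct"])
    expected = hmac.new(mac_key, policy_json + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(container["tag"])):
        return False, "integrity check failed (policy or data altered, or wrong key)", None
    policy = container["policy"]
    if (time.time() if now is None else now) > policy["expires"]:
        return False, "policy expired", None
    if action not in policy.get("users", {}).get(user, []):
        return False, f"{user!r} is not permitted to {action!r}", None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return True, "ok", plaintext

# Constructed sample: a lab record copied to a flash drive, viewable by two named users.
MASTER_KEY = secrets.token_bytes(32)  # held by the policy server, never stored on the drive
SAMPLE_POLICY = {"users": {"dr.lee": ["view"], "lab.tech": ["view", "print"]}, "expires": 4102444800}
SAMPLE_RECORD = b"patient=Jane Doe;lab_code=CBC;slide=S-0042"
CONTAINER = protect(SAMPLE_RECORD, MASTER_KEY, SAMPLE_POLICY)

if __name__ == "__main__":
    print(open_protected(CONTAINER, MASTER_KEY, "dr.lee", "view"))   # allowed
    print(open_protected(CONTAINER, MASTER_KEY, "intern", "view"))   # denied by policy
```

Because the policy is covered by the tag, a finder of the drive cannot grant themselves access by editing it; without the master key the container is just opaque bytes.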

Photo credit by: Playing Futures: Applied Nomadology
