
Tag: data breaches

Which industries have the highest potential for remote work? Finance and insurance, says McKinsey & Company. There’s a catch, however. How can organizations realize this potential without compromising data security and privacy? 


The consultancy found that three-quarters of activities in these sectors can be done remotely without a loss of productivity. Information security wasn’t part of the study. So what are the implications from a data protection perspective?

That’s where things get dicey. The forced rush into hybrid and remote work arrangements and the sorry state of remote work security have bank CISOs and compliance officers on edge. Some – mostly larger – financial institutions have mastered the transformation more effectively than others. What’s their secret? 

Before we answer that question, let’s first take a quick step back in time. In 2015, a Morgan Stanley insider downloaded confidential information on roughly 730,000 of the investment bank’s wealth management accounts to his personal laptop and posted a sample for sale online. Back then, it could have served as a wake-up call.

Today, it almost seems like quaint history, because not many heeded that call. The shift to Work-from-Home (WFH) due to COVID-19 has taken the insider threat to unstructured data to a whole new level.

Battlezone home office: Data protection reset required?

As a result, insiders – often working remotely – now account for more than 50% of data breaches in the financial sector, according to security research. Since that 2015 incident, terabytes of sensitive data have been stolen or leaked from banks, financial services firms and law firms. Think of the Pandora Papers: nearly 12 million confidential files, including supposedly secure PDFs, images, emails and spreadsheets, from 14 offshore financial service providers.

Bank CISOs and compliance officers we talk to are more worried than ever about the lack of visibility and loss of control over sensitive proprietary data when employees are working from home. 

Or take Jeremy Baumruk, who heads up Professional Services at Xamin. His company manages IT security for more than 50 U.S. banks. In early 2020, he told the American Bankers Association’s Banking Journal: “When an employee is using their own computer, IT has almost no control.”

Eighteen months later, research shows that warning about remote work security still stands. Industry experts point to misconfigured VPNs, poorly secured home Wi-Fi networks, unmanaged personal devices, personal cloud storage services, and unmonitored home office printers.

Remote work security – infographic excerpt (source: Tessian)

Remote work hasn’t only exacerbated the insider risks posed by negligence or disgruntled employees. Cybercriminals on the outside have taken notice, too. They wage automated campaigns that increase the pressure on banks to take decisive countermeasures. 

Many recognize that the traditional, device-centric emphasis on IT perimeter defenses – Data Loss Prevention (DLP) tools, firewalls, endpoint protection – cannot ensure adequate protection on its own. Recent threat reports confirm it: attackers are exploiting remote work blind spots and endpoint vulnerabilities to the fullest.


Document theft-as-a-service: Search. Scoop up. Siphon off.

Credit unions, investment banks and mortgage lenders, along with their remote workers, are bearing the brunt of automated ransomware campaigns right now. In the first half of this year alone, the banking industry saw a 1,318% year-over-year increase in ransomware attacks, reports cybersecurity firm Trend Micro in its 2021 Midyear Security Roundup.

What does this have to do with document protection? There is a direct and significant connection. Current ransomware does not merely encrypt the victim’s business-critical data and demand a ransom for the decryption key. The toolkits are also built for data exfiltration ahead of encryption, so that a second ransom can be demanded for not publishing the stolen files.

In other words, they are designed to search for, scoop up and siphon off sensitive information, which then feeds more elaborate extortion schemes. Only last week, the FBI issued a Private Industry Notification [PDF] describing how perpetrators specifically target confidential documents about planned mergers and acquisitions, threatening to release them online if the victim does not pay up.

So why have some financial institutions been less impacted than others by data leaks and theft during their shift to remote work? 

Identify, protect, control – with Enterprise DRM

One answer is that they didn’t bide their time until the next data breach. Instead, more banks launched a “digital transformation” that some say is long overdue for the industry as a whole. One pillar of their strategy is shifting to a data-centric security model, enabling them to protect their data at rest, in use, and in transit.

The lesson bank CISOs have drawn: perimeter controls – DLP, firewalls, endpoint protection – stop protecting a document the moment it leaves the network, whether on a personal device, through a home printer or over an attacker’s exfiltration channel.

Instead, they leverage Enterprise Digital Rights Management solutions such as Fasoo to identify, encrypt, and oversee the access to unstructured data at the file level. This way, sensitive documents remain protected against unauthorized access if leaked or exfiltrated, no matter how that happens.

The Fasoo Enterprise DRM framework follows a three-part approach to ensure gapless document protection and remote work security:

    • Identify: Fasoo automatically identifies data worth protecting, from legacy repositories to newly created documents, which are secured at the point of creation. Unlike DLP, which tags such information for protection only within the organization’s IT perimeter, Fasoo lays the foundation for protecting and controlling confidential data anywhere, on any device.

    • Protect: Enterprise DRM adds a layer of security by combining FIPS 140-2 validated encryption with access control. This helps organizations minimize and mitigate risks such as data leaks, insider threats and advanced persistent threats (APTs).

    • Control: Fasoo enables banks to keep control over their confidential data through the entire document lifecycle, based on flexible and people-friendly central policy management.
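To make the three steps concrete, here is an added example (not Fasoo’s code, and not a description of how Fasoo implements them): a stdlib-only Python toy in which content is classified at creation, confidential files are encrypted under a per-document key, and that key is released only by a central policy service that checks the user, the requested action, expiry and revocation on every open. The user names, the SSN/IBAN detection rules and the policy model are assumptions, and the HMAC-based cipher stands in for an AEAD such as AES-GCM so the file runs without third-party packages.

```python
"""Identify / protect / control as a stdlib-only toy. Added example, not Fasoo code.

The HMAC-SHA256 counter keystream plus HMAC tag stands in for an AEAD such as
AES-GCM so this runs without third-party packages; it is not production crypto.
Policies, user names and the SSN/IBAN rules are hypothetical.
"""
import hashlib
import hmac
import json
import re
import secrets
import time
from dataclasses import dataclass

# Constructed sample documents with fictitious data.
SAMPLE_DOC = "Client: Jane Doe, SSN 123-45-6789, IBAN GB82WEST12345698765432, balance 1.2M"
SAMPLE_MEMO = "Cafeteria closed Friday for maintenance."

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
IBAN_RE = re.compile(r"\bIBAN [A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def classify(text: str) -> str:
    """Identify: label content at the point of creation (hypothetical rule set)."""
    return "confidential" if SSN_RE.search(text) or IBAN_RE.search(text) else "internal"


def _subkeys(key: bytes):
    # Domain-separate the encryption and MAC keys from one per-document key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(ek: bytes, nonce: bytes, n: int) -> bytes:
    blocks, ctr = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hmac.new(ek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def _seal(key: bytes, nonce: bytes, pt: bytes):
    ek, mk = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return ct, hmac.new(mk, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC


def _unseal(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    ek, mk = _subkeys(key)
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("container tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


class PolicyDenied(PermissionError):
    def __init__(self, reason: str):
        super().__init__(reason)
        self.reason = reason


@dataclass
class Policy:
    grants: dict          # user -> set of permitted actions ("view", "edit", "print")
    expires_at: float     # epoch seconds
    revoked: bool = False


class KeyService:
    """Control: keys never travel with the file; every open is a policy check and an audit event."""

    def __init__(self):
        self._keys, self._policies, self.audit = {}, {}, []

    def register(self, doc_id, key, policy):
        self._keys[doc_id], self._policies[doc_id] = key, policy

    def revoke(self, doc_id):  # e.g. the owner leaves, or a leak is discovered
        self._policies[doc_id].revoked = True

    def request_key(self, doc_id, user, action, now=None):
        pol = self._policies[doc_id]
        now = time.time() if now is None else now
        if pol.revoked:
            reason = "revoked"
        elif now > pol.expires_at:
            reason = "expired"
        elif action not in pol.grants.get(user, set()):
            reason = "not granted"
        else:
            reason = None
        self.audit.append((doc_id, user, action, reason or "allow"))
        if reason:
            raise PolicyDenied(reason)
        return self._keys[doc_id]


def protect(ks: KeyService, text: str, grants: dict, ttl: float) -> dict:
    """Protect: encrypt at creation; the container carries only an id, nonce, ciphertext and tag."""
    label = classify(text)
    if label != "confidential":
        return {"doc_id": None, "label": label, "body": text}
    doc_id, key, nonce = secrets.token_hex(8), secrets.token_bytes(32), secrets.token_bytes(12)
    ct, tag = _seal(key, nonce, text.encode())
    ks.register(doc_id, key, Policy(grants, time.time() + ttl))
    return {"doc_id": doc_id, "label": label, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_doc(ks: KeyService, c: dict, user: str, action: str = "view", now=None) -> str:
    if c["doc_id"] is None:
        return c["body"]
    key = ks.request_key(c["doc_id"], user, action, now)
    return _unseal(key, bytes.fromhex(c["nonce"]), bytes.fromhex(c["ct"]), bytes.fromhex(c["tag"])).decode()


def _outcome(fn) -> str:
    try:
        fn()
        return "allow"
    except PolicyDenied as e:
        return "denied: " + e.reason
    except ValueError:
        return "tampered"


def demo() -> dict:
    """Walk an exfiltrated container through the lifecycle; returns outcomes for inspection."""
    ks = KeyService()
    owner, analyst, outsider = "owner@bank.example", "analyst@bank.example", "mallory@example.net"
    doc = protect(ks, SAMPLE_DOC, {owner: {"view", "edit", "print"}, analyst: {"view"}}, ttl=3600)
    memo = protect(ks, SAMPLE_MEMO, {}, ttl=3600)
    tampered = dict(doc, ct=doc["ct"][:-2] + ("11" if doc["ct"][-2:] == "00" else "00"))
    r = {
        "memo_left_plain": memo["doc_id"] is None,
        "ssn_visible_in_container": "123-45-6789" in json.dumps(doc),
        "analyst_view": open_doc(ks, doc, analyst) == SAMPLE_DOC,
        "analyst_print": _outcome(lambda: open_doc(ks, doc, analyst, "print")),
        "outsider_view": _outcome(lambda: open_doc(ks, doc, outsider)),
        "expired_view": _outcome(lambda: open_doc(ks, doc, analyst, now=time.time() + 7200)),
        "tampered_owner_view": _outcome(lambda: open_doc(ks, tampered, owner)),
    }
    ks.revoke(doc["doc_id"])  # the copy on a personal laptop is now just ciphertext
    r["owner_after_revoke"] = _outcome(lambda: open_doc(ks, doc, owner))
    r["audit_events"] = len(ks.audit)
    return r


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the walk-through in demo() is the last step: after revoke(), the same container that an insider copied to a personal laptop, or that ransomware exfiltrated, yields nothing to anyone, including the former owner, and every attempt is left in the audit log. A real deployment would additionally need authentication of the caller, key storage in an HSM or KMS, and an online or cached-lease check for offline use, none of which this toy attempts.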


Boost for remote work security and productivity in banking

This control extends beyond the digital domain. Fasoo’s printer-agnostic secure print capabilities (Fasoo Smart Print), for example, let organizations apply print restrictions and watermarks to plain and DRM-secured documents alike. Its screen security component (Fasoo Smart Screen) applies screen watermarks to applications and URLs, blocks screen capture of sensitive data and logs every capture attempt.

“Enterprise DRM is working great for us,” says the CISO of an S&P Top 100 global bank, a Fasoo customer. “It gives us a quick at-a-glance look at all our sensitive data and enables us to assert control wherever it goes.”

Would you like to learn more about how organizations in the financial sector, from community banks to global financial institutions, leverage Enterprise DRM to secure their digital transformation?

Connect with our industry experts here. 

###

Still Not Encrypting Your Data?

Are we still not encrypting our data, at a time when cyber-attacks have hit so many big names in healthcare, retail and government? Recently, hackers broke into the UCLA Health System’s computer network and may have accessed sensitive information on as many as 4.5 million patients. The information included names, dates of birth, Social Security numbers, Medicare and health plan identification numbers, as well as some medical information such as patient diagnoses and procedures.

The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.

What makes this even bigger news is that UCLA did not take the basic step of encrypting patients’ data, even after the major breaches at the federal government and at health insurance giant Anthem Inc. This has drawn swift criticism from security experts and patient advocates. It is no secret that the healthcare industry has been the target of many data breaches. Yet the breaches keep coming, and the vulnerability of these systems has made it a field day for hackers to steal sensitive data.

Nowadays it is not only lost business and patients taking their care elsewhere that hospitals have to worry about: the government also investigates breaches of patient privacy and can levy significant fines for violations under the Health Insurance Portability and Accountability Act (HIPAA).

However, compliance aside, the most important aspect is to ensure that this information is really protected. In a recent article, in HIT Leaders and News, the article mentions how “while compliance is still a major driver in healthcare, compliance does not equal security. Organizations that drive data security efforts based on compliance put their data at risk. Healthcare organizations need to take a more holistic and proactive approach in their data security strategy.”

The same article notes that recent legislation in New Jersey has taken the step of mandating encryption for protected health information (PHI) held by health insurance carriers, encryption that “renders personal information unreadable, undecipherable or unusable by unauthorized persons.” That means more than putting a password on your data: it calls for a robust method that keeps every copy of the data secure, no matter where it is.

Let us hope that breaches like this one have taught healthcare organizations, and organizations in other industries, that they must implement security and encryption to “completely block the path to your most valuable assets.”


Photo credit: jfcherry

Data Breaches on Record Pace for 2015?

Earlier this month, an article reported that data breaches in 2015 are on pace to break records, both in the number of breaches and in records exposed. In 2014, the number of US data breaches tracked by the Identity Theft Resource Center hit a record high of 783, with about 86 million confirmed records exposed. So far this year, as of June 30, the number of breaches has reached 400, with about 118 million records confirmed to be at risk.

We have all heard about the government data breaches in the headlines. Beyond those, three organizations in very different industries recently acknowledged breaches that together exposed more than 92,000 people’s personal information: Florida’s Orlando Health, California’s Cuesta College and Michigan’s FireKeepers Casino.

Orlando Health announced on July 2, 2015 that approximately 3,200 patients’ personal records were exposed by a former employee. The data included names, birthdates, addresses, medications, medical tests, test results and other clinical data. This was not the first time: in January 2014 a misplaced flash drive exposed 586 children’s data, and in February 2013 a former medical assistant stole patient records.

Cuesta College announced on May 31, that a college human resources analyst on medical leave allegedly downloaded reports containing approximately 4,000 current and previous employees’ personal information, then emailed the reports to a personal email address.

Lastly, Michigan’s FireKeepers Casino announced on July 3, 2015 that approximately 85,000 credit and debit cards used between September 7, 2014 and April 25, 2015 may have been compromised. It also discovered possible unauthorized access to a file storage server holding customers’ Social Security numbers and/or driver’s license numbers, as well as current and former employees’ Social Security numbers, health benefit selections and medical billing information.

The story is the same every time: none of the data had been encrypted, despite years of advice from security companies and from reporters covering the field that data needs to be protected. Now governments, state governments in particular, are requiring organizations that hold or store customers’ personally identifiable information to secure it “by encrypting them or by any other method or technology that renders the personal information unreadable or unusable.”

By encrypting this data and automatically applying granular permissions to it, personally identifiable information, intellectual property and other sensitive information remain protected. With data-centric security, whether the threat is a malicious or careless insider such as a current or former employee, or an outside hacker who has gained access to your file storage server, your data stays protected wherever it goes.


Photo credit: Jbosarl

Data Encryption is Now Mandatory, Are You Prepared?

On July 1, Connecticut Governor Dannel Malloy signed legislation that expands the state’s definition of personal information and requires new data breach security terms and conditions in every state contract dealing with confidential information. According to the article, the bill also states: “Not later than October 1, 2017, each company shall implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company.” The security program must be in writing and contain appropriate administrative, technical and physical safeguards.

This bill also addresses the issue of data encryption, and explains that all personal information that is being transmitted wirelessly or on a public internet connection must be encrypted. Sensitive personal data must also be encrypted on laptops and other portable devices.

With all the recent major data breaches, many of which have affected people and organizations in Connecticut, the state is clearly taking a stand: customer data must be encrypted.

Encryption protects confidential information: if the information is encrypted with sufficient strength, it stays safe even when stolen or lost on any medium, and it is protected in transit. What encryption alone does not prevent is the leak after an authorized recipient has decrypted it. Since most data leaks originate with insiders who have, or had, access to documents, organizations must complement their existing security infrastructure with a solution that protects data in use, persistently.

Enterprise Digital Rights Management (DRM) is a systematic way to protect information persistently against insiders as well as outside threats. Enterprise DRM controls how DRM-enabled documents can be used, based on the permissions granted to the user, so the documents stay protected at rest in storage, in transit and also in use.

Enterprise DRM enables the circulation of confidential information without fear of leaks: handling customer information for better support without risking PII (Personally Identifiable Information) exposure, and sharing trade secrets or technical details with trusted partners.

In a time of so many data breaches, it is important to determine which kind of encryption will actually protect your data against these attacks. From malicious and careless insiders to external threats, Enterprise DRM provides the protection your data needs throughout its entire lifecycle.


Photo credit: EFF Photos

How Worried Should We Be about the Hacks on the Government?

Every time we look at the news we find at least one data breach, some more minor than others. Until recently the victims were businesses in retail, finance or healthcare. Now more and more breaches are aimed at the government: from third-party contractors that work with government agencies to household names such as the Internal Revenue Service, the White House and, most recently, the Office of Personnel Management (OPM).

Initially, OPM reported that about 4 million current and former federal employees had their personal data compromised. Records now reveal that 18 million people, possibly more, have had their information compromised, making this one of the largest data breaches in US history.

Much like in other breaches, the data in these government systems was not encrypted. Once in, the hackers have no problem taking the information and selling it on the black market. A continued focus on protecting the perimeter is hopeless against those who are already inside, or against attackers once they get in.

What have we always preached from day one?

Protect the data itself.

Is it time to move on from a perimeter-centric approach and adopt a data-centric security model such as digital rights management to encrypt the data itself? For the government, this is clearly a necessary shift. There should be no more talk about “needing better security”; it is time to act on that talk, pass the reforms that cybersecurity needs and require data to be encrypted. Some states are already taking these steps; the federal government needs to do the same to close the gap against these threats.

Every organization, the government included, needs to refocus on what it will do to protect its most valuable data, and on what is already available to protect it. From start to finish, a complete data security framework needs to be implemented: one that not only protects your data but also classifies it, and that lets you assess the insider risk that remains after the data is protected.


Photo Credit: NCinDC

Are these Proposed Privacy Laws Enough?

President Obama announced that he would propose laws aimed at protecting data after a horrendous year for cybersecurity and data protection. Although not all the facts are in yet, three new laws are being proposed and will be addressed later this month in the president’s State of the Union address. Already, information security experts are praising the attention President Obama is bringing to security issues with these proposals.

Among the proposals, the Personal Data Notification and Protection Act would require companies to notify customers within 30 days of discovering a data breach that their information has been compromised. Another proposal brings back an upgraded version of the “Consumer Privacy Bill of Rights”, which gives internet users the right to control what data is collected and how it is shared. The last, the Student Digital Privacy Act, would prohibit tech companies from profiting from data collected on students in schools.

Those of us in the information security industry know this is a step in the right direction, but based on the information provided, it is not enough. Some believe 30 days is too long; others note how little actual security the proposals require; all agree the package falls short of where it needs to be. Many hope Congress will create standards that companies must meet before they may collect personal information from consumers.

One state to note is New Jersey, which announced that it will require by law that patient health data be encrypted, so that even if the data is stolen it remains encrypted wherever it ends up. The bill states: “A health insurance carrier shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.”

Solutions such as digital rights management provide file-based security that prevents exposure of sensitive, confidential and personal information to internal and external threats, because the data itself is protected throughout its whole life. The government should set the bar at this level, since it will play a big role in securing personal data regardless of whether it is stolen.

We all know these laws will face little to no opposition, given the horrible year we just had in terms of data breaches. Isn’t it time to get prepared ahead of time and protect your data now?


Photo Credit: Alan Cleaver

Former Employees Stealing Corporate Data

We hear of a lot of insider threats these days involving disgruntled employees who have been fired. Earlier this month, however, the former COO of an on-demand startup left the company over tensions with the founders and landed a job with a competitor to aid in that company’s international growth. The issue is that before he left, the former executive is accused of copying a trove of confidential data to his personal cloud account, to be used to solicit employees from his former company. Although his account was shut down following his departure, there is reportedly no firm evidence that the former COO still has those confidential documents.

This was a planned, malicious insider attack aimed at stealing sensitive company information. The insider saw an opportunity to benefit, and the former company could do little to revoke his access to those files. As many headlines have said in the past, it is all about protecting the data, and that includes being able to revoke access to sensitive files that contain confidential data. Here that was not possible, and the result was a big legal case between the two parties.

With the FBI and the Department of Homeland Security sending warnings to all organizations about insider threats, no organization is safe from malicious, and even more so accidental, insider threats. All the indicators they tell you to watch for, and all the policies and rules you assign, will be of no use if your sensitive files are not encrypted with information rights management, also known as digital rights management.

Even if files are lost or fall into the wrong hands, unauthorized access is prevented and sensitive information is not exposed. Because files are automatically secured as they are saved, no one can access files leaked through unauthorized disclosure to people inside or outside your organization, especially in cases of insider threats. It is time that data breaches caused by insider threats stop reaching the headlines.

Don’t be caught in a situation where you cannot protect your own files from these risks. It is up to you to mitigate them by having the proper data-centric solution in place.

Photo Credit: Karri Huhtanen

The Dangers of Insider Threats in Critical Infrastructure

It is scary enough that intelligence officials say cybersecurity now trumps terrorism as the No. 1 threat to the U.S. The recent breaches at the White House and the Office of Personnel Management are just the tip of the iceberg for the federal government. It gets even scarier when the breaches are insider attacks on the nation’s critical infrastructure.

According to a recent article, in April 2011 a lone water treatment employee allegedly shut down operating systems at a wastewater utility in Arizona in an attempt to cause a sewage backup that would damage equipment and create a buildup of methane gas. Luckily, automatic safety features prevented any incident. Earlier that year, an employee recently fired from a US natural gas company closed a valve, disrupting gas service to nearly 3,000 customers for an hour.

There is so much sensitive information that is vital to the country’s infrastructure, and with the concern of this information being in the hands of unauthorized users, retail data breaches such as Target and Home Depot are considered to be small compared to what can happen, without the proper security of this information.

These days, to reduce costs, vendors, contractors and trusted business partners get privileged access to critical infrastructure facilities, often without thorough vetting. The use of cloud services, remote work and web technologies within critical infrastructure organizations compounds the problem if the sensitive information is not secured. The risk is not only outside hackers: trusted employees and contractors can have their information stolen, or hand it to unauthorized users intentionally.

Given the recent warnings from the Department of Homeland Security (DHS), the data itself must be protected, since dropping these outside vendors would be too costly. Mitigate the risk with data-centric solutions such as information rights management, otherwise known as digital rights management.

In contrast with conventional security solutions, these protect the data persistently wherever it goes. They are the most complete and effective way to protect against data breaches, especially those by insiders, in the nation’s critical infrastructure.

Photo Credit: Jonathan Brodsky
