Tag: data-centric

Which industries have the highest potential for remote work? Finance and insurance, says McKinsey & Company. There’s a catch, however. How can organizations realize this potential without compromising data security and privacy? 


The consultancy found that three-quarters of activities in these sectors can be done remotely without a loss of productivity. Information security wasn’t part of the study. So what are the implications from a data protection perspective?

That’s where things get dicey. The forced rush into hybrid and remote work arrangements and the sorry state of remote work security have bank CISOs and compliance officers on edge. Some – mostly larger – financial institutions have mastered the transformation more effectively than others. What’s their secret? 

Before we answer that question, let’s first take a quick step back in time. In 2015, a Morgan Stanley insider downloaded confidential information on 730,000 of the investment bank’s wealth management clients to his personal laptop and posted a sample for sale online. Back then, it could have served as a wake-up call.

Today, it almost seems like quaint history, because not many heeded that call. The shift to Work-from-Home (WFH) due to COVID-19 has taken the insider threat to unstructured data to a whole new level.

Battlezone home office: Data protection reset required?

As a result, insiders, often working remotely, now account for more than half of data breaches in the financial sector, according to security research. Since that 2015 breach, terabytes of sensitive data have been stolen or leaked from more banks, financial services firms, and law firms. Think of the Pandora Papers: confidential documents, including supposedly secure PDF files, images, emails, and spreadsheets, from 14 offshore financial service providers.

Bank CISOs and compliance officers we talk to are more worried than ever about the lack of visibility and loss of control over sensitive proprietary data when employees are working from home. 

Or take Jeremy Baumruk, who heads up Professional Services at Xamin. His company manages IT security for more than 50 U.S. banks. In early 2020, he told the American Bankers Association’s Banking Journal: “When an employee is using their own computer, IT has almost no control.”

Eighteen months later, research shows that the warning still stands. Industry experts point to misconfigured VPNs, insufficiently secured home Wi-Fi networks, unmanaged personal devices, personal cloud storage services, and unmonitored home office printers.

Remote Work Security infographic excerpt (Source: Tessian)

Remote work hasn’t only exacerbated the insider risks posed by negligence or disgruntled employees. Cybercriminals on the outside have taken notice, too. They wage automated campaigns that increase the pressure on banks to take decisive countermeasures. 

Many recognize that the traditional, device-centric emphasis on IT perimeter defenses, Data Loss Prevention (DLP) tools, firewalls, endpoint protection, cannot ensure adequate protection. Recent threat reports confirm that attackers are exploiting remote work blind spots and endpoint vulnerabilities to the fullest.

Document theft-as-a-service: Search. Scoop up. Siphon off.

Credit unions, investment banks, and mortgage lenders, along with their remote workers, are bearing the brunt of automated ransomware campaigns right now. In the first half of 2021 alone, banks saw a 1,318% year-over-year increase in ransomware attacks, according to Trend Micro's 2021 Midyear Security Roundup.

What does this have to do with document protection? There is a direct and significant connection. New ransomware variants don't merely encrypt the victim's business-critical data and demand a ransom to unlock it. The latest ransomware toolkits are also built for data exfiltration.

In other words, they are designed to search for, scoop up, and siphon off sensitive information, which is then used for more elaborate extortion schemes. Only last week, the FBI issued a Private Industry Notification [PDF] describing how perpetrators specifically target confidential documents about planned mergers and acquisitions, threatening to release them on the internet if the victim doesn't pay up.

So why have some financial institutions been less impacted than others by data leaks and theft during their shift to remote work? 

Identify, protect, control  – with Enterprise DRM

One answer is that they didn’t bide their time until the next data breach. Instead, more banks launched a “digital transformation” that some say is long overdue for the industry as a whole. One pillar of their strategy is shifting to a data-centric security model, enabling them to protect their data at rest, in use, and in transit.

Rather than relying on those perimeter tools alone, they use Enterprise Digital Rights Management solutions such as Fasoo to identify, encrypt, and control access to unstructured data at the file level. Sensitive documents then remain unreadable to unauthorized parties if they are leaked or exfiltrated, whatever the route.

The Fasoo Enterprise DRM framework follows a three-way approach to ensure gapless document protection and remote work security:

    • Identify: Fasoo automatically identifies data worth protecting, from legacy repositories to newly created documents, which are secured at the point of creation. Unlike DLP, which tags such information for protection only within the organization's IT perimeter, Fasoo lays the foundation for protecting and controlling confidential data anywhere, on any device.

    • Protect: Enterprise DRM provides an additional layer of security by combining FIPS 140-2 validated encryption and access control. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).


    • Control: Fasoo enables banks to assert control over their confidential data through the entire document lifecycle, based on flexible and people-friendly central policy management.


Boost for remote work security and productivity in banking

This control extends beyond the digital domain. Fasoo's printer-agnostic secure print capabilities (Fasoo Smart Print), for example, let organizations apply print protection and watermarks to plain and DRM-secured documents alike. Its screen security component (Fasoo Smart Screen) applies screen watermarks to designated applications and URLs, blocks screen-capture attempts on sensitive data, and logs every attempt.

“Enterprise DRM is working great for us,” says the CISO of an S&P Top 100 global bank, a Fasoo customer. “It gives us a quick at-a-glance look at all our sensitive data and enables us to assert control wherever it goes.”

Would you like to learn more about how organizations in the financial sector, from community banks to global financial institutions, leverage Enterprise DRM to secure their digital transformation?

Connect with our industry experts here. 

###

FDIC adding DRM to its information security

On Thursday, May 12, 2016, the Congressional Subcommittee on Science, Space and Technology held a special hearing in Room 2318 of the Rayburn House Office Building. The hearing addressed whether Americans can trust that their private banking information is secure when relying on the Federal Deposit Insurance Corporation (FDIC).

During the session, lawmakers stated that the FDIC has a long history of cyber-security incidents and that it is failing to safeguard private banking information of millions of Americans who rely on the FDIC.

In the last seven months alone, seven departing employees at the FDIC have left with personal banking information on thumb drives and other removable media.

While Lawrence Gross Jr., the FDIC's CIO, told lawmakers that the FDIC considered the data breaches to be "inadvertent" copying of personal banking information that happened when departing employees copied personal information to removable media, some lawmakers called taking something that does not belong to an employee "theft".

One of the sticking points during the hearing was that the FDIC didn’t immediately report the incidents as major breaches to Congress until prompted by its Inspector General’s Office. Gross stated that he didn’t originally classify the incidents as major breaches because they seemed to be accidental copying of files during “non-adversarial” departures of employees. Furthermore, Gross pointed out that employees involved had signed affidavits saying they didn’t share the data with others.

Are the American people buying this explanation? Since when has it been acceptable to have people accidentally or knowingly copying information that does not belong to them to removable devices?

The FDIC has now said it is putting controls around the use of information so that sensitive data cannot be copied onto removable devices. Gross went further, stating that the agency is adding digital rights management software to its environment. This is a significant comment from the head of IT at a significant agency: the FDIC is adding DRM on top of traditional perimeter solutions to control sensitive information while it is in use.

It is of utmost importance that organizations adopt technologies like Digital Rights Management as part of a data-centric security approach to protect sensitive information to maintain stability and public confidence. Fasoo provides a Data Security Framework to public and private entities alike to enhance their information security program to keep up with the threat gaps. Please contact us or visit us during the Gartner Security and Risk Management Summit in National Harbor, Maryland between June 13-16 at Booth #200 .

Big Data and Data Analytics Need Data-Centric Security

Big Data and Data Analytics are changing the way the world uses business information. The amount of data created and stored daily on a global level is almost inconceivable, and it grows at an astonishing pace with each passing hour. Everything from the most trivial details of our personal lives to highly sensitive information at work is now stored and catalogued. While businesses look for ways to leverage, manage, and derive insight from this vast amount of information, they also need to think hard about satisfying privacy, security, and compliance all at once. This is not a trivial job, and many businesses struggle when attempting to roll Big Data and Data Analytics into a production enterprise scenario.

These days, all types of data are routinely collected whether we are at work or when we shop, use public transportation, visit our healthcare provider or access government services in person or online. Data is collected when you access highly sensitive company information, when you localize this data to your laptop or send it home to work on it remotely. Data is collected when you obtain a Medicare refund, book a flight or shop online. Data is collected when you do anything electronically.

While the proliferation and maturation of Big Data, Data Analytics, and information technology aid businesses, they can also hurt them if not properly implemented. All of this collected and stored data can also reveal highly sensitive information.

Below are some ethical, security, privacy and compliance guidelines that require additional consideration when businesses are looking to use Big Data and Data Analytics:

1.  Disclosure – businesses must disclose what is collected and how the data is used.

2.  Privacy & Confidentiality – individuals have a right to control who can access their personal information and businesses must carry the burden of confidentiality to ensure that only authorized persons have access to this information.

3.  Ownership – individuals have the right to control their personal/private data. Businesses that collect user data have the responsibility for the data as long as it is within their possession.

4.  Data sharing – businesses must carry the burden of the security and governance of data keeping in mind that data shared with another entity may need to be revoked or rendered useless at a later time.

5.  Governance and custodianship – businesses must secure the data and control access utilizing usage policies and tracking.

The rapid technological advances in our society are creating more and more ways for businesses and customers to benefit from them. However, the same advances are putting sensitive data at risk. Businesses can benefit from implementing a comprehensive data security framework along with Big Data and Data Analytics to better understand what sensitive data they possess, maintain complete control and custody of that data and to monitor and analyze their risk in owning and using the data.

Encrypt PHI and apply persistent security policies to stop healthcare data breaches

Today, nobody disputes that the healthcare industry is a gold mine for the bad guys, and theft of protected health information has become a regular event. The "Verizon 2015 Protected Health Information Data Breach Report" indicated that 90 percent of industries in the medical and healthcare arena have experienced a PHI breach, and with all the reports in the media, it is clear to everyone that the situation has reached a critical point.

In 2015, we witnessed numerous health insurers and hospital systems fall victim to data breaches. While Anthem and Premera were just some of the bigger names making regular headlines last year, attacks reached even physicians' offices. Just recently, Centene Corporation and IU Health Arnett lost hard drives holding the records of almost 1,000,000 people.

Every direction we look, there is significant use of electronic medical records, electronic prescribing, and digital imaging by health care providers. Whether it is the physician’s office, hospitals, insurers, medical associations, laboratories, disease registries, or government agencies, everyone is gathering digital pieces of information on the health status, care details, and health care costs of Americans. Along with personally identifiable information (PII) like names, mailing addresses, email aliases and dates of birth, healthcare entities also hold extremely personal and protected health data, such as lab results, reports, prescribed medications and medical conditions.  In the event of a breach, unlike a credit card number, none of this information can be easily changed and the lifecycle of such information is very long – in some cases forever.

Federal incentive programs, first the HITECH Act's Meaningful Use payments and then the Affordable Care Act's push toward coordinated care, have created significant incentives for doctors' offices to embrace EHR systems as a replacement for paper-based medical records. Data has therefore been integrated in an effort to do away with siloed approaches within provider groups, health plans, and government offices.

While the industry and governance bodies talk compliance and claim protected health information is safe and secure, the constant stream of disclosed data breaches shows otherwise. Despite all the time, effort, and money spent on traditional security tools to achieve compliance, thieves are still able to gain access to PHI for monetary gain.

The healthcare industry should consider the following steps to remain secure and stop healthcare data breaches:

  • Realize and accept your risk – Take note that the protected health data you possess is a target of criminals. Simply complying with HIPAA does not equate to properly securing and locking away PHI data from unauthorized use.
  • Identify where your PHI data is and who has access to it – Healthcare entities often have an inaccurate picture of where sensitive data is stored and who has access to PHI. It is easy to forget that users copy sensitive data out of secure locations by saving it locally or moving copies around. The result is that security and control are lost, with copies floating around on thumb drives, disks, email, laptops, home computers, and paper printouts.
  • Properly secure your data – Most, if not all, entities dealing with healthcare data secure PHI at rest and in motion while they completely miss a significant threat gap – “data in use”.
    • Label or classify data
    • Encrypt your data
    • Persistently protect data using policy-driven methods
    • Track and monitor usage
    • Dynamically adjust usage policies and access
  • Plan for breach response
    • Have means to render breached data useless
    • Have an Incident Response Plan

You can stop healthcare data breaches by putting in place data-centric, persistent security to avoid finding yourself scrambling around after the damage has been done to you and your patients.
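To make the steps above concrete (and the Identify, Protect, Control model from the remote work post earlier on this page), here is an added illustrative example. It is not Fasoo's code and not code from the page: a minimal policy server that labels a document, encrypts it with a per-document key it never hands out, decides each view or print request against a grant list and an expiry, logs every decision, and renders every copy useless on revocation by destroying the key. The document IDs, user names, and the lab report are constructed for the example. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so the example runs on the Python standard library alone; a production system would use AES-GCM from a vetted library instead.

```python
import hashlib
import hmac
import os
import time


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (a PRF). Stdlib stand-in for AES-CTR."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _subkeys(doc_key):
    # Separate keys for confidentiality and integrity, both derived from the document key.
    enc_key = hmac.new(doc_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(doc_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(doc_key, plaintext):
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(doc_key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(doc_key, blob):
    """Verify the tag before touching the ciphertext; a tampered file never decrypts."""
    if len(blob) < 48:
        raise ValueError("blob too short to be a protected document")
    enc_key, mac_key = _subkeys(doc_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: tampered document or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class PolicyServer:
    """Holds document keys and usage policies. A client only ever gets plaintext, never a key."""

    def __init__(self):
        self._keys = {}      # doc_id -> 32-byte document key (hypothetical in-memory store)
        self._policies = {}  # doc_id -> {"label", "grants": {user: set(actions)}, "expires": epoch}
        self.audit = []      # every request, allowed or denied: the "track and monitor" step

    def protect(self, doc_id, label, plaintext, grants, expires):
        """Label and encrypt at the point of creation; returns the protected blob to store anywhere."""
        doc_key = os.urandom(32)
        self._keys[doc_id] = doc_key
        self._policies[doc_id] = {
            "label": label,
            "grants": {user: set(actions) for user, actions in grants.items()},
            "expires": expires,
        }
        return encrypt(doc_key, plaintext)

    def grant(self, doc_id, user, actions):
        """Dynamically adjust usage policy without touching the protected file."""
        self._policies[doc_id]["grants"][user] = set(actions)

    def revoke(self, doc_id):
        """Destroy the key: every copy of the blob, wherever it has travelled, is now useless."""
        self._keys.pop(doc_id, None)
        self._policies.pop(doc_id, None)

    def request(self, doc_id, user, action, blob, now=None):
        """Policy decision point: plaintext on allow, PermissionError on deny, always audited."""
        now = time.time() if now is None else now
        policy = self._policies.get(doc_id)
        reason = None
        if policy is None or doc_id not in self._keys:
            reason = "revoked or unknown document"
        elif now > policy["expires"]:
            reason = "policy expired"
        elif action not in policy["grants"].get(user, set()):
            reason = f"{action} not granted to {user}"
        self.audit.append({"doc": doc_id, "user": user, "action": action, "time": now,
                           "decision": "deny" if reason else "allow", "reason": reason})
        if reason:
            raise PermissionError(f"{doc_id}: {reason}")
        return decrypt(self._keys[doc_id], blob)


if __name__ == "__main__":
    server = PolicyServer()
    report = b"Patient 0042: HbA1c 7.9% (constructed sample, not real PHI)"
    blob = server.protect("lab-0042", "PHI", report,
                          {"dr.kim": {"view", "print"}, "billing": {"view"}}, expires=1_900_000_000)
    print(server.request("lab-0042", "dr.kim", "view", blob))
    server.revoke("lab-0042")
    try:
        server.request("lab-0042", "dr.kim", "view", blob)
    except PermissionError as err:
        print("denied:", err)
```

The point of the design is that the protected file can be copied to a thumb drive, a home PC, or an attacker's server without changing the security outcome: reading it always routes through `request`, every decision is recorded, and revocation or expiry closes access to copies the organization no longer controls.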

The Dangers of Smart Printer Devices

Printers are not what they were a decade ago. They have become deeply embedded in organizations' networks, and the multifunction capabilities they have gained make them vulnerable and a threat to the stability of the entire network. Hackers and insiders have already caused internal and external data breaches through these devices.

Although there has been a great push to secure mobile devices and their data, organizations neglect to secure their network- and internet-enabled printers as well. This is a concern now because from those mobile devices users can print, scan to email, scan to network drives, and scan to web-hosted applications.

“Many hackers will be able to access the entire network through tracking the metadata of printed documents, or by hacking the passcode of the MFP. Whether these breaches are caused by an attack from an unauthorized outsider, or internal factors, such as human error, systems must be put in place to resist disruption to the network,” said Grant Howard, Professional Services Technical Manager at Annodata, in a recent article arguing that “Smart print devices are an untapped opportunity for hackers…”

In another recent blog post, we proposed that taking a data-centric approach to your security can give you a more complete view on how sensitive data is used in your organization. Controlling and managing access to printers, secure mobile printing and tracking and auditing usage are three challenges that come to mind when it comes to securing printers. These three challenges must also be part of this solution.

Some of the key benefits of secure printing are as follows:

· Increased document security – avoids unauthorized use

· Increased user mobility and productivity – print anytime, anywhere securely

· Improved accountability – tracking printer usage for auditing purposes

With these protective measures, Fasoo ePrint provides an effective yet secure print management solution.  If Fasoo ePrint detects sensitive information in a document, a predefined policy can block printing. It controls and traces printed documents on your existing printers, so you can continue to use your current output devices.

When used with Fasoo Enterprise DRM solutions, it extends the protected area and provides stronger protection for personal information held within organizations, covering not only your printouts but also your data.

With this solution out there and ready to be implemented, it is time to mitigate and eliminate the risk of data breaches through printers as there are already too many making headlines that could have been avoided with this solution.


Photo credit by: Phil Campbell


When Will Your Data Breach Happen?

Cyber attacks are a growing threat for businesses in every industry, and no organization can be considered safe. Hackers keep learning new methods to attack websites and networks. Most of the time employees have easy access to company information and, because of a lack of training or a lack of security around that information, are unaware of how to detect and prevent breaches. The question is not if, but when a data breach will happen.

It is very clear that perimeter security can no longer prevent data breaches. The perimeter continues to fade as connectivity with third-party partners, vendors, and customers themselves increases, and mobile devices and cloud computing make it almost impossible to define. The majority of security spending goes to firewalls, intrusion detection systems, and antivirus software, yet these address only a small part of the problem. Ultimately, it is the data itself that needs to be protected and encrypted persistently, no matter where it is.

Data classification is also key to preventing data breaches. Categorizing data so that employees know how to handle each type of information separates the most sensitive data from data that does not necessarily need protection.
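The print-blocking rule described in the printer post above (if sensitive information is detected in a document, a predefined policy can block printing) and the classification step here come down to the same pipeline: detect, label, decide, record. The following is an added example in Python, not Fasoo's code or anything from the page: a scanner for two identifiers that recur in these posts, US Social Security numbers and payment card numbers (the latter confirmed with the Luhn check so that arbitrary digit strings are not flagged), a three-level classifier, and a print policy that blocks restricted content, watermarks internal content, and logs each request with the findings masked. The labels, the "confidential" keyword rule, the user and printer names, and the sample text are all assumptions constructed for the example.

```python
import re

# US SSN format with the SSA issuance rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-number candidates: 13 to 19 digits with optional single space or dash separators.
# A regex alone over-matches (order numbers, phone numbers), so each hit is checked with Luhn.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Hypothetical policy: label -> what the print server does with the job.
PRINT_POLICY = {"public": "print", "internal": "print-watermarked", "restricted": "block"}

AUDIT = []  # one entry per print request; findings are recorded by kind only, never by value


def luhn_ok(digits):
    """Luhn mod-10 check: doubles every second digit from the right, subtracts 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return (kind, masked_value) findings. Masking keeps raw identifiers out of logs and UIs."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def classify(text):
    """Three assumed labels: restricted (regulated identifiers), internal (marked confidential), public."""
    findings = scan(text)
    if findings:
        return "restricted", findings
    if re.search(r"\bconfidential\b", text, re.IGNORECASE):
        return "internal", findings
    return "public", findings


def print_request(text, user, printer, when):
    """Decide a print job from the document content, not from which device or network it came from."""
    label, findings = classify(text)
    action = PRINT_POLICY[label]
    # Watermark ties a physical page back to who printed it, where, and when.
    watermark = f"{user} / {printer} / {when}" if action == "print-watermarked" else None
    AUDIT.append({"user": user, "printer": printer, "when": when, "label": label,
                  "findings": [kind for kind, _ in findings], "action": action})
    return {"label": label, "action": action, "watermark": watermark}


if __name__ == "__main__":
    # Constructed sample text; the card number is the well-known test PAN, the SSN is fictitious.
    sample = "Customer card 4111-1111-1111-1111 and SSN 123-45-6789; order 1234567890123"
    print(print_request(sample, "jsmith", "hq-floor3-mfp", "2021-11-01T09:00"))
    print(print_request("Q3 budget, CONFIDENTIAL draft", "jsmith", "hq-floor3-mfp", "2021-11-01T09:05"))
    print(AUDIT)
```

Two details matter in practice. The order number in the sample is 13 digits and matches the card pattern, but fails Luhn and is correctly ignored; without that check a content scanner blocks far more legitimate jobs than it should. And the audit record stores only the kind of identifier found, so the log that proves a job was blocked does not itself become a new copy of the sensitive data.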

Without a doubt, and with no disrespect intended, any security professional will tell you that employees are the weakest link in the security chain. Therefore, you must make sure that the data itself is secured, rather than relying on policies or training alone.

DRM protected documents have the type of security that doesn’t rely on the perimeter to secure sensitive company information. With even more laws and regulations coming into play recently, encrypting your information with Fasoo’s Enterprise DRM (Digital Rights Management) can help you keep your data secure even when a data breach happens.

So when the data breach happens, will you be prepared? With the right data-centric security solution, you can certainly count on it.

Photo Credit: Jbosarl
