Blog

Tag: data protection

You Need Data-Aware Protection Mechanisms

Data breaches pose one of the greatest threats to business and government. With the recent data breach at Equifax magnifying the problem of data loss in businesses and the public sector, it's time for organizations to think hard about using data-aware protection to safeguard sensitive information.

The ever-changing cybersecurity landscape requires organizations to evolve beyond merely protecting the network perimeter and endpoints to implementing protections on the data itself. When data breaches succeed, the costs can be staggering. How much will it cost Equifax to offer credit monitoring to millions of people? What makes these data breaches so disheartening is that many could be avoided or mitigated by modernizing legacy IT systems and protecting information at the data or document level.

While years of investment have helped strengthen network and endpoint security, the data continues to leak. Attacks continue to breach the perimeter, and insiders have accidentally or intentionally distributed sensitive information to unauthorized recipients. Phishing attacks and other social engineering are getting more sophisticated, so traditional perimeter-based detection and prevention is becoming ineffective.

Situations like the Equifax data breach point to many organizations not even doing the basics around security. Default passwords, running old software and not patching systems are some of the most common reasons for data breaches. Equifax even had references on its website to the Netscape browser, which has not been in use in almost 10 years. Some of this may be because IT departments are overwhelmed with daily tasks or have outsourced portions of their IT and security activities to third parties. Experian hired a third party to do a risk assessment of its infrastructure following the last breach. It seems the assessment and remediation efforts were not that effective.

Rather than solely focusing on the perimeter, protection mechanisms that are data-aware provide much stronger risk mitigation. Encrypting digital files using enterprise digital rights management (DRM) is the best way to thwart hackers or insider threats. Some organizations are also using attribute-based access control (ABAC) to limit access to specific data in databases or other information systems. Combining audit information from the ABAC system with the DRM-protected document interactions provides insight into who accessed sensitive data, when, and from where. Since data protected by DRM can be dynamically controlled, incident response programs benefit from the ability to completely revoke access to sensitive information, even after it has left the organization.
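To make the ABAC-plus-DRM model above concrete, here is an added example (not Fasoo's code or any product's API) of a hypothetical policy server that gates every document open on user and document attributes, records an audit trail answering "who, when, from where", and supports revoking a document after it has been distributed. The document and request fields, department rule and classification labels are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Document:
    doc_id: str
    classification: str   # e.g. "PHI", "PII", "public" (constructed labels)
    owner_dept: str
    revoked: bool = False  # flipped by incident response; denies all future opens


@dataclass
class AccessRequest:
    user: str
    dept: str
    clearances: frozenset  # classifications this user is allowed to read
    source_ip: str
    doc_id: str


class PolicyServer:
    """Hypothetical DRM policy server: a protected file only opens if decide() allows."""

    def __init__(self, docs):
        self.docs = {d.doc_id: d for d in docs}
        self.audit = []  # (timestamp, user, doc_id, source_ip, decision, reason)

    def decide(self, req):
        doc = self.docs.get(req.doc_id)
        if doc is None:
            allow, reason = False, "unknown document"
        elif doc.revoked:
            allow, reason = False, "document revoked"
        elif doc.classification not in req.clearances:
            allow, reason = False, "insufficient clearance"
        elif doc.classification != "public" and req.dept != doc.owner_dept:
            allow, reason = False, "outside owning department"
        else:
            allow, reason = True, "policy satisfied"
        # Every decision, allowed or denied, is recorded with origin for later review.
        self.audit.append((datetime.now(timezone.utc), req.user, req.doc_id,
                           req.source_ip, "ALLOW" if allow else "DENY", reason))
        return allow

    def revoke(self, doc_id):
        """Revocation takes effect on the next open, wherever the file now lives."""
        self.docs[doc_id].revoked = True

    def who_accessed(self, doc_id):
        """Answer 'who opened this document, and from where' from the audit trail."""
        return [(user, ip) for _, user, d, ip, decision, _ in self.audit
                if d == doc_id and decision == "ALLOW"]
```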

We have reached a critical point in data security. We can either take the necessary steps to protect the data or cross our fingers and hope there will not be another major breach. That's like hoping it doesn't rain. It sounds great, but the reality is that the next storm is around the corner.


Photo credit Merrill College of Journalism

Healthcare Data Breaches and Flash Drives, Still?

Healthcare data breaches due to misplaced flash drives seem to be a rising trend, as another case was reported recently, on August 7, 2015. Lawrence General Hospital in Massachusetts reported that a flash drive was missing. Even though it held very limited patient information, it did include lab testing information such as patient names, lab testing codes and slide identification numbers. Letters were sent out to about 2,000 patients, and the hospital has yet to locate the flash drive. According to its website, the misplaced flash drive was "unencrypted".

How many times have we heard this type of data breach occur and appear on our news feed?

In July, OhioHealth reported a similar data breach after discovering that a flash drive had gone missing. Approximately 1,000 patients' data became vulnerable, and about 30 or so Social Security numbers were compromised. As in the previously mentioned data breach, this flash drive was "unencrypted" as well. In addition, in South Carolina, a safe containing two flash drives and two hard drives holding EMS patients' Social Security numbers, patient names and addresses and clinical information was stolen, and, you guessed it, the flash drives were unencrypted.

It is not enough just to reinforce staff training and education on the "importance" of handling patient information securely; the data itself must be protected persistently no matter where it goes. Given the results of these three incidents, it should now be beyond doubt that flash drives carrying sensitive information, including PHI (Protected Health Information) and other limited patient information, must be encrypted with data-centric security.

By adding context-aware data protection to your security framework, you can guarantee that only authorized people can access sensitive PHI no matter where it is. By encrypting this data and applying persistent security policies to it, even if the data leaves your network on a flash drive, as in this case, it is still protected and always under the appropriate control.

As breaches of this nature continue to occur, it is important that healthcare providers continue to emphasize the importance of keeping health data secure, and that healthcare organizations themselves make sure they have the appropriate data security to protect against external and internal threats on all of their devices, especially flash drives.


Photo credit by: Custom USB

Bigger Problem than Compliance? The answer? Data Protection!

Although compliance has always topped data breach protection, this year preventing data breaches and protecting intellectual property are all considered more important in driving data protection. However, it is both of these together that makes a data breach protection solution so robust.

Meeting and demonstrating compliance is the start of a more secure organization. Last year in particular, the spike in data breaches caused by the theft or loss of sensitive information prompted the government to push for numerous legislative requirements and standards-based protocols from NIST (National Institute of Standards and Technology).

Federal government agencies are required to follow endpoint security obligations and protocols, and even more so national security agencies that communicate classified information.

The security challenge for organizations can be seen in two ways: threats can come externally or internally from within the organization. Data leaks and network instability can have disastrous consequences, regardless of their source. As a result, security can be implemented to block entry by unauthorized users and prohibit the exit of confidential data, among other things. However, the more important and surer way of protecting your data is to protect the data itself.

Whether we are dealing with insider threats or external hackers, even if they steal the files that contain the data, it must be standard and mandated that the data itself is encrypted, so that unauthorized users cannot make use of it.

Fasoo Enterprise DRM (Digital Rights Management) is a file-based security solution that prevents the exposure of sensitive and confidential files by trusted insiders, business partners, customers and unauthorized people. This solution also protects, controls, and traces sensitive files containing intellectual property, trade secrets, PII, and more. It maintains file protection and prevents unintended information disclosure no matter where the file is.

Remember, although compliance is the start of having a secure organization, data protection is needed to provide robust protection against data being exposed.

Photo Credit: Tom Woodward

Are these Proposed Privacy Laws Enough?

President Obama announced that he would propose laws aimed at protecting data after a horrendous year in cybersecurity and data protection. Although all the facts are not there yet, three new laws are being proposed. These laws will be addressed later this month at the president's State of the Union. Already, information security experts are praising the attention President Obama is bringing to security issues with these proposals.

Among the proposals, the Personal Data Notification and Protection Act would require companies to notify customers within 30 days of the discovery of a data breach that their information had been compromised. Another proposal is bringing back an upgraded version of the "Consumer Privacy Bill of Rights", which gives internet users the right to control what data is collected and how their data is shared. The last proposed law is the Student Data Privacy Act, which would prohibit tech companies from profiting from data collected on students in schools.

Although those of us in the information security industry know this is going in the right direction, based on the information provided, this is not enough protection. From some believing that 30 days is too long, to not enough security being announced in these proposals, all feel that this is falling short of where it needs to be. Many are hoping that Congress will create standards that companies will have to meet in order to collect personal information from consumers.

One state to really note is New Jersey, which announced that it will require by law that patient health data be encrypted. Therefore, even if the data is stolen, it will be encrypted no matter where it is. The bill states: "A health insurance carrier shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person."

Solutions such as digital rights management provide file-based security that prevents the exposure of sensitive, confidential and personal information to internal and external threats, as the data itself is protected throughout its whole life. This level of security for such information should also be set by the government, as it will play a big role in securing personal data regardless of whether it is stolen.

All of us know that these laws will face very little to no opposition, because of the horrible year we just had in terms of data breaches. Isn't it time to get prepared ahead of time and protect your data now?


Photo Credit: Alan Cleaver
