Blog

Tag: data security

 

DLP (the traffic cop) vs. DRM (the armored truck)

Like digital rights management (DRM) for the enterprise, data loss prevention (DLP) solutions have recently seen a resurgence. Both aim to protect sensitive documents against leakage and exfiltration. Those looking to deploy or expand one or the other frequently weigh DRM vs. DLP. But how helpful is this “either/or” perspective really?

For starters, it risks missing one crucial difference between these two approaches to document protection. Unlike DRM, DLP isn’t designed to protect information once it makes it outside an organization’s IT perimeter.

By definition, that’s precisely the scenario DLP purports to prevent in the first place. So this wouldn’t be a problem if DLP worked reliably 100 % of the time. But it doesn’t. Why? 

One answer is that DLP still requires a high degree of human intervention or supervision. This fact doesn’t take away from the advantages of document security automation. I’ll get into the details below. But first, let’s back up a moment and look at the definition of DRM vs. DLP.  

 

What’s the main difference between DRM and DLP?

DRM (a.k.a. IRM, for Information Rights Management) automatically encrypts files and controls file access privileges dynamically at rest, in use, and in motion. 

DLP analyzes document content and user behavior patterns and can restrict movement of information based on preset criteria.

I’ve written about DRM vs. DLP on this blog before, in 2014. While little has changed about the definitions, cloud services and remote work have become ubiquitous since – and IT perimeters more blurred.

Add to that the dramatic rise of (AWS) data leaks, insider threats (such as IP theft), and double-extortion ransomware attacks. Taken together, these trends explain why the main difference between DRM and DLP has become more pronounced recently.

In a nutshell, it’s the difference between a traffic cop and an armored truck. As for the cop part, I’m not the first to draw this analogy; DLP has been compared to an officer posted at an exit ramp before.

In this analogy, only traffic identified as legitimate is waved through and allowed to leave the main drag (i.e., your network) and race off into uncontrolled territory. A police officer may check a car’s license plates, ask for ID, and scan the vehicle’s interior before giving someone permission to pass through.

Image for DRM / DLP comparison: DLP works like a police checkpoint

Traditional DLP works in a similar way. It scans files, detects data patterns, and automatically enforces appropriate actions using contextual awareness to avoid data loss. However, the similarities don’t end here.

 

DLP’s biggest weakness

DLP also faces three significant challenges similar to those of a roadblock cop:

 

  • How can you accurately establish which traffic to allow through, and handle the task effectively and expediently, before the exit point becomes a bottleneck?
  • What about all the exits not covered? With DLP, those would be USB drives, SaaS file sharing applications, such as Google Drive or Dropbox, or enterprise messaging apps, such as Slack or Microsoft Teams. Think of them as equivalents of the service road turnoff some locals (i.e., insiders) know and use to avoid a roadblock.
  • And, last but not least, what happens with the traffic that should never have made it past the checkpoint, but somehow did so anyway? Most companies need to share sensitive data with external contacts, like vendors or customers. A common occurrence is that a confidential document is mistakenly sent to the “wrong” person in a company whose email domain is safelisted as a recipient.

“Not my problem anymore,” says the (DLP) cop. What’s gone is gone, even if it ends up in the wrong hands. With the first two issues on this shortlist, data loss prevention products have been struggling from the beginning. As for the third item, it exposes DLP’s biggest weakness.

Here’s what I mean: By promoting a solipsistic focus on internal file downloads and sharing, DLP creates a false sense of security. In reality, once sensitive information moves beyond the point of egress, an organization loses all visibility and control over what happens with its sensitive data.

     

Has DLP been a failure?

I wouldn’t go that far. If that were the case, why did Gartner analysts expect about 90% of organizations to have “at least one form of integrated DLP” in place by this year? That’s an increase from 50% in 2017.

While DLP wasn’t the panacea that marketers made it out to be, it still has its place. In the enterprise, DLP has helped establish a baseline for document protection. One example is tagging documents that contain personally identifiable information (PII) to ensure compliance with GDPR, the General Data Protection Regulation of the European Union.

DLP deployments require IT and other stakeholders (compliance teams, data owners) to take stock of sensitive information across the board and categorize it. The downside is that it also demands constant tweaking and fine-tuning of filters and policies.

If your business deploys DLP, you have probably learned the hard way that most of this burden falls on IT. DLP filters are notorious for generating “false positives” and are known to cause workflow breakdowns because of mistakenly flagged files. The DLP filter may, for example, identify a 16-digit internal reference number in a document as a credit card number and prevent the file from getting shared.
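As an added illustration of the false-positive problem just described (example code written for this page, not part of the original post or of any DLP product): a regex-only filter blocks on every 16-digit run, while adding a Luhn checksum and an issuer-prefix test clears a 16-digit internal reference number and still catches a real card-format number. The sample document, the reference number and the asset tag are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample document (not from the page). It holds one card-format
# number (the widely published 4111... test number), one 16-digit internal
# reference number, and one 16-digit asset tag that happens to pass Luhn.
SAMPLE_TEXT = """
Order confirmation
Card on file: 4111 1111 1111 1111 (exp 12/26)
Internal reference: REF-1234567890123456
Asset tag: 9000000000000001
Support line: 555-0100
"""

# Any run of exactly 16 digits, optionally separated by spaces or hyphens and
# not glued to further digits on either side. This is what a naive DLP filter
# treats as a credit card number.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


@dataclass
class Finding:
    raw: str        # text exactly as it appeared in the document
    digits: str     # normalized digits only
    flagged: bool   # True when the filter would block the file
    reason: str     # why it was flagged or cleared


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: double every second digit
    from the right, fold two-digit results, require the sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_prefix(digits: str) -> Optional[str]:
    """Map common 16-digit card prefixes to a network, or None.
    The ranges are the well-known public ones; the list is not exhaustive."""
    if digits.startswith("4"):
        return "visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    if digits.startswith("6011") or digits.startswith("65"):
        return "discover"
    return None


def naive_scan(text: str) -> List[str]:
    """Regex-only filter: every 16-digit run counts as a credit card number."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(text)]


def scan_for_cards(text: str) -> List[Finding]:
    """Regex, then checksum, then issuer test. A candidate is flagged only when
    it survives all three, which clears most internal reference numbers."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            findings.append(Finding(raw, digits, False, "fails Luhn checksum"))
        elif issuer_prefix(digits) is None:
            findings.append(Finding(raw, digits, False, "no known issuer prefix"))
        else:
            findings.append(Finding(raw, digits, True,
                                    f"Luhn-valid {issuer_prefix(digits)} number"))
    return findings


def flagged_numbers(text: str) -> List[str]:
    """Digits of the candidates the refined filter would actually block on."""
    return [f.digits for f in scan_for_cards(text) if f.flagged]


if __name__ == "__main__":
    print("naive filter blocks on:", naive_scan(SAMPLE_TEXT))
    for f in scan_for_cards(SAMPLE_TEXT):
        print(f"{f.raw!r:24} flagged={str(f.flagged):5} ({f.reason})")
```

The Luhn test alone clears the reference number; the issuer test is what keeps the checksum-passing asset tag from becoming the next false positive.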

In 2021, DLP describes a mindset more than a unified approach or one specific method to stop data leakage or exfiltration. But DLP modules and add-ons have become part of the point solutions mix. They complement particular applications or tools, such as cloud security services or Microsoft AIP.

And as with many point solutions, blind spots and coverage gaps remain* that you can drive a truck through. Which brings us back to the armored truck.

     

Armored truck for confidential data

If we understand DLP as the cop who creates a bottleneck sorting out which traffic can pass, we can think of enterprise DRM as the equivalent of an armored truck. Tethered to a C3 (command, control, and communication) center, it can only be unlocked by dispatchers at a remote location.

In other words, whatever neighborhood the vehicle ends up in once it’s past the exit point, the load remains secure. The owner maintains control over the cargo and who can access it.

With Fasoo Enterprise DRM, the C3 center would be the Fasoo server. The cargo is your sensitive data locked down with Fasoo encryption. And the dispatcher would be Enterprise DRM’s centrally managed policy settings.

So what happens to DLP in this picture? My main point here is that you don’t have to bother with interrogating file content once it is encrypted by Enterprise DRM. That doesn’t mean your existing DLP deployment becomes irrelevant.

     

DRM + DLP for the win

Case in point: sensitive emails. DRM doesn’t automatically encrypt outgoing email, for example. DLP, on the other hand, can flag content inside of emails for extra protection, or prevent a message from leaving the organization altogether.

Another advantage of DLP is that it helps IT teams gain and maintain a baseline understanding of how sensitive data moves through their network. With adequate calibration, it serves as a low-investment, yet efficient tool for data risk discovery.

From a pure document security perspective, DRM fills in the remaining blanks. It gives us peace of mind that confidentiality and compliance remain ensured for any file that finds its way past the egress point. Or, to put it differently – if you ran a bank, would you feel comfortable having a bicycle courier handle the money transports?

Nope, you’d leave it to the pros with proper equipment.

So, the armored van it is. In summary, deploying an enterprise-scale DRM solution enables your organization to protect its existing DLP investments. It helps you tie up loose ends in a global, multi-cloud, work-from-anywhere IT environment.

By combining both methods, you can play to DLP’s actual strengths. Examples include spotting suspicious activities and patterns that indicate possible insider threats, or flagging files – including emails – for DRM protection before they can leave the organization.

That way, you don’t have to rely exclusively on the overwhelmed cop at the exit ramp anymore.

Would you like to learn more about how Fasoo Enterprise DRM and DLP work together for maximum protection of unstructured data? Connect with our experts!

###

*For a comprehensive overview, I recommend the post Insider Threat Management: Part 1 – 7 Reasons Not to Settle for DLP on the blog of cybersecurity company Proofpoint.

     

Protect data on laptops from terminated employees

I read a tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word). Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on it? It also made me think about how, in a situation like this, the potential for insider theft is far greater.

Files containing IP can be printed on home printers, sent over email to personal accounts, saved to a USB stick, screen captured, and so on. These are not necessarily acts of malice, but of obvious desperation to meet the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used.  It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do.  But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information.  The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!

 

Photo credit: Ian Sane

 

Encrypt and control sensitive wealth management data

The financial services industry is a frequent target of hackers, but a larger threat may be trusted insiders since they have access to a lot of sensitive customer data.  Advisers within wealth management practices regularly share data with other advisers, staff members, a counterparty or a trusted third-party service provider. They may inadvertently or deliberately share that data with unauthorized people and pose a risk to their firms and customers. Once shared, most firms have no control over that data. The Ponemon Institute illustrates this risk by reporting that 65% of cyber breaches originated with third parties.

Insiders regularly share customer or other sensitive information with colleagues and third-parties by generating and downloading reports from a database. Typically the reports are spreadsheets which make it easy to analyze the data. Access to the database may be restricted, but once in a spreadsheet, the sensitive data is easy to share with anyone.

Just recently, BlackRock inadvertently exposed names, email addresses and other information of 20,000 independent wealth management advisers. The data was in several spreadsheets from an internal customer relationship management system and was inadvertently posted on a website by an internal user. There was no hacking, just a mistake by a trusted insider.

In 2017, New York implemented comprehensive cybersecurity regulations to protect New York’s financial services industry and consumers from cyber attacks. Other jurisdictions are following suit. High-profile cases like the Morgan Stanley broker who stole data on more than 350,000 of the bank’s wealthiest clients in 2014 were clearly on the minds of regulators when they created these regulations. Even with these rules in place, BlackRock still experienced a data breach.

Typical approaches to stop data breaches focus on protecting devices and locations from unauthorized access, rather than the data stored on them. These solutions force you to create complex business rules that monitor data movement and alert you to abnormal activities. In the BlackRock and Morgan Stanley cases, authorized users had legitimate access to sensitive data, so these tools may not have flagged anything as abnormal.

The only effective way to restrict access of sensitive data to authorized users is to encrypt it and apply security policies that govern its access. This ensures that only authorized users can access the data, regardless of the file’s location or format. This includes sending data to a counterparty or other third-party service provider. Once encrypted, the organization can trace user activities and even revoke access whether stored on a local system, mobile device, website or cloud-based repository. If someone accesses the file, they cannot read its contents unless explicitly granted access to it.

Morgan Stanley could have prevented its employee from accessing customer information on his home computer by encrypting it and setting appropriate policies. Once he left the company, his access to company data could be immediately revoked. The BlackRock spreadsheets would have been useless to any unauthorized person, since no one could read their contents unless explicitly granted access. If hackers stole the data in either case, it would be useless to them, since it was encrypted and the hackers had no authorization to access it.

Investors trust wealth management firms to protect their sensitive data. Encrypting files and controlling user access maintains that trust and complies with privacy regulations.

Photo credit: Pavel Rybin

Bill Blake shows how Wrapsody helps manage an incident response plan

Fasoo sponsored and presented at an event in Columbus, OH on November 13, 2018 entitled “Incident Detection, Response and Recovery”, highlighting how to prepare and manage an incident response plan for cybersecurity and data protection. Presented and cosponsored by Catalyst Solutions, IBM and Huntington Insurance, the event brought together experts in legal, insurance, law enforcement, government, accounting and security disciplines to discuss the legal, technical and business issues of preparing for and responding to a data breach.

Bill Blake, Senior Vice President and CCO of Fasoo, presented Incident Response & Recovery: Secure Collaboration for Critical Information which highlighted the Wrapsody platform as a solution to help manage the development, access and control of an incident response plan (IRP).  Bill showed an example of a CISO, Legal Counsel and an external Advisory firm securely collaborating on an IRP and how to control who could access the plan and any supporting documents involved in a response.  The example showed how easy it is to securely collaborate on developing and managing the plan, but also on limiting access prior to, during and after a breach occurs.  Since Wrapsody encrypts documents and controls their access, it guarantees only authorized users can access them.  This is critical because if an incident response plan got into the wrong hands, malicious insiders or external parties could compromise an organization’s data security.

Ed Rice, an attorney at Sherrard, German & Kelly, P.C., talked about the importance of having a data security program in place.  “Not only does it make good business sense, but under the regulatory landscape, for instance in NY, MA and CA, having such a program is a requirement when a company deals in data containing personal information.  Ohio’s new data protection act actually provides a “safe harbor” from liability for a data breach if the company has in place a good data security program”.

One key to a data breach response is maintaining attorney-client privilege between internal or outside counsel and the organizations involved in the breach. A cybersecurity incident is not considered a data breach until an attorney says it is. An attorney should be involved in developing the plan so that the plan and any supporting documents are considered attorney work product and come under attorney-client privilege. Since Wrapsody limits access to authorized users, if a malicious insider tried to share documents with external parties, they would not be accessible. If a court tried to subpoena the documents, attorney-client privilege would protect them legally, while Wrapsody’s encryption and access control would prevent access to the files themselves. Another key is having a detailed audit log of document access to prove to auditors, regulators and law enforcement who accessed the IRP during its preparation and execution, which also helps establish what is subject to attorney-client privilege.

Once an event occurs and the organization executes the IRP, access is controlled and audited. If internal systems are compromised, Wrapsody enables mobile access to the IRP from a phone or tablet. Since each version of the IRP and any supporting documents are automatically synced to the Wrapsody server, those involved in the response will have access to the latest information, even if the IRP itself was hit with ransomware.

Protecting company and customer information is the main goal of cybersecurity.  Preventing a data breach is a key tactic, but you need to have a viable incident response plan so you can act quickly and decisively if or when a breach occurs.  Using Wrapsody to prepare and manage the plan along with sensitive documents should be a key tactic in your cybersecurity program.

Fasoo protects unstructured data

Fasoo’s message of finding, protecting and controlling unstructured data definitely made an impact on attendees at the 2018 RSA Conference in San Francisco.  With new regulations like the General Data Protection Regulation (GDPR) coming on quickly and the general feeling that businesses need to do more than just track file access, companies are looking for a more comprehensive and practical approach to providing secure ways to conduct business.

Over 45,000 senior executives and IT security professionals attended this year’s conference, with about 2,000 visiting Fasoo’s booth. Visitors saw hourly presentations and demonstrations on how to manage and control their unstructured data, which is by far the largest problem in data security. While someone hacking a database and stealing credit cards seems to make the headlines, the reality is that the majority of an organization’s intellectual property and sensitive information is stored in documents. Fasoo staff showed how Fasoo Data Radar, Fasoo Enterprise DRM, Fasoo RiskView and Wrapsody help manage and protect the critical business information inside documents.

A lot of attendees were very interested in discovery and classification of files because many realized they don’t know what they have and where it’s located.  One executive I talked to had a good handle on her databases, but when it came to downloading reports from those databases and the documents employees create every day, she acknowledged it’s a lot more challenging.  She mentioned there’s a lot of redundant, obsolete and trivial (ROT) data in file shares, cloud repositories and on people’s desktops which makes controlling the important information a lot more difficult.  She wanted to focus on data critical to her business and get rid of everything else.  I suggested automatically securing files as users create or edit them.  This protects current information and lets her quickly understand what is used and what is not.

Of course what would RSA be without some fun?  Our hourly presentations were very lively and attendees got Starbucks cards, Fasoo hippos, headphones and an Amazon Echo.  You had to really listen to the presentation to get some of the prizes, but the real fun started when Star Wars trivia came up.  One gentleman had to perform for his prize making a convincing Chewbacca sound.  There was even a little horse trading as the winner of one prize decided to swap it with the winner of another prize.

Visitors to Fasoo’s booth commented that the security solutions looked easy to use but still allowed them maximum protection of their unstructured data.  This is always a critical issue as organizations try to balance security with productivity.  Automating the processes of identifying, classifying and encrypting sensitive files allows employees and business partners to focus on their jobs rather than worrying about how to protect business critical information.

Discover, Protect and Monitor access to your sensitive data

The barrage of data breach news on the front page should come as little surprise to any of us. The more data is stored and sent digitally, the more we expose ourselves, and the more breaches occur. With all the resources and money spent on preventing a breach, we might think it reasonable to expect the number of reported incidents to decline. Yet, on the contrary, this is not what we see.

According to the Identity Theft Resource Center (ITRC), just this year to date, there have been 725 reported breaches. The traditional security model to guard the perimeter is not adequate. Today’s challenges require a layered Data Security Framework.  So, what should this framework contain to take the right preventative or restorative actions?

For businesses, getting insight and control of their critical files is essential.  This includes any new file that is created and saved and any existing files containing sensitive information.  Many businesses are significantly challenged with gaining visibility across their environment to understand the location of their sensitive files. They don’t know how many copies or derivatives of a file are floating around on desktops, laptops, file servers, mobile devices, etc. and are not in a position to take appropriate action to secure and control them. Discovery is the first layer to add to a company’s security posture.  This helps you find things.

Image: Data Centric Security protects your most sensitive data

Once the discovery process is completed, you are ready to protect your sensitive information using encryption. When the topic of encryption comes up, most associate it with protecting information when it is stored or when it’s transmitted over insecure channels, such as the internet. Many miss the need to secure sensitive files while they are in use. This is when these files are at the most risk, since a user can do anything with sensitive data when they have a file open. The best method to achieve security today is data-centric security for persistent protection of information.

Another layer for an effective data security framework is monitoring activity related to sensitive files. The ability to tie in data from various security technologies, including firewalls, DLP, databases, and even physical security (e.g., entry/exit data from keycard or biometric systems) and employee attendance records can help a business review risky activities and after suitable investigation, help decide whether or not to take action to address them.

A complete framework is required for companies to continuously adjust their security position dynamically to prevent damaging data breaches. Current challenges dictate a good data security framework to take into consideration both human and technological aspects. At a minimum this framework should include regular updating of traditional security measures already in place; educating and training employees; a current data breach response plan and most importantly data-centric persistent security technology measures.

Ofcom Victim of Insider Threat

Reports emerged yesterday that UK media regulator Ofcom suffered a massive data breach when a former employee stole sensitive information on television companies and gave it to a major broadcaster, which incidentally is his or her new employer. The person who stole the information was not identified in reports. The former employee downloaded as much as six years’ worth of data before leaving the company. The intent of the action was to gain a competitive advantage in the market.

Even though Ofcom says it takes data security very seriously, it is most likely missing some of the blind spots that companies ignore.  Most organizations focus their security on the perimeter, trying to protect networks and systems from outside hackers.  They rarely look inward, assuming that an employee is a trusted person who will always have the company’s best interests in mind.

Insider threats can take two forms: accidental and malicious.  This was a case of malicious intent because the person intended to steal sensitive information for personal gain.  Privileged users can pose a greater threat to your business than hackers, since they already have access to critical business data.  This person had legitimate access to this data presumably to do their job.  Apparently there was nothing in place to stop the person from taking the data and sharing it with anyone outside the company.

The other insider threat is someone who accidentally shares sensitive information.  This could be unintentionally sending a file to the wrong person, losing a laptop or thumb drive or being tricked into giving away login credentials to the wrong person.  There is no malicious intent here, but the consequences can be the same.

The only way to manage the situation is to understand what data is sensitive and lock it down to control its access at all times.  The best way is discover, classify and protect the data as you create and share it.  This should apply to files you create daily and information you download from databases or information systems.

A layered approach can apply dynamic permission controls to data that can change as business requirements change.  This allows you to automatically adjust security policy based on changed content within a file.  For example, if you have a file that is for all internal employees, but you add PII to it, you need to increase the security to limit access because of the sensitive nature of what’s inside.

It’s also important to understand usage patterns of your sensitive information to help you spot behavioral anomalies that could indicate an insider threat. If normal behavior for the ex-employee was to open a few files a day, but all of a sudden they are opening hundreds, they may be stealing sensitive information. Monitoring this behavior could prevent a possible data breach.
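An added example of the behavioral check described above (written for this page; not from the original post or any Fasoo product): it counts file opens per user per day from a constructed access log and raises an alert only when a day exceeds both an absolute floor and several times that user’s own prior median, so a steadily heavy user stays quiet while a jump from a few files to hundreds is flagged. The log line format, user names and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

# One line per file open: "<ISO timestamp> <user> OPEN <path>". This format is
# an assumption for the example, not any real product's audit log format.
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+(?P<user>\S+)\s+OPEN\s+(?P<path>\S+)$"
)


@dataclass
class Alert:
    user: str
    day: str
    opens: int
    baseline: float   # median opens per day over the user's earlier days


def build_sample_log() -> List[str]:
    """Constructed eight-day log. 'alice' opens 3 files a day for a week and
    180 on day 8; 'bob' is a steady heavy user at 40 a day throughout."""
    lines = []
    for i in range(8):
        day = f"2016-03-{i + 1:02d}"
        alice_opens = 180 if i == 7 else 3
        for k in range(alice_opens):
            lines.append(f"{day}T09:{k % 60:02d}:00 alice OPEN /share/broadcast/file{k}.xlsx")
        for k in range(40):
            lines.append(f"{day}T10:{k % 60:02d}:00 bob OPEN /share/finance/report{k}.pdf")
    return lines


def opens_per_user_day(lines: List[str]) -> Dict[str, Counter]:
    """Count OPEN events per user per calendar day; malformed lines are skipped."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m["user"]][m["day"]] += 1
    return counts


def detect_spikes(counts: Dict[str, Counter], ratio: float = 5.0,
                  floor: int = 25, min_history: int = 3) -> List[Alert]:
    """Flag a day when a user's opens exceed both `floor` and `ratio` times the
    median of that user's earlier days. Scoring against each user's own history
    keeps a consistently heavy user from tripping the alert, and the floor keeps
    a light user's 3 -> 10 fluctuation from doing so."""
    alerts = []
    for user, per_day in counts.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]   # strictly earlier days
            if len(history) < min_history:
                continue   # not enough baseline yet to judge this day
            baseline = median(history)
            if per_day[day] > max(floor, ratio * baseline):
                alerts.append(Alert(user, day, per_day[day], baseline))
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(opens_per_user_day(build_sample_log())):
        print(f"{a.user}: {a.opens} opens on {a.day}, prior median {a.baseline}")
```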

If Ofcom had encrypted its data and applied strict permission controls that stay with it regardless of location, this wouldn’t even be a story.  The employee could have copied files to share, but they would be useless, since the person couldn’t read the information inside.

Combating insider threats can be challenging, but your best defense is to protect and control confidential data at the source so it is secured at rest, in motion and while in use regardless of device, storage technology, storage location, and application.

Use persistent data security to prevent data theft in a mobile world

Gone are the days when everyone came into the office every day for work. Changes in work habits have brought substantial growth in mobility adoption within the workforce, and security challenges have followed.

Today’s employees increasingly work from outside the office and they use a number of mobile (often personal) devices to complete their daily business tasks.  Gallup’s Work and Education Poll from August 2015 points out that telecommuting for work has climbed up to 37 percent in the United States.

A June 2014 survey by Gartner points out that approximately 40 percent of U.S. consumers who work for large organizations said they use their personally owned smartphone, tablet, desktop or laptop daily for some form of work.  Mingling business and personal data can and does cause major security problems, since all of us may inadvertently share sensitive company information with the wrong person.

Employers need control and visibility to data security now, more than ever before, beyond what traditional solutions offer. In order to protect sensitive data, employers are looking to persistent data-centric security to tether their sensitive data all the time and anywhere.

Employers thinking about implementing a persistent data security approach to deal with today’s mobility challenges may want to consider the following key points:

  • Sensitive data must be protected at the point of origin and through its life-cycle.
    Highly sensitive data critical to core business functions must be protected at the source and not at the perimeter. Companies must protect data while in use, whether someone is creating it or accessing it from file shares or repositories. Controlling the life span of sensitive information, including disabling access dynamically, is key to protecting it on mobile devices and in cloud repositories.
  • Encryption alone is not sufficient.
    Protection of confidential, private or highly sensitive information should combine encryption with persistent usage policies to ensure that businesses control under what conditions a user can have access and what an authorized user can do with this information once access is granted.
  • Sensitive data will end up in places you don’t know, control or trust.
    In the daily course of business, whether through user error, complacency or malicious activity, companies lose control of sensitive data. Because the places data goes may be untrusted, one cannot rely on the security of the network, device or application to protect that data. Data must be protected all the time, regardless of location or device.
  • You need visibility into who accesses the protected data, when, and how many times.
    Detailed visibility ensures auditability and insight into usage patterns and potential issues, which in turn significantly improves control.

 

Since we live in a mobile and digital work environment, organizations must secure business documents that are portable, easy to copy and more prone to data breaches. Although many organizations have made large investments in perimeter-based security, they are still getting breached. Insider threats and employee data theft are a top concern for every business, since breaches of this type are often the most damaging and can mean the end of the business.

You can continue putting all of your resources into perimeter based security or you can look to persistent data-centric security for your data protection – all the time and anywhere.

Bill Blake presents to Institute of Internal Auditors on fraud prevention

Bill Blake, President of Fasoo, Inc., presented “Closing the Threat Gap: A 21st Century Approach to Minimizing Risk” at the Rochester Institute of Internal Auditors 2015 Fraud Event at Mario’s Restaurant in Rochester, NY on November 20, 2015.

The conference focused on how to detect and prevent fraudulent activities in companies regardless of size. In today’s high-risk environment, members of finance departments need to be vigilant to detect suspicious activities from both inside the company and from external sources. Bill highlighted how Fasoo’s data-centric security can offer the best level of protection for confidential information against insider threats and hackers.

Bill was joined during the event by Peter L’Abbate and Joe Henneky. Peter is a retired law enforcement officer and an expert on fraud, and spoke on payroll fraud. Joe is a professor of Computer Forensics at CCFL and presented a case study on digital forensics and ethics.

Bill helped the group understand the gaps in current security technologies that can enable hackers and motivated insiders to steal confidential data and perpetrate fraud. Exploiting perimeter-based security weaknesses is a cat-and-mouse game, since the hackers are always finding a new weakness to exploit. Bill discussed how confidential data can be protected and tracked throughout its entire lifecycle by using Fasoo’s data-centric security. The attendees were particularly interested in the ability to audit how files are accessed and used by authorized employees, since it provides a complete understanding of the movement of sensitive data.


Former Morgan Stanley Financial Adviser Guilty In Connection with Data Breach

Stop Unauthorized Use of Confidential Data

A former employee of Morgan Stanley pleaded guilty to stealing confidential data from about 730,000 customer accounts. He copied names, addresses, account numbers, investment information and other data to his home computer so he could work on it.

While improperly accessing the information, he was interviewing for a new job with two Morgan Stanley competitors.


Challenge

Your employees access sensitive and confidential customer information so they can do their jobs. Once the data leaves the protected confines of an information repository, file share or cloud-based service, your authorized users can share it with anyone, do anything with it and compromise your customers’ confidential information. You may be subject to fines, not to mention losing customers because they can’t trust you to maintain their confidentiality.

You need to persistently protect confidential data so that customer information is protected regardless of where it goes and who has it.


Fasoo Solution

Fasoo Enterprise DRM protects customer information by encrypting the files and applying persistent security policies to protect them regardless of where they are or their format. Once the data is protected, you can safely share sensitive files through email, USB drive, external portal or any file sharing site. File access is tracked in real time for precise auditing and you can revoke access instantly.

Fasoo Enterprise DRM not only helps you meet financial regulations and safeguard customer confidentiality, but also protects and controls sensitive information while it is at rest, in motion and in use.

Advantages

  • Encrypt customer information to meet consumer and data protection legislation
  • Securely share files internally or externally
  • Control who can View, Edit, Print and take a Screen Capture
  • Limit access time and number of devices
  • Revoke access to shared files immediately regardless of location
  • Trace and control user and file activities in real time
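The flow described above (encrypt once, enforce policy at every access, audit and revoke regardless of where the file has travelled) and the requirements listed at the top of this archive (protection in places you don’t control, visibility into who accessed what and when) can be modelled in a few dozen lines. The Python below is an added example, not Fasoo’s code or product API; the user names, policy fields, document id and the HMAC-based stand-in cipher are assumptions made for illustration. The point it demonstrates is that the content key never lives in the file, so a copy taken to a home PC is only ciphertext and a revocation at the policy service takes effect everywhere at once, while every key request leaves an audit record.

```python
"""Toy model of persistent, data-centric document protection (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode XORed with data.

    Used only so the example runs on the standard library; a real product
    would use an authenticated cipher such as AES-GCM. Encrypt == decrypt.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class ProtectedFile:
    doc_id: str        # a reference to the policy only; no key travels with the file
    nonce: bytes
    ciphertext: bytes


@dataclass
class Grant:
    rights: Set[str]                       # e.g. {"view", "edit", "print"}
    expires_at: int                        # access-time limit (seconds, constructed clock)
    max_devices: int                       # device-count limit
    devices: Set[str] = field(default_factory=set)
    revoked: bool = False


class PolicyService:
    """Holds content keys and per-user grants; every key request is audited."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._grants: Dict[str, Dict[str, Grant]] = {}
        self.audit: List[dict] = []

    def protect(self, doc_id: str, plaintext: bytes, grants: Dict[str, Grant]) -> ProtectedFile:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._keys[doc_id] = key
        self._grants[doc_id] = grants
        return ProtectedFile(doc_id, nonce, keystream_xor(key, nonce, plaintext))

    def revoke(self, doc_id: str, user: str) -> None:
        self._grants[doc_id][user].revoked = True   # effective for every copy, everywhere

    def request_key(self, doc_id: str, user: str, action: str, device: str, now: int) -> Optional[bytes]:
        grant = self._grants.get(doc_id, {}).get(user)
        if grant is None:
            decision, reason = "deny", "no grant for user"
        elif grant.revoked:
            decision, reason = "deny", "grant revoked"
        elif now > grant.expires_at:
            decision, reason = "deny", "grant expired"
        elif action not in grant.rights:
            decision, reason = "deny", f"right '{action}' not granted"
        elif device not in grant.devices and len(grant.devices) >= grant.max_devices:
            decision, reason = "deny", "device limit reached"
        else:
            grant.devices.add(device)
            decision, reason = "allow", "policy satisfied"
        # Real-time audit record: who, what, on which device, when, and the outcome.
        self.audit.append({"time": now, "user": user, "doc": doc_id, "action": action,
                           "device": device, "decision": decision, "reason": reason})
        return self._keys[doc_id] if decision == "allow" else None


def open_file(svc: PolicyService, pf: ProtectedFile, user: str, action: str,
              device: str, now: int) -> Optional[bytes]:
    """Client side: request the key for this action and decrypt only if policy allows."""
    key = svc.request_key(pf.doc_id, user, action, device, now)
    return None if key is None else keystream_xor(key, pf.nonce, pf.ciphertext)


def demo() -> dict:
    """Walk through the scenario with constructed users, grants and content."""
    svc = PolicyService()
    grants = {
        "alice": Grant(rights={"view", "edit"}, expires_at=2000, max_devices=1),
        "bob": Grant(rights={"view"}, expires_at=1500, max_devices=2),
    }
    pf = svc.protect("account-export", b"constructed sample: customer account export", grants)
    home_copy = ProtectedFile(pf.doc_id, pf.nonce, pf.ciphertext)  # file copied off-network

    r = {}
    r["alice_view"] = open_file(svc, pf, "alice", "view", "alice-laptop", now=1000)
    r["alice_second_device"] = open_file(svc, home_copy, "alice", "view", "home-pc", now=1000)
    r["bob_print"] = open_file(svc, pf, "bob", "print", "bob-desktop", now=1000)
    r["bob_view_expired"] = open_file(svc, pf, "bob", "view", "bob-desktop", now=1600)
    svc.revoke("account-export", "alice")
    r["alice_after_revoke"] = open_file(svc, home_copy, "alice", "view", "alice-laptop", now=1000)
    r["outsider"] = open_file(svc, home_copy, "mallory", "view", "unknown", now=1000)
    r["decisions"] = [e["decision"] for e in svc.audit]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the first request succeeds; the second device, the missing print right, the expired grant, the revoked grant and the outsider are all refused at the policy service, and the audit list records each refusal with its reason. The ciphertext itself is identical on the laptop and the home PC, which is what makes the protection independent of location.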

Data Breach Lawsuits Are on the Rise

With data breaches increasing and hackers breaking into major companies and stealing customer data at an alarming rate, lawsuits relating to these breaches have become a hot topic. Until now, companies that suffered a breach faced a catastrophe in terms of brand image, but legally they have been shielded from damages.

According to a recent article, a ruling by the 7th Circuit Court of Appeals reinstated a lawsuit against Neiman Marcus over a 2013 data breach in which hackers stole credit card information from as many as 350,000 customers. The three-judge panel’s ruling has created a stir in the legal environment because it lowers the bar for consumers who want to sue over such breaches.

The suit had initially been thrown out on the reasoning that customers could simply rely on their credit cards’ fraud protection programs, and that such breaches, although they leave customers fearing future fraud and identity theft, did not cause any “imminent” threat or “concrete” injury.

The 7th Circuit, however, reinstated both types of claims: those of customers who had incurred expenses tied to the Neiman Marcus hack, and those of customers who feared future identity theft. The key point, as Chief Judge Diane Wood put it, was: “Why else [other than to cause harm] would hackers break into a store’s database and steal consumers’ private information?”

This ruling will most likely not help consumers cash in. It will, however, build pressure on companies to take a serious look at their data security solutions and see whether they have what it takes to truly secure their data. Companies must show that they have acted reasonably and have taken reasonable yet realistic measures to prevent a data breach and to avoid making themselves a target.

It is quite evident that a data security framework that actually works is necessary for taking a stance against data breaches. Organizing unstructured data, encrypting data and carrying out comprehensive risk analyses before a breach happens all need to be in place to show not only consumers but also the courts that, as an organization, you have done all you could to avoid a data breach. Taking these proactive measures and having strong security policies will go a long way towards mitigating an organization’s liability in a class-action lawsuit such as this one.

Although legal action against an organization after a data breach may be inevitable, positioning yourself with this kind of solution will put the organization in a better position to defend the lawsuit and will deflect some of the greatest damage to the organization’s brand image and reputation.

Taking a hard look at what kind of data security you have now, and being proactive about protecting your customers’ most valuable data, is the first step in avoiding the damage that follows a data breach. Being able to control your data no matter where it is can be the best way to improve your information security.


Photo credit by: PRSA-NY

Still Not Encrypting Your Data?

Are we still not encrypting our data, at a time when cyber-attacks have hit so many big names in healthcare, retail and government? Recently, hackers broke into UCLA Health System’s computer network and may have accessed sensitive information on as many as 4.5 million patients. The information included names, dates of birth, Social Security numbers, Medicare and health plan identification numbers, as well as some medical information such as patient diagnoses and procedures.

The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.

The reason this is making even more news is that UCLA did not take the basic step of encrypting patients’ data, even after the major breaches at the federal government and at health insurance giant Anthem Inc. This has drawn swift criticism from security experts and patient advocates. It is no secret that the healthcare industry has been the target of many data breaches. Yet the breaches continue, and the vulnerability of these systems has made it a field day for hackers looking to steal sensitive data.

Nowadays, hospitals have to worry not only about lost business and patients going elsewhere, but also about the government, which investigates breaches of patient privacy and can levy significant fines for violations of the Health Insurance Portability and Accountability Act, also known as HIPAA.

Compliance aside, however, the most important aspect is to ensure that this information is really protected. A recent article in HIT Leaders and News puts it this way: “while compliance is still a major driver in healthcare, compliance does not equal security. Organizations that drive data security efforts based on compliance put their data at risk. Healthcare organizations need to take a more holistic and proactive approach in their data security strategy.”

The article also notes that recent legislation in New Jersey mandates the use of encryption for PHI (Protected Health Information) that “renders personal information unreadable, undecipherable or unusable by unauthorized persons.” This definitely means more than just having a password on your data; it pushes you toward a more robust method that ensures all aspects of the data are secure, no matter where it is.

Let us hope that data breaches such as this one have provided a lesson to other healthcare organizations, and to organizations in other industries, that they must implement security and encryption to “completely block the path to your most valuable assets.”


Photo credit by: jfcherry
