Securing Information While Sharing

In a recent article entitled “Securing Information for a Shared Services Infrastructure”, Richard Freeman from Ricoh Canada talked about the need to secure information as companies share it internally and externally. The focus of the article is how an organization must look at balancing the need to efficiently share information without compromising privacy, protection of intellectual property and other sensitive data, or financial and legal risk.

As is evident from all the news about data breaches and cyber threats, the challenge today is to thwart the bad guys from stealing your sensitive data. While many organizations still focus on protecting servers, networks and end-point devices, you have to secure and control the information itself. Since most of the data created today is unstructured content stored in documents, protecting the documents from inadvertent or malicious access should be the primary goal to ensure that authorized users can collaborate efficiently and securely.

The answer lies in the infrastructure design using two foundational layers – data and people.

Information can be protected at the data layer by securing and controlling it regardless of where it is stored, how it is transported or the way it is consumed. This data-centric approach emphasizes the security of the data itself rather than the security of networks, servers, or applications. Using a data security framework allows organizations to protect, control and track their data regardless of its location and assign policies and granular permission control to accommodate secure sharing in a dynamic business environment.

A data security policy should maintain a balance between security and productivity to allow different users to perform business operations on multiple devices without interruption. This is why security policies on data should be people-centric. The policy should be flexible and dynamically enforced based on rich context including content, user, device, time, and location. Even though a flexible policy is in place, organizations need to allow exceptions to minimize productivity issues. Data security policies are constantly challenged by the unpredictable nature of data usage in a business environment. The data security framework has to support dynamic changes that permit exceptions to allow people to do their jobs.

Properly applied, this framework allows secure collaboration in the office or while mobile, protects against insider threats and allows the flexibility to meet the requirements of a constantly changing business.

Photo credit WOCinTech Chat

How to Protect IP Mappings from Falling into the Wrong Hands

In my recent article for IP Watchdog, Taking a Data-Centric Approach to Today’s Security Landscape, I highlighted the importance of organizations taking a data-centric approach to security to safeguard against today’s sophisticated, and even amateur, cybercriminals. IP Watchdog particularly focuses on the security of all things IP (intellectual property) which brings us to another sector of high valued information—IP mappings.

IP mappings can be critical to the security of an organization’s database because of its link to client accounts and the location of those accounts within the database. Malicious attacks scanning the system for information on client accounts, such as financial data or trade secrets, would need to spend time and effort to locate the data. If hackers were able to expose the organization’s IP mappings, it would enable them to easily navigate the system and access the information before the organization knew it was under attack.

The recent Ponemon study, Risky Business: How Company Insiders Put High Value Information at Risk, found that almost three quarters of the IT security practitioners surveyed said their organization lost confidential information in the past year. I expect the standard approach to addressing this problem is to employ stronger perimeter security methods to ensure that only authorized users could access databases and the sensitive, high-value information inside.

But what about protecting it from internal users who decide to expose this information for their own gains? The only real way to protect IP mappings is by using encryption. Encryption protects all sensitive documents and files wherever they are accessed, inside or outside of the system.

While encryption is an important factor in protecting the integrity of IP mappings and where they lead, organizations should still implement employee training and a data-security framework to further boost the security of their high valued information.

Proactive thinking will keep organizations ahead of cybercriminals looking to do damage to their company, reputation, and customers. One form of security software is not enough.

Photo credit Blogtrepreneur

Think of a Layered Data Security Framework

The barrage of data breach news on the front page should come as little surprise to any of us. The more data stored and sent digitally, the more we expose ourselves and more breaches occur. With all the resources and money spent on preventing a breach, we might think it is reasonable to expect that the number of reported incidents decline. But yet, on the contrary, this is not what we see.

According to the Identity Theft Resource Center (ITRC), just this year to date, there have been 725 reported breaches. The traditional security model to guard the perimeter is not adequate. Today’s challenges require a layered Data Security Framework. So, what should this framework contain to take the right preventative or restorative actions?

For businesses, getting insight and control of their critical files is essential. This includes any new file that is created and saved and any existing files containing sensitive information. Many businesses are significantly challenged with gaining visibility across their environment to understand the location of their sensitive files. They don’t know how many copies or derivatives of a file are floating around on desktops, laptops, file servers, mobile devices, etc. and are not in a position to take appropriate action to secure and control them. Discovery is the first layer to add to a company’s security posture. This helps you find things.

Once the discovery process is completed, now you are ready to protect your sensitive information using encryption. When the topic of encryption comes up most associate it with protecting information when it is stored or when it’s transmitted over insecure channels, such as the internet. Many often miss the need to secure sensitive files when they are in use. This is the time when these files are at the most risk, since a user can do anything with sensitive data when they have a file open. The best method to achieve security today is through data-centric security for persistent protection of information.

Another layer for an effective data security framework is monitoring activity related to sensitive files. The ability to tie in data from various security technologies, including firewalls, DLP, databases, and even physical security (e.g., entry/exit data from keycard or biometric systems) and employee attendance records can help a business review risky activities and after suitable investigation, help decide whether or not to take action to address them.

A complete framework is required for companies to continuously adjust their security position dynamically to prevent damaging data breaches. Current challenges dictate a good data security framework to take into consideration both human and technological aspects. At a minimum this framework should include regular updating of traditional security measures already in place; educating and training employees; a current data breach response plan and most importantly data-centric persistent security technology measures.

STOP, Collaborate and Listen: Where Employee Vulnerabilities Put Data at Risk

Ron Arden, Executive Vice President and COO of Fasoo, Inc., recently drafted a byline for InfoSec Island that highlights the risks employees pose in their most natural environment – the office – through collaboration with their co-workers. Email, instant messages, file transfers, and digital downloads can all expose vulnerabilities to an organization’s high-value data yet in an office environment these tasks are constantly happening. These behaviors can put sensitive data at risk.

Some organizations may become distracted, always trying to defend themselves against the “bad guys,” and forget to keep an eye on their own flock. Executive leadership should ask themselves: do our employees access files containing high-value information? If so, how often and what are they doing with these files? Should they even be allowed to access the files in the first place?

Our recent Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” found that careless employees are the primary cause of data breaches (56%). That being said, there are steps every organization can take to minimize risk.

Employees that are educated about access levels, the importance of the data they use, and protocols on how to handle the data are less likely to inadvertently send a file that is unsecured or sent it to a contact who should not have access. Consistent reminders of these protocols is also key to maintain a high level of security. Where education may fall short, data security frameworks close the gap. These frameworks can show organizations where their data is held, control access permissions and monitor the authorized users.

The Fasoo Data Security Framework helps address the need to find sensitive, high-value data and manage it so that only authorized people can access it. Controlling this information at all times is a critical business requirement, since companies of all sizes and in all industries create and are care takers of intellectual property and sensitive customer information. You should think of treating this high-value data the way a bank teats currency. You need to know where it is at all times and who has access to it.

A combination of employee education, with the confidence of the data security framework safety net, will ensure that trade secrets, customer data, product designs and any confidential information remains that way.

Keep Your High-Value Information Close, and Your Employees Closer

I recently wrote an article for Corporate Compliance Insights that focused on the importance of organizations taking proactive steps to safeguard high-value corporate data from internal and external vulnerabilities. High value information such as trade secrets, product designs, financial data and customer data can change hands often within an organization, including among people who may not need access to this confidential material. It is the sole responsibility of that organization to protect the data from employee error in the greater effort to protect the data from external malicious actors.

As our Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” taught us, employees, particularly those in the sales department, C-level executives, and finance and human resources, pose the biggest security risk to their companies. The IT security practitioners at these companies admittedly do not have the resources to prevent data leaking by employees. Not a calming thought for those who trust their information to be safe.

I offered four steps that make a significant impact in securing this information:

Encryption – documents and files that have sensitive data should always be encrypted, since it is the best line of defense. If an employee were to share one of these files, opening it up to external vulnerabilities, and it landed in the wrong hands, it would be rendered useless to that individual because of the encryption.
Employee access control – implementing rules, regulations, protocols and enforcing all of the above is key to minimizing human error. Employees should be fully aware of their access rights and what they are allowed to do with any high valued information they access. Regular training held by the organization can further support this effort.
Data-centric approach – while traditional security software can protect information inside an organization’s network, it cannot help if the information has been extracted from this environment. Placing a focus on protecting the data itself, and not just the network or systems that contain the data, will offer better security.
Data security framework – implementing a data security framework enables organizations to be the “big brother” of sensitive information. The framework can identify where the information is stored, control permissions for those accessing it, and monitor how they use the data.

Implementing these tactics will ensure better protection for all that an organization holds dear while boosting their employees’ ability to act as a stronger line of defense in the face of an attempted security breach.

Photo credit Kirsty Pitkin

Stop The Leading Cause of Healthcare Data Breaches

The Pain Treatment Centers of America (PTCOA) recently released a HIPAA Security Notification that a 2015 data breach may have exposed the personal information of as many as 19,000 patients. This healthcare data breach involved hackers accessing EHR system files through data servers owned and operated by a third-party.

The breached files included patient medical records, along with health visit information, name, address, health insurance information, driver’s license number or other ID and, in some cases, a Social Security number. As is standard in data breach situations, PTCOA offered affected patients credit alert protection for one year.

The healthcare industry is no stranger to healthcare data breaches. A new report published by IBM called 2015 “the year of the healthcare breach” with more than 100 million healthcare records being compromised. Whether the breach is caused by a malicious attack, stolen or lost assets such as laptops, insider and privilege misuse, miscellaneous errors, such as improper device disposal or mishandling PHI, once this sensitive data is out, it is out there indefinitely. Most – if not all – of the healthcare files currently cannot be rendered useless once they are stolen. Current compliance and legal systems seem to look after the businesses but not the patients. While patients whose records have been compromised are given a year or two of credit alert or identity protection, they have the burden of these breaches the rest of their lives.

There are all kinds of recommendations from so-called experts to encrypt files in storage (at rest), when they are emailed or shared via file shares (in motion), employee training, monitoring and use of technologies like end-point protection or data loss prevention systems. With all of these measures, there is still weekly if not daily news on healthcare data breaches. So, what is missing you might ask?

Most if not all healthcare environments simply pursue “compliance” rather than “security”. Convenience is preferred over locking patient information down properly and as a result patients suffer.

Health records typically contain credit card data, email addresses, social security numbers, employment information and medical history – much of which remain valid for years, if not a lifetime. While businesses get off with simply a scratch after a PHI breach, patients are left to deal with it for a lifetime.

The healthcare industry’s approach to cybersecurity is behind the times. Encryption needs to be used on health data and files, and owners of this data need to control who has access to it and what they are allowed to do with it regardless of location and device. There also needs to be some way that PHI can be rendered useless as needed.

What is missing within the healthcare industry is a data-centric approach. Even if a healthcare organization has perimeter security tools and encryption to protect information at rest and in motion, most – if not all – lack protection for when PHI is in use. EHR/EMR systems may protect information within the system but when an authorized user is given access, PHI can be localized, copied, printed or users can snap a picture with a phone. There is a huge threat gap being ignored.

The recent Verizon 2016 Breach Investigations Report stated that Healthcare data breaches in 2015 were more likely to be caused by human error than anything. Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors. It is time for healthcare to close the threat gap and keep up with the times. The industry can benefit from implementing a Data Security Framework to identify where sensitive PHI is, control access through policies and monitor usage.

Big Data and Data Analytics Need Data-Centric Security

Big Data and Data Analytics are changing the way the world uses business information. The amount of data that’s created and stored daily on a global level is almost inconceivable as with each passing hour, the data grows at an amazing pace. Everything from the most trivial details of our personal lives to highly sensitive information at work is now stored and catalogued. While businesses look for ways to leverage, manage and derive insight from this vast amount of information, they also need to think hard about satisfying privacy, security and compliance all at once. This is not a trivial job, and many businesses struggle when attempting to roll Big Data and Data Analytics into a production enterprise scenario.

These days, all types of data are routinely collected whether we are at work or when we shop, use public transportation, visit our healthcare provider or access government services in person or online. Data is collected when you access highly sensitive company information, when you localize this data to your laptop or send it home to work on it remotely. Data is collected when you obtain a Medicare refund, book a flight or shop online. Data is collected when you do anything electronically.

While the proliferation and maturation of Big Data, Data Analytics and information technology is aiding businesses, if not properly implemented, it can also hurt them. All of these data collected and stored can also reveal highly sensitive information.

Below are some ethical, security, privacy and compliance guidelines that require additional consideration when businesses are looking to use Big Data and Data Analytics:

1. Disclosure – businesses must disclose what is collected and how the data is used.

2. Privacy & Confidentiality – individuals have a right to control who can access their personal information and businesses must carry the burden of confidentiality to ensure that only authorized persons have access to this information.

3. Ownership – individuals have the right to control their personal/private data. Businesses that collect user data have the responsibility for the data as long as it is within their possession.

4. Data sharing – businesses must carry the burden of the security and governance of data keeping in mind that data shared with another entity may need to be revoked or rendered useless at a later time.

5. Governance and custodianship – businesses must secure the data and control access utilizing usage policies and tracking.

The rapid technological advances in our society are creating more and more ways for businesses and customers to benefit from them. However, the same advances are putting sensitive data at risk. Businesses can benefit from implementing a comprehensive data security framework along with Big Data and Data Analytics to better understand what sensitive data they possess, maintain complete control and custody of that data and to monitor and analyze their risk in owning and using the data.

A Data-Centric Security Framework for a Perimeter-less World

The internet, its commercialization and all its technological advances have changed the way of the modern world. Unlimited information is available at the touch of a button; tasks that used to take time and effort are now much simpler. All this technology created the opportunity for companies to find new and creative ways to grow revenues and data collection has become an essential component of many business operations.

As data is moving and multiplying at a rapid pace across boundaries, platforms and applications, users have the ability to access data in a variety of ways and data very rarely stays within the secure perimeter of an enterprise anymore.

With more and more sensitive data residing outside of the corporate perimeter, locating, securing and controlling this data presents a significant challenge. The traditional security strategies that businesses have been relying on are no longer the viable option they once were.

Businesses need to understand the risks to their data, keeping up to date with the constantly evolving threat landscape. You shouldn’t be protecting the crown jewels of your business using only perimeter security technologies, since it’s obvious that they are no match for today’s criminals.

In our current perimeter-less world, many CISOs realize that data centric security is the best method to secure sensitive data. They realize that data is vulnerable to security breaches and theft and that encryption should go down to the document level to ensure that any document is safe where it is stored, while it is in transit, and when it is being viewed by any authorized users. Security is now becoming part of every stage of a document’s lifecycle — from creation to transmission, storage, editing and retrieval.

Three building blocks are key to building a data-centric security framework:

1. Data Discovery – The ability to implement a data security and governance strategy begins by identifying sensitive data at the source, wherever that may be. Security has to travel with the data, no matter where the data goes. By identifying and analyzing sensitive data, enterprises can focus on managing and securing it. Data discovery allows you to understand relationships between users and data that is created. It helps you see how information multiplies and proliferates within the perimeter and how it’s used by different groups, line of business and mobile applications.

2. Policy-based encryption and usage governance – This enables you to secure and define the types of data an authorized user can access based on their roles. Organizations need a baseline level of security that meets the overall company policy, but also higher security levels and controls for specific business units or users that need it. A customer service representative may only need to see a customer’s order history, but not financial information. Limiting what data authorized users can access and what actions they can take on this can greatly reduce the ability for a current or former employee to expose or steal sensitive data. This approach can further demonstrate that an enterprise is enforcing security and privacy regulatory policies.

3. Risk Management – It is essential to visualize and manage risks by correlating logs of authorized data usage with other user activity. Having a comprehensive view of how sensitive data exits a perimeter or as sensitive data appears where it is not supposed to be, can provide business managers a level of intervention for risk management.

Clearly data is imperative to conduct business today and this brings the need for security and protection of sensitive data; all the time, anywhere. A data-centric security framework does this and even goes further to provide enterprises with the ability to revoke all access to data as needed.