Tag: data

Data protection in Human Resources

I recently wrote an article about protecting confidential data that flows through the HR department.  This is an area that many people forget when thinking about the most sensitive information in an organization.

Everyone thinks about the obvious, like maintaining information about current employees.  But there are many other pieces of sensitive data flowing through HR.

Resumes and personal information about potential employees come into the HR department as managers post job requisitions.  In today’s world, candidates require criminal background checks and drug tests that need to be kept confidential.  As a company hires people, references, existing health information, 401K data and salary details are maintained by Human Resources personnel and inside information systems they access.

The information on potential employees is just as sensitive as information on existing and former employees.  My company keeps my social security number so it can pay me.  It has my name, address, telephone number and bank account information.  It may have pension and retirement plan information.  It knows about my healthcare coverage and my health status.  It also has this information on those people that have left the company through retirement, layoffs or changing jobs.

That’s a lot of personally identifiable information (PII).  If my company was hacked or someone on the inside decided to steal some of that information, I and my colleagues could be the victims of privacy violations and fraud.  Given the sensitivity of this information, how can an organization restrict access to only those people that need to have it?

HR must categorize or classify the data by its sensitivity.  PII is of the highest value and should be limited to HR management and those in HR who need to use it for their jobs.  Once classified, that information should be encrypted and assigned a security policy that limits its access to those people, regardless of where the information exists.  If this information accidentally or deliberately got into the wrong hands, it would be inaccessible and useless.

Federal and state laws require that PII be retained for a certain amount of time once an employee leaves the company.  After that, the information should be destroyed automatically.  If it’s stored in an information repository, retention rules can delete it.  If it’s stored in files on file shares or locally, access can be revoked after an expiration date is hit.

In a role that requires protecting and sharing sensitive and valuable information, the human resources department has arguably one of the more challenging data-handling responsibilities. Encryption and permission control policies can help streamline these tasks after the data is classified.  This is the best way to restrict access to employee PII and ensure that the organization’s important data is secure.

Fasoo Had a Busy Month in October Showing Data Security Solutions

The month of October was very busy for Fasoo as we were all over the US talking to people about data-centric security and how it is the best solution to protect your sensitive information from insider threats and external hackers (APTs).

We started the month by attending the Rochester Security Summit in Rochester, NY.  This two-day event brought together executives and technical staff from numerous organizations in the Rochester area to share intelligence on how to protect their businesses from cyber attacks.  Fasoo was part of a vendor pavilion with our partner Brite Computers showing attendees how to protect data localized from databases, files downloaded from content management systems and those shared through the cloud and on mobile devices.  Ron Arden, Vice President – North America, presented to a packed room on “Closing the Threat Gap: A 21st Century Approach to Minimizing Risk” as part of the Threat Landscape track at the event.

The following week saw Fasoo sponsoring an executive luncheon on The Internet of Things (IoT) at the Nasdaq Marketsite in New York City.  The event was put on by the National Cyber Security Alliance (NCSA) as part of National Cyber Security Awareness Month (NCSAM).  Bill Blake, President – North America, and Ron Arden got to participate in the luncheon and spoke to the numerous executives and government officials.  We were even part of the closing bell ceremony; look for us around 1:00 into the video.  With all the interest in IoT devices and the tremendous data that each will generate, Fasoo was educating people on how to protect the information collected and ensure that PII, PHI and other personal data is protected.

We finished the month in Las Vegas at the IBM Insight 2015 conference.  Fasoo was a Silver Plus Sponsor, so we had a booth right in the middle of all the action.  Security and analytics were big focuses of the conference this year as many organizations are trying to understand where they have sensitive information (the crown jewels) and how best to protect it from internal and external threats.

Bill Blake, Ron Arden and National Account Manager Alper Kizar were all in Vegas talking to customers, IBM staff and generally enjoying the warm weather.  Bill presented “Closing the Threat Gap: A 21st Century Approach to Minimizing Risk” to an enthusiastic audience at the Expo Theater.  Our partners Dayhuff and Neocol joined us in the booth and throughout the conference as many attendees were talking about securing the mountains of unstructured data in their companies.  Of course Vegas would not be complete without some fun, so Dayhuff held its annual get together at the Ri Ra Irish Pub.  The Irish definitely make some great beer and it was great to unwind with everyone after a long day at the conference.

During the different events, I heard a lot of recurring themes from attendees, vendors, speakers and security professionals.  I think they show the challenges CISOs, CIOs and other executives face as they try to move their businesses forward in an ever changing security landscape.  Here are a few of them.

- Corporations do not have perimeters anymore
- Security is everybody’s job
- Monitoring data is hard, it’s like dust, it’s everywhere
- Users are very naive about security and need to be educated
- More than half of all data breaches are caused by human error
- When you increase where the data is, it increases the risk
- Being compliant doesn’t mean you are secure

Fasoo has the best approach to address each of these points through strong file encryption and persistent security policies that travel with the data.  Access to sensitive data is controlled through good identity management that ensures your sensitive data is protected and controlled regardless of location or device.  Working with existing applications and workflows makes it very easy for users to apply security to files, since they don’t have to think about it.  Automatic security policies apply the right level of access control as soon as someone creates a file.  This makes it easy to control unstructured data, whether it’s created locally or downloaded from an existing information system.

Check out some of the pictures from our busy October as the weather turns colder and the end of the year is in sight.  Hopefully we can help you create a secure work environment by protecting your most sensitive information from getting into the wrong hands.

Breaking the 2015 Data Breach Trends

According to a recent article on the top six data breach trends of 2015, we should expect the following: more breaches in the healthcare industry; increased legal and regulatory pressure on CEOs and boards; disgruntled or negligent employees as companies’ biggest security threats, despite headlines involving breaches by hackers and foreign countries; hackers increasingly targeting data stored in the cloud; a rise in credit card breaches over the next few months; and the Internet of Things providing an easy entry point to all your devices and data.

How worried should we be about these trends? Well, let us be honest, this is not so much of a surprise judging by the events of this year. Already we are reaching a record pace for data breaches and what was once only limited to healthcare, retail and finance has strongly made a mark in the government sector as well.

However, the way to ultimately break this trend is to protect the data itself. Laws and regulations are now putting a stop to those who do not “render personal information unreadable, undecipherable or unusable by unauthorized persons.” Encryption is exactly this, and now lawmakers are looking for all organizations that deal with customers’ personal data to abide by these laws to make data secure.

Encryption technology can be used to protect sensitive data. If data is encrypted with sufficient strength, it can remain safe even when stolen or lost on any media. It also protects data in transit, but it does not prevent a leak after decryption by authorized recipients. Considering that most data leaks originate from insiders who have or had access to this data, organizations must complement and authorize existing security infrastructures with a solution that can persistently protect data in use.

Every organization needs to rethink how to protect their most valuable data.  Protecting it with data-centric security ensures that it’s always safe no matter where it goes. By doing this, all the data breach trends of 2015 will not repeat themselves next year for sure.

 

Photo credit by: Elizabeth Hahn

Is Your Favorite Sports Team’s Data Secure?

There is no doubt that 2015 is on a record pace for the number of data breaches compared to previous years. Typically, however, we would assume that these data breaches happen in industries such as healthcare, finance, retail or the government. We would never have thought that this would enter the area of professional sports teams.

Now we know it is happening inside America’s favorite pastime, baseball, and it’s reaching national and worldwide headlines. Here is the story: the St. Louis Cardinals are being accused of hacking the Houston Astros to gain access to intellectual property – trade, proprietary statistics and player strategy information. Federal investigators are recommending charges against at least one St. Louis Cardinals employee for allegedly intruding on a rival baseball team’s database.

The potential breach came after former Cardinals employee Jeff Luhnow left to be Houston’s general manager. The investigation accuses the Cardinals of unfairly prying into the Astros’ database amid concerns Luhnow had taken the Cardinals’ proprietary information to his new employer. Luhnow has told investigators the Astros generated their own database system independently of his previous work in St. Louis. This report follows the Cardinals’ announcement earlier in the month that it had fired Chris Correa, the team’s director of scouting.

According to Major League Baseball, there is no direct evidence that another baseball team has been the victim of a security breach, and each team is responsible for its own cyber security. However, it is impossible to overstate the role of computer systems in the operation of a team — and not just on the business side, where executives can adjust ticket prices daily based on the latest sales data or modify orders for hot dogs or bobblehead dolls based on updated attendance projections.

What have we learned from this? Wherever there is data, it needs to be secured wherever it goes.

The more we understand the need and priority of security to protect such data within sports, such as player contracts, scouting reports, player strategy information, trade related data, etc., the more we will understand that this data needs to be secured with data-centric security.

Whether the sport is baseball, football, hockey, basketball, soccer, etc., proprietary data exists, and if any team is to hold a competitive edge, we should not underestimate what could happen, as was the case in this data breach. Each year we want our favorite sports teams to win that championship, and to do that they need not only the right players, coaches, strategy, teamwork and mindset, but also protection of their most valuable data.

 

Photo credit: Intel Free Press

IT Business Edge shows how Fasoo protects HR data

HR departments have a unique set of security challenges to maintain the confidentiality and integrity of internal staff and external clients.  While maintaining the confidentiality of personally identifiable information (PII), they also develop and share information that needs wide distribution.

Managing these somewhat contradictory requirements requires an approach that is flexible enough to protect against insider threats, while enabling secure sharing.

IT Business Edge has published the slideshow, “Data Protection: Five Challenges Facing the Enterprise HR Department”, that highlights five functions of an enterprise HR department and how Fasoo can help meet the specific access and permission requirements for different tiers of information.

Most companies think about employee PII and information that is generally under the control of HR, but how about when someone leaves the organization?  HR is one of the first to know and can inform the organization of a pending departure.  This helps ensure the organization can immediately disable access to sensitive materials, if there is a concern of theft.

View the slideshow and see some of the ways you can protect your most sensitive information.

Mandating Encryption for Organizations

Connecticut is taking the next step in guaranteeing that customer data is secure. If companies want to do business in this state, they will have to make sure that all personal data that is stored and transmitted is encrypted. In addition, this soon-to-be law would require businesses to enable stronger password protections and control how much personally identifying information can be downloaded at one time, to help mitigate damage in the event any data is stolen.

Nearly one-third of Connecticut residents were affected by the Anthem breach. It is no wonder that states like Connecticut, Maryland and New Jersey have made headlines pushing for all organizations to encrypt any sensitive data they have, especially data that pertains to customers. Connecticut Senate Majority Leader Bob Duff, D-Norwalk, explains that, “In the long run, I think that companies will find it cheaper to implement these protocols than to have to clean up the mess of a data breach.”

How should we feel about these new laws? As customers, we are glad that steps are being taken to protect our data. For an organization, this not only helps build confidence among customers but also, among other things, protects the organization’s own sensitive data.

Without encryption, there is no way that companies can protect their data against hackers if it is stolen from their organization. Trusting security policies, programs, training, strategies, etc. is useless against insider threats.

However, there is a solution, and organizations that did not know about it before have surely heard about it now: Fasoo Enterprise DRM (Digital Rights Management), which protects organizations and also builds customers’ confidence that their data is secured. If data is DRM protected, this is one less concern for organizations in Connecticut, Maryland, New Jersey, Massachusetts and other states.

 

Photo Credit: Dug Song

Bigger Problem than Compliance? The answer? Data Protection!

Although compliance has always topped data breach protection, this year, preventing data breaches and protecting intellectual property are considered more important in driving data protection. However, it is both of these together that make a data breach protection solution so robust.

Meeting and demonstrating compliance is the start to a more secure organization. Last year in particular, the spike in data breaches caused by the theft or loss of sensitive information led the government to push for numerous legislative requirements and standards-based protocols from NIST (National Institute of Standards and Technology).

Federal government agencies are required to follow endpoint security obligations and protocols, and even more so national security agencies that communicate classified information.

The security challenge for organizations can be seen in two ways: Threats can come externally or internally from within the organization. Data leaks and network instability can have disastrous consequences, regardless of their source. As a result, security can be implemented to block entry of unauthorized users and prohibit the exit of confidential data, among other things. However, the more important and sure way of protecting your data is to protect the data itself.

Whether we are dealing with insider threats or external hackers, encrypting the data itself must be a standard and a mandate, so that even if they steal the files that contain the data, unauthorized users cannot use it.

Fasoo Enterprise DRM (Digital Rights Management) is a file-based security solution that prevents the exposure of sensitive and confidential files by trusted insiders, business partners, customers and unauthorized people. This solution also protects, controls, and traces sensitive files containing intellectual property, trade secrets, PII, and more. It maintains file protection and prevents unintended information disclosure no matter where it is.

Remember, although compliance is the start to having a secure organization, data protection is needed to provide robust protection against data being exposed.

Photo Credit: Tom Woodward
