
Graphic: Top 5 Document Protection Blog Posts of 2021

Which blog posts about document security and protection attracted the most visitors to the Fasoo website in 2021?

Let’s face it: the ins and outs of Digital Rights Management (DRM) in the enterprise don’t exactly make for blog topics that get most people’s juices flowing.

The good news is that content that draws on the insights shared by Fasoo’s longtime, recent, and not-yet customers can overcome this hurdle. Readers interested in Enterprise DRM clearly prefer blog posts that answer relevant questions and provide hands-on advice for IT decision-makers and their teams.

Which Fasoo blog posts hit a nerve in 2021? These were the Top 5:

*

# 5: Your questions about Fasoo Enterprise DRM vs. Microsoft AIP, answered

“How does Fasoo Enterprise DRM (Fasoo EDRM) compare to Microsoft Azure Information Protection (AIP)?” In one version or another, this was one of the most frequently asked questions the Fasoo team had to answer in 2021. 

It’s a tricky one. After all, Microsoft AIP was developed primarily with the document ecosystem of Microsoft Office plus a few third-party file formats in mind. Fasoo DRM, on the other hand, provides document protection at scale and for more than 200 file formats in large organizations and along their supply chain.

Image shows a Minivan vs. Ford Super Duty Pickup Truck Tableau

Photo sources: Dreamstime / Ford

So can you compare the two at all? We tried. Let’s just say minivans keep us moving, but for serious business, you may want to consider a super-duty truck.

It seems like many readers have been looking for answers to EDRM-vs.-AIP-related questions. Did you miss the post?

Check it out here:

FAQ: 5 Top Questions About Fasoo Enterprise DRM vs. Microsoft AIP

# 4: IP theft prevention: a step-by-step guide for the automotive industry

In vehicle and component manufacturing companies, most sensitive information is stored and managed digitally. Examples are:

How can you protect digital assets against intellectual property (IP) theft? Without adequate – data-centric – protection, trade secrets can end up with a competitor or a foreign government in a matter of minutes, even seconds: on a USB device, say, or uploaded to a personal cloud storage account from an unmanaged remote work laptop.

And they do. 2021 was marked by the “Great Reset” in the automotive industry. Employees working from home or leaving for a competitor (or both) posed the biggest threat to their company’s proprietary information. How to prevent intellectual property theft in the automotive sector? Many blog visitors turned to our 10-step guide here:

IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat

# 3: Important enterprise DRM terms, explained

Enterprise-level DRM can be confusing. The – often niche-specific – solutions of the past were expensive, complex to deploy, and difficult to scale. As a result, IT teams weren’t exactly gung-ho about exploring today’s DRM-based information protection.

This has changed. Enterprise DRM solutions have come a long way, which has caused a resurgence of the category and considerable change in perceptions. In 2021, this trend had more IT professionals asking about specifics. 

So we dedicated 2021 to cutting through the fog of related terms and acronyms for this growing audience. A timely decision, judging by our blog traffic numbers. The Enterprise DRM Glossary became the 3rd-most frequented post of 2021:

Enterprise DRM Glossary

# 2: PDF security – an oxymoron?

You would think that 28 years after Adobe first introduced its platform-independent “secure” PDF file format, all related document protection questions should be settled. Far from it, as you may know.

Yet PDF files are making up a large share of unstructured business data. Do you know how well all your sensitive PDFs are protected? If the answer is no, consider yourself in good company.

According to a 2021 report, researchers who analyzed publicly accessible PDF files of 75 government security agencies identified only seven that had removed sensitive information before publishing. Ouch.

This data point doesn’t make you feel better? In that case, the # 2 on our Top-5 list of document protection blog posts provides relief. It gives a hands-on introduction to various approaches to securing PDF documents against unauthorized access, including editing, printing, copying, or screenshots:

Document Protection: How to Secure a PDF

# 1: DRM vs. DLP – a false dichotomy?

And the winner is… Boasting not one, but two industry acronyms in the headline, the chart-topper on this Top 5 list defied headline writing best practices and search engine odds in 2021.

DRM and DLP – Data Loss Protection – both aim to protect sensitive documents against leakage and exfiltration. They are frequently weighed against each other, but that doesn’t explain why this blog post piqued that much curiosity.

Maybe it’s because it fundamentally questioned the traditional “either/or” perspective? If you haven’t read it yet, you can find it here:

Enterprise DRM and DLP: Comparison Made Simple


Photo: Federal Courthouse in Portland, OR

Global manufacturers in innovation-driven industries are ramping up their document protection against intellectual property theft.

Can you guess what tops their priority list when selecting or expanding enterprise-wide digital rights management (DRM)? Here’s a hint.

But first, a quick look at the court dockets. Did you hear about that lawsuit filed by Intel in February against a former employee who joined Microsoft?

Talk about an IP theft textbook case. Intel accuses [PDF] a former product marketing engineer of exfiltrating “highly confidential, proprietary, and trade secret information” on his way out the door – to Microsoft.

So far, so common. That’s true even in the most security-conscious companies, as this most recent example shows. It highlights how a combination of three factors poses mounting risks to the IP of many tech and manufacturing companies: 

  • blurred IT and security perimeters with a plethora of unmanaged (storage) devices,
  • increasing competition, coopetition, and fluctuation of engineers and other key personnel with access to trade secrets between competitors,
  • the inability to centrally monitor, control, and police how employees access sensitive documents, especially when they leave the company.

It’s at that point where the IP protection capability mentioned in the title of this post can make all the difference; we’ll get to that in a minute. But first, let’s look at what allegedly happened when the Intel engineer left the company after ten years in January 2020.

What did he allegedly do, and how? The company alleges that on his last day on the job, the employee downloaded roughly 3,900 files from a company computer “to a personal Seagate FreeAgent GoFlex USB drive.”

Bar chart image with IT Security Alert Fatigue research results
Insider threats: How can almost 4,000 sensitive files get downloaded from a company-issued computer to an unmanaged device without anyone noticing? One possible – and common – explanation is alert fatigue. Data Source: Cloud Security Alliance


3,900 confidential files walk out the door at Intel

Hm, what? And he walked out the door with it where, and why? Fast forward to February 2021:

In the federal court filing [PDF], the plaintiff claims that the defendant – now Principal of Strategic Planning in Microsoft’s Cloud and Artificial Intelligence department – “used the confidential information and trade secrets he misappropriated […] in head-to-head negotiations with Intel concerning customized product design and pricing for significant volumes of Xeon processors.”

Ouch. Yes, these are only allegations so far. They yet have to be proven in court. 

But however the jury finds in the end, the court filing is remarkable for what it reveals between the lines. Intel’s lawyers credit Microsoft and its forensic investigators for helping to unearth the “full breadth” of the alleged deeds.

Which gets us to the main point of this post: 


Was this IP protection failure preventable?

Granted, hindsight is 20/20. Yet from an IP protection perspective,  one could argue that all of this would have been entirely preventable. 

How do we know, you ask? Coming right up, it’s all laid out right there in the court filing. Intel, if we believe the lawyers, had insufficient visibility into and no control over an (ex-) employee’s access and use of sensitive proprietary files. And indirectly, the company admits as much. 

For example, the lawsuit alleges that once at Microsoft, the former Intel employee “accessed, viewed, opened or otherwise interacted with more than one-hundred documents taken from Intel […] at least 114 times” from his company-issued Microsoft Surface laptop.

Mind you, Microsoft’s helpful forensic investigators unearthed these (incomplete) insights only after the fact, according to Intel’s grateful lawyers.

Had the individual files been encrypted and their use governed by centralized policy management from the get-go, the engineer’s access would have ended with his tenure at Intel.


The case for DRM with centralized policy management

Cases like this should not come as a surprise. We’ve seen a rising wave of similar insider-related incidents over the past three years. The tech and mobility industries are bearing the brunt of the attacks.

The threat has caused more IT leaders to deploy enterprise DRM (also known as Information Rights Management, IRM). This file-centric, people-centric, and platform-agnostic approach enables organizations to protect unstructured data at rest, in transit, and in use.

Think MS Office documents, PDF files, images, or CAD designs, for instance. They are encrypted at the point of creation. The protection applies wherever a file is stored or moves to, inside or outside the organization’s perimeter.

File use can be monitored, access policies and permission levels centrally managed by IT, risk officers, and HR, and flexibly adjusted on a granular level by the data owner.

Let’s take a product design file protected by Fasoo Enterprise DRM, for example. It will check back in the background with a central Fasoo server when someone tries to access it. Does this user still have the proper authorization to open, copy, download, or print the document?

If not, it doesn’t matter if a former employee took it home on a portable hard drive or USB stick – IP protection is ensured. The document is worthless for whatever that person wants to do with it, locked with FIPS 140-2 level encryption that meets the requirements of the Cryptographic Module Validation Program (CMVP) of the US government. 
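The check-back flow described above, modelled as an added example (this is illustrative code, not Fasoo’s implementation): the file carries only ciphertext and a document id, the content key stays on a hypothetical central policy server, and every open asks that server whether the user is still active and entitled to the action. The stream cipher is a stand-in built from SHA-256 so the example runs without third-party libraries; it is not a real cipher.

```python
"""Minimal model of file-centric DRM with centralized policy management.

Added example, not Fasoo code. Names (PolicyServer, ProtectedFile, offboard)
are assumptions made for this illustration. The sample document text and
users are constructed for the demo.
"""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (SHA-256 counter keystream) so the demo is
    # self-contained. NOT a real cipher; a product would use validated AES.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class ProtectedFile:
    """What actually sits on the USB stick: an id plus ciphertext, no key."""
    doc_id: str
    ciphertext: bytes


@dataclass
class PolicyServer:
    users: dict = field(default_factory=dict)     # user -> {"active", "roles"}
    policies: dict = field(default_factory=dict)  # doc_id -> {role: {actions}}
    keys: dict = field(default_factory=dict)      # doc_id -> content key
    audit: list = field(default_factory=list)     # (time, user, doc, action, result)

    def protect(self, doc_id: str, plaintext: bytes, policy: dict) -> ProtectedFile:
        """Encrypt at the point of creation; the key never leaves the server."""
        key = os.urandom(32)
        self.keys[doc_id] = key
        self.policies[doc_id] = policy
        return ProtectedFile(doc_id, _keystream_xor(key, plaintext))

    def offboard(self, user: str) -> None:
        """HR/IT 'flip the switch' on the last day at work."""
        self.users[user]["active"] = False

    def request(self, user: str, doc_id: str, action: str):
        """Called by the client agent on every open/print/copy attempt.
        Returns the content key only if the user is active and some role of
        theirs grants the action; every decision is written to the audit log."""
        u = self.users.get(user)
        granted = self.policies.get(doc_id, {})
        allowed = bool(u and u["active"]
                       and any(action in granted.get(r, set()) for r in u["roles"]))
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, doc_id,
                           action, "allow" if allowed else "deny"))
        return self.keys[doc_id] if allowed else None


def open_file(server: PolicyServer, user: str, pf: ProtectedFile):
    """Client side: decrypt only if the server releases the key, else None."""
    key = server.request(user, pf.doc_id, "open")
    return None if key is None else _keystream_xor(key, pf.ciphertext)


def demo():
    """Engineer opens a CAD file, is offboarded, tries again from a copy."""
    server = PolicyServer()
    server.users["engineer"] = {"active": True, "roles": {"design"}}
    server.users["reviewer"] = {"active": True, "roles": {"review"}}
    design_doc = b"gear ratio table (constructed sample)"   # constructed input
    pf = server.protect("CAD-0001", design_doc,
                        {"design": {"open", "print"}, "review": {"open"}})
    before = open_file(server, "engineer", pf)
    server.offboard("engineer")
    after = open_file(server, "engineer", pf)          # same bytes, no key now
    print_ok = server.request("reviewer", "CAD-0001", "print") is not None
    return before, after, print_ok, [entry[4] for entry in server.audit]


if __name__ == "__main__":
    print(demo())
```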


Nothing to see here after HR and IT flip the switch

In summary, file-centric document protection makes IP “misappropriation,” as alleged in the case brought by Intel, impossible.

Overview image: File-centric encryption and control with Fasoo Enterprise DRM

Centralized yet flexible and painless policy and exception management are among the top priorities for document protection program leaders when choosing an enterprise DRM solution, they tell us. Fasoo Enterprise DRM empowers IT, in coordination with HR, to set and change document use policies in sync with users’ employment lifecycle, from onboarding to the last day at work.

One global technology manufacturer that is leveraging enterprise DRM to protect its IP is Fasoo customer ZF Group. This automotive industry supplier with 240 locations in 41 countries now deploys Fasoo Enterprise DRM to secure critical IP, such as CAD drawings and process information, across its global tech centers.

“Before, we had a few incidents where engineers with years of insider knowledge and access to documents left and joined a competitor,” said Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division in Livonia, Michigan.

“As a company, you spend years training engineers in the ways you do things, and they get access to your most intimate know-how and process knowledge,” he explained. “You cannot just block them; they need it. But you also need to be able to quickly adjust access privileges on a granular level, without delay.”

“It’s a fine line to walk,” Markus told us. “You have to find the right balance between maximum IP protection on one side, and productivity on the other. Fasoo helps us maintain this balance.”

*

To learn more about how to prevent intellectual property theft and leakage in manufacturing and supply chain environments while maintaining a competitive edge, watch our Fireside Chat at Apex Assembly Tech Leaders Northeast Summit on March 30th, 2021 with GE Gas Power cybersecurity researchers Hillary Fehr and Christopher Babie.

Protect data on laptops from terminated employees

I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word).  Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them?  It also made me think, in a situation like this, how the potential for insider theft is far greater.

Files containing IP can be either printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured and so on.  These are not necessarily actions of malice, but obvious desperation to assist with the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used.  It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do.  But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information.  The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!


Photo credit Ian Sane


Encrypt and control sensitive wealth management data

The financial services industry is a frequent target of hackers, but a larger threat may be trusted insiders since they have access to a lot of sensitive customer data.  Advisers within wealth management practices regularly share data with other advisers, staff members, a counterparty or a trusted third-party service provider. They may inadvertently or deliberately share that data with unauthorized people and pose a risk to their firms and customers. Once shared, most firms have no control over that data. The Ponemon Institute illustrates this risk by reporting that 65% of cyber breaches originated with third parties.

Insiders regularly share customer or other sensitive information with colleagues and third-parties by generating and downloading reports from a database. Typically the reports are spreadsheets which make it easy to analyze the data. Access to the database may be restricted, but once in a spreadsheet, the sensitive data is easy to share with anyone.

Just recently, BlackRock inadvertently exposed names, email addresses and other information of 20,000 independent wealth management advisers. The data was in several spreadsheets from an internal customer relationship management system and was inadvertently posted on a website by an internal user. There was no hacking, just a mistake by a trusted insider.

In 2017, New York implemented comprehensive cybersecurity regulations to protect New York’s financial services industry and consumers from cyber attacks. Other jurisdictions are following suit. High-profile cases like the Morgan Stanley broker who stole data on more than 350,000 of the bank’s wealthiest clients in 2014 was clearly on the minds of regulators when they created these regulations. Even with these rules in place, BlackRock still experienced a data breach.

Typical approaches to stop data breaches focus on protecting devices and locations from unauthorized access, rather than the data stored on them. These solutions force you to create complex business rules that monitor data movement and alert you to abnormal activities. In the BlackRock and Morgan Stanley cases, authorized users had legitimate access to sensitive data, so these tools may not have flagged anything as abnormal.

The only effective way to restrict access of sensitive data to authorized users is to encrypt it and apply security policies that govern its access. This ensures that only authorized users can access the data, regardless of the file’s location or format. This includes sending data to a counterparty or other third-party service provider. Once encrypted, the organization can trace user activities and even revoke access whether stored on a local system, mobile device, website or cloud-based repository. If someone accesses the file, they cannot read its contents unless explicitly granted access to it.

Morgan Stanley could have prevented its employee from accessing customer information on his home computer by encrypting it and setting appropriate policies. Once he left the company, his access to company data could be immediately revoked. The BlackRock spreadsheets would have been useless to any unauthorized person, since no one could read their contents unless explicitly granted access. If hackers stole the data in either case, it would be useless to them, since it was encrypted and the hackers had no authorization to access it.

Investors trust wealth management firms to protect their sensitive data. Encrypting files and controlling user access maintains that trust and complies with privacy regulations.

Photo credit: Pavel Rybin

Image: Bill Blake shows how Wrapsody helps manage an incident response plan

Fasoo sponsored and presented at an event in Columbus, OH on November 13, 2018 entitled “Incident Detection, Response and Recovery” highlighting how to prepare and manage an incident response plan for cybersecurity and data protection.  Presented and cosponsored by Catalyst Solutions, IBM and Huntington Insurance, the event brought together experts in legal, insurance, law enforcement, government, accounting and security disciplines to discuss the legal, technical and business issues of preparing for and responding to a data breach.

Bill Blake, Senior Vice President and CCO of Fasoo, presented Incident Response & Recovery: Secure Collaboration for Critical Information which highlighted the Wrapsody platform as a solution to help manage the development, access and control of an incident response plan (IRP).  Bill showed an example of a CISO, Legal Counsel and an external Advisory firm securely collaborating on an IRP and how to control who could access the plan and any supporting documents involved in a response.  The example showed how easy it is to securely collaborate on developing and managing the plan, but also on limiting access prior to, during and after a breach occurs.  Since Wrapsody encrypts documents and controls their access, it guarantees only authorized users can access them.  This is critical because if an incident response plan got into the wrong hands, malicious insiders or external parties could compromise an organization’s data security.

Ed Rice, an attorney at Sherrard, German & Kelly, P.C., talked about the importance of having a data security program in place.  “Not only does it make good business sense, but under the regulatory landscape, for instance in NY, MA and CA, having such a program is a requirement when a company deals in data containing personal information.  Ohio’s new data protection act actually provides a ‘safe harbor’ from liability for a data breach if the company has in place a good data security program.”

One key to a data breach response is maintaining attorney-client privilege between internal or outside counsel and the organizations involved in the breach.  A cybersecurity incident is not considered a data breach until an attorney says it is.  An attorney should be involved in developing the plan so the plan and any supporting documents are considered attorney work product and come under attorney-client privilege.  Since Wrapsody limits access to authorized users, if a malicious insider tried to share documents with external parties, they would not be accessible.  If a court tried to subpoena the documents, attorney-client privilege would protect them legally, but Wrapsody’s encryption and access control would prevent access to the files themselves.  Another key is having a detailed audit log of document access to prove to auditors, regulators and law enforcement who accessed the IRP during its preparation and execution, thus also helping establish what is subject to attorney-client privilege.

Once an event occurs and the organization executes the IRP, access is controlled and audited.  If internal systems are compromised, Wrapsody enables mobile access to the IRP through a phone and tablet.  Since each version of the IRP and any supporting documents are automatically synced to the Wrapsody server, those involved in the response will have access to the latest information, even if the IRP itself was hit with ransomware.

Protecting company and customer information is the main goal of cybersecurity.  Preventing a data breach is a key tactic, but you need to have a viable incident response plan so you can act quickly and decisively if or when a breach occurs.  Using Wrapsody to prepare and manage the plan along with sensitive documents should be a key tactic in your cybersecurity program.

Fasoo protects unstructured data

Fasoo’s message of finding, protecting and controlling unstructured data definitely made an impact on attendees at the 2018 RSA Conference in San Francisco.  With new regulations like the General Data Protection Regulation (GDPR) coming on quickly and the general feeling that businesses need to do more than just track file access, companies are looking for a more comprehensive and practical approach to providing secure ways to conduct business.

Over 45,000 senior executives and IT security professionals attended this year’s conference with about 2,000 visiting Fasoo’s booth.  Visitors saw hourly presentations and demonstrations on how to manage and control their unstructured data, which is by far the largest problem of data security.  While someone hacking a database and stealing credit cards seems to make the headlines, the reality is that the majority of an organization’s intellectual property and sensitive information is stored in documents.  Fasoo staff showed how Fasoo Data Radar, Fasoo Enterprise DRM, Fasoo RiskView and Wrapsody help manage and protect the critical business information inside documents.

A lot of attendees were very interested in discovery and classification of files because many realized they don’t know what they have and where it’s located.  One executive I talked to had a good handle on her databases, but when it came to downloading reports from those databases and the documents employees create every day, she acknowledged it’s a lot more challenging.  She mentioned there’s a lot of redundant, obsolete and trivial (ROT) data in file shares, cloud repositories and on people’s desktops which makes controlling the important information a lot more difficult.  She wanted to focus on data critical to her business and get rid of everything else.  I suggested automatically securing files as users create or edit them.  This protects current information and lets her quickly understand what is used and what is not.

Of course what would RSA be without some fun?  Our hourly presentations were very lively and attendees got Starbucks cards, Fasoo hippos, headphones and an Amazon Echo.  You had to really listen to the presentation to get some of the prizes, but the real fun started when Star Wars trivia came up.  One gentleman had to perform for his prize making a convincing Chewbacca sound.  There was even a little horse trading as the winner of one prize decided to swap it with the winner of another prize.

Visitors to Fasoo’s booth commented that the security solutions looked easy to use but still allowed them maximum protection of their unstructured data.  This is always a critical issue as organizations try to balance security with productivity.  Automating the processes of identifying, classifying and encrypting sensitive files allows employees and business partners to focus on their jobs rather than worrying about how to protect business critical information.

Practical Advice At Buffalo NYDFS 23 NYCRR 500 Pathways to Compliance Event

Following our successful event in Rochester, the second of the NYDFS 23 NYCRR 500 roadshow events at Phillips Lytle LLP in Buffalo, NY on May 17, 2017 brought together executives, insurance, legal, and security professionals in a great forum to discuss challenges for financial services organizations to meet the new cybersecurity regulations that went into effect on March 1, 2017.  A full house heard some practical advice designed to assist entities regulated by the New York Division of Financial Services (NYDFS) comply with the new regulations.

Jennifer Beckage of Phillips Lytle LLP started with her “Survival Guide to Navigating the NYDFS Cybersecurity Regulation”.  Jennifer talked about the challenges covered entities face not only developing their own cybersecurity programs, but how those spill over to their service providers.  Developing, implementing and monitoring vendor management programs will affect contracts, day-to-day operations and the technology used to secure and control information shared.

Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”.  Sponsored by Fasoo, this survey gave great insight into the readiness of financial services organizations to comply with the new regulations.  One key statistic from the survey that picked up on Jennifer’s discussion on third party liability is that only about half the organizations think they can meet the two-year transitional period to implement a third-party services provider security policy.  One member of the audience mentioned that they may have to switch some service providers who can’t meet the requirements.  The discussion also talked about fourth-party service providers, since you as a covered entity can’t know who your service providers use for their business.  This gets complicated very quickly.

Dr. Ponemon’s keynote was followed by a panel discussion moderated by Kevin Cox from Brite Computers on meeting governance and security aspects of the regulation.  The panel included Dr. Ponemon, Jennifer Beckage, Dave Hansen from Freed Maxick, Reggie Dejean from Lawley Insurance, and Ron Arden from Fasoo.  Based on a number of questions from the audience, the panel had a lively discussion on incident response.  A key item is to engage your legal and insurance providers immediately if you suspect a negative cyber event.  How you characterize an event and your response to it is not only a technical and process issue, but a legal one too.  An event is not considered an incident until an attorney says so.

One key discussion was on data retention and protection.  Since the regulation talks about encrypting and limiting access to all nonpublic data, one way to minimize risk is to delete information that is no longer needed by the business.  If you don’t have it, you don’t need to protect it.  This not only helps with general security hygiene, but also helps satisfy other regulations, since eliminating unneeded information reduces a company’s general liability.  As in the earlier discussions, this lends itself to protection and revoking access to nonpublic information you share with your service providers.

Fasoo wants to thank all the Buffalo NYDFS 23 NYCRR 500 roadshow sponsors for all their support.  It was a great event and everyone said they got a lot of great information that will help them as they strive toward meeting the first deadline of August 28, 2017.

Ponemon Institute
Brite Computers
Lawley Insurance
Phillips Lytle LLP
Freed Maxick

Fasoo Presents to Ponemon RIM Council

Bill Blake, President of Fasoo, Inc., joined Dr. Larry Ponemon in a presentation on July 20, 2016 to the Ponemon RIM Council of the findings from the recent Ponemon Institute survey “Risky Business: How Company Insiders Put High Value Information at Risk”.  Bill and Larry discussed numerous points highlighted in the survey including how to deal with careless acts by employees and contractors that can ultimately result in a data breach.

The Ponemon RIM (Responsible Information Management) Council is a select group of privacy, security and information management leaders from multinational corporations who are champions within their various industries on issues involving privacy and data protection.  Many of the members were very interested in the conversation about company insiders, since many security organizations focus more of their technology and human resource on fighting external threats to sensitive information.

Companies in this study said the primary cause of data breaches was the careless employee (56 percent of respondents) followed by lost or stolen devices (37 percent of respondents) or system glitches (28 percent of respondents). In contrast, only 22 percent of respondents say external attackers or malicious/criminal insiders (17 percent of respondents) caused the breach.  It is interesting that organizations believe they are more effective in preventing external attacks by hackers and third parties than careless employees or malicious or criminal insiders, yet the survey points to insiders as being the greater threat.  This is in contrast to what many organizations view as the primary threat to their intellectual property and other high value information.

While a lot of focus is on strengthening perimeter security to address external threats, clearly companies need to look internally to prevent accidental exposure of information through careless or malicious acts.  Two key areas to remediate these issues are to create training programs that address the common and careless actions prevalent in most companies and take advantage of technologies that allow for self-securing data based on the value of the content rather than relying on employees to decide what is and what is not sensitive and high value information.

Click here to download the full presentation used during the RIM Council meeting.

Use the Fasoo Data Security Framework to Stop the Data Breaches

There is a lot happening lately in the financial sector to help stem the tide of constant data breaches.  This week a financial industry coalition in the US is promoting a campaign called “Stop The Data Breaches” to encourage people to get their members of congress to pass The Data Security Act of 2015 (H.R. 2205 and S. 961).

The effort is backed by seven trade groups, including the American Bankers Association, the Consumer Bankers Association, the Credit Union National Association and the National Association of Federal Credit Unions (NAFCU).  By running online and print ads, they are trying to get Congress to enact this important legislation that would protect consumer data.

A few weeks ago, on May 12, 2016, the Federal Deposit Insurance Corporation (FDIC) appeared before a Congressional Subcommittee to answer whether Americans can trust the FDIC to protect their private banking information. One of the interesting outcomes was the FDIC announcing a new cyber security initiative after five more breaches. Part of this initiative is the implementation of Digital Rights Management technology to locate, recall and/or render data useless when appropriate. This development should have a major impact on the financial sector, which will follow suit if it has not already implemented this type of data-centric and people-centric security approach.

According to a National Association of Federal Credit Unions (NAFCU) survey, the average cost of a merchant data breach in 2014 was near a quarter of a million dollars, while some breach costs reached tens of millions.  Passing the pending federal legislation will help improve the security posture of financial institutions and any organization that handles personally identifiable and financial information.  It requires any entity that handles sensitive personal and financial data to protect that data. It builds upon existing legislation and replaces the current patchwork of inconsistent state data security and breach notification laws with a clearly defined, uniform set of standards.

Consumer data remains vulnerable. Security should not be an afterthought. Rather than pointing fingers at who is responsible for consumer data security, everyone should protect consumer data. Below is a short list of 3 key steps you may want to use as your Security Blueprint for your data:

•   Find your sensitive data and classify it.

•   Implement usage policies to limit who can access it and what they can do with it.

•   Monitor usage to detect unusual behavior.

This is a good start to help Stop the Data Breaches.  Call, write, email or text your legislator today to get them to pass The Data Security Act of 2015.

FDIC adding DRM to its information security

On Thursday May 12, 2016, the Congressional Subcommittee on Science, Space and Technology held a special hearing in Room 2318 of the Rayburn House Office Building. The hearing addressed whether Americans can trust that their private banking information is secure when they rely on the Federal Deposit Insurance Corporation (FDIC).

During the session, lawmakers stated that the FDIC has a long history of cyber-security incidents and that it is failing to safeguard private banking information of millions of Americans who rely on the FDIC.

In the last seven months alone, seven departing employees at the FDIC have left with personal banking information on thumb drives and other removable media.

While Lawrence Gross Jr., the FDIC’s CIO, told lawmakers that the FDIC considered the data breaches “inadvertent” copying of personal banking information that happened when departing employees were copying personal information to removable media, some lawmakers called taking something that does not belong to the employees “theft”.

One of the sticking points during the hearing was that the FDIC didn’t immediately report the incidents as major breaches to Congress until prompted by its Inspector General’s Office. Gross stated that he didn’t originally classify the incidents as major breaches because they seemed to be accidental copying of files during “non-adversarial” departures of employees. Furthermore, Gross pointed out that employees involved had signed affidavits saying they didn’t share the data with others.

Are the American people buying this explanation? Since when has it been acceptable to have people accidentally or knowingly copying information that does not belong to them to removable devices?

The FDIC has now spoken about putting controls around the usage of information so that sensitive data cannot be copied onto removable devices. Gross went further, stating that the Agency is adding digital rights management software to its environment. This is a significant comment from the head of a significant Agency. The FDIC is now adding DRM on top of traditional perimeter solutions to control sensitive information while it is in use.

It is of utmost importance that organizations adopt technologies like Digital Rights Management as part of a data-centric security approach to protect sensitive information and maintain stability and public confidence. Fasoo provides a Data Security Framework to public and private entities alike to enhance their information security program and keep up with the threat gaps. Please contact us or visit us during the Gartner Security and Risk Management Summit in National Harbor, Maryland, between June 13-16 at Booth #200.

Is Your Favorite Sports Team’s Data Secure?

There is no doubt that 2015 is on a record pace for the number of data breaches compared to previous years. However, we would typically assume that these data breaches happen in industries such as healthcare, finance, retail or government. We would never have thought that this would reach professional sports teams.

Now we know it is happening inside America’s favorite pastime, baseball, and it’s reaching national and worldwide headlines. Here is the story: the St. Louis Cardinals are being accused of hacking the Houston Astros to gain access to intellectual property – trade, proprietary statistics and player strategy information. Federal investigators are recommending charges against at least one St. Louis Cardinals employee for allegedly intruding on a rival baseball team’s database.

The potential breach came after former Cardinals employee Jeff Luhnow left to be Houston’s general manager. The investigation accuses the Cardinals of unfairly prying into the Astros’ database amid concerns Luhnow had taken the Cardinals’ proprietary information to his new employer. Luhnow has told investigators the Astros generated their own database system independently of his previous work in St. Louis. This report follows the Cardinals’ announcement earlier in the month that it had fired Chris Correa, the team’s director of scouting.

According to Major League Baseball, there is no direct evidence that another baseball team has been the victim of a security breach, and each team is responsible for its own cyber security. However, it is impossible to overstate the role of computer systems in the operation of a team, and not just on the business side, where executives can adjust ticket prices daily based on the latest sales data or modify orders for hot dogs or bobblehead dolls based on updated attendance projections.

What have we learned from this? Wherever there is data, it needs to be secured wherever it goes.

The more we recognize the need to protect such data within sports, such as player contracts, scouting reports, player strategy information, trade-related data and so on, the more we will understand that this data needs to be secured with data-centric security.

Whether the sport is baseball, football, hockey, basketball, soccer or any other, proprietary data exists, and for any team to hold a competitive edge we should not underestimate what could happen, as this data breach shows. Each year we want our favorite sports teams to win the championship. For them to do that, it takes not only the right players, coaches, strategy, teamwork and mindset, but also the protection of their most valuable data.


Photo credit: Intel Free Press

Data Encryption is Now Mandatory, Are You Prepared?

On July 1, Connecticut’s Governor Dannel Malloy signed legislation that expands the current definition of personal information and now requires new data breach security terms and conditions in every state contract dealing with confidential information. As reported in this article, the bill states: “Not later than October 1, 2017, each company shall implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company,” adding that the security program will need to be in writing and contain appropriate administrative, technical and physical safeguards.

This bill also addresses the issue of data encryption, and explains that all personal information that is being transmitted wirelessly or on a public internet connection must be encrypted. Sensitive personal data must also be encrypted on laptops and other portable devices.

With all the recent major data breaches, which have also affected many people and organizations in Connecticut, the state is clearly taking the stance of demanding encryption of customer data.

Encryption technology can be used to protect confidential information. If information is encrypted with sufficient strength, it can remain safe even when stolen or lost on any media. Encryption also protects information in transit, but it does not prevent a leak after decryption by an authorized recipient. Considering that most data leaks originate from insiders who have or had access to documents, organizations must complement and strengthen their existing security infrastructure with a solution that can protect data in use persistently.

Enterprise Digital Rights Management (DRM) is the only systematic solution to protect your information persistently from insiders as well as outside threats. Enterprise DRM controls the usage of DRM-enabled documents depending on the permissions given to the user. The DRM-enabled documents can be protected at rest in storage, in transit and also in use persistently.

Enterprise DRM enables the circulation of confidential information without the fear of leaks, the handling of customer information for better support without even a slight risk of PII (Personally Identifiable Information) exposure, and the sharing of trade secrets or technical details with your trusted partners.

In the time of all of these data breaches, it is important to determine which encryption will protect your data against these hacks. From malicious and careless insiders to external threats, Enterprise DRM will provide the protection your data needs throughout its entire lifecycle.
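The mechanism the last few paragraphs describe, a document that stays encrypted wherever it goes while a policy decides per user and per action whether it may be opened, can be sketched in a few dozen lines. The block below is an added example and is not Fasoo's implementation or file format: the document travels as an encrypted envelope, the key and the permission policy stay with a policy server, and every open attempt is written to an audit list whether it is allowed, denied, expired or detected as tampered with. To keep the example on the Python standard library alone, HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for an AEAD cipher such as AES-GCM; in a real system you would use the AEAD. The document id, users, actions and lifetime are constructed values.

```python
"""Toy enterprise-DRM envelope: encrypted at rest and in transit, opened only when the
policy server permits the requested action for the requesting user.
Added example with constructed data; not Fasoo's implementation or format.
HMAC-SHA256 in counter mode plus an HMAC tag stands in for AES-GCM (stdlib only)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MASTER_KEY = os.urandom(32)   # held only by the policy/key server, never inside a document
POLICIES = {}                 # doc_id -> {"perms": {user: {actions}}, "expires": datetime}
AUDIT = []                    # (timestamp, user, doc_id, action, outcome) for every attempt


def _keys(doc_id: str):
    """Per-document encryption and MAC keys derived from the server's master key."""
    enc = hmac.new(MASTER_KEY, b"enc:" + doc_id.encode(), hashlib.sha256).digest()
    mac = hmac.new(MASTER_KEY, b"mac:" + doc_id.encode(), hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream: block i of the keystream is HMAC(key, nonce || i)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def protect(doc_id: str, plaintext: bytes, perms: dict, lifetime_days: int = 30) -> dict:
    """Wrap plaintext in an envelope and register its policy with the server."""
    enc, mac = _keys(doc_id)
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    POLICIES[doc_id] = {"perms": perms,
                        "expires": datetime.now(timezone.utc) + timedelta(days=lifetime_days)}
    return {"doc_id": doc_id, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_document(envelope: dict, user: str, action: str, now=None) -> bytes:
    """Release the plaintext only if the policy allows `action` for `user` and has not expired."""
    now = now or datetime.now(timezone.utc)
    doc_id = envelope["doc_id"]
    policy = POLICIES[doc_id]
    permitted = action in policy["perms"].get(user, set()) and now < policy["expires"]
    AUDIT.append((now.isoformat(), user, doc_id, action, "allow" if permitted else "deny"))
    if not permitted:
        raise PermissionError(f"{user} may not {action} {doc_id}")
    enc, mac = _keys(doc_id)
    expected = hmac.new(mac, envelope["nonce"] + envelope["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        AUDIT.append((now.isoformat(), user, doc_id, action, "tampered"))
        raise ValueError(f"{doc_id}: envelope failed integrity check")
    return _keystream_xor(enc, envelope["nonce"], envelope["ciphertext"])


def try_open(envelope: dict, user: str, action: str, now=None) -> str:
    """Outcome as a string, handy for logs and tests: 'allow', 'deny' or 'tampered'."""
    try:
        open_document(envelope, user, action, now)
        return "allow"
    except PermissionError:
        return "deny"
    except ValueError:
        return "tampered"


if __name__ == "__main__":
    env = protect("contract-42", b"Player contract: 3 years, option year",
                  {"gm": {"view", "edit"}, "scout": {"view"}})
    print(try_open(env, "gm", "edit"))       # allow
    print(try_open(env, "scout", "edit"))    # deny: scouts may only view
    print(try_open(env, "gm", "view", datetime.now(timezone.utc) + timedelta(days=31)))  # deny: expired
    for entry in AUDIT:
        print(entry)
```

Two design points carry over to real products: the envelope never contains the key, so a copy on a thumb drive or in a mailbox is just ciphertext, and the allow/deny decisions are the monitoring feed, so a departing employee opening everything in reach shows up in the audit trail before the data is gone.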


Photo credit by: EFF Photos
