
Tag: encrypt

Say NO to Stealing Sensitive Information by Phishing

Just a few days after the IRS released its warning about W-2 phishing, it appears the College of Southern Idaho (CSI) reported that 3,000 employees’ personal information may have been compromised by a phishing scam.

The attackers are now expanding their sights into higher education according to a recent article by Paul Greene, an attorney at Harter Secrest & Emery.  Given the large number of employees, including seasonal employees, community education instructors and people who work for auxiliary agencies, these institutions are great sources of sensitive information and money.  In this case, someone impersonating a CSI administrator sent an email to an employee requesting W-2 information for all school employees over the past two years.

This type of data breach can be very expensive, disrupt the organization and harm the school’s reputation, and it is a strong indicator that the school will be the target of future attacks. It also sets up other higher education institutions as potential targets for other phishing scams.

Unfortunately, phishing can even hit organizations sensitized to these scams. A case in point is something that happened to me this week. I got an email from someone in my company asking for my help. I responded asking what I could do, and through a series of emails the person asked me to help them send some money using Western Union. At that point I got suspicious and wanted to see how far this went. I asked them where they wanted to send it and if we could speak. At that point the spammer said they couldn’t speak but asked me to send $750. Needless to say, I didn’t respond, but I had noticed the return emails changed each time I replied. And the email addresses were not from anyone in my company.

The best defense against these scams and the data breaches they may cause is to make employees aware of them and to implement technology that makes it difficult to steal the information.  All PII and other sensitive information should be encrypted and protected with persistent security policies so that only authorized users can access them.  If W-2 or other PII were to leak through this scam, the recipients would have useless files with random data in them.  No accessible data, no data breach.

If your employees are unaware of good data security practices, teach them.  No executive should ever ask for W-2 information or other PII by email.  They have a responsibility as does any employee to protect this sensitive information from unauthorized access.  Checks and balances are necessary to verify requests are legitimate and that you can trust the party on the other end.  Technology can help ensure that sensitive data can’t get out, but employees must be taught good data stewardship practices before they become victims.


Photo credit Jim Pennucci

Data Security’s Impact on Internet of Things

According to Gartner, Inc., by 2020, 25 billion Internet-connected “things” will be in use. The Internet of Things (IoT) has rapidly become one of the most used expressions across business and technology. IoT is defined as “a scenario in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”

Now, how does data security play into this? In the EU, there are very clear data collection guidelines that companies and public organizations must abide by. The US, however, has yet to adopt a single data protection law comparable to that of the EU; instead it has a patchwork system of federal and state laws and regulations that can sometimes overlap. Either way, when it comes to ‘things’ collecting data, there are not yet any standard guidelines, laws or regulations on securing this data. With a recent study estimating that 13 billion ‘things’ are collecting data, and that the number will nearly double within five years, everyone should be concerned. If this data is not secure, hackers and insider theft could cause catastrophic damage.

It is vital that this data is secured, and even more so encrypted, not just to avoid theft of data but also to prevent terrorists from deliberately miscommunicating data to cause harm. This may seem extreme to some, but with recent cyber attacks reported to have come from state governments and terrorist groups, is it even worth taking our chances by not securing this data?

Although there are some benefits for businesses, government and consumers, such as smart cities, better healthcare through remote sensors and better ways of targeting consumers, we are handing over a lot of data without perhaps realizing it.

When we encrypt the data and automatically apply persistent security policies to it, sensitive data is protected regardless of where it is or how it is transmitted. If those collecting the data, whether they are inside or outside of the organization, tried to use it for any other purpose and tried to open it without the proper authorization, they would be denied access to the data.

The future and promise of the IoT is huge, but so is the potential for security breaches and threat gaps. Every organization that deals with data collected from these ‘things’ must rethink how to protect these massive amounts of data. Protecting it with data-centric security will ensure that the data is secure and that consumers continue to use these ‘things’ for the convenience they were intended to provide, with the assurance that their data is secure.

Photo credit by: Playing Futures: Applied Nomadology

Still Not Encrypting Your Data?

Are we still not encrypting our data at a time when cyber-attacks have been happening to so many big names in healthcare, retail and government? Recently, hackers broke into UCLA Health System’s computer network and may have accessed sensitive information on as many as 4.5 million patients. The information included names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures.

The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.

The reason this is making even more news is that UCLA did not take the basic step of encrypting patients’ data, even after all the major breaches of the federal government and of health insurance giant Anthem Inc. This has drawn swift criticism from security experts and patient advocates. It is no secret that the healthcare industry has been the target of many data breaches. However, these breaches seem to continue, and the vulnerability of these systems has made it a field day for hackers to steal sensitive data.

Nowadays, hospitals have to worry not only about losing business and about patients no longer going to their hospital; the government will now also investigate breaches of patient privacy and can levy significant fines for violations under the Health Insurance Portability and Accountability Act, also known as HIPAA.

However, compliance aside, the most important aspect is to ensure that this information is really protected. A recent article in HIT Leaders and News mentions how “while compliance is still a major driver in healthcare, compliance does not equal security. Organizations that drive data security efforts based on compliance put their data at risk. Healthcare organizations need to take a more holistic and proactive approach in their data security strategy.”

Also mentioned in this article is the fact that recent legislation in New Jersey has taken the step of mandating the use of encryption for PHI, or Protected Health Information, that “renders personal information unreadable, undecipherable or unusable by unauthorized persons.” This definitely means more than just having a password on your data; it is pushing you to have a more robust method to ensure that all aspects of the data are secure, no matter where it is.

Let us hope that data breaches such as this one have provided a lesson to other healthcare organizations, and to organizations in other industries, that they must implement security and encryption to “completely block the path to your most valuable assets.”


Photo credit by: jfcherry
