Blog

Collecting Laptops From Terminated Employees? Protect Unstructured Data
Deborah Kish April 16, 2020
Cybersecurity Data breach Data security Insider threat Privacy Secure collaboration

I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word). Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them? It also made me think, in a situation like this, how the potential for insider theft is far greater.

Files containing IP can be either printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured and so on.  These are not necessarily actions of malice, but obvious desperation to assist with the basic need for employment.

Don’t Complicate Data Discovery and Classification
Ron Arden March 15, 2019
Data breach Data security Privacy

Data discovery and classification is an important first step to protect your confidential data and comply with privacy regulations. You need to identify the location of your data and its value to your organization before determining how to protect it. Done right, this leads to a data-centric security and compliance program that is critical to your corporate brand and competitive advantage.

Unfortunately, many discovery and classification projects stall or fail because solutions try to address all data needs, not just security and privacy. Organizations get caught up in the process and lose sight of the goal, which is to protect and control sensitive information.

Stop Wealth Management Data Breaches
Ron Arden February 13, 2019
Cybersecurity Data breach Data security Insider threat

Encrypt and control sensitive wealth management data

The financial services industry is a frequent target of hackers, but a larger threat may be trusted insiders since they have access to a lot of sensitive customer data.  Advisers within wealth management practices regularly share data with other advisers, staff members, a counterparty or a trusted third-party service provider. They may inadvertently or deliberately share that data with unauthorized people and pose a risk to their firms and customers. Once shared, most firms have no control over that data. The Ponemon Institute illustrates this risk by reporting that 65% of cyber breaches originated with third parties.

Insiders regularly share customer or other sensitive information with colleagues and third parties by generating and downloading reports from a database. Typically the reports are spreadsheets, which make it easy to analyze the data. Access to the database may be restricted, but once in a spreadsheet, the sensitive data is easy to share with anyone.

Fasoo Presents Incident Response Solution
Ron Arden November 28, 2018
Cybersecurity Data breach Data security Insider threat

Fasoo sponsored and presented at an event in Columbus, OH on November 13, 2018 entitled “Incident Detection, Response and Recovery” highlighting how to prepare and manage an incident response plan for cybersecurity and data protection. Presented and cosponsored by Catalyst Solutions, IBM and Huntington Insurance, the event brought together experts in legal, insurance, law enforcement, government, accounting and security disciplines to discuss the legal, technical and business issues of preparing for and responding to a data breach.

Bill Blake, Senior Vice President and CCO of Fasoo, presented Incident Response & Recovery: Secure Collaboration for Critical Information which highlighted the Wrapsody platform as a solution to help manage the development, access and control of an incident response plan (IRP).  Bill showed an example of a CISO, Legal Counsel and an external Advisory firm securely collaborating on an IRP and how to control who could access the plan and any supporting documents involved in a response.  The example showed how easy it is to securely collaborate on developing and managing the plan, but also on limiting access prior to, during and after a breach occurs.  Since Wrapsody encrypts documents and controls their access, it guarantees only authorized users can access them.  This is critical because if an incident response plan got into the wrong hands, malicious insiders or external parties could compromise an organization’s data security.

Fasoo Highlights Unstructured Data Security at RSA 2018
Ron Arden April 20, 2018
Cybersecurity Data security

Fasoo protects unstructured data

Fasoo’s message of finding, protecting and controlling unstructured data definitely made an impact on attendees at the 2018 RSA Conference in San Francisco.  With new regulations like the General Data Protection Regulation (GDPR) coming on quickly and the general feeling that businesses need to do more than just track file access, companies are looking for a more comprehensive and practical approach to providing secure ways to conduct business.

Over 45,000 senior executives and IT security professionals attended this year’s conference with about 2,000 visiting Fasoo’s booth. Visitors saw hourly presentations and demonstrations on how to manage and control their unstructured data, which is by far the largest problem of data security. While someone hacking a database and stealing credit cards seems to make the headlines, the reality is that the majority of an organization’s intellectual property and sensitive information is stored in documents. Fasoo staff showed how Fasoo Data Radar, Fasoo Enterprise DRM, Fasoo RiskView and Wrapsody help manage and protect the critical business information inside documents.

Cyber Security Legislation Will Change the Face of Business
Ron Arden January 9, 2017
Cybersecurity Data breach Privacy

As 2017 gets underway, cyber security legislation will strengthen and force businesses to change the way they approach information security. At the federal level in the United States, the US Congress and President have proposed numerous updates to existing regulations and new regulations to cover all facets of cybersecurity. These include the Cyber Preparedness Act of 2016, Cybersecurity Systems and Risk Reporting Act and others.

At the state level, legislation was introduced or considered in at least 28 states in 2016. Fifteen of those states enacted legislation, many addressing issues related to security practices and protection of information, and cyber crimes in general, including dealing with ransomware.

New Data Breach Security Laws Soon to be in Place?
bcarambio January 23, 2015
Data security

This week, Obama addressed the nation with a new data breach notification bill. Although data notification is a major part of this bill, the president also mentioned file encryption. The White House bill provides businesses with safe harbor by exempting them from the individual notice requirements if a risk assessment concludes that “there is no reasonable risk that a security risk has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.” If the data is unusable, unreadable, or indecipherable, there is a presumption that there is not a reasonable risk. If a business makes this determination, it must notify the Commission of the results and its decision, in writing, within 30 days.

How Long Can Organizations be Affected by Healthcare Data Breaches?
David Kwag December 10, 2014
Data breach

2014 has been a big year for data breaches in the healthcare industry. From malicious insiders to accidental loss of devices containing patient information, the headlines for these data breaches were non-stop throughout this year. Healthcare data breaches can affect organizations long after the security issue was discovered. The impact is not only financial: having lost the trust of patients whose protected health information (PHI) was stolen and used in some other unauthorized way, the organization will have to work hard to prove itself again.

Spike in Data Breaches Affects Public Confidence
David Kwag November 18, 2014
Data breach

The recent spike in data breaches this year, 24,000 news stories to be exact, has led to record low levels of confidence amongst the public about data security, according to Deloitte. Last year alone, only 5,474 data breach news stories were reported, and even fewer in 2012 with 4,023. This number alone does not mean a greater number of data breaches, but the increase in news stories has definitely raised awareness amongst the public. Most of the reports have been negative, have constantly brought awareness, and have pushed even the government to get involved in creating reforms that put greater emphasis on making sure that organizations are accountable for the security of customers’ personally identifiable information (PII).

Government Pushes Organizations to Implement Stronger Data Security
bcarambio October 31, 2014
Data security

Everyone from the FBI and Department of Homeland Security (DHS) to the FCC, all the way up to the White House, is pushing for stronger data security measures amongst organizations that deal with sensitive customer information. Just last week, the FCC fined two telecommunication companies $10 million for neglecting to protect over 300,000 customers’ personally identifiable information (PII). This is the FCC’s first data security case and its largest privacy violation action ever. The telecoms failed to use encryption to secure the online data, which included Social Security numbers, addresses, names and driver’s license information, which meant that anyone could access it without entering a password.

It is no wonder that, because of these lax security practices, identity theft has become the fastest growing crime in the U.S. In addition, Obama has signed an executive order to make organizations increase data security as well as push the charge for enforcement responsibilities for government.