Tag: file encryption

Enhance your data security with the Fasoo Zero Trust Data Security platform

Are you struggling to implement Zero Trust across siloed data-centric tool sets? You’re not alone. Analysts say this is one of the major roadblocks to Zero Trust uptake.

The hybrid workplace left security teams scrambling to deploy new point solutions, adding to an existing array of data protection tools. These disparate solutions sit at ingress/egress points (DLP/CASB/EPP) applying rules and analytics where sensitive data intersects with users, applications, and devices.

It’s where data crosses between these siloed solutions that the real problems for Zero Trust arise. The continuity of the data flow is interrupted, visibility is lost, and policy misconfigurations creep in at each hand-off.


Zero Trust relies on context about users, applications, data, and devices everywhere, always available

Vital to Zero Trust is continuous monitoring of context to detect anomalous events. It’s the basis for adaptive risk assessments that decide if, and how much access a user merits. It won’t work if you lose sight of sensitive files and their use.

But that’s the world of the hybrid workplace. Users extract data from corporate databases, insert it into ad-hoc documents on endpoints anywhere, move it to the cloud, and share it with external partners. Sensitive files easily find their way to unmanaged devices and unsanctioned cloud services, out of the purview of corporate control.

It’s clear security and operations teams need new approaches and methods to move forward with Zero Trust initiatives.


Consolidate siloed data-centric processes in conjunction with implementing Zero Trust principles

Consolidation of data-centric processes into Data Security Platforms (DSP) is underway and teams can leverage this trend to accelerate Zero Trust initiatives. Gartner projects that by 2024, 30% of enterprises will adopt Data Security Platforms, up from less than 5% in 2019.

A platform better implements control and security policies using a centralized policy engine that spans all data-centric processes. The integration and continuity of processes remove siloes to enhance data visibility and make tracking more consistent. This allows you to leverage automation across the platform to make security transparent to users and operations less complex.

Forrester Research recommends a platform first establish a data control foundation with core processes. One that includes unifying data discovery, classification, control, and some form of data loss prevention and obfuscation, like encryption, as a start. The deployment of this initial core provides your team key insights into where sensitive data originates, travels, and is accessed.

A DSP delivers an infrastructure that makes it easier for security teams to implement Zero Trust across your organization’s hybrid workplace.


Recognize Zero Trust principles set higher standards for sensitive data control and protection

Many modern DSPs emerged during the move to a hybrid workplace, formed by traditional vendors adding adjacent technologies. Examples include DLP vendors integrating classification and, conversely, classification vendors adding protection. While all are steps forward, today’s DSP capabilities vary widely and can leave Zero Trust initiatives at risk.

Zero Trust principles set a higher bar for sensitive data. They require enhanced control, visibility, and monitoring of data that today’s traditional solutions struggle to deliver.

It’s no longer enough to keep layering MFA techniques onto user access. It’s just as critical to control how the data is used once users gain authorized access. With today’s solutions, the user has a free pass to copy, cut, paste, share, and store sensitive files as they wish.

Explicit trust requires data never be unprotected. DLP and behavior analytics query and assess files to make sure you follow rules or check for anomalous events, but don’t usually protect the data itself. Exposed data is exfiltrated and goes undetected for weeks if not months.

Security teams need to pull back the covers on DSP and understand the underlying technology. While all deliver platform advantages from tool consolidation, capabilities to achieve Zero Trust standards can be limited.


A true Zero Trust Data Security Platform to make security stronger and easier

For over 20 years, Fasoo has developed and consolidated data-centric capabilities as we continually work to meet our customers’ demands for lifecycle management of sensitive data. Fasoo now leads the industry in converging Zero Trust with an advanced Data Security Platform.

Fasoo consolidates core data-centric processes to deliver the benefits of a DSP. Centralized policies, deeper data visibility, and automation all contribute to more effective and less complex operations. And within this infrastructure, Fasoo has built the most advanced control and security methods to comprehensively implement Zero Trust standards.

Our advanced methods differ from traditional solutions. We push controls and security closest to what you need to protect, the file itself, so safeguards travel with the sensitive data. Binding controls and protection to the file provides deep visibility: data is never out of sight, and policies are consistent across the hybrid workplace.

The file is the new micro perimeter where we not only control access but control how you use the data. If I simply need to view a document, why let me extract or share the data? Granular rights enforce document controls that explicitly protect data and enable least privilege Zero Trust principles.

Protection of the data itself needs to be present always. Encryption is an obvious need for an explicit-based model. A platform that automatically encrypts a sensitive file when a user creates or modifies it is true adherence to never trust, always verify. Don’t ask the new hire to decide.

Fasoo’s Platform delivers this and a complete suite of advanced methods that implement Zero Trust standards. Fasoo’s approach is superior and it’s why security teams select our Platform as their path to Zero Trust.


Learn more about Fasoo’s Zero Trust Data Security Platform

Learn more about the full suite of advanced data-centric methods Fasoo employs to truly achieve Zero Trust for data security.

Understand the core data-centric processes Fasoo’s Platform consolidates and the benefits of a Data Security Platform.

Read how one CISO used a quick-take playbook to prioritize and down-select 2023 Zero Trust Initiatives and accelerate the security team’s journey to Zero Trust.

Quick takeaways on how Fasoo enables zero trust data security

Enterprise Digital Rights Management (EDRM) encrypts files, enforces user access, and controls data in use – no implicit assumptions. It sets a least privilege baseline for sensitive data on which you can dynamically grant increasing levels of explicit access. It’s what Zero Trust is all about.

Inside the perimeter, implicit trust was turned on its head by digital transformation and the hybrid workplace. Zero Trust’s explicit, least privilege, continuous monitoring, and adaptive risk assessment are the new standards for data security in today’s world.

You likely have some set of DLP or Insider Risk Management tools, but these fall well short of the new standards. So how do you move to Zero Trust Data Security?

Learn more about how to bring DLP up to Zero Trust standards.

Consider integrating EDRM. It fortifies your existing tools with strong protection methods and explicit controls. And with Fasoo’s approach to EDRM, gain the high-resolution data visibility Zero Trust continuous monitoring and adaptive access standards demand.

7 Quick Takeaways

Here are 7 quick takeaways on how EDRM and Fasoo can set you on the path to Zero Trust Data Security.

1. File-Centric, Location Agnostic

Go to the source itself. The file. Quit chasing the file and trying to enforce data security and control at every new place it may travel, reside, or be accessed. Traffic cops at every ingress and egress point are old school, perimeter thinking. Bind all security and privacy controls to the file itself so you can persistently enforce enterprise safeguards in the cloud, WFH, on BYOD, and at supply chain partners.

2. File Encryption

It seems obvious for an explicit-based model. But today’s DLP tactics are mostly a monitor-alert approach while you expose the data to risk. Instead, automatically encrypt sensitive files when users create or modify them. Use centralized policies and hold the keys so users don’t control your data. Use this no-nonsense, least privilege baseline to build explicit access to sensitive data.

3. User Access

You don’t want an insider wandering through an entire repository or even folders – it’s too implicit. Most insider breaches are mistakes in handling sensitive data, like storing it in the wrong location. It’s better to enforce explicit access decisions, for each file, every time a user opens it. That’s Zero Trust Data Security.

4. Control Data in Use

But what happens after an insider gains access to a file? It’s a free pass to copy, cut, paste, share, and store sensitive corporate data as they wish. That’s not Zero Trust. If I simply need to read the document, why let me extract or share the data? A supply chain partner needs to edit a file. But why let them copy, print, or store the document locally? Use explicit granular document rights to enforce Zero Trust least privileges and control your data in use.

5. Visibility

Visibility is knowing how your data is used, how it moves about, and what users do with it. Zero Trust relies on data visibility for continuous monitoring. That’s not easy in today’s hybrid workplace with existing tools. At best, it relies on reconciling disparate security, network, application, repository, and endpoint logs. Better to use file-centric controls to make the file self-reporting, recording all lifetime interactions to a Central File Log no matter where it travels or who accesses it.

6. Continuous Monitoring

Just because you had access before doesn’t matter. That would be implicit trust. Zero Trust wants an explicit, context-aware decision each time. To do so, you need to monitor user identity, prior file interactions, devices, times, and places for each of the thousands if not millions of documents in your inventory. In real time. Impossible? The Central File Log makes it easy, staging up-to-date, file-specific log data for Zero Trust monitoring.

7. Adaptive Access

Access is no longer an “all or none” decision. More “if so, how much.” It must adapt based on current circumstances, informed by the findings of continuous monitoring, and enabled by deep file visibility. Once you assess the risk, employ a wide range of granular document controls that can enforce the appropriate Zero Trust privileges.

Start on Zero Trust Data Security Now

Adopting least privilege, explicit access to your sensitive data is key to protecting your intellectual property and complying with privacy regulations. Integrating EDRM fortifies your existing tools with strong protection methods and explicit controls that are the cornerstones of Zero Trust Data Security.

As users and data continue to move around, protecting the data itself with these strong controls is your best bet to protect your business and your customers.


RELATED READING
Learn more about Enterprise Digital Rights Management
Learn more about how Fasoo implements Zero Trust Data Security

Organizations are working to bring existing security capabilities up to date with Zero Trust standards.  An organization’s path to Zero Trust Data Security often starts with an existing DLP solution set.

Zero Trust is all about explicit risk assessments, monitoring, and control. It extends beyond just managing access to data to controlling how you use the data, using continuous monitoring to make dynamic, explicit decisions each time a user accesses sensitive files.

Traditional DLP falls short of these standards.

Here are three essential capabilities to bring your existing data security up to Zero Trust standards.

1. Centrally Apply File Encryption

DLP solutions monitor data – Allow/Block – but the sensitive data itself is left unprotected.

Zero Trust principles dictate stronger measures like file encryption. This eliminates implicit access to files and sets a clear reference point to make Zero Trust explicit access decisions.

Zero Trust Data Security also cares about “who” encrypts the file. Many solutions rely on the user to encrypt sensitive files and in some cases, a user sets a password. This can lead to errors in protecting data and requires the encryptor – your employees – to grant access to your own critical data.

A centralized policy platform is foundational to Zero Trust Data Security. With centrally enforced policies, a file with sensitive data can be automatically encrypted when created or modified, all transparent to the user. It lifts the burden from the user, eliminates errors, and keeps workflows moving.

This also gives you control over the encryption keys – not the user, cloud provider, or any other third party. This is increasingly important in hybrid and multi-cloud workplaces as privacy regulations become more prescriptive regarding data residency and access rights.

Consistent, proactive, centrally applied file encryption is a big step toward achieving Zero Trust Data Security.


2. Control Data-In-Use

Insider threats expose a major gap in DLP solutions. It’s the poster child example for implicit trust that Zero Trust looks to eliminate.

With DLP, once a verified user gains access to the file, it’s a free pass to use corporate sensitive data. Users can copy, cut, and paste sensitive data into new file formats; share the data across multiple collaboration applications; and store and print sensitive files on personal (BYOD) devices.

DLP binary actions, full or no access, are no longer enough. Zero Trust principles are based on a continuous, explicit risk assessment that takes a least-privilege approach to access and use. It considers the sensitivity of the data and the context in which it’s being used.

Zero Trust Data Security requires the availability of a broader range of file permissions to control data-in-use. For example, a user that only needs to read a document should be restricted from extracting or sharing the data. Allowing a user to edit a file, but restricting copy or print, are other examples of granular document controls. Disabling screen sharing when displaying sensitive data, and print watermarking are other necessary capabilities in a Zero Trust world.

Upgrading DLP with granular document rights controls provides the data-in-use options that enable Zero Trust Data Security.


3. Monitoring Depends on Visibility

The ability to continuously monitor data activities so you can make explicit decisions each time someone tries to access sensitive files is central to a Zero Trust approach. How you use data, how it moves about, and what users do with it is an essential input to an explicit model.

However, traditional DLP and network tools create a patchwork approach to data visibility with some organizations employing over 40 IT and security tools to trace data. Visibility is also thwarted in today’s hybrid workplace by cloud and work-from-home environments where data can be stored in unauthorized locations and devices.

To move toward Zero Trust Data Security, you should upgrade your DLP solutions with a file-centric approach, making the file itself the source of reporting. A unique ID embedded in each file logs every access (network/application/individual), what was done with the file, and other context-aware information like device and geographical location.

Implement a file-centric approach to achieve the visibility necessary to enable Zero Trust Data Security.
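The three capabilities just listed, and the seven takeaways earlier on this page, describe one architecture: the key and the access list live with a central policy engine, the file itself carries only an identifier and ciphertext, every open is an explicit per-file decision, and every attempt, granted or denied, lands in a central file log with its device and location context. The Python sketch below is an added illustration of that shape and is not Fasoo’s code or file format. The PolicyServer class, the EDRM-TOY wrapper marker, the view/edit/print/copy rights and the sample spreadsheet content are all assumptions made for the example; the HMAC-based stream cipher stands in for an AEAD such as AES-GCM only so that the code runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

VIEW, EDIT, PRINT, COPY = "view", "edit", "print", "copy"   # granular document rights
MAGIC = b"EDRM-TOY\n"   # hypothetical wrapper marker, not a real product format
TAG_LEN = 32            # HMAC-SHA256 tag appended to every protected file


def _derive(key: bytes, label: bytes) -> bytes:
    """Independent sub-keys for encryption and authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode, XORed over the data) so the
    example runs without third-party packages; production code would use AES-GCM."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def parse_wrapper(wrapped: bytes):
    """Split a protected file into (header dict, framed header, ciphertext, tag).
    The header (file ID, nonce) is readable without a key; the content is not."""
    if not wrapped.startswith(MAGIC):
        raise ValueError("not a protected file")
    body = wrapped[len(MAGIC):]
    hdr_len = int.from_bytes(body[:4], "big")
    framed = body[:4 + hdr_len]
    return json.loads(framed[4:]), framed, body[4 + hdr_len:-TAG_LEN], body[-TAG_LEN:]


class PolicyServer:
    """Central policy engine: holds every file key and ACL and keeps the central file log."""

    def __init__(self):
        self._keys = {}      # file_id -> master key (never leaves the server)
        self._acl = {}       # file_id -> {user: set of rights}
        self.file_log = []   # central file log: one record per protect/open/revoke

    def _log(self, file_id, user, action, result, **context):
        self.file_log.append({"file_id": file_id, "user": user, "action": action,
                              "result": result, **context})

    def protect(self, owner: str, plaintext: bytes, acl: dict) -> bytes:
        """Encrypt on create/modify under a server-held key and bind an ACL to the file."""
        file_id, key, nonce = secrets.token_hex(8), secrets.token_bytes(32), secrets.token_bytes(16)
        self._keys[file_id] = key
        self._acl[file_id] = {user: set(rights) for user, rights in acl.items()}
        header = json.dumps({"file_id": file_id, "nonce": nonce.hex()}).encode()
        framed = len(header).to_bytes(4, "big") + header
        ciphertext = _keystream_xor(_derive(key, b"enc"), nonce, plaintext)
        tag = hmac.new(_derive(key, b"mac"), framed + ciphertext, hashlib.sha256).digest()
        self._log(file_id, owner, "protect", "granted")
        return MAGIC + framed + ciphertext + tag

    def open_file(self, wrapped: bytes, user: str, action: str, **context) -> bytes:
        """Explicit per-open decision: verify integrity, check the right, log, then decrypt.
        Keyword arguments (device, location, ...) are recorded as access context."""
        header, framed, ciphertext, tag = parse_wrapper(wrapped)
        file_id = header["file_id"]
        key = self._keys.get(file_id)
        if key is None:
            self._log(file_id, user, action, "denied", reason="unknown file", **context)
            raise PermissionError("unknown file")
        expected = hmac.new(_derive(key, b"mac"), framed + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self._log(file_id, user, action, "denied", reason="tampered", **context)
            raise PermissionError("integrity check failed")
        if action not in self._acl.get(file_id, {}).get(user, set()):
            self._log(file_id, user, action, "denied", reason="no right", **context)
            raise PermissionError(f"{user} lacks '{action}' on {file_id}")
        self._log(file_id, user, action, "granted", **context)
        return _keystream_xor(_derive(key, b"enc"), bytes.fromhex(header["nonce"]), ciphertext)

    def revoke(self, file_id: str, user: str) -> None:
        """Drop a user's rights; copies already on their devices stop opening."""
        self._acl.get(file_id, {}).pop(user, None)
        self._log(file_id, user, "revoke", "applied")


def demo() -> list:
    """Protect a constructed report, then try an allowed, a forbidden and a revoked open."""
    server = PolicyServer()
    wrapped = server.protect("alice", b"client,assets\nJ. Doe,4200000\n",   # constructed
                             {"alice": {VIEW, EDIT, PRINT}, "bob": {VIEW}})
    for step, (user, action) in enumerate([("bob", VIEW), ("bob", PRINT), ("bob", VIEW)]):
        if step == 2:
            server.revoke(parse_wrapper(wrapped)[0]["file_id"], "bob")  # bob leaves the firm
        try:
            server.open_file(wrapped, user, action, device="byod-laptop", location="home")
        except PermissionError:
            pass                                        # the denial is already in the log
    return server.file_log
```

Running demo() returns five log records: the protect, bob’s granted view, bob’s denied print (he holds only the view right), the revocation, and bob’s denied view afterwards, even though the wrapped bytes on his laptop never changed. Two caveats a practitioner should keep in mind: the server here trusts the caller’s claimed identity, which in a real deployment comes from authentication and device posture, and a right such as view-but-not-print is only meaningful if the client agent that receives the plaintext actually enforces it; the server can decide and log, but it cannot stop a screenshot of a decrypted page on its own.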


Update DLP to Zero Trust Data Security

Implementing a Zero Trust approach to an existing security model is gradual.  The Fasoo Data Security Platform helps you achieve success without ripping out your current DLP infrastructure.  This protects your existing investment but gives you true Zero Trust Data Security to meet your governance and regulatory requirements.

Protect data on laptops from terminated employees

I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word). Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them? It also made me think, in a situation like this, how the potential for insider theft is far greater.

Files containing IP can be either printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured and so on.  These are not necessarily actions of malice, but obvious desperation to assist with the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used.  It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do.  But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information.  The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!


Classify sensitive data as confidential and encrypt it

Data discovery and classification is an important first step to protect your confidential data and comply with privacy regulations. You need to identify the location of your data and its value to your organization before determining how to protect it. Done right, this leads to a data-centric security and compliance program that is critical to your corporate brand and competitive advantage.

Unfortunately many discovery and classification projects stall or fail because solutions try to address all data needs, not just security and privacy.  Organizations get caught up in the process and lose focus of the goal, which is to protect and control sensitive information.

There are different approaches to data discovery and classification.  Content-centric approaches, like DLP, use predetermined workflow rules to control data usage.  They try to classify data using complex rules and then control its movement.  You may have 20 rules that try to determine if a file you are emailing contains sensitive data and another 20 to make sure you don’t copy that file to a USB drive or a cloud location.

Context-centric approaches apply rule-based analytics to assess user behavior to minimize the risk of insider threats. This might look at who creates a document, where they move it, and when it was last accessed.

These rule-based approaches attempt to model everything data and users can and cannot do.  They require extensive data classification and rely on maintaining a very complex set of rules.  They gather a lot of data about your data so they can attempt to determine all possible outcomes.

These approaches complicate data discovery and classification and make it difficult to protect and control sensitive data, which is your ultimate goal.

A better approach is to classify sensitive data as confidential and immediately encrypt it.  This protects the data, controls user access and tracks the file wherever it travels.  Rather than relying on complex classification processes to control what users can or cannot do, this approach optimizes classification and streamlines a path to protect and control your most sensitive data.  You also don’t have to worry about location anymore, since the file is always encrypted and access controlled.

The goal of discovery and classification is to understand your data and protect it.  Streamline that process by encrypting sensitive data and controlling its access, rather than wasting time developing and maintaining complex rules that focus on all the things users can and cannot do with it.

Encrypt and control sensitive wealth management data

The financial services industry is a frequent target of hackers, but a larger threat may be trusted insiders since they have access to a lot of sensitive customer data.  Advisers within wealth management practices regularly share data with other advisers, staff members, a counterparty or a trusted third-party service provider. They may inadvertently or deliberately share that data with unauthorized people and pose a risk to their firms and customers. Once shared, most firms have no control over that data. The Ponemon Institute illustrates this risk by reporting that 65% of cyber breaches originated with third parties.

Insiders regularly share customer or other sensitive information with colleagues and third-parties by generating and downloading reports from a database. Typically the reports are spreadsheets which make it easy to analyze the data. Access to the database may be restricted, but once in a spreadsheet, the sensitive data is easy to share with anyone.

Just recently, BlackRock inadvertently exposed names, email addresses and other information of 20,000 independent wealth management advisers. The data was in several spreadsheets from an internal customer relationship management system and was inadvertently posted on a website by an internal user. There was no hacking, just a mistake by a trusted insider.

In 2017, New York implemented comprehensive cybersecurity regulations to protect New York’s financial services industry and consumers from cyber attacks. Other jurisdictions are following suit. High-profile cases like the Morgan Stanley broker who stole data on more than 350,000 of the bank’s wealthiest clients in 2014 were clearly on the minds of regulators when they created these regulations. Even with these rules in place, BlackRock still experienced a data breach.

Typical approaches to stop data breaches focus on protecting devices and locations from unauthorized access, rather than the data stored on them. These solutions force you to create complex business rules that monitor data movement and alert you to abnormal activities. In the BlackRock and Morgan Stanley cases, authorized users had legitimate access to sensitive data, so these tools may not have flagged anything as abnormal.

The only effective way to restrict access of sensitive data to authorized users is to encrypt it and apply security policies that govern its access. This ensures that only authorized users can access the data, regardless of the file’s location or format. This includes sending data to a counterparty or other third-party service provider. Once encrypted, the organization can trace user activities and even revoke access whether stored on a local system, mobile device, website or cloud-based repository. If someone accesses the file, they cannot read its contents unless explicitly granted access to it.

Morgan Stanley could have prevented its employee from accessing customer information on his home computer by encrypting it and setting appropriate policies. Once he left the company, his access to company data could be immediately revoked. The BlackRock spreadsheets would have been useless to any unauthorized person, since no one could read their contents unless explicitly granted access. If hackers stole the data in either case, it would be useless to them, since it was encrypted and the hackers had no authorization to access it.

Investors trust wealth management firms to protect their sensitive data. Encrypting files and controlling user access maintains that trust and complies with privacy regulations.


Bill Blake shows how Wrapsody helps manage an incident response plan

Fasoo sponsored and presented at an event in Columbus, OH on November 13, 2018 entitled “Incident Detection, Response and Recovery” highlighting how to prepare and manage an incident response plan for cybersecurity and data protection. Presented and cosponsored by Catalyst Solutions, IBM and Huntington Insurance, the event brought together experts in legal, insurance, law enforcement, government, accounting and security disciplines to discuss the legal, technical and business issues of preparing for and responding to a data breach.

Bill Blake, Senior Vice President and CCO of Fasoo, presented Incident Response & Recovery: Secure Collaboration for Critical Information which highlighted the Wrapsody platform as a solution to help manage the development, access and control of an incident response plan (IRP).  Bill showed an example of a CISO, Legal Counsel and an external Advisory firm securely collaborating on an IRP and how to control who could access the plan and any supporting documents involved in a response.  The example showed how easy it is to securely collaborate on developing and managing the plan, but also on limiting access prior to, during and after a breach occurs.  Since Wrapsody encrypts documents and controls their access, it guarantees only authorized users can access them.  This is critical because if an incident response plan got into the wrong hands, malicious insiders or external parties could compromise an organization’s data security.

Ed Rice, an attorney at Sherrard, German & Kelly, P.C., talked about the importance of having a data security program in place.  “Not only does it make good business sense, but under the regulatory landscape, for instance in NY, MA and CA, having such a program is a requirement when a company deals in data containing personal information.  Ohio’s new data protection act actually provides a “safe harbor” from liability for a data breach if the company has in place a good data security program”.

One key to a data breach response is maintaining attorney – client privilege between internal or outside counsel and the organizations involved in the breach.  A cybersecurity incident is not considered a data breach until an attorney says it is.  An attorney should be involved in developing the plan so the plan and any supporting documents are considered attorney work product and come under attorney – client privilege.  Since Wrapsody limits access to authorized users, if a malicious insider tried to share documents with external parties, they would not be accessible.  If a court tried to subpoena the documents, attorney-client privilege would protect them legally, but Wrapsody’s encryption and access control would prevent access to the files themselves.  Another key is having a detailed audit log of document access to prove to auditors, regulators and law enforcement who accessed the IRP during its preparation and execution, thus also helping establish what is subject to attorney – client privilege.

Once an event occurs and the organization executes the IRP, access is controlled and audited. If internal systems are compromised, Wrapsody enables mobile access to the IRP from a phone or tablet. Since each version of the IRP and any supporting documents is automatically synced to the Wrapsody server, those involved in the response will have access to the latest information, even if the local copy of the IRP itself was hit with ransomware.

Protecting company and customer information is the main goal of cybersecurity.  Preventing a data breach is a key tactic, but you need to have a viable incident response plan so you can act quickly and decisively if or when a breach occurs.  Using Wrapsody to prepare and manage the plan along with sensitive documents should be a key tactic in your cybersecurity program.

Fasoo protects unstructured data

Fasoo’s message of finding, protecting and controlling unstructured data definitely made an impact on attendees at the 2018 RSA Conference in San Francisco.  With new regulations like the General Data Protection Regulation (GDPR) coming on quickly and the general feeling that businesses need to do more than just track file access, companies are looking for a more comprehensive and practical approach to providing secure ways to conduct business.

Over 45,000 senior executives and IT security professionals attended this year’s conference with about 2,000 visiting Fasoo’s booth.  Visitors saw hourly presentations and demonstrations on how to manage and control their unstructured data which is by far the largest problem of data security.  While someone hacking a database and stealing credit cards seems to make the headlines, the reality is that the majority of an organization’s intellectual property and sensitive information is stored in documents.  Fasoo staff showed how Fasoo Data Radar, Fasoo Enterprise DRM, Fasoo RiskView and Wrapsody helps manage and protect the critical business information inside documents.

A lot of attendees were very interested in discovery and classification of files because many realized they don’t know what they have and where it’s located.  One executive I talked to had a good handle on her databases, but when it came to downloading reports from those databases and the documents employees create every day, she acknowledged it’s a lot more challenging.  She mentioned there’s a lot of redundant, obsolete and trivial (ROT) data in file shares, cloud repositories and on people’s desktops which makes controlling the important information a lot more difficult.  She wanted to focus on data critical to her business and get rid of everything else.  I suggested automatically securing files as users create or edit them.  This protects current information and lets her quickly understand what is used and what is not.

Of course what would RSA be without some fun?  Our hourly presentations were very lively and attendees got Starbucks cards, Fasoo hippos, headphones and an Amazon Echo.  You had to really listen to the presentation to get some of the prizes, but the real fun started when Star Wars trivia came up.  One gentleman had to perform for his prize making a convincing Chewbacca sound.  There was even a little horse trading as the winner of one prize decided to swap it with the winner of another prize.

Visitors to Fasoo’s booth commented that the security solutions looked easy to use but still allowed them maximum protection of their unstructured data.  This is always a critical issue as organizations try to balance security with productivity.  Automating the processes of identifying, classifying and encrypting sensitive files allows employees and business partners to focus on their jobs rather than worrying about how to protect business critical information.

Cyber Security Legislation Will Change the Face of Business

As 2017 gets underway, cyber security legislation will strengthen and force businesses to change the way they approach information security. At the federal level in the United States, the US Congress and President have proposed numerous updates to existing regulations and new regulations to cover all facets of cybersecurity. These include the Cyber Preparedness Act of 2016, Cybersecurity Systems and Risk Reporting Act and others.

At the state level, legislation was introduced or considered in at least 28 states in 2016. Fifteen of those states enacted legislation, many addressing issues related to security practices and protection of information, and cyber crimes in general, including dealing with ransomware.

One example is the new regulation by the New York State Division of Financial Services (NYS-DFS) that goes into effect on March 1, 2017 (changed from January 1) and requires organizations registered as banks, insurers, and other financial institutions in the state to implement comprehensive cyber security programs and policies.  The first bar is to encrypt nonpublic information at rest and in transit.  This includes confirming a third party service provider’s adherence to these enhanced data security requirements.  Covered entities have to certify they meet the first set of requirements by February 15, 2018 and annually after that.

Another key requirement of the NYS-DFS cybersecurity regulation, and of others like it, is to maintain audit trails of sensitive data, including logs of access to critical systems.  While it is important to understand who can and has accessed an information system, it is more important to control and audit access to the sensitive data inside it.  Encrypting documents and controlling who can access them, regardless of where the user or the file is located, is key to protecting sensitive data and meeting these regulations.  This ensures that only authorized people inside and outside of the organization can access the information.

One thing to remember is that most regulations prescribe the minimum an organization must do to comply.  As we have seen in recent years, complying with a regulation does not mean you are safe and your data is secure.  You need to think about protecting, controlling and monitoring all sensitive data inside your organization, not only to meet regulations but also to keep your business running.

It is clear that regulators and legislators are focused on raising the bar for cybersecurity programs and on assuring the public that nonpublic information remains private.  Organizations need to focus on developing a robust risk-based cybersecurity program rather than reactively responding to regulatory guidance.

The time is now to enhance your data security to meet new regulations and protect your business.

New Data Breach Security Laws Soon to be in Place?

This week, Obama addressed the nation with a new data breach notification bill. Although data breach notification is a major part of this bill, the president also addressed file encryption. The White House bill provides businesses with safe harbor by exempting them from the individual notice requirements if a risk assessment concludes that “there is no reasonable risk that a security risk has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.”  If the data is unusable, unreadable, or indecipherable, there is a presumption that there is no reasonable risk.  If a business makes this determination, it must notify the Commission of the results and its decision, in writing, within 30 days.

In addition to this bill, the New York Attorney General intends to propose a bill that would expand his state’s definition of personal information to include email and passwords. The proposed expanded definition of private information would also include data about a consumer or employee’s medical history, health insurance information or biometric data.

The expanded definition would go beyond a standard adopted in California in 2013 that also requires companies to notify consumers if their email addresses and passwords are stolen or hacked. Last summer, Florida stiffened its breach notification requirements as well.

Here is the part that all organizations in New York should pay attention to:

“The New York bill would reward businesses for taking steps to protect personal information and cooperating quickly with New York authorities in the event of a breach. It would provide them some protection from liability in civil lawsuits if they can demonstrate having taken adequate steps to protect private information from being hacked or inadvertently released.”

From President Obama’s notification bill to the New York Attorney General’s push for stronger protection of personal information, organizations must be ready for much more severe consequences now that pressure is coming from both the federal and state levels.

To ensure that personal information is secure, it must stay secure no matter where it goes. Fasoo Enterprise DRM (Digital Rights Management) prevents the exposure of sensitive and confidential data through encryption. It protects, controls and traces this information no matter where it is. Isn’t it important for consumers and organizations to know that they will be in line with the upcoming bills and laws?

Don’t slack on this part of your spending, and ensure that this kind of information is secure for your own good. Let your CEO get a better night’s sleep.

 

Photo Credit: dannymac15_1999

How Long Can Organizations Be Affected by Healthcare Data Breaches?

2014 has been a big year for data breaches in the healthcare industry. From malicious insiders to accidental loss of devices containing patient information, the headlines about these data breaches were non-stop throughout the year. Healthcare data breaches can affect organizations long after the security issue is discovered. The damage is not only financial: an organization must work hard to regain the trust of patients whose protected health information (PHI) was stolen or used in some other unauthorized way.

According to the Department of Health and Human Services (HHS), once a healthcare data breach has been discovered, covered entities must provide individual notification to those who might be affected no later than 60 days afterwards. But what happens after those 60 days? It would be a relief if it ended there, with no more issues to deal with. However, depending on the type of breach, the number of patients affected, and even the type of technology at the organization, it could take years for an organization to return to where it was before the data breach.

The theft or loss of devices such as laptops, tablets and mobile phones is a leading cause of PHI being put at risk. This is why file encryption is so important: not only does it keep unauthorized individuals out, it protects the data itself. Another kind of insider threat is human error, which often leads to healthcare security incidents. Whether information is sent by paper mail or e-mail, the data itself still must be protected.

These breaches also have legal ramifications, which can take a long time and a considerable financial burden to resolve. Some patient lawsuits are filed months after the breach, others as long as two years after the patients’ PHI was exposed.

With all this being said, these breaches never simply end. It will take months, and can take a couple of years, for things to settle down, but regaining the trust of current, former and even future patients takes the longest, because the organization’s name and reputation have already been damaged by the breach.

As a healthcare organization, it is paramount to think about the best data-centric solution you can have to avoid these cases. Digital rights management lets you set specific permissions on files containing PHI and revoke access if a device has been lost or stolen, which cuts short the lingering effect these data breaches would otherwise have on the organization.

 

Photo Credit: Daniel Borman

Spike in Data Breaches Affects Public Confidence

The recent spike in data breaches this year, 24,000 news stories to be exact, has led to record low levels of public confidence in data security, according to Deloitte. Last year only 5,474 data breach news stories were reported, and even fewer in 2012, with 4,023. This number alone does not mean a greater number of data breaches, but the increase in news stories has definitely raised awareness amongst the public. Most of the reports have been negative; they have kept the issue in view and pushed even the government to get involved in reforms that hold organizations accountable for the security of customers’ personally identifiable information (PII).

These statistics and reports on data breaches have left the majority of consumers with little to no confidence that organizations will keep their personal information safe from harm. It also does not help that privacy policies and terms and conditions are too hard to understand because they are not written in plain English, so the confidence level continues to drop.

Is it not time for organizations and consumers to be on the same page in understanding that consumer information needs to be protected, and that consumers need to know how their information is being protected in the simplest terms possible? In addition to insider threats, which account for breaches such as the loss of devices containing PII, consumers and organizations must continue to worry about hackers stealing files containing PII.

Protecting data with file encryption through data-centric solutions such as information rights management (otherwise known as digital rights management or DRM) protects the data persistently no matter where it goes, whether it stays within the organization or is stolen by hackers outside it. Even when devices are stolen or lost and end up in the wrong hands, unauthorized access is not allowed, and access can be revoked to prevent another data breach from occurring.
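The two ideas the posts above lean on, persistent protection that travels with the file and access that can be revoked after the file has left the building, both follow from one design choice: the content key is never stored in the file, only the identifier needed to ask a policy server for it. The example below is an added illustration written for this page, not Fasoo’s code or a description of how Fasoo Enterprise DRM works internally. It assumes a hypothetical in-process `PolicyServer`, a made-up `DRM1` envelope layout, a constructed sample record, and, to stay within the Python standard library, a demonstration cipher built from HMAC-SHA256 as a keystream generator plus an HMAC tag; a real product would use an authenticated cipher such as AES-GCM. It also keeps the kind of access audit trail the NYS-DFS discussion earlier on this page calls for.

```python
"""Added illustration (not Fasoo's code): file encryption whose key lives on a
policy server, so the same bytes stay unreadable on a lost laptop or an
unsanctioned cloud share, and revoking a user's rights takes effect wherever
the file has travelled.  Cipher is a stdlib-only demonstration construction
(HMAC-SHA256 keystream + HMAC tag), standing in for AES-GCM."""
import hashlib
import hmac
import os
import struct

MAGIC = b"DRM1"          # made-up envelope marker for this example


class PolicyServer:
    """Holds content keys and the access rules bound to each protected file."""

    def __init__(self):
        self._keys = {}  # doc_id -> content key (never written into the file)
        self._acl = {}   # doc_id -> {user: set(permissions)}
        self._log = []   # audit trail: every key request and its outcome

    def register(self, doc_id, key, acl):
        self._keys[doc_id] = key
        self._acl[doc_id] = {user: set(perms) for user, perms in acl.items()}

    def revoke(self, doc_id, user):
        """Drop a user's rights; later opens fail no matter where the file is."""
        self._acl.get(doc_id, {}).pop(user, None)

    def request_key(self, doc_id, user, permission):
        """Return the content key only if the ACL grants this permission."""
        allowed = permission in self._acl.get(doc_id, {}).get(user, set())
        self._log.append((doc_id, user, permission, "granted" if allowed else "denied"))
        return self._keys[doc_id] if allowed else None

    def audit_trail(self):
        return list(self._log)


def _keystream(key, nonce, length):
    # PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(doc_id, plaintext, server, acl):
    """Encrypt under a fresh key, hand the key and ACL to the server, and
    return the envelope: MAGIC | len | doc_id | nonce | ciphertext | tag."""
    key, nonce = os.urandom(32), os.urandom(16)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    server.register(doc_id, key, acl)
    doc_bytes = doc_id.encode()
    return MAGIC + struct.pack(">H", len(doc_bytes)) + doc_bytes + nonce + ct + tag


def open_document(envelope, user, server, permission="view"):
    """Return the plaintext, or None when the policy server denies the key.
    The key is only ever released after the policy check passes."""
    if not envelope.startswith(MAGIC):
        raise ValueError("not a protected file")
    (n,) = struct.unpack(">H", envelope[4:6])
    doc_id = envelope[6:6 + n].decode()
    body = envelope[6 + n:]
    nonce, ct, tag = body[:16], body[16:-32], body[-32:]
    key = server.request_key(doc_id, user, permission)
    if key is None:
        return None
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("file tampered with")   # integrity check before decrypt
    return _xor(ct, _keystream(key, nonce, len(ct)))


def demo():
    """Walk through the lost-device and revocation scenarios from the text."""
    server = PolicyServer()
    env = protect("patient-123.docx", b"PHI: constructed sample record", server,
                  {"alice": {"view", "edit"}, "bob": {"view"}})
    lost_copy = bytes(env)   # identical bytes copied to a lost laptop or cloud share
    results = {
        "alice_before": open_document(lost_copy, "alice", server),   # plaintext
        "outsider": open_document(lost_copy, "outsider", server),     # None
    }
    server.revoke("patient-123.docx", "alice")                        # device reported lost
    results["alice_after"] = open_document(lost_copy, "alice", server)   # None now
    results["bob_edit"] = open_document(lost_copy, "bob", server, "edit")  # view-only user
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point to notice is that nothing about the file changes between the grant and the denial; `lost_copy` is the same byte string throughout. Because the server logs every request, the audit trail also records which user asked for which permission on which document and whether it was granted, which is the per-file view that system access logs alone do not give you.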

Restoring public confidence should be the number one priority for all organizations. From an executive order from the President and severe penalties from the FCC to new laws being passed on data security, don’t be caught unprepared without a complete data security solution that keeps consumer data from being accessed by unauthorized people.

 

Photo Credit: Otto Kristensen
