I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word). Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them? It also made me think, in a situation like this, how the potential for insider theft is far greater.
Files containing IP can be printed on home printers, sent by email to personal accounts, saved to a USB stick, screen captured and so on. These are not necessarily acts of malice, but often acts of desperation driven by the basic need for employment.
In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do. But this tweet brings to the surface the extent to which unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.
I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business-critical information. The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.
Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!
Data discovery and classification is an important first step to protect your confidential data and comply with privacy regulations. You need to identify the location of your data and its value to your organization before determining how to protect it. Done right, this leads to a data-centric security and compliance program that is critical to your corporate brand and competitive advantage.
Unfortunately, many discovery and classification projects stall or fail because solutions try to address all data needs, not just security and privacy. Organizations get caught up in the process and lose focus of the goal, which is to protect and control sensitive information.
There are different approaches to data discovery and classification. Content-centric approaches, like DLP, use predetermined workflow rules to control data usage. They try to classify data using complex rules and then control its movement. You may have 20 rules that try to determine if a file you are emailing contains sensitive data and another 20 to make sure you don’t copy that file to a USB drive or a cloud location.
Context-centric approaches apply rule-based analytics to user behavior to minimize the risk of insider threats. This might look at who creates a document, where they move it and when it was last accessed.
These rule-based approaches attempt to model everything data and users can and cannot do. They require extensive data classification and rely on maintaining a very complex set of rules. They gather a lot of data about your data so they can attempt to determine all possible outcomes.
These approaches complicate data discovery and classification and make it difficult to protect and control sensitive data, which is your ultimate goal.
A better approach is to classify sensitive data as confidential and immediately encrypt it. This protects the data, controls user access and tracks the file wherever it travels. Rather than relying on complex classification processes to control what users can or cannot do, this approach optimizes classification and streamlines a path to protect and control your most sensitive data. You also don’t have to worry about location anymore, since the file is always encrypted and access controlled.
The goal of discovery and classification is to understand your data and protect it. Streamline that process by encrypting sensitive data and controlling its access, rather than wasting time developing and maintaining complex rules that focus on all the things users can and cannot do with it.
The financial services industry is a frequent target of hackers, but a larger threat may be trusted insiders since they have access to a lot of sensitive customer data. Advisers within wealth management practices regularly share data with other advisers, staff members, a counterparty or a trusted third-party service provider. They may inadvertently or deliberately share that data with unauthorized people and pose a risk to their firms and customers. Once shared, most firms have no control over that data. The Ponemon Institute illustrates this risk by reporting that 65% of cyber breaches originated with third parties.
Insiders regularly share customer or other sensitive information with colleagues and third parties by generating and downloading reports from a database. Typically the reports are spreadsheets, which make it easy to analyze the data. Access to the database may be restricted, but once the data is in a spreadsheet, it is easy to share with anyone.
Just recently, BlackRock inadvertently exposed names, email addresses and other information of 20,000 independent wealth management advisers. The data was in several spreadsheets from an internal customer relationship management system and was inadvertently posted on a website by an internal user. There was no hacking, just a mistake by a trusted insider.
In 2017, New York implemented comprehensive cybersecurity regulations to protect New York’s financial services industry and consumers from cyber attacks. Other jurisdictions are following suit. High-profile cases like the Morgan Stanley broker who stole data on more than 350,000 of the bank’s wealthiest clients in 2014 were clearly on the minds of regulators when they created these regulations. Even with these rules in place, BlackRock still experienced a data breach.
Typical approaches to stop data breaches focus on protecting devices and locations from unauthorized access, rather than the data stored on them. These solutions force you to create complex business rules that monitor data movement and alert you to abnormal activities. In the BlackRock and Morgan Stanley cases, authorized users had legitimate access to sensitive data, so these tools may not have flagged anything as abnormal.
The only effective way to restrict access to sensitive data to authorized users is to encrypt it and apply security policies that govern its access. This ensures that only authorized users can access the data, regardless of the file’s location or format, including when the data is sent to a counterparty or other third-party service provider. Once encrypted, the organization can trace user activities and even revoke access, whether the file is stored on a local system, mobile device, website or cloud-based repository. Anyone who obtains the file cannot read its contents unless explicitly granted access to it.
Morgan Stanley could have prevented its employee from accessing customer information on his home computer by encrypting it and setting appropriate policies. Once he left the company, his access to company data could be immediately revoked. The BlackRock spreadsheets would have been useless to any unauthorized person, since no one could read their contents unless explicitly granted access. If hackers stole the data in either case, it would be useless to them, since it was encrypted and the hackers had no authorization to access it.
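The model described in the two posts above (classify the file as confidential, encrypt it once, decide access at the moment of use, revoke and audit) can be sketched as a small policy-server simulation. The following is an added example, not Fasoo’s or any product’s code: the document id, user names and spreadsheet contents are constructed for illustration, and the HMAC-based toy keystream stands in for a real authenticated cipher such as AES-GCM so that the example runs on the Python standard library alone. The point it demonstrates is that the encrypted blob can travel anywhere (email, USB stick, a public website) without becoming readable, because access is enforced at key release, and that revoking a departed employee therefore works wherever his copies are.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _keystream(key, nonce, length):
    """Toy keystream (HMAC-SHA256 over nonce||counter): a stand-in for AES-GCM so
    the example runs on the standard library alone. Not for production use."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext. The blob carries no key, so a copy on a USB
    stick, in a mailbox or on a web server is unreadable by itself."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Policy:
    owner: str
    grants: dict                          # user -> set of permitted actions
    revoked: set = field(default_factory=set)


class PolicyServer:
    """Holds keys and policies; releases a key only when policy allows the
    requested action, and records every decision in an audit log."""

    def __init__(self):
        self._keys, self._policies, self.audit = {}, {}, []

    def protect(self, doc_id, owner, plaintext, grants):
        key = secrets.token_bytes(32)
        self._keys[doc_id] = key
        self._policies[doc_id] = Policy(owner, {u: set(a) for u, a in grants.items()})
        self._log(doc_id, owner, "protect", "ok")
        return encrypt(key, plaintext)

    def request_key(self, doc_id, user, action):
        policy = self._policies.get(doc_id)
        if policy is None:
            outcome = "denied: unknown document"
        elif user in policy.revoked:
            outcome = "denied: access revoked"
        elif action not in policy.grants.get(user, set()):
            outcome = "denied: not permitted"
        else:
            outcome = "allowed"
        self._log(doc_id, user, action, outcome)
        return self._keys[doc_id] if outcome == "allowed" else None

    def revoke(self, doc_id, user):
        # Revocation works wherever the file is: it removes the user's path to
        # the key, not the file.
        self._policies[doc_id].revoked.add(user)
        self._log(doc_id, user, "revoke", "ok")

    def _log(self, doc_id, user, action, outcome):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "doc": doc_id,
                           "user": user, "action": action, "outcome": outcome})


def open_document(server, doc_id, user, blob, action="view"):
    """Client side: the file opens only if the server releases the key."""
    key = server.request_key(doc_id, user, action)
    return None if key is None else decrypt(key, blob)


def demo():
    """A CRM export shared with a colleague, copied outside the firm, then revoked."""
    server = PolicyServer()
    report = b"adviser,email\nJ. Doe,jdoe@example.com\n"     # constructed sample data
    doc = "crm-export"                                      # hypothetical document id
    blob = server.protect(doc, "alice", report, grants={"alice": ["view", "edit"], "bob": ["view"]})
    results = {
        "bob_view": open_document(server, doc, "bob", blob),
        "bob_edit": open_document(server, doc, "bob", blob, action="edit"),
        "outsider_view": open_document(server, doc, "outsider", blob),  # blob found on a public site
    }
    server.revoke(doc, "bob")                               # bob leaves the firm
    results["bob_after_revoke"] = open_document(server, doc, "bob", blob)
    results["blob_is_ciphertext"] = report not in blob
    results["outcomes"] = [e["outcome"] for e in server.audit]
    return results
```

Running `demo()` shows the behaviour the posts argue for: the same blob is readable by the colleague with a view grant, unreadable to him for an action he was not granted, unreadable to anyone who finds a copy outside the firm, and unreadable to the colleague himself after revocation, while the audit list records each decision for later investigation. In a real deployment the key store and policy store sit on a hardened server, the client caches keys only under the same policy, and the cipher is an authenticated one.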
Investors trust wealth management firms to protect their sensitive data. Encrypting files and controlling user access maintains that trust and complies with privacy regulations.
Fasoo sponsored and presented at an event in Columbus, OH on November 13, 2018 entitled “Incident Detection, Response and Recovery” highlighting how to prepare and manage an incident response plan for cybersecurity and data protection. Presented and cosponsored by Catalyst Solutions, IBM and Huntington Insurance, the event brought together experts in legal, insurance, law enforcement, government, accounting and security disciplines to discuss the legal, technical and business issues of preparing for and responding to a data breach.
Bill Blake, Senior Vice President and CCO of Fasoo, presented Incident Response & Recovery: Secure Collaboration for Critical Information which highlighted the Wrapsody platform as a solution to help manage the development, access and control of an incident response plan (IRP). Bill showed an example of a CISO, Legal Counsel and an external Advisory firm securely collaborating on an IRP and how to control who could access the plan and any supporting documents involved in a response. The example showed how easy it is to securely collaborate on developing and managing the plan, but also on limiting access prior to, during and after a breach occurs. Since Wrapsody encrypts documents and controls their access, it guarantees only authorized users can access them. This is critical because if an incident response plan got into the wrong hands, malicious insiders or external parties could compromise an organization’s data security.
Ed Rice, an attorney at Sherrard, German & Kelly, P.C., talked about the importance of having a data security program in place. “Not only does it make good business sense, but under the regulatory landscape, for instance in NY, MA and CA, having such a program is a requirement when a company deals in data containing personal information. Ohio’s new data protection act actually provides a “safe harbor” from liability for a data breach if the company has in place a good data security program”.
One key to a data breach response is maintaining attorney-client privilege between internal or outside counsel and the organizations involved in the breach. A cybersecurity incident is not considered a data breach until an attorney says it is. An attorney should be involved in developing the plan so the plan and any supporting documents are considered attorney work product and come under attorney-client privilege. Since Wrapsody limits access to authorized users, if a malicious insider tried to share documents with external parties, they would not be accessible. If a court tried to subpoena the documents, attorney-client privilege would protect them legally, but Wrapsody’s encryption and access control would prevent access to the files themselves. Another key is having a detailed audit log of document access to prove to auditors, regulators and law enforcement who accessed the IRP during its preparation and execution, thus also helping establish what is subject to attorney-client privilege.
Once an event occurs and the organization executes the IRP, access is controlled and audited. If internal systems are compromised, Wrapsody enables mobile access to the IRP through a phone or tablet. Since each version of the IRP and any supporting documents are automatically synced to the Wrapsody server, those involved in the response will have access to the latest information, even if local copies of the IRP were hit with ransomware.
Protecting company and customer information is the main goal of cybersecurity. Preventing a data breach is a key tactic, but you need to have a viable incident response plan so you can act quickly and decisively if or when a breach occurs. Using Wrapsody to prepare and manage the plan along with sensitive documents should be a key tactic in your cybersecurity program.
Fasoo’s message of finding, protecting and controlling unstructured data definitely made an impact on attendees at the 2018 RSA Conference in San Francisco. With new regulations like the General Data Protection Regulation (GDPR) coming on quickly and the general feeling that businesses need to do more than just track file access, companies are looking for a more comprehensive and practical approach to providing secure ways to conduct business.
Over 45,000 senior executives and IT security professionals attended this year’s conference, with about 2,000 visiting Fasoo’s booth. Visitors saw hourly presentations and demonstrations on how to manage and control their unstructured data, which is by far the largest problem in data security. While someone hacking a database and stealing credit cards seems to make the headlines, the reality is that the majority of an organization’s intellectual property and sensitive information is stored in documents. Fasoo staff showed how Fasoo Data Radar, Fasoo Enterprise DRM, Fasoo RiskView and Wrapsody help manage and protect the critical business information inside documents.
A lot of attendees were very interested in discovery and classification of files because many realized they don’t know what they have and where it’s located. One executive I talked to had a good handle on her databases, but when it came to downloading reports from those databases and the documents employees create every day, she acknowledged it’s a lot more challenging. She mentioned there’s a lot of redundant, obsolete and trivial (ROT) data in file shares, cloud repositories and on people’s desktops which makes controlling the important information a lot more difficult. She wanted to focus on data critical to her business and get rid of everything else. I suggested automatically securing files as users create or edit them. This protects current information and lets her quickly understand what is used and what is not.
Of course what would RSA be without some fun? Our hourly presentations were very lively and attendees got Starbucks cards, Fasoo hippos, headphones and an Amazon Echo. You had to really listen to the presentation to get some of the prizes, but the real fun started when Star Wars trivia came up. One gentleman had to perform for his prize making a convincing Chewbacca sound. There was even a little horse trading as the winner of one prize decided to swap it with the winner of another prize.
Visitors to Fasoo’s booth commented that the security solutions looked easy to use but still allowed them maximum protection of their unstructured data. This is always a critical issue as organizations try to balance security with productivity. Automating the processes of identifying, classifying and encrypting sensitive files allows employees and business partners to focus on their jobs rather than worrying about how to protect business-critical information.
As 2017 gets underway, cyber security legislation will strengthen and force businesses to change the way they approach information security. At the federal level in the United States, the US Congress and President have proposed numerous updates to existing regulations and new regulations to cover all facets of cybersecurity. These include the Cyber Preparedness Act of 2016, Cybersecurity Systems and Risk Reporting Act and others.
At the state level, legislation was introduced or considered in at least 28 states in 2016. Fifteen of those states enacted legislation, much of it addressing security practices, the protection of information and cyber crime in general, including ransomware.
One example is the new regulation by the New York State Division of Financial Services (NYS-DFS) that goes into effect on March 1, 2017 (changed from January 1) and requires organizations registered as banks, insurers and other financial institutions in the state to implement comprehensive cyber security programs and policies. The first bar is to encrypt nonpublic information at rest and in transit. This includes confirming a third-party service provider’s adherence to these enhanced data security requirements. Covered entities have to certify they meet the first set of requirements by February 15, 2018 and annually after that.
Another key requirement of the NYS-DFS cybersecurity regulation, and of others like it, is to maintain audit trails of sensitive data, including logs of access to critical systems. While it is important to understand who can access and has accessed an information system, it is more important to control and audit access to the sensitive data inside it. Encrypting documents and controlling who can access them, regardless of the user’s or file’s location, is key to protecting sensitive data and meeting these regulations. This ensures that only authorized people inside and outside the organization can access the information.
One thing to remember is that most regulations prescribe the minimum an organization must do to comply. As we have seen in recent years, complying with a regulation does not mean you are safe and your data is secure. You need to think about protecting, controlling and monitoring all sensitive data inside your organization to ensure you meet regulations but also that you maintain your business.
It is clear that regulators and legislators are focused on raising the bar for cybersecurity programs and on assuring the public that nonpublic information remains private. Organizations need to focus on developing a robust risk-based cybersecurity program rather than reactively responding to regulatory guidance.
The time is now to enhance your data security to meet new regulations and protect your business.
This week, Obama addressed the nation with a new data breach notification bill. Although breach notification is a major part of this bill, the president also mentioned file encryption. The White House bill provides businesses with safe harbor by exempting them from the individual notice requirements if a risk assessment concludes that “there is no reasonable risk that a security risk has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.” If the data is unusable, unreadable or indecipherable, there is a presumption that there is no reasonable risk. If a business makes this determination, it must notify the Commission of the results and its decision, in writing, within 30 days.
In addition to this bill, the New York Attorney General intends to propose a bill that would expand his state’s definition of personal information to include email and passwords. The proposed expanded definition of private information would also include data about a consumer or employee’s medical history, health insurance information or biometric data.
The expanded definition would go beyond a standard adopted in California in 2013 that also requires companies to notify consumers if their email addresses and passwords are stolen or hacked. Last summer, Florida stiffened its breach notification requirements as well.
Here, though, is the part that all organizations in New York should pay attention to:
“The New York bill would reward businesses for taking steps to protect personal information and cooperating quickly with New York authorities in the event of a breach. It would provide them some protection from liability in civil lawsuits if they can demonstrate having taken adequate steps to protect private information from being hacked or inadvertently released.”
From President Obama’s notification bill to the New York Attorney General’s push for stronger protection of personal information, organizations must be ready to face much more severe consequences now that the pressure is coming from both the federal and state levels.
To ensure that personal information is secure, the data must be protected no matter where it goes. Fasoo Enterprise DRM (Digital Rights Management) prevents the exposure of sensitive and confidential data through encryption. It protects, controls and traces this information no matter where it is. Isn’t it important for consumers and organizations to know that they will be in line with the upcoming bills and laws?
Don’t slack on this part of your spending, and ensure that this kind of information is secure for your own good. Let your CEO get a better night’s sleep.
2014 has been a big year for data breaches in the healthcare industry. From malicious insiders to the accidental loss of devices containing patient information, the headlines for these data breaches were non-stop throughout the year. Healthcare data breaches can affect organizations long after the security issue was discovered. The cost is not only financial: an organization whose patients have had their protected health information (PHI) stolen and used in some unauthorized way will have to work hard to prove itself to them again.
According to the Department of Health and Human Services (HHS), after a healthcare data breach has been discovered, covered entities must notify the individuals who might be affected no later than 60 days afterwards. But what happens after those 60 days? It would be something of a relief if it all ended there, with no more issues to deal with. However, depending on the type of breach, the number of patients affected and even the type of technology at the organization, it can take years for an organization to return to where it was before the breach.
The theft or loss of devices such as laptops, tablets and mobile phones is a leading cause of PHI being put at risk. This is exactly why file encryption is so important: it not only keeps unauthorized individuals out of the devices, it protects the data itself. Another kind of insider threat is human error, which often leads to healthcare security issues. Whether the data is sent by paper mail or electronic mail, it still must be protected.
These kinds of breaches can have legal ramifications, which can take a long time and a heavy financial burden to resolve. Some lawsuits are filed by patients months after the breach, and some as long as two years after patients’ PHI was exposed.
With all this being said, these breaches never just end. It will certainly be months, and can be a couple of years, before things settle down, but it is regaining the trust of current, former and even future patients that will take the longest, since the organization’s name and reputation have already been damaged by the breach.
As a healthcare organization, it is paramount to think about the best data-centric solution you can have to avoid these cases. Digital rights management gives you the ability to set specific permissions on files containing this kind of PHI, as well as to revoke access if a device has been lost or stolen, and so limits how long these data breaches will have a lingering effect on the organization.
The recent spike in data breaches this year, 24,000 news stories to be exact, has led to record low levels of public confidence in data security, according to Deloitte. Last year only 5,474 data breach news stories were reported, and even fewer in 2012, with 4,023. This number alone does not mean a greater number of data breaches, but the increase in news stories has definitely raised public awareness. Most of the reports have been negative, have constantly raised awareness and have pushed even the government to get involved in creating reforms that put greater emphasis on holding organizations accountable for the security of customers’ personally identifiable information (PII).
These statistics and reports on data breaches alone have left the majority of consumers with little to no confidence that organizations will keep their personal information safe from harm. It also does not help that privacy policies and terms and conditions are too hard to understand because they are not written in plain English, so the confidence level continues to drop.
Is it not time for organizations and consumers to be on the same page, understanding that consumer information needs to be protected and that consumers need to know how their information is being protected in the simplest terms possible? In addition to insider threats, which account for data breaches such as the loss of devices containing PII, consumers and organizations must continue to worry about hackers stealing files containing PII.
Protecting data with file encryption through data-centric solutions such as information rights management (otherwise known as digital rights management or DRM) protects the data persistently no matter where it goes, whether it stays within the organization or is stolen by hackers outside it. Even when devices are stolen or lost and end up in the wrong hands, unauthorized access is not allowed, or access can be revoked to prevent another data breach from occurring.
Restoring public confidence should be the number one priority for all organizations. With an executive order from the President, severe penalties from the FCC and new laws being passed regarding data security, don’t be caught unprepared without a complete data security solution to protect consumer data from being accessed by unauthorized people.
Everyone from the FBI and Department of Homeland Security (DHS) to the FCC, all the way up to the White House, is pushing for stronger data security measures among organizations that deal with sensitive customer information. Just last week, the FCC fined two telecommunication companies $10 million for neglecting to protect over 300,000 customers’ personally identifiable information (PII). This is the FCC’s first data security case and its largest privacy violation action ever. The telecoms failed to encrypt the online data, which included Social Security numbers, addresses, names and driver’s license information, which meant that anyone could access it without entering a password.
It is no wonder that, with lax security practices like these, identity theft has become the fastest growing crime in the U.S. In addition, Obama has signed an executive order intended to make organizations increase data security and to push forward the government’s enforcement responsibilities.
The need for data security has dramatically increased as big retail stores, financial organizations, health care industries and other organizations continue to make headlines for major data breaches leaking the sensitive information of hundreds of thousands to several million customers. In addition, it’s not just outside hackers that are causing these problems, but also the insider threat from current or former employees that the FBI and DHS have warned about.
Digital rights management or information rights management is a form of file encryption that could have… scratch that, that can prevent this data from being accessed by unauthorized users. Persistent data protection, dynamic permission control and intelligent monitoring are just a few of the key features that Fasoo Enterprise DRM provides to save organizations from these kinds of data breaches.
Do not face the hefty fines thrown down by the government; be prepared with a reliable and robust solution that will prevent these kinds of data breaches (Target, JPMorgan, AT&T, etc.) from happening. The government has now put the responsibility on organizations to act by implementing data security solutions that protect sensitive customer PII and earn the trust of not only their current customers but future customers as well.
Unencrypted portable media such as CDs and USB drives have recently hit the headlines. Most recently in Arizona, two unencrypted computer discs containing names and Social Security numbers were sent to a partner, and after a month the partner still said it had not received the discs. This situation, along with many other healthcare industry data breaches, proves that no organization is immune to this threat.
As stated in this article, and as many people would agree, these incidents underline the increased importance of health data encryption as a top priority for the healthcare industry. However, it is impossible not to maintain these relationships with partners, and sensitive files will continue to make their way outside the organization through email, cloud-based file-sharing services, FTP and portable media such as USB drives and CDs. Security measures for files shared with outside parties have therefore become critical to an organization’s security agenda.
When a file is shared externally, Fasoo, the leader in data and software security, ensures a secure exchange of information and guarantees that files are shared only with the intended recipients through file encryption. The sender can decide who can access sensitive files and what permissions they have on the document such as View, Edit or Print. Persistent security remains in place and provides the sender with assurance that the files are secure even after they are sent.
Even when files are inadvertently or intentionally sent to other parties, a sender can revoke future access to them. All actions are logged for future analysis and provide you with peace of mind.
Fasoo allows employees to securely share sensitive intellectual property so that they can safely collaborate with partners and customers without the fear of data breaches no matter where their files are. The security policy applied to these files defines who can View, Edit, Print and Screen Capture them.
Could this solution, Fasoo Secure Exchange (FSE) from Fasoo, have prevented this data breach, along with others, from happening? If not the theft itself, then certainly access to the stolen data could have been prevented. With new legislation that requires health insurers to encrypt all health information on computers, and potential fines ranging from $10,000 to, most recently, millions of dollars at other organizations, it’s time for all organizations, especially healthcare organizations, to find the best solution to encrypt sensitive information and, most importantly, maintain the trust of your customers.
How many of you have privacy and security guidelines at your company? Do you really follow each and every guideline? Based on a recent article on the data breach at AT&T, it doesn’t look like that is the case. One of its employees did not follow its “strict privacy and security guidelines” and gained access to customers’ accounts without authorization. The information included Social Security numbers, driver’s license numbers and Customer Proprietary Network Information (CPNI), which specifies services purchased, including which numbers the customer has called and when.
Although this employee no longer works at AT&T, the question everyone has when a data breach occurs is what the company is doing now to mitigate the risk of future breaches. Anybody who has received a notification letter was most likely given a number to call for free credit monitoring, but at some companies, as in this case, two, three or more breaches continue to occur.
As we all know, many other companies in other industries have these same guidelines, but similar insider data breaches still seem to occur. The health care industry has been busy with these kinds of breaches, notably Aventura Hospital and Medical Center, where as many as 82,000 patients’ protected health information (PHI) was leaked. Then in the banking industry, two former executives at Teche Federal Bank, which was acquired by IberiaBank, stole several thousand customer files and provided them to competitor JD Bank.
These data breaches from insider threats have occurred as the FBI and Department of Homeland Security warned of an increase in insider threats from current and former employees.
Many companies have only such guidelines, but the only sure way to protect customers’ sensitive information is to protect the data itself. File encryption solutions such as Fasoo Enterprise DRM (Digital Rights Management) provide persistent file-based security for any business environment. This enables organizations to protect, control and trace sensitive files containing intellectual property, trade secrets, PII and more, and ultimately prevents insiders, whether malicious or careless, from causing data breaches.
Privacy and security guidelines alone can no longer protect the confidential information of consumers; only securing the data itself will prevent the data breach cases mentioned above from happening.
Your data security journey starts from here! See how Fasoo can help your data privacy and security.