The phrase “It takes a Village to raise a child” is true. But it is also true that it takes a team to develop a data governance and policy management strategy!
Teamwork matters when developing a data security strategy, and data governance and policy management need to be part of the equation. It is becoming clearer that organizations struggle with policy management, particularly for unstructured data, whose very nature leaves it vulnerable to exposure and loss. Insider threat is of particular concern: hackers typically attack structured databases, but your employees and other trusted insiders access those databases every day and can download sensitive information into spreadsheets and reports. They also handle your intellectual property, such as product designs and roadmaps, and it is insiders who walk off with those designs and sell them to your competition, or bring them to a competitor to jumpstart the next phase of their career. Losing this information will not only cost you revenue, it can also result in a regulatory fine. Who can afford that?
It’s really important to work as a team to:
Define a Practical Data Governance Plan for Unstructured Data
Identify Use Cases & Conduct Workflow Reviews
Turn Use Cases Into Unified and Centralized Policies
Develop a Change Management Plan
In Fasoo’s next webinar, Why Leadership and Data Governance is Critical to Policy Management, Ron Arden and Deborah Kish will walk through these steps and share best practices for the teamwork that gets you to a better data governance and policy management strategy. The last of our 3-part webinar series will be September 18th at 2 pm. You won’t want to miss it.
Last week, Fasoo sponsored and participated in the ISMG Cybersecurity Summit in New York City. It was a great, well-attended event in the Theater District, and the ISMG folks were awesome to work with!
As part of our sponsorship, Fasoo had a 10-minute Tech Spotlight where, rather than delivering a “death by PowerPoint” tech dump, we thought it would be good to get everyone thinking about working together as a team on their data security initiatives by following the example of geese. Below is the recap for the wider audience.
When geese fly south for the winter, or move from one pond or lake to another, they do so in a V formation. There is a lot of science behind this, but to make a long story short they:
Flap their wings so that each bird gets extra lift from the one ahead of it, making the flight more efficient
Take turns leading the way so that each bird gets a break
Stick with each other in times of trouble
Geese are sensible in that they share the responsibility of working together as a “team” to reach their destination efficiently and meet the goal of the journey! For the purposes of this post, the journey stands for better data security across all businesses.
Many organizations’ stakeholders (C-level executives, business unit leaders and so on) don’t talk to one another about how they need to handle data security. Each has their own agenda, process, budget and ideas, but much more can be accomplished by working together: understanding each other’s goals and coming up with a plan to execute. So think about the flock of geese and their journey (south, or from one body of water to another) the way you should think about your data security projects and initiatives. Work as a team. Talk to one another and get on the same page. Talk about your data and make a plan, with the goal of protecting it and building a stronger data security strategy that you can achieve as a company. Understand each other’s goals and ensure that you reach them.
Now, some geese (you may or may not know this) develop what is called “angel wing”: the flight feathers stick out from the side of the wing instead of lying flat. It is usually caused by a poor diet (bread, for example; please don’t feed geese bread, it is no good for them). For the purposes of this post, that poor diet is an incomplete or non-existent data security strategy. Either way, it leaves the bird unable to fly, vulnerable to predators (much like data facing a hacker or thief without a good strategy) and, ultimately, left behind.
Like the geese, work together and make sure that your journey toward stronger data security is attained. And keep in mind, things don’t happen overnight. There will be disagreements and things might feel as if they are going nowhere. But don’t give up!
The upside? There are many. Great things come from working together as a team: by talking to one another you’ll discover commonalities across the organization in how data is collected, handled and used, which makes the journey simpler than you think. And if you feel that your organization is NOT talking? Be the thought leader or pioneer for your company or business unit. Start the conversation. I’ll help you!
Bring your ideas to the table and don’t let your business be the goose that wound up with angel wings, left behind and vulnerable to attack.
In our last post, we said “Without granular access controls, you can’t prevent a user from copying data from a file and pasting it into an email, for example. If you only encrypt a file and do not prevent copy and paste or printing, a user can easily compromise security.” And we meant it.
Now, you might be asking yourself “What does it mean… granular access controls?” And the answer is simple.
Granular permissions, or granular access controls, mean that you grant specific permissions or enable specific actions when a user opens a file. You can allow or prevent a person from doing things in a file while it is open, or “in use”, and since data in use is really difficult to protect, wouldn’t it make sense to add this layer of protection? By applying granular access controls you can prevent someone from copying and pasting, taking a screenshot, or printing, based on the classification of the file and the security policy applied to it. Users are granted or denied each specific action while a document is open.
Intellectual property is extremely valuable to your business, but it is also very vulnerable to theft. Think about your product design plans, or maybe your trade secrets or product roadmaps. Anyone could copy and paste that information into an email and send it to anyone, take a screenshot and text it to a friend, or print it and walk out the door with a piece of paper. If you’ve followed our first webinar “Overcoming Unstructured Data Security and Privacy Choke Points“, you will hopefully be thinking about getting your first line of defense, or your foundation, built. In our next webinar, “How Granular Access Controls and User Behavior Analytics Close the Gap on Insider Threat” on Wednesday, August 7, 2019 at 11:30 am EST, we “get granular” about granular access controls.
Picture it. Your employees access sensitive and confidential customer information every day so they can do their jobs. Once the data leaves the protected confines of an information repository, file share or cloud-based service, your authorized users can share it with anyone, do anything with it and compromise your customer’s confidential information or your intellectual property. As a result, you may be subject to regulatory fines, not to mention losing customers because they can’t trust you to maintain their confidentiality. And as for IP? It could get in the hands of your competition, threatening your business.
What do you need to do? You need to persistently protect confidential data so that customer information and your IP are protected regardless of where they go and who has them. Through a file-centric approach, you need to close the security gap that allows sensitive data to be shared with unauthorized users, by applying granular access controls to the sensitive data itself. Without granular access controls, you can’t prevent a user from copying data from a file and pasting it into an email, for example. If you only encrypt a file and do not prevent copy and paste or printing, a user can easily compromise security.
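To make the idea concrete, here is an added example (not Fasoo’s code; the classification names, group names and the policy table are assumptions made for illustration) of how classification-driven, action-level permissions can be resolved when a file is opened and enforced while it is in use, as described in the two posts above. What it shows beyond the prose is the fail-closed behaviour: anything not explicitly granted for a classification and group is denied, a document with an unknown classification grants nothing, and every allow or deny decision is recorded.

```python
"""Granular, classification-driven permissions for a document while it is open.

Added illustration, not Fasoo code. A file carries a classification; a policy
table decides which in-use actions (view, edit, copy, print, screenshot) each
group may perform. Everything not explicitly granted is denied.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Action(Enum):
    VIEW = auto()
    EDIT = auto()
    COPY = auto()        # copy/paste out of the document
    PRINT = auto()
    SCREENSHOT = auto()


@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str  # hypothetical labels: public, internal, confidential, restricted


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset    # group memberships, e.g. {"employees", "engineering"}


# Hypothetical policy table: classification -> group -> permitted actions.
# "*" matches every authenticated principal. Grants from several groups add up.
POLICY = {
    "public": {"*": {Action.VIEW, Action.EDIT, Action.COPY, Action.PRINT, Action.SCREENSHOT}},
    "internal": {"employees": {Action.VIEW, Action.EDIT, Action.COPY, Action.PRINT},
                 "contractors": {Action.VIEW}},
    "confidential": {"engineering": {Action.VIEW, Action.EDIT},
                     "legal": {Action.VIEW, Action.PRINT}},
    "restricted": {"executives": {Action.VIEW}},
}


def permitted_actions(principal: Principal, doc: Document) -> frozenset:
    """Resolve the actions this principal may perform on this document.

    Fail closed: a classification missing from POLICY grants nothing, and a
    principal in no matching group gets an empty set rather than a default.
    """
    rules = POLICY.get(doc.classification, {})
    allowed = set()
    for group, actions in rules.items():
        if group == "*" or group in principal.groups:
            allowed |= actions
    return frozenset(allowed)


@dataclass
class OpenSession:
    """A document that is 'in use'. Every operation re-evaluates the policy,
    so a policy change takes effect on the next attempted action."""
    principal: Principal
    doc: Document
    audit: list = field(default_factory=list)

    def _check(self, action: Action) -> None:
        ok = action in permitted_actions(self.principal, self.doc)
        self.audit.append((self.principal.user, self.doc.doc_id, action.name,
                           "allow" if ok else "deny"))
        if not ok:
            raise PermissionError(f"{action.name} denied on {self.doc.doc_id} "
                                  f"({self.doc.classification})")

    def copy_selection(self, text: str) -> str:
        self._check(Action.COPY)
        return text  # a real agent would populate the clipboard here

    def print_document(self) -> None:
        self._check(Action.PRINT)

    def capture_screen(self) -> None:
        self._check(Action.SCREENSHOT)


def open_document(principal: Principal, doc: Document) -> OpenSession:
    """Opening itself requires VIEW; everything else is checked per action."""
    if Action.VIEW not in permitted_actions(principal, doc):
        raise PermissionError(f"{principal.user} may not open {doc.doc_id}")
    return OpenSession(principal, doc)


if __name__ == "__main__":
    roadmap = Document("roadmap-2020.docx", "confidential")
    alice = Principal("alice", frozenset({"employees", "engineering"}))
    session = open_document(alice, roadmap)
    print(sorted(a.name for a in permitted_actions(alice, roadmap)))
    try:
        session.copy_selection("Q3: launch ...")
    except PermissionError as err:
        print("blocked:", err)
```

Because the check runs on every in-use operation rather than once when the file is opened, removing a user from a group or tightening the table for a classification takes effect the next time that user tries to copy or print, which is the behaviour you want when a departing employee’s access is cut.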
Picture it. When you hire an employee, you are trusting them to always have the best interests of the company at heart. The employee trusts that the company will help them reach their goals in terms of career and advancement. Trust should be a two-way street. But the former isn’t always black and white, because we know two things:
No one is infallible
Maliciousness is a reality
To elaborate further, not so much on “No one is infallible”, because we all know mistakes happen: information can be accidentally sent to the wrong person by email, whether inside or outside the organization. For the sake of statistics and surveys, IBM recently published a study citing that “…inadvertent breaches from human error and system glitches were still the cause for nearly half (49%) of the data breaches in the report, costing companies over $3 million.”
But maliciousness, unfortunately, is a reality. Clear examples of why data may fall victim to exposure include:
The employee who gets let go
The employee who leaves the organization because they feel they are being treated unfairly
The employee who decides they can advance their career by taking intellectual property or trade secrets to the competition
To think about stronger data security and privacy protection! But first, I want you to think about the millions of heroes who have served our country.
As we approach the 4th of July, I wanted to take a moment to recognize the heroes in the many branches of the U.S. Military. From myself, and on behalf of the entire team at Fasoo, THANK YOU for your service!
And while thinking about those who have put themselves at the first line of defense, defending our country and fighting for our freedom, we are still fighting for privacy and stronger data security. As individuals, we are required to provide tons of personally identifiable information to our doctors, lawyers, employers and financial institutions – trusting that they will safeguard our information. But data leaks still happen! So we know we need to take data security and privacy seriously.
Now, I don’t want this discussion to turn political, but it was brought to my attention (thanks, Rick), in an article published by ZDNet that “The US State Department will now require new visitors to the United States to hand over their social media account names as well as email addresses and phone numbers used over the past five years.”
I remember when I was a kid, the USA was referred to as “The Great American Melting Pot”, where people were welcomed from all over the world to come here and live their dream! Freedom. In fact, my own family migrated from Hungary and settled in Pennsylvania in the early 1900s. Of course, this was long before the digital age. Back then, the information collected, while personally identifiable in nature, was nowhere near as much in terms of “volume”. So while people are still coming to this country to live their dreams, the data required to do so is a magnitude greater than it used to be, multiplying the amount of data that needs to be protected. What I am saying here is that these visitors’ dreams should NOT include the fear of identity theft or exposure of personal data.
In the digital age, our thirst for knowledge and expression has us willing to give information in exchange for merchandise, a whitepaper, maybe even recognition. And we should be able, with trust and the freedom to do so, without fear. So at the risk of misquoting one of our Founding Fathers, those who would give up personal data for essential freedom, deserve both privacy and security.
So fire up the grill, add another hot dog or hamburger, tofu for my vegan friends, crack open a beer or have some wine. Enjoy your friends, family and freedom and by all means, please have a safe holiday!
This has been on my mind. A lot. Every day, I open my email to find news about how a company needs to pay a fine or a fee to either an individual or a regulator because data was leaked or stolen. This one in particular caught my eye because it is a classic example of data being accessed by the wrong individual and shared with someone who should definitely not have been able to see it. This one seems to be an access control and encryption play. Had those been in place, this healthcare entity wouldn’t have had to shell out $853K or violate HIPAA regulations in the process.
And this one! It dates back to 2015, but it is still one of the largest hack attacks to date, and the settlement (which was just reached) is nearly $1 million. All because a sophisticated attack allowed the hackers to steal user credentials and 3.5 million patient records. As a result (besides the $900K), MIE has a laundry list of technologies it will be required to invest in, as well as implementing “controls during the creation of accounts that allow access to ePHI”.
This tells me something: there are still so many companies that do not have strong sensitive data security and privacy controls in place.
And it leads me to feel even more strongly about the “file-centric” approach. A file-centric approach means that you focus on the actual data (in both of these cases, PII) rather than the location of the data. Encryption and access control in these cases could have made a significant impact and saved the victims of the breaches from potential harm like ID theft, AND saved the entities themselves a lot of money. I’ll be talking about this in more detail in my upcoming webinar “Overcoming Unstructured Data Security and Privacy Choke Points” this Thursday, June 6th at 1:30 pm. I’ve embedded the link so you can go ahead and register.
2016 has been an epic year for cyber security and data breaches. From recent hacks at Yahoo and LinkedIn to problems at the FDIC and stolen intellectual property from GlaxoSmithKline, this year has been a boon for data breaches large and small.
The past year has shown us that malicious attacks and inadvertent mistakes continue at an alarming rate, and the consequences are legal, financial and brand-reputation woes.
So how will 2017 fare? Will we see more of the same or a change in the cyber security landscape?
Here are four security predictions for 2017.
1. Cyber Security Legislation will Change the Face of Business
In the US, cyber security legislation is already strengthening as states and the federal government try to force businesses to improve their security posture to prevent the next data breach. One example is the new regulation from the New York State Department of Financial Services (NYDFS), scheduled to go into effect on January 1, 2017, that requires organizations registered in the state as banks, insurers and other financial institutions to implement comprehensive cyber security programs and policies. The first bar is to encrypt non-public information. Executives will be held personally responsible for failure to meet these requirements, so this will definitely cause some changes.
Europe is implementing the General Data Protection Regulation (GDPR), which takes effect in May 2018, and I can see other countries, including the US federal government, moving toward more serious legislation. As more governments realize there is a national security risk from these cyber attacks, they will implement tougher rules to help prevent the leaking of sensitive data.
2. Hackers Will Attack the Supply Chain
If a hacker wants to get access to sensitive information from a large company, the easiest approach is to go after a weak link in the supply chain. This may be a service provider, an attorney or a small business partner. The large company may have adequate security controls for data that is inside the company, but what about when it leaves the company? Does the business partner have adequate security controls?
Unless organizations are protecting the data itself, there is no guarantee that it will remain secure and only accessible by an authorized user. Until organizations persistently protect information at the data level, we will continue to see hacks on the supply chain, including more ransomware attacks, since hackers will exploit the weakest link in the chain. That weak link may be a trusted insider who inadvertently clicks on a phishing email or accidentally sends sensitive information to the wrong email.
3. Organizations Will Impose Stricter Data Security on Contractors and Advisors
To meet stricter regulations and comply with data governance initiatives, organizations in 2017 will place stricter controls on how internal and outside partners access data and collaborate. Internal contractors and other advisors are typically treated as insiders who have access to sensitive data. These trusted insiders can pose serious security threats, since they do not work for the company and may not be subject to the same security standards as an employee. Based on the recent Ponemon Institute survey Risky Business: How Company Insiders Put High Value Information at Risk, 70% of organizations do not know the location of confidential information and 73% believe they lost confidential information in the past 12 months. There is a major risk that a contractor or advisor could steal intellectual property or other high value data and take it with them to their next client.
4. Enterprises Will Adopt a Data-Centric Security Approach Over Perimeter Security
Sensitive data moves in and out of organizations every day and the volumes will only increase in 2017. Globalization and an increasingly mobile workforce increase the risk of this data getting into the wrong hands. While many organizations focus on securing the network, servers and endpoint devices, the data itself is what matters most. This is especially true as more employees use a combination of work and personal devices and consumer versions of Enterprise File Sync and Share (EFSS) systems.
Organizations will shift their focus from protecting the perimeter to protecting the data itself by encrypting it and applying dynamic security policies that impose granular user access controls so that only authorized users can access it. These security policies will travel with the data regardless of location or device and ensure that the enterprise is always in control of it, including having a comprehensive audit trail of all access. These measures will allow executives, shareholders and other stakeholders to feel confident that business can continue without interruption and meet the governance needs of its constituents.
Gone are the days when everyone came into the office everyday for work. Changes in work habits have brought substantial growth in mobility adoption within the workforce and security challenges have followed.
Today’s employees increasingly work from outside the office and they use a number of mobile (often personal) devices to complete their daily business tasks. Gallup’s Work and Education Poll from August 2015 points out that telecommuting for work has climbed up to 37 percent in the United States.
A June 2014 survey by Gartner points out that approximately 40 percent of U.S. consumers who work for large organizations said they use their personally owned smartphone, tablet, desktop or laptop daily for some form of work. Mingling business and personal data can and does cause major security problems, since all of us may inadvertently share sensitive company information with the wrong person.
Employers need control of and visibility into data security now, more than ever before, beyond what traditional solutions offer. To protect sensitive data, employers are looking to persistent data-centric security to tether their sensitive data all the time and anywhere.
Sensitive data must be protected at the point of origin and through its life-cycle
Highly sensitive data critical to core business functions must be protected at the source and not at the perimeter. Companies must protect data while in use, whether someone is creating it or accessing it from file shares or repositories. Controlling the life span of sensitive information, including disabling access dynamically, is key to protecting it on mobile devices and in cloud repositories.
Encryption alone is not sufficient
Protection of confidential, private or highly sensitive information should combine encryption with persistent usage policies, to ensure that businesses control under what conditions a user can have access and what an authorized user can do with this information once access is granted.
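As an added example (not Fasoo’s file format or code; the field layout, the policy fields doc_id, readers and expires, and the revocation list are assumptions made for illustration), here is how a usage policy can be bound to the ciphertext so that it travels with the file and cannot be stripped or edited, and how the open path enforces expiry and revocation so that access can be disabled after the file has already left the building. The same pattern underlies the “policies travel with the data” point in the 2017 predictions above. The cipher is HMAC-SHA256 run in counter mode as a standard-library stand-in for AES-GCM; in practice use a vetted AEAD from a maintained library.

```python
"""Binding a usage policy to an encrypted file so the two travel together.

Added illustration, not Fasoo's format or code. A protected file is laid out as
nonce | policy length | policy JSON | ciphertext | tag, where the tag is an
HMAC-SHA256 over everything before it, so the policy cannot be stripped or
edited without the file refusing to open. The 'cipher' is HMAC-SHA256 in
counter mode, a stdlib-only stand-in for a real AEAD such as AES-GCM.
open_protected stands in for the policy server that holds the key: it checks
integrity first, then revocation, expiry and the reader list, and only then
releases the plaintext.
"""
import hashlib
import hmac
import json
import os
import struct
import time

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(key, nonce || i). Never reuse a nonce under a key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(master: bytes, plaintext: bytes, policy: dict) -> bytes:
    """Encrypt plaintext and attach policy under one authentication tag."""
    nonce = os.urandom(NONCE_LEN)
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    header = nonce + struct.pack(">I", len(policy_bytes)) + policy_bytes
    ciphertext = _xor(plaintext, _keystream(_subkey(master, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(master, b"mac"), header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_protected(master: bytes, blob: bytes, user: str, revoked: set, now=None):
    """Return (policy, plaintext) or raise. Integrity is verified before any
    policy field is trusted; revocation and expiry are checked before readers,
    so an owner can disable a document that is already in someone's hands."""
    if len(blob) < NONCE_LEN + 4 + TAG_LEN:
        raise ValueError("truncated file")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("file or policy has been tampered with")

    nonce = body[:NONCE_LEN]
    (plen,) = struct.unpack(">I", body[NONCE_LEN:NONCE_LEN + 4])
    policy = json.loads(body[NONCE_LEN + 4:NONCE_LEN + 4 + plen])
    ciphertext = body[NONCE_LEN + 4 + plen:]

    now = time.time() if now is None else now
    if policy["doc_id"] in revoked:            # hypothetical server-side revocation list
        raise PermissionError("document access has been revoked by its owner")
    if now > policy["expires"]:                # unix time; policy decides the file's life span
        raise PermissionError("document policy has expired")
    if user not in policy["readers"]:
        raise PermissionError(f"{user} is not an authorised reader")

    plaintext = _xor(ciphertext, _keystream(_subkey(master, b"enc"), nonce, len(ciphertext)))
    return policy, plaintext


if __name__ == "__main__":
    master = os.urandom(32)
    policy = {"doc_id": "roadmap-2020", "readers": ["alice"],
              "expires": 2_000_000_000, "actions": ["view"]}
    blob = protect(master, b"Q3 roadmap: constructed sample text", policy)
    print(open_protected(master, blob, "alice", set(), now=1_600_000_000))
```

Two design choices matter here. The tag covers the policy and the ciphertext together, so a recipient who edits the reader list or deletes the expiry gets an integrity failure rather than a decrypt. And the revocation and expiry checks happen at open time on every copy of the file, which is what lets an owner pull access back from a laptop or a cloud share without having to find every copy.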
Sensitive data will be localized at places you don’t know, control or trust
In the daily course of business, whether through user error, complacency or malicious activity, companies lose control of sensitive data. Because the places data goes may be untrusted, one cannot rely on the security of the network, device or application to protect that data. Data must be protected all the time regardless of location or devices.
You need visibility into who accesses the protected data, when, and how many times
Detailed visibility ensures auditability and insight into usage patterns and potential issues, which in turn significantly improves control.
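An added example (not Fasoo’s log format or code; the record layout and the sample lines are constructed for illustration) of what that visibility looks like once the access trail exists: it summarises who touched which document and how often, and flags two patterns worth a second look, a run of policy-denied actions in a short window and access outside working hours.

```python
"""Turning a document access trail into visibility: who, when, how often.

Added illustration, not Fasoo's log format. Parses constructed access records,
builds per-user/per-document counts, and flags two patterns a reviewer would
want surfaced: a burst of denied actions (repeated copy/print attempts that
policy blocked), and access outside working hours.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records: ISO timestamp followed by key=value fields.
SAMPLE_LOG = [
    "2019-08-05T09:02:11Z user=alice doc=roadmap-2020.docx action=view result=allow",
    "2019-08-05T09:05:40Z user=alice doc=roadmap-2020.docx action=edit result=allow",
    "2019-08-05T10:17:03Z user=carol doc=customer-list.xlsx action=view result=allow",
    "2019-08-05T22:41:09Z user=bob doc=customer-list.xlsx action=view result=allow",
    "2019-08-05T22:41:30Z user=bob doc=customer-list.xlsx action=copy result=deny",
    "2019-08-05T22:41:48Z user=bob doc=customer-list.xlsx action=copy result=deny",
    "2019-08-05T22:42:02Z user=bob doc=customer-list.xlsx action=print result=deny",
    "2019-08-05T22:43:15Z user=bob doc=customer-list.xlsx action=screenshot result=deny",
    "2019-08-06T08:30:00Z user=dave doc=roadmap-2020.docx action=view result=allow",
]


def parse_record(line: str) -> dict:
    """Split one access record into a dict with a timezone-aware 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def access_summary(records: list) -> dict:
    """(user, doc) -> Counter of 'action:result', i.e. who did what, how often."""
    summary = defaultdict(Counter)
    for r in records:
        summary[(r["user"], r["doc"])][f"{r['action']}:{r['result']}"] += 1
    return summary


def flag_anomalies(records: list, deny_threshold: int = 3,
                   window: timedelta = timedelta(minutes=10),
                   work_hours: tuple = (7, 19)) -> list:
    """Return sorted (user, doc, reason) tuples for patterns worth review.

    'repeated-denials': at least deny_threshold denied actions by one user
    within 'window'. 'off-hours': any access outside work_hours (UTC here;
    a real deployment would use the user's local timezone).
    """
    flags = set()
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        denies = [r for r in recs if r["result"] == "deny"]
        for i, first in enumerate(denies):          # sliding window over denials
            j = i
            while j < len(denies) and denies[j]["ts"] - first["ts"] <= window:
                j += 1
            if j - i >= deny_threshold:
                flags.add((user, first["doc"], "repeated-denials"))
                break
        for r in recs:
            if not work_hours[0] <= r["ts"].hour < work_hours[1]:
                flags.add((user, r["doc"], "off-hours"))
    return sorted(flags)


if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_LOG]
    for key, counts in access_summary(recs).items():
        print(key, dict(counts))
    for flag in flag_anomalies(recs):
        print("FLAG", flag)
```

The denial burst is the more telling signal: a user who is blocked from copying, then printing, then taking a screenshot of the same file in two minutes is probing the controls, and that is exactly the case where the granular permissions and the audit trail pay for themselves together.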
Since we live in a mobile and digital work environment, organizations must secure business documents that are portable, easy to copy and more prone to data breaches. Although many organizations have made large investments in perimeter-based security, they are still getting breached. Insider threats and employee data theft are a top concern for every business, as this type of breach, which is often the most damaging, can mean the end of a business.
You can continue putting all of your resources into perimeter based security or you can look to persistent data-centric security for your data protection – all the time and anywhere.