Blog

Tag: persistent security

Can You Stop Former Employees Taking Your Data?It’s a good question and one that many organizations don’t think about thoroughly.  You take a lot of time onboarding an employee by doing background checks, checking references, and determining what information systems and data access the person needs to do her or his job.  You may have a comprehensive provisioning system that grants access to all applications and data.

But how about when someone leaves?  It’s great that you de-provision access the INSTANT someone becomes a former employee, but how do you protect the confidential data she or he may have been taking out each night for the last few weeks?  Organizations spend a lot of money guarding against cyberattacks from hackers and other external people, but many don’t do enough to protect their data from threats of former employees.

While an employee or contractor, many people create and use a lot of documents that contain intellectual property, financial data, employee and customer information.  Given the nature of work today, these documents are stored on laptops, mobile devices, in cloud services, and all over your organization.  In fact 70 percent of organizations do not know the location of confidential information, according to a study by the Ponemon Institute entitled “Risky Business: How Company Insiders Put High Value Information at Risk”.

A recent survey by OneLogin found that 47 percent of organizations admit that one in every 10 data breaches were tied directly to former employees.  We don’t want to stop employees from working where they want and when they want, but it’s important to control access to the documents they use, regardless of location.

The best way to control access to documents is to encrypt them and apply permission controls that limit what an authorized user can do with the document.  This applies to documents created at the desktop, reports run from databases and documents downloaded from information systems and document repositories.  The controls are persistent and even apply to all derivatives of the documents, so no matter how many copies are out there, they are controlled and managed.

When an employee leaves the organization, you only need to remove their access in one place and all sensitive documents are inaccessible.  That person now becomes an unauthorized user.  It doesn’t matter if the document is in a cloud service, on their home PC, in email or on a thumb drive.  You don’t have to go looking for them, because once you de-provision the employee, their access is gone for all documents.  If they try to open them, they see a bunch of random characters.

While controlling system access is important, controlling access to the documents that contain your sensitive data is more important.  Applying controls on the documents themselves ensures you can turn off that access with a click of a mouse the moment an employee becomes a former employee.

 

 

Photo credit ThoroughlyReviewed

Cyber Security Legislation Will Change the Face of BusinessAs 2017 gets underway, cyber security legislation will strengthen and force businesses to change the way they approach information security.  At the federal level in the United States, the US Congress and President have proposed numerous updates to existing regulations and new regulations to cover all facets of cybersecurity.  These include the Cyber Preparedness Act of 2016, Cybersecurity Systems and Risk Reporting Act and others.

At the state level, legislation was introduced or considered in at least 28 states in 2016. Fifteen of those states enacted legislation, many addressing issues related to security practices and protection of information, and cyber crimes in general, including dealing with rasomware.

One example is the new regulation by the New York State Division of Financial Services (NYS-DFS) that goes into effect on March 1, 2017 (changed from January 1) that requires organizations registered as banks, insurers, and other financial institutions in the state to implement comprehensive cyber security programs and policies.  The first bar is to encrypt nonpublic information at-rest and in-transit.  This includes confirming a third party service provider’s adherence to these enhanced data security requirements.  Covered entities have to certify they meet the first set of requirements by February 15, 2018 and annually after that.

Other key requirements of the NYS-DFS cybersecurity regulation and others is to maintain audit trails of sensitive data, including logs of access to critical systems.  While it is important to understand who can and has accessed an information system, it is more important to control and audit the access to the sensitive data inside.  Encrypting documents and controlling who can access them regardless of the user’s or file’s location is key to protecting sensitive data and meeting these regulations.  This ensures that only authorized people inside and outside of the organization can access the information.

One thing to remember is that most regulations prescribe the minimum an organization must do to comply.  As we have seen in recent years, complying with a regulation does not mean you are safe and your data is secure.  You need to think about protecting, controlling and monitoring all sensitive data inside your organization to ensure you meet regulations but also that you maintain your business.

It is clear that regulators and legislators are focused on raising the bar for cybersecurity programs and to ensure the public that nonpublic information remains private.  Organizations need to focus on developing a robust risk-based cybersecurity program rather than reactively responding to regulatory guidance.

The time is now to enhance your data security to meet new regulations and protect your business.

Data Loss Prevention, Classification and Persistent Data SecurityTechnology advancements and rapid digitization of corporate information has made it easier for modern companies to conduct everyday business transactions. Today, business data is easier to access and share, giving companies the opportunity to reach more customers and conduct business quicker. At the same time, the unprecedented volumes of data created, accessed, shared, stored and the variety of sources is forcing companies to re-evaluate their cyber-security approach.  The collaborative nature of how business is done has extended the corporate perimeter. As a result, companies are seeing an ever increasing need for higher visibility into data, how their users access and use it and the secure it using encryption.

Users at a typical company today have 10 times the applications they had 10 years ago and they use multiple devices to create and use data and documents.  Data is proliferating – users are localizing data that is kept in company repositories, copies of data is everywhere, users are converting files to other formats, sharing them via file shares and virtual printers, copying them to portable devices, and emailing them.

Many companies that have turned to Data Loss Prevention (DLP) and encryption technologies in recent years have come quickly to the realization that some things are missing once the implementations and deployments of these technologies are completed. They realize that the DLP solution is missing the mark. They realize they don’t have a handle on where their “unstructured” data is, and worst yet if this data contains sensitive information. They realize they need to understand their data, who creates it, who uses it, its correct format, who the owner of it is and who its steward is. They realize that sensitive data must be protected end-to-end through its entire life-cycle, not just at rest, and in motion but in use to ensure there are no security gaps.

Data classification is a technology many are turning to in hopes of optimizing their DLP investments. This is a very effective complementary technology if it is deployed correctly. However, it quickly becomes a real challenge when too many classifications are put in place. Furthermore, as users are given the ability to make a determination as to what classification to apply, the door is opened to the good old “user mistakes”. It is a wiser approach to have the data classification defined at the “administrator” level rather than getting into a mess by giving users this type of control.

Another technology that is popular these days is software that crawls around to help companies get insight on where their unstructured sensitive data is. When asked, most companies say they know where their sensitive data is, but lately this has been changing and many companies are admitting that unstructured data and copy data are a big security problem. The effort for sensitive data discovery goes hand in hand with most data projects in most companies that are realigning their security posture.

Lastly, most companies implementing data classification will have limited deployments and tangible benefits without bringing into the picture persistent data-centric security as well. Persistent data-centric security brings security to the data itself at creation time rather than the security of networks, servers, devices, or applications. With this type of a security approach, access policy for authorized users travels with the data itself regardless of where the data is and what network or device it is on.

With implementing technologies for data discovery, data classification and persistent security, companies are empowered to better protect their data without  costly and painful headaches.

Keep employee information safe through persistent securityHardly a week goes by without a new data breach making the headlines.  Companies in different industries are constantly re-evaluating their security postures to determine how best to deal with the protection of sensitive and confidential data.

A lot of effort is focused on financial and customer data, but most companies overlook all of the sensitive employee information they possess and the risks associated with storing and accessing it.  This is a major area that seems to be neglected when it comes to protecting company information.

According to a recent survey titled “The State of Encryption Today”, employees’ data are not protected at the same level as business related or customer information.

Below are some interesting statistics provided by this survey:

•  Failure to consistently encrypt Human Resources files – 43%

•  Failure to consistently encrypt financial or banking details of company employees – 31%

•  Failure to encrypt healthcare information – 47%

These are significant numbers. While companies seem to concentrate on securing customer data to avoid hitting the headlines, the findings seem to point to the fact that protection of sensitive employee data is overlooked.

While companies accept and use encryption widely to ensure security, there are still some critical gaps. Encryption is mostly implemented to secure sensitive information at rest, or in motion, but there is a significant threat gap when data in use is often overlooked.

Traditionally most of us associate Human Resources departments with benefits or 401K plans. In reality they possess and control so much more sensitive data – employee healthcare information, banking information, spouse and family information, salaries and resumes just to name a few.

The State of Encryption Today study goes on to point out that 75% of respondents said they need to improve how they encrypt sensitive information and 69% said they plan to increase use of encryption over the next two years.

Below are some sound and proven suggestions to consider when companies re-assess their security posture specifically around their Human Resources departments:

  • Encrypt sensitive data and apply security policies – ensure access only by authorized users, regardless of location or format
  • Encrypt sensitive employee benefit or healthcare information
  • Secure and control employee criminal background checks and drug texting information
  • Protect employee contracts and financial information
  • Secure files and access when an employee or a contractor leaves company

Companies have the same obligation to protect sensitive employee information as they do with their customer or business related data.  Protecting sensitive employee data should not be overlooked as it requires the same rigor. Strong encryption and persistent security controls are highly effective tools that should be considered as companies re-evaluate their security policies.

Fix a broken chain of custody of your confidential dataCompanies share a lot of confidential data with third parties.  Who is responsible for keeping that data secure?  Is it the originating company or the third party?  Or both?

This week American Express sent letters to card holders about a possible data breach.  According to reports “an unauthorized person or group accessed the system of a third-party service provider prompting American Express to warn customers that card member information may have been compromised.” The company said, “It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.”  So is American Express to blame for this incident or is the service provider to blame?

This breach is another example of a broken chain of custody with confidential data.  American Express may have strong protections for its confidential data, but when it relinquishes control to another party that has weak controls, hackers know how to exploit the situation.  This is the same issue I talked about last year on the weakest link in the supply chain.

Think about the vulnerability of your data within your supply chain.  You may have the best security that money can buy, but once it leaves the confines of your environment, the information is out of your control.  You have to rely on the security systems of your partners to protect your information.  Unless you’ve done a security audit on those partners and are satisfied they will maintain your confidential data safely, you are vulnerable.  Hackers prefer to target the weakest link in the chain and they know smaller providers of large companies are easier targets.

This is where persistent security comes into play.  If you have strong encryption and permission controls on your confidential data, you can limit access to it regardless of where it is.  One of our customers uses our applications to exchange PCI with a third party.  The file can only be accessed a limited number of times on specific computers.  After that, the file is useless.  If someone tried to steal the file, they can’t read the data inside.  The result is no data breach.

Ultimately American Express is responsible for its card holders data, regardless of where it is.  You can best protect your confidential data throughout your supply chain by encrypting it and controlling its access at all times.  That’s better than welding your broken chain.

 

Photo credit Brian Smithson

Encrypt PHI and apply persistent security policies to stop healthcare data breachesToday, nobody argues that the healthcare industry is a gold mine for the bad guys and theft of protected health information is becoming a regular event. The “Verizon 2015 Protected Health Information Data Breach Report,” indicated that 90 percent of industries in the medical and health care arena have experienced a PHI breach and with all the reports in the media, it is clear to everyone that the situation has reached a critical point.

In 2015, we witnessed numerous health insurers and hospital systems fall victim to data breaches. While Anthem and Premera were just some of the bigger names making regular headlines last year, attacks were seen to reach even physicians’ offices.  Just recently Centene Corporation and IU Health Arnett lost hard drives that compromised almost 1,000,000 people.

Every direction we look, there is significant use of electronic medical records, electronic prescribing, and digital imaging by health care providers. Whether it is the physician’s office, hospitals, insurers, medical associations, laboratories, disease registries, or government agencies, everyone is gathering digital pieces of information on the health status, care details, and health care costs of Americans. Along with personally identifiable information (PII) like names, mailing addresses, email aliases and dates of birth, healthcare entities also hold extremely personal and protected health data, such as lab results, reports, prescribed medications and medical conditions.  In the event of a breach, unlike a credit card number, none of this information can be easily changed and the lifecycle of such information is very long – in some cases forever.

The Affordable Care Act has created significant incentives for doctors’ offices to embrace EHR systems as a replacement for paper-based medical records systems. So, now data has been integrated in an effort to do away with siloed approaches within provider groups, health plans, or government offices.

While the industry and governance bodies talk compliance, and claim protected health information is safe and secure, this is far from the truth as evidenced by the constant data breaches that are disclosed. With all the time, effort and money spent on traditional security tools used to achieve compliance, thieves bent on theft are still able to gain access to PHI for monetary gain.

The healthcare industry should consider the following steps to remain secure and stop healthcare data breaches:

  • Realize and accept your risk – Take note that the protected health data you possess is a target of criminals. Simply complying with HIPAA does not equate to properly securing and locking away PHI data from unauthorized use.
  • Identify where your PHI data is and who has access to it – Most often healthcare entities have false ideas on where sensitive data is stored and who has access to PHI. It often escapes people’s minds that their users copy sensitive data accessed from secure locations by localizing them or moving copies around. The result is security and control being lost and copies floating around on thumb drives, disks, email, laptops, home computers, and paper printouts.
  • Properly secure your data – Most, if not all, entities dealing with healthcare data secure PHI at rest and in motion while they completely miss a significant threat gap – “data in use”.
    • Label or classify data
    • Encrypt your data
    • Persistently protect data using policy-driven methods
    • Track and monitor usage
    • Dynamically adjust usage policies and access
  • Plan for breach response
    • Have means to render breached data useless
    • Have an Incident Response Plan

You can stop healthcare data breaches by putting in place data-centric, persistent security to avoid finding yourself scrambling around after the damage has been done to you and your patients.

Protect Against R&D Data TheftRecently I was in a meeting with a global pharmaceutical client in New Jersey who told me of the importance they place on their highly secure, centrally managed and monitored persistent security platform to protect against data theft and ensure that their valuable R&D information cannot be lost or inadvertently sent to a competitor.

As the meeting ended, I was informed of the news about the charges brought against five people in the Untied States around trade secret theft inside another global pharmaceutical company. Allegedly a senior level manager at the company was involved in this theft.

Given the global state of business competition, there is a special appeal to the cyber thugs with high-priced or high-demand items. There is an alarming interest in stealing intellectual property, trade secrets and exactly how these items are produced.

A recent Verizon Data Breach Report 2015 identified Manufacturing as the most commonly attacked industry sector for cyber espionage.

Another recent worldwide study by consulting firm PwC and CIO and CSO magazines, “The Global State of Information Security Survey 2016”, provides some alarming indicators of the security threat landscape:

  • Theft of “hard” intellectual property increased 56% in 2015
  • Employees remain the most cited source of compromise
  • Incidents attributed to partners climbed 22%

It is time that organizations with high value data shift their security focus from the perimeter to insider threats to lock down R&D data, intellectual property and trade secrets. Today technology advancements afford a variety of methods for an employee, contractor or a partner to take critical data electronically from an organization. There are many ways for a trusted insider to steal or inadvertently share sensitive data – printing paper documents, copying files to hard drives, downloading information onto a CD or a USB memory stick, and screen captures are a few such methods as examples.

When we add mobility adoption in the workforce and how this adds to the complexity of securing high value data, this task seems almost insurmountable. Targeting and protecting critical value data ensures that a company maintains its intellectual property, R&D work and its competitive edge in the market.

Protecting this data need not be such a daunting task. A data-centric persistent security approach can effectively help you protect and lock down your data.

5 Steps to protect your HR dataI recently wrote an article about the security of sensitive information in the HR department.  While everyone interacts with the people in human resources, most of us don’t think about all the sensitive information they have.

Most of us think about benefits and our 401K when we think about dealings with HR, but there is a lot more sensitive data that is under their control.  They also deal with your healthcare information, information about your spouse and family, customer financial information, employee resumes and salaries.  They also know when you have given notice to leave the company or when you change jobs in your current company.  Add to this the responsibility of developing and circulating company policies and a wide variety of interoffice communications.

Sharing company, employee and customer information with authorized internal and external users poses a unique security challenge for any organization, since HR needs to limit access to sensitive information.  While HR may be the first line of entrée into a company, they are also the first line of defense to protect some of the most confidential information in your company.

You need to encrypt sensitive data and apply security policies to it that ensure only authorized users have access to the information, regardless of where they are or the format of the information.  Here are 5 steps to help protect your HR data.

1. Encrypt received resumes

Since resumes from qualified candidates are intellectual property and highly valuable to a company, you should encrypt them and apply a security policy automatically as soon as you receive them.  This also includes information on criminal background checks and drug testing.  This limits access to specific internal users.

2. Lock down files when an employee gives notice

When someone changes jobs within a company or gives notice to leave, you should change the security policy on sensitive company information.  You can remove them from a group that has access to information from their old job, so they only have access to information that pertains to them.

3. Maintain Client Confidentiality

You should apply security policies to customer contracts and financial information so that only those customers, appropriate outside agencies and internal employees have access.

4. Protect Intellectual Property

HR knows the people and contractors assigned to different departments and projects, so it’s important to work with them to restrict intellectual property (IP) to those that need access to it.  When a contractor leaves, access should be revoked, rendering IP useless to them.

5. Circulate Policy Manuals In-House Only

Company policy can encompass everything from sexual harassment policy to paid time off.  This information is as important as anything in your business, but should be available to every employee and contractor.  Security policies need to be flexible to allow access by all authorized parties.

 

Your HR department is the front door to your organization, so you need to implement and enforce security policies to protect the most important information in your business.  This is the best way to restrict access to employee PII and ensure that your organization’s important data is secure.

Categories
fasoo_logo
Contact Us
Your data security journey starts from here!
See how Fasoo can help your data privacy and security.