Blog

Tag: ponemon institute

Can You Stop Former Employees Taking Your Data?It’s a good question and one that many organizations don’t think about thoroughly.  You take a lot of time onboarding an employee by doing background checks, checking references, and determining what information systems and data access the person needs to do her or his job.  You may have a comprehensive provisioning system that grants access to all applications and data.

But how about when someone leaves?  It’s great that you de-provision access the INSTANT someone becomes a former employee, but how do you protect the confidential data she or he may have been taking out each night for the last few weeks?  Organizations spend a lot of money guarding against cyberattacks from hackers and other external people, but many don’t do enough to protect their data from threats of former employees.

While an employee or contractor, many people create and use a lot of documents that contain intellectual property, financial data, employee and customer information.  Given the nature of work today, these documents are stored on laptops, mobile devices, in cloud services, and all over your organization.  In fact 70 percent of organizations do not know the location of confidential information, according to a study by the Ponemon Institute entitled “Risky Business: How Company Insiders Put High Value Information at Risk”.

A recent survey by OneLogin found that 47 percent of organizations admit that one in every 10 data breaches were tied directly to former employees.  We don’t want to stop employees from working where they want and when they want, but it’s important to control access to the documents they use, regardless of location.

The best way to control access to documents is to encrypt them and apply permission controls that limit what an authorized user can do with the document.  This applies to documents created at the desktop, reports run from databases and documents downloaded from information systems and document repositories.  The controls are persistent and even apply to all derivatives of the documents, so no matter how many copies are out there, they are controlled and managed.

When an employee leaves the organization, you only need to remove their access in one place and all sensitive documents are inaccessible.  That person now becomes an unauthorized user.  It doesn’t matter if the document is in a cloud service, on their home PC, in email or on a thumb drive.  You don’t have to go looking for them, because once you de-provision the employee, their access is gone for all documents.  If they try to open them, they see a bunch of random characters.

While controlling system access is important, controlling access to the documents that contain your sensitive data is more important.  Applying controls on the documents themselves ensures you can turn off that access with a click of a mouse the moment an employee becomes a former employee.

 

 

Photo credit ThoroughlyReviewed

Click here to see the Countdown to Compliance, Fasoo Sponsored Ponemon Institute Survey of NYDFS 23 NYCRR 500Fasoo sponsored a Ponemon Institute survey to determine the readiness of financial firms doing business in New York State to comply with the new cybersecurity regulation NYDFS 23 NYCRR 500 that went into effect on March 1, 2017.  The regulation includes deadlines to implement procedures and solutions to achieve compliance with the new standards.  Since New York is one of the world’s financial capitals, the state wants to ensure that organizations that operate under the banking, insurance or financial services regulations provide a secure information sharing environment to protect companies and their customers.

“The survey is aptly titled “Countdown to Compliance,” said Dr. Larry Ponemon.  “Our goal is to provide insight into the challenges these organizations face in complying with the demanding new requirements which apply to all ‘nonpublic information’ – at rest, in-transit and shared with third parties.  The survey will provide insight into their efforts to comply over the next 180 to 365 days.”

Many organizations may not realize they are covered under these regulations, but if you just go to the NY Department of Financial Services website, you can search for your business.  If you are a financial institution,

insurance company, insurance licensee or service contract provider, you are most likely covered.  This also includes foreign banks that are New York State-chartered or licensed.

This is the second Ponemon Institute survey sponsored by Fasoo during the past year. The previous research, titled “Risky Business: How Company Insiders Put High Value Information at Risk” polled IT security practitioners on risks of data breaches by trusted insiders.  The information in that survey is still very relevant to financial services firms and any business today.

“Both of these Ponemon surveys build market awareness and inform CIO/CISO and Compliance Officer leadership as to the need and now the mandatory New York State requirements for data-centric security, audit, and compliance solutions,” said John Herring, CEO of Fasoo, Inc.  “We are joining with leading Legal, GRC and Insurance cybersecurity professionals to sponsor several events across New York State to highlight strategies and enterprise ready data-centric solutions to address regulatory compliance.”

If want to get an early release copy of the “Countdown to Compliance” survey and keep apprised of Fasoo sponsored NYDFS events, please register here.

 

Photo credit thenails

Fasoo and Ponemon Study Reveals Employees Highest Security Risk to OrganizationsFasoo just released the results of the security industry’s first look at how confident organizations are about protecting intellectual property and other high value information.  In the latest Ponemon Institute survey titled, “Risky Business: How Company Insiders Put High Value Information at Risk”, 72 percent of organizations are not confident they can manage and control employee access to confidential documents and files.  This study reveals that insiders are the highest security risk to an organization.

The Ponemon Institute surveyed 637 U.S. IT security practitioners familiar with their organization’s approach to protecting data, documents and files against cyberattacks. For the purpose of this research, high value information includes trade secrets, new product designs, merger and acquisition activity, intellectual property, financial data, and confidential business information.

Based on the findings of the research, employees and other insiders often lack the information, conscientiousness and guidance needed to make intelligent decisions about the information they access and share.  Companies are more confident they can stop external attackers from accessing confidential information than their own employees and contractors.  This study should make executives and security professionals think about how they control internal access to sensitive information.

Some of the key findings from the study include:

  • 56 percent of companies believe the primary cause of data breaches are careless employees
  • 70 percent can’t locate confidential information
  • 60 percent don’t have visibility into what confidential documents and files employees are sharing
  • 73 percent say their organization lost confidential information in the last 12 months
  • 59 percent are not confident in preventing data leakage by careless employees

Safeguarding high value information is a two-way street. Employees need to be responsible and follow data protection policies and safeguards. Companies need to have the tools, expertise and governance practices to protect sensitive and confidential information.

An interesting finding in the Ponemon survey is that sales departments, C-level executives, Finance and Human Resources pose the greatest risk to information assets.  This points to a greater risk of insider threats compromising sensitive data than external hackers and cyber criminals.

“There is a belief that data breaches are the work of malicious actors, internal and external, but it is more often the result of careless behavior by employees who don’t understand the impact of sharing files. The findings in this study should serve as a wake-up call for all organizations determined to protect high value information,” said Larry Ponemon, President, Ponemon Institute. “Better security hygiene, including education and consequences for risky behavior, should include every employee with access to information in addition to the organization locking down proprietary data, intellectual property and confidential information that shouldn’t be accessed by everyone.”

Click here to access the full report.

Pants DownTechnology has changed the way we live our lives. Whether we are at work, home or outside, we have become dependent on our computers, mobile phones and the internet. On a daily basis, we all interact with a significant number of applications.

Demand for technology has led to an explosion of software we use daily, whether these are applications used in the office or at home. Demand for new or updated functionality has shortened software release cycles and application developers need to rapidly introduce new features to outpace competition and meet customer demand. With this reality, application security risk management can no longer be treated as a nice-to-have element.  It must be a mission-critical requirement at every company that develops software.

Gone are the days with long release cycles and infrequent updates.  Application developers are faced with increased pressure to release software, updates and new features and this presents a significant issue with security. While software companies primarily focus on user experience and business value, often they miss the importance of ensuring the applications are truly secure without vulnerabilities.

Surveys like the recent Ponemon Institute 2016 Application Security Risk Management Study indicate that basic security steps are often neglected – 48% of respondents said their organizations don’t take basic security measures. How can applications be secure without appropriate security testing?

Application security testing ensures that potential application security vulnerabilities are remedied prior to the release and consumption by users. Static Application Security Testing (SAST) is one of the tools that must be part of every application development company’s security risk management process.

Often, companies think of SAST with high volume of vulnerability findings making remediation ineffective and time consuming. Learn about Fasoo’s SPARROW capabilities.

  • SPARROW enables developers and quality/security managers to remediate flaws reported through code suggestions.
  • SPARROW’s Intelligent Alarm Clustering groups related vulnerabilities in source code with a unique ID enabling faster remediation.

Organizations must utilize SAST in the scope of their application security preparedness to reduce risks that are introduced by application infrastructures. SAST must be part of security risk management practices in every company developing applications.

Categories
Book a meeting