Blog

Tag: Ponemon
Fasoo shows unstructured data security at Gartner SRM 2018

This year at the Gartner Security & Risk Management Summit in National Harbor, MD there was a lot of focus on reducing business risk through improved cybersecurity that focuses on protecting data as users create and share it.  One area of concern to many organizations is how to find and protect sensitive data without impacting how employees and customers work.  Data protection regulations, like GDPR, are making things more complicated, but companies need to balance security with productivity.

At the Fasoo booth, a lot of people talked about issues with combining different technologies that still focus more on protecting the location of data rather than the data itself.  One executive from a manufacturing company talked about how her DLP system can tell them that sensitive documents were shared with external parties, but can’t really control their access or stop them from going out.  This is a common concern as companies use DLP, CASB and other technologies that can’t control access everywhere.

On Tuesday, June 5, 2018, John Herring, President & CEO of Fasoo, Inc. and Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented “Unstructured Data Solutions Journey”.  John talked about the challenges of balancing data security and productivity and how many of the traditional approaches of securing the data perimeter haven’t met the hype.  By securing the data itself, you don’t need to worry about where it goes, since it’s always protected and tracked.  He presented how some of Fasoo’s customers have overcome the challenges with a holistic approach to discover, classify, protect and track sensitive manufacturing data and information subject to regulatory control using Fasoo Data Radar and Wrapsody.

Fasoo presentation on protecting unstructured data at GSRM 2018

Ron showed how, in three quick steps with Wrapsody, an organization can securely collaborate when creating a product quote while limiting access to specific people and making it easy to ensure they each have the latest version.  With a few clicks of a mouse a sales manager encrypted a spreadsheet, applied access control to it, provided an audit trail and automatically synchronized the latest version to a central location.  When the operations manager updates the quote and shares it with a customer, all parties can easily get the latest information, and the entire process stays secure regardless of who has the document and where they open it.

During the course of the summit, a lot of attendees and analysts came to the Fasoo booth to understand the best ways to comply with new regulations and how to protect sensitive data from both internal and external threats.  Visitors were very impressed by how the Fasoo Data Security Framework can help them achieve those goals by discovering, encrypting and controlling their sensitive data.

Attendees at the session and at the booth were excited to see that Fasoo technology is very robust, balances security with usability and integrates with an organization’s existing infrastructure.  A common strategy is to make the technology almost invisible to users unless they try to violate a security policy.  I remember one person saying, “I was a little skeptical during your presentation, but convinced once I saw it in action.”

Fasoo helps customers comply with GDPR and NYDFS 23 NYCRR 500

This year at the Gartner Security & Risk Management Summit in National Harbor, MD there was a lot of focus on managing and mitigating risk to a business and how to improve cybersecurity through data-centric protection.  One area of concern to many organizations is how to comply with some of the newer cybersecurity and data protection regulations, like GDPR, as governments are trying to improve customer and business data security.

With all the recent malware, ransomware and data breaches, there was obviously a focus on how to prevent harm to one’s business.  As businesses move more into the realm of digital business, the concept of trust is becoming a larger issue.  If your customers do not trust you with their data, they will be less likely to do business with you.

On Tuesday June 12, 2017, John Herring, President & CEO of Fasoo, Inc., Dr. Larry Ponemon of the Ponemon Institute, and Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented “Do You Have a Pathway to Data Security Compliance?”

John talked about the challenges of complying with the new NYDFS 23 NYCRR 500 cybersecurity regulation that affects any business regulated under banking, insurance and financial services laws in New York.  This applies to organizations doing business in NY and also affects third party service providers of those organizations.

John Herring, Larry Ponemon and Ron Arden present at Gartner summit

Dr. Ponemon presented recent research from his study “Countdown to Compliance: Are financial services firms prepared for NYDFS 23 NYCRR 500?”.  Some of the key findings from the survey include:

  • 60 percent of respondents believe this regulation will be more difficult to implement than GLBA, HIPAA, PCI DSS and SOX
  • Over 50 percent do not have a formal cybersecurity program
  • 68 percent believe that the inability to know where high value data assets are located will pose a significant challenge

Ron discussed a six-step plan to encrypt and control unstructured data, or data in files, that is a key component of meeting the NYDFS, GDPR and other data protection and privacy regulations.  The session had about 150 people in it, and many of them asked specific questions about who is affected, how to work with your service providers to ensure they are protecting your sensitive data, and how to really provide complete control of your information regardless of its location.

During the course of the summit, a lot of attendees and analysts came to the Fasoo booth to understand the best ways to comply with these new regulations and how to protect sensitive data from both internal and external threats.  Visitors were very impressed by how the Fasoo Data Security Framework can help them achieve those goals by discovering, encrypting and controlling their sensitive data.

One interesting presentation by John Girard and Brian Reed from Gartner focused on information-centric security practices and the best ways to protect your business information.  While Gartner and most of the security industry recommend a layered approach to security, when it comes to protecting information in files, John and Brian said that EDRM is the only solution that can really protect it.  This is an important recognition that in the game of information protection and thwarting malicious or inadvertent attempts to steal sensitive data, perimeter solutions cannot meet the requirements as well as EDRM.

Attendees at the session and at the booth were excited to see that Fasoo technology is very robust, balances security with usability and integrates with an organization’s existing infrastructure.  I remember one person saying, “I was a little skeptical during your presentation, but convinced once I saw it in action.”

Ron Arden Talks About NYDFS and Cybersecurity at FinCyberSec 2017

Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented Countdown to Compliance with NYDFS 23 NYCRR 500 during FinCyberSec 2017 at the Stevens Institute of Technology in Hoboken, NJ on May 31, 2017.  Ron was part of a day-long event that focused on technical, regulatory, process and human dimensions of cyber threats faced by financial systems and markets.

Dr. Paul Rohmeyer, who organized the conference, started the day with opening remarks that set the stage for how the world of business and cybersecurity has changed in the last year.  With constant attacks, like the WannaCry ransomware attack and the ever changing business and technology landscape, financial services companies have a lot to address as they look to safely promote new business models.

Dinesh Kumar, CTO from Mitovia, started the presentations by discussing security effectiveness.  Collectively, companies spend upwards of $100 billion annually on cybersecurity, yet data breaches are a daily occurrence.  Dinesh focused on using a business model to determine outcomes of cybersecurity rather than focusing on tasks or events.  If you ask a typical cybersecurity professional what she or he does, they might tell you they monitor something or try to prevent something.  If you ask a salesperson, they will say “I increased revenue by xx dollars” or “I brought in five new customers.”  They don’t tell you they made 20 phone calls or had eight lunches to get those outcomes.  Understanding that cybersecurity is a means to a business outcome helps focus resources and activities.

Fasoo sponsors FinCyberSec 2017

Ron Arden was up next and focused on the new NYDFS 23 NYCRR 500 cybersecurity regulations for financial services companies doing business in NY.  Ron cited numerous statistics from the recent Ponemon survey on “Countdown to Compliance” that showed many organizations are not ready for the regulations and will need help to meet the compliance deadlines.  A big focus of the presentation was understanding that the purpose of the regulation is to protect financial businesses and their customers.  Ron advised the audience not to get caught up in the minutiae of the technical and governance details without focusing on the real point, which is to protect nonpublic information from unauthorized access.  There were numerous audience questions about third-party service provider security readiness and how financial organizations can ensure they are covered.  It will take a combination of legal, process and technology solutions to address this.  Ron spoke about Fasoo’s six-step plan to address the data-centric security and encryption requirements in the regulation, which cover the main information protection points of the regulation for both the covered entity and its service providers.

Michael Frank, President of Secure Business Strategies, finished out the morning presentations by comparing our brave new world and its cybersecurity practitioners to an Eagle Scout and how we need to think differently.  He cited the scout motto and oath and how with a few changes to wording they are very relevant to our cybersecurity fight.  Key to Michael’s presentation was that cybersecurity equals business today.  New business models from Quicken Loans, Amazon and many others are turning financial services on its head.  Key to their success is the notion of trust, which is reliant on providing a secure, end-to-end business process.  We as consumers of goods and services need to trust these providers to keep our information secure as we do business.  Without it, these businesses will fail.

The afternoon continued with numerous technical presentations and ended with a great panel discussion with a CISO and two technical practitioners.  Discussions went back to some of the morning’s topics on security effectiveness and business outcomes.  The often-cited Target data breach came up as an example that compliant does not mean secure.  Focusing on business effectiveness allows an organization to understand and prioritize its investments in security policy, process and technology.  While a cybersecurity strategy should support the business strategy, it’s amazing how many companies do not do this.

This conference was a very successful event and I expect it will continue as more emphasis is placed on practical approaches to increasing security in the financial industry.

Stop, Collaborate and Listen: Where Employee Vulnerabilities Put Data at Risk

Ron Arden, Executive Vice President and COO of Fasoo, Inc., recently drafted a byline for InfoSec Island that highlights the risks employees pose in their most natural environment – the office – through collaboration with their co-workers.  Email, instant messages, file transfers, and digital downloads can all expose vulnerabilities to an organization’s high-value data, yet in an office environment these tasks are constantly happening.  These behaviors can put sensitive data at risk.

Some organizations may become distracted, always trying to defend themselves against the “bad guys,” and forget to keep an eye on their own flock. Executive leadership should ask themselves: do our employees access files containing high-value information? If so, how often and what are they doing with these files? Should they even be allowed to access the files in the first place?

Our recent Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” found that careless employees are the primary cause of data breaches (56%). That being said, there are steps every organization can take to minimize risk.

Employees who are educated about access levels, the importance of the data they use, and protocols on how to handle the data are less likely to inadvertently send a file that is unsecured or send it to a contact who should not have access. Consistent reminders of these protocols are also key to maintaining a high level of security. Where education may fall short, data security frameworks close the gap. These frameworks can show organizations where their data is held, control access permissions and monitor the authorized users.

The Fasoo Data Security Framework helps address the need to find sensitive, high-value data and manage it so that only authorized people can access it.  Controlling this information at all times is a critical business requirement, since companies of all sizes and in all industries create and are caretakers of intellectual property and sensitive customer information.  You should think of treating this high-value data the way a bank treats currency.  You need to know where it is at all times and who has access to it.

A combination of employee education, with the confidence of the data security framework safety net, will ensure that trade secrets, customer data, product designs and any confidential information remains that way.

US House Recommends 'Zero-Trust' Model for Insider Data Access

Data from our Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” was recently cited in Tara Seals’ Infosecurity Magazine article, “US House Recommends ‘Zero-Trust’ Model for Insider Data Access.” The article referenced the statistic that 72 percent of surveyed organizations are not confident in their ability to manage or control employee access to confidential documents and files. This is why the actions of careless employees, rather than malicious attackers, are the primary cause of data breaches.

The US House has recommended that federal agencies invoke a “zero-trust” system to keep personal, confidential data out of the hands of foreign attackers. The House views government employees as just as big a risk to their organizations as malicious attackers — a consideration that all organizations would benefit from adopting. While “zero-trust” sounds a bit harsh, there are multiple ways that these federal agencies can implement security measures to reduce the employee risk they fear so much.

Bill Blake, president of Fasoo, Inc., was quoted in the article saying “What should be concerning to C-level executives and corporate boards is that most organizations have no idea where mission-critical information is located on the corporate network, who has access and what they are doing with that information.  Deploying DRM solutions is a first step. Beyond that, organizations must be vigilant in applying and enforcing security policies as well as knowing where the organization’s most valuable information is located at all times.”

The first step to reducing the risk is to take control over all employee access and permissions. The second step is to consistently monitor and follow up on these protocols. How many employees really need access to sensitive data? For the employees who do access it, what are they doing with it? Who are they sharing it with? An organization that places security as a top priority should be able to easily answer these questions.

Deploying technology to help discover, protect and control confidential data at all times would be the next logical step once the organization can answer these questions.  Limiting access to select groups is important, but having a way to dynamically change that access, and even revoke it on information already shared, provides a more robust approach to protection.  Auditing and monitoring are key to understanding changing business requirements, since roles and responsibilities are always changing.  Coupling policy changes with technology that can enforce those policies provides the best way to invoke a “zero-trust” system.

Think of sensitive data as a toddler at the park…you must always keep an eye on it, even if from afar.

EU-US Privacy Shield and the Future of Data Protection

The European Commission adopted the EU-US Privacy Shield on July 12, 2016 as a replacement for the Safe Harbor rules that were overturned by the European Court of Justice in October 2015.  This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States, as well as bringing legal clarity for businesses relying on transatlantic data transfers.

The new EU-US Privacy Shield is an example of stronger privacy and security frameworks that affect US and European businesses as they collect, manage and share personal data.  Ensuring the security of personal information, no matter its location, is no longer a technology issue.  This is a business and trade issue.  If I am a US company and want to do business online or in person with businesses and citizens of the EU, I must guarantee that sensitive personal data is always under my control and that only authorized people can access it.

It’s important to protect and control all traces of this information whether it’s inside or outside your organization.  This includes being on mobile devices or in the cloud.  The best way to achieve this is by protecting the information with strong encryption and applying persistent security policies that travel with the data.  This ensures that only authorized people can access the information and use it.

One additional wrinkle in this situation is the recent Brexit vote in the UK.  If the UK moves forward with untangling itself from the EU, how will this new framework affect companies in London and the rest of England?  Will the UK abide by these rules?  Will the US, UK and EU need another framework to address privacy and security issues?

Some UK citizens and businesses are already talking about moving to other countries as a result of the Brexit vote.  This could exacerbate the movement of sensitive data as employees leave organizations and go to competitors, or as businesses move their own stores of sensitive data.  In both cases there is the possibility of data breaches and legal problems.

In the recent Ponemon study “Risky Business: How Company Insiders Put High Value Information at Risk” 56 percent of respondents say they do not educate their employees on the protection of files containing confidential information and 72 percent are not confident they can manage and control employee access to confidential files.  How will businesses protect sensitive personal data that moves between countries and businesses, if they can’t even control employee access?

If organizations train employees on how to handle sensitive data and implement persistent file-based encryption techniques to protect this data, they can ensure that hackers and malicious insiders will not be able to bypass traditional security measures and access confidential information.  I assume that when I share personal or sensitive information with a company, they will protect it so that only authorized people can access it.  If a company can guarantee that my information is safe, I will do business with them.  If not, I will go elsewhere.  This is the new business reality today.

Common Headline in 2015: Healthcare Data Breach

How many more data breaches can patients take? This could ultimately be the question based on last year and this year’s surge of healthcare data breaches. Once again, the personal health information of 3,000 people was leaked after a data breach at a Georgia program that offers services for seniors. The breach included the health diagnoses of people in the Community Care Services Program.

What was the cause? An email was mistakenly sent to a “contracted provider”.

We are all too familiar with this kind of data breach. An insider who is not malicious, but nevertheless accidentally sends sensitive data to the wrong person, is one of the main causes of these breaches. Back in March 2015, when we wrote an article just after the Anthem and Premera data breaches had occurred, we were worried then as well. Four months have passed and the numbers are not slowing down.

In a recent study by the Ponemon Institute, a shockingly high 91 percent of respondents reported falling victim to at least one data breach in the last two years. The majority of respondents had suffered 11 or more incidents. However, the main takeaway from that report, and what healthcare organizations should have realized, is not that this industry has failed in the realm of data security. It is that these organizations should now, even right this minute, take the necessary steps to secure and encrypt their data. More and more laws are being put into place, and failing to abide by these laws to secure customers’ data will result not only in the loss of customers, but in hefty fines.

Unfortunately, even at a time when legislation is pushing for laws that require all data to be encrypted, UCLA Health System recently announced a data breach that has affected over 4.5 million people. The stolen data was totally unencrypted, making the threat to the people whose data was in the UCLA Health System computers more serious. But then again, as we just mentioned, it is not too late to make the decision to secure the data.

How do we secure that data? Using a multilayered approach to information security that focuses on the data rather than the perimeter is a more effective way to deal with and mitigate these threats. A data-centric security model with people-centric policy allows you to implement effective file-level security policies and granular permission controls for all kinds of data, no matter where they are.

Here are some advantages listed in a previous blog post that still apply to a data-centric security approach to protecting your sensitive information:

  • Encrypt PHI (Protected Health Information) to meet HIPAA and new data protection legislation
  • Secure files downloaded from health information systems
  • Control who can View, Edit, Print and take a Screen Capture of protected documents
  • Dynamically control who can access the file
  • Trace and control user/file activities in real-time
  • Scan files to identify PHI and apply security policies automatically

Protecting your patients’ information ensures you meet healthcare regulations and ensures patient confidentiality.  Reduce the risk of HIPAA violations and PHI exposure in a time when healthcare data breaches alone are reaching record numbers in 2015.
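The persistent, revocable file protection argued for in the zero-trust and Privacy Shield posts above, and the data-centric controls listed just above (encrypt, control who can view/edit/print, dynamically change access, trace activity), reduce to one pattern: the key and the policy stay with a server, so every open is a policy decision. This added example is not Fasoo’s code; the PolicyServer, its methods, the sample quote and the users are hypothetical, and the cipher is a stdlib stand-in for a real AEAD.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream: a stdlib-only stand-in for an AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class ProtectedFile:
    # What actually travels with the document: ciphertext and a tag, never the key or policy.
    file_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


@dataclass
class PolicyServer:
    """Hypothetical EDRM policy server: holds per-file keys, grants and the audit trail."""
    deks: Dict[str, bytes] = field(default_factory=dict)
    grants: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def protect(self, file_id: str, plaintext: bytes, owner: str) -> ProtectedFile:
        dek = secrets.token_bytes(32)   # per-file data encryption key, kept server-side
        nonce = secrets.token_bytes(12)
        ct = _xor(plaintext, _keystream(dek, nonce, len(plaintext)))
        tag = hmac.new(dek, file_id.encode() + nonce + ct, hashlib.sha256).digest()
        self.deks[file_id] = dek
        self.grants[file_id] = {owner: {"view", "edit", "print"}}
        self.audit.append((file_id, owner, "protect", True))
        return ProtectedFile(file_id, nonce, ct, tag)

    def grant(self, file_id: str, user: str, perms: Set[str]) -> None:
        self.grants[file_id][user] = set(perms)

    def revoke(self, file_id: str, user: str) -> None:
        # Takes effect for copies already shared: the next open re-checks policy.
        self.grants[file_id].pop(user, None)

    def open_file(self, pf: ProtectedFile, user: str, action: str) -> Optional[bytes]:
        # Every open is a policy decision and an audit record; holding the bytes decides nothing.
        allowed = action in self.grants.get(pf.file_id, {}).get(user, set())
        self.audit.append((pf.file_id, user, action, allowed))
        if not allowed:
            return None
        dek = self.deks[pf.file_id]
        expected = hmac.new(dek, pf.file_id.encode() + pf.nonce + pf.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pf.tag):
            return None   # tampered or mismatched file: refuse to decrypt
        return _xor(pf.ciphertext, _keystream(dek, pf.nonce, len(pf.ciphertext)))


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes], int]:
    # Constructed scenario: a quote is shared view-only, then the viewer's access is revoked.
    server = PolicyServer()
    quote = server.protect("quote-2018-001", b"Unit price: $42.00", owner="alice")
    server.grant("quote-2018-001", "bob", {"view"})
    first_view = server.open_file(quote, "bob", "view")    # allowed
    print_try = server.open_file(quote, "bob", "print")    # denied: no print right
    server.revoke("quote-2018-001", "bob")
    after_revoke = server.open_file(quote, "bob", "view")  # denied, though bob still has the file
    denied = sum(1 for _, _, _, ok in server.audit if not ok)
    return first_view, print_try, after_revoke, denied
```

The audit list is the trace the posts above call for: every denied or permitted action is recorded with the user, the file and the outcome.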

Photo credit by: Purple Slog
