
Choose Security Over Convenience

One of the problems of implementing security is that people perceive it as an inconvenience.  People always take the path of convenience because it’s easy.  Many years ago no one locked their doors because we weren’t worried that someone would come into our house and steal anything.  Over time that thinking changed and we all lock our homes and businesses before going out.

Many organizations think about data security and cybersecurity the same way.  While no one questions locking the doors to the office or manufacturing plant, some don’t think about locking all the doors to their sensitive information.  A common approach is to merely check the boxes to be compliant with a regulation or standard, without thinking about the unique situation of your company.

A great example is the Target data breach a number of years ago.  The company was fully PCI compliant, which meant they checked all the boxes to protect their data, according to the standard.  Unfortunately, they were attacked when someone hacked into their point-of-sale systems and copied millions of customer data records to locations outside the company.  In this case they were compliant, but not secure.

Another area of concern is file sharing services that offer limited security to control file access.  These may be consumer grade and perfectly fine to share pictures and school reports, but do not have the type of controls needed to protect sensitive business or customer information.

Minimizing cybersecurity threats and the damage they can cause requires organizations to develop and implement a cybersecurity plan.  This includes discovering what sensitive data you have, determining where it is and deciding how to protect it.  You need to limit data and system access to authorized users and ensure that you can account for any access to sensitive data with a complete audit trail.

Some of the new regulations and data breach protection laws may give guidance on how to protect your sensitive data.  The recent financial industry cybersecurity regulation in New York (NYS DFS 23 NYCRR 500) stipulates that financial organizations doing business in New York must encrypt all nonpublic data at rest and in transit.  They must also restrict access to authorized users only and provide an audit trail to prove who had access to that data.  This also applies to third-party service providers that may have access to this information.

Daily data breaches and their consequences are now a priority at the board and executive level.  The NYS DFS regulations hold senior executives responsible for ensuring they comply.  The new US presidential administration has talked about making cabinet secretaries and agency heads responsible for their agencies’ cybersecurity.

It’s time to get serious about protecting your information.  Implement solutions that cause minimal disruption to your business but give you the protection you need.  Train your staff so they understand the value of security in their everyday lives.  Always choose security over convenience when sensitive data and privacy might be at risk.

 

Photo credit Yudis Asnar

Combat insider threats

Insider threats exist everywhere and are tricky to detect and deter.  Privileged users can pose a greater threat to your business than hackers, since they already have access to your critical business data.  If a user has legitimate access to sensitive data, that person may accidentally or deliberately share it with unauthorized people inside and outside of your business. Differentiating legitimate data sharing from malicious activity is difficult.

Users need to share sensitive documents with colleagues, business partners and customers regularly. Technology makes it easy to share massive amounts of confidential data with a click or tap through email, file sync and share services or portable media. If a user regularly accesses sensitive information for her job, how do you stop that person from leaking that data to unauthorized people?

Privileged users access sensitive data in databases, on file shares and in ECMs or other content repositories to do their jobs.  If a salesperson downloads sensitive data from a CRM system and has it locally in a spreadsheet, how do you stop him or her from sending it to a competitor?  What if you need to share that data with a business partner, but need to control further distribution?

These are challenges, since people need sensitive information to do their jobs, but you need to control who can access the information and what they can do with it.

You need a way to discover, classify and protect sensitive data as you create it. The Fasoo Data Security Framework classifies information based on what you deem sensitive and protects the data by encrypting files as you create them on the desktop, localize them from databases or download them from information systems.  This is the easiest way to ensure you are in control of sensitive data.

Dynamic security policies apply permission controls that grant or deny users the right to View, Edit, Copy, Paste, Print or Decrypt files.  Since roles and responsibilities are always changing, you can change security policy to meet your new business requirements after you distribute files.  You can even automatically adjust security policy based on changed content within a file.  For example, if you have a file that is for all internal employees, but you add social security numbers to it, you need to increase the security to limit access because of the sensitive nature of what’s inside.
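The escalation described above, sketched as an added example (not Fasoo's code or API): the policy tiers, group names and function names are hypothetical, the permission names come from the text, and the sample SSN is constructed.

```python
import re

# SSN-shaped values, excluding ranges that are never issued (area 000, 666,
# 9xx; group 00; serial 0000) to cut false positives on order numbers etc.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Hypothetical policy tiers built from the permission names in the text.
POLICIES = {
    "internal": {"audience": "all-employees",
                 "rights": {"View", "Edit", "Copy", "Paste", "Print"}},
    "restricted": {"audience": "hr-payroll", "rights": {"View"}},
}
RANK = {"internal": 0, "restricted": 1}


def classify(text):
    """Return the minimum tier the content requires."""
    return "restricted" if SSN_RE.search(text) else "internal"


def policy_on_save(current_level, new_text):
    """Re-evaluate on every save: escalate automatically, never downgrade.

    Removing the SSNs does not loosen the policy by itself, because earlier
    copies may still hold them; loosening should be a deliberate human action.
    """
    level = max(current_level, classify(new_text), key=RANK.get)
    return level, POLICIES[level]


def is_allowed(level, user_groups, right):
    """Check one requested right against the file's current tier."""
    policy = POLICIES[level]
    return policy["audience"] in user_groups and right in policy["rights"]


if __name__ == "__main__":
    level, _ = policy_on_save("internal", "Roster: Jane Doe 123-45-6789")
    print(level, is_allowed(level, {"all-employees"}, "Print"))
```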

Understanding usage patterns of your sensitive information helps you determine behavioral anomalies that could indicate an insider threat.  If normal behavior for a person is to print a few files a day, but all of a sudden they are printing hundreds, they may be stealing sensitive information.  Alerting someone to this event can prevent a possible data breach.
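One way to turn the printing example above into a check over an audit trail, as an added example that is not part of the original post or any Fasoo product: the event format, thresholds and user names are assumptions, and the events are constructed.

```python
from collections import Counter, defaultdict
from statistics import median


def build_sample_events():
    """Constructed audit trail of (ISO date, user, action) tuples."""
    events = []
    normal = {"alice": [3, 2, 4, 3, 2, 3, 4], "bob": [1, 1, 1, 1, 1, 1, 1]}
    for user, counts in normal.items():
        for day, n in enumerate(counts, start=1):
            events += [(f"2017-03-{day:02d}", user, "PRINT")] * n
    events += [("2017-03-08", "alice", "PRINT")] * 240  # sudden burst
    events += [("2017-03-08", "bob", "PRINT")] * 2      # ordinary variation
    events += [("2017-03-08", "carol", "PRINT")] * 5    # new user, no history
    events += [("2017-03-08", "alice", "VIEW")] * 10    # not a print event
    return events


def daily_print_counts(events):
    """Return {user: {date: number of PRINT events}}."""
    counts = defaultdict(Counter)
    for date, user, action in events:
        if action == "PRINT":
            counts[user][date] += 1
    return counts


def print_anomalies(events, day, min_history=5, threshold=6.0, min_spread=1.0):
    """Flag users whose print count on `day` is far above their own baseline.

    Baseline is the median of earlier days; spread is the median absolute
    deviation, floored so a perfectly steady user does not alert on +1.
    Simplification: days with no prints are absent rather than counted as 0.
    """
    alerts = {}
    for user, per_day in daily_print_counts(events).items():
        history = [n for d, n in per_day.items() if d < day]
        if len(history) < min_history:
            continue  # too little history to call anything abnormal
        base = median(history)
        spread = max(median(abs(n - base) for n in history), min_spread)
        score = (per_day.get(day, 0) - base) / spread
        if score > threshold:
            alerts[user] = {"today": per_day.get(day, 0), "baseline": base,
                            "score": round(score, 1)}
    return alerts


if __name__ == "__main__":
    print(print_anomalies(build_sample_events(), "2017-03-08"))
```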

Combating insider threats can be challenging, but your best defense is to protect and control confidential data at the source so it is secured at rest, in motion and while in use regardless of device, storage technology, storage location, and application.

 

Photo credit Eugene Kim

Fasoo is a Proud Champion of Data Privacy Day

Fasoo attended “The State of Privacy” event at The Pew Charitable Trusts in Washington, DC on January 28, 2016 as part of Data Privacy Day. The luncheon and event were sponsored by the National Cyber Security Alliance (NCSA) to help raise awareness and dialogue on managing privacy in the US and internationally.

On January 27, 2014, the 113th U.S. Congress adopted S. Res. 337, a nonbinding resolution expressing support for the designation of January 28 as “National Data Privacy Day.”  Respecting Privacy, Safeguarding Data and Enabling Trust is the theme for Data Privacy Day (DPD), an international effort held annually on January 28 to create awareness about the importance of privacy and protecting personal information.

As the state of privacy continues to evolve, it’s becoming more mainstream with increased awareness and changing expectations from consumers and business. This event brought together leaders from numerous organizations in partnership with the Computers, Privacy and Data Protection Conference to have a practical and solutions-focused dialogue addressing the current state and future of privacy.

The first panel discussed some results from the U.S. Consumer Privacy Index 2016 survey from NCSA and TRUSTe that asked consumers about how their private data is handled.  According to the research, consumer privacy concerns are rising, with 68 percent saying a top concern is not knowing how their personal information is collected online.  There was a debate on who is responsible for privacy.  Does it fall on businesses to simplify the process for consumers in an app, for example, or is it good enough to educate users on how to protect themselves through the appropriate settings in an app or browser?

Discussions , compared with only 57 percent who ranked losing personal income at the top. Additionally, 45 percent of respondents are more worried about their online privacy than they were just one year ago; and 37 percent of respondents listed companies collecting and sharing their personal information with other companies as a top cause of concern.

Ron Arden and Avni Rambhia

During the day, Bill Blake, President of Fasoo, Inc., and Ron Arden, Vice President – North America, had some great conversations with business leaders, analysts and media on the state of privacy, technology and how best to help protect privacy through best practices.  Awareness of privacy issues is the first step in understanding how to protect yourself and your most sensitive information.

The afternoon event had a transatlantic panel with members in the US and in Brussels talking about sharing data between the EU and US and how big data is impacting privacy in numerous ways.  One example is that analysis techniques will generate new data, which raises the question of the best way to protect and control it.

Fasoo solutions can help in this area by protecting sensitive data, including personally identifiable information (PII) and protected health information (PHI), both of which are under attack from advanced persistent threats and trusted insiders.  As privacy and security issues continue to impact business, Fasoo will continue to be an advocate and proud sponsor of NCSA activities and events that help organizations improve cyber security and protect privacy.
