Blog

Tag: strong encryption

EU-US Privacy Shield and the Future of Data ProtectionThe European Commission adopted the EU-US Privacy Shield on July 12, 2016 as a replacement for the Safe Harbor rules that were overturned by the European Court of Justice in October 2015.  This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.

The new EU-US Privacy Shield is an example of stronger privacy and security frameworks that affect US and European businesses as they collect, manage and share personal data.  Ensuring the security of personal information, no matter its location, is no longer a technology issue.  This is a business and trade issue.  If I am a US company and want to do business online or in person with businesses and citizens of the EU, I must guarantee that sensitive personal data is always under my control and that only authorized people can access it.

It’s important to protect and control all traces of this information whether it’s inside or outside your organization.  This includes being on mobile devices or in the cloud.  The best way to achieve this is by protecting the information with strong encryption and applying persistent security policies that travel with the data.  This ensures that only authorized people can access the information and use it.

One additional wrinkle in this situation is the recent Brexit vote in the UK.  If the UK moves forward with untangling itself from the EU, how will this new framework affect companies in London and the rest of England?  Will the UK abide by these rules?  Will the US, UK and EU need another framework to address privacy and security issues?

Some UK citizens and businesses are already talking about moving to other countries as a result of the Brexit vote.  This could exacerbate the movement of sensitive data as employees leaves organizations and go to competitors or businesses move their own stores of sensitive data.  In both cases there is the possibility of data breaches and legal problems.

In the recent Ponemon study “Risky Business: How Company Insiders Put High Value Information at Risk” 56 percent of respondents say they do not educate their employees on the protection of files containing confidential information and 72 percent are not confident they can manage and control employee access to confidential files.  How will businesses protect sensitive personal data that moves between countries and businesses, if they can’t even control employee access?

If organizations train employees on how to handle sensitive data and implement persistent file-based encryption techniques to protect this data, they can ensure that hackers and malicious insiders will not be able to bypass traditional security measures and access confidential information  I assume that when I share personal or sensitive information with a company, they will protect it so that only authorized people can access it.  If a company can guarantee that my information is safe, I will do business with them.  If not, I will go elsewhere.  This is the new business reality today.

Fix a broken chain of custody of your confidential dataCompanies share a lot of confidential data with third parties.  Who is responsible for keeping that data secure?  Is it the originating company or the third party?  Or both?

This week American Express sent letters to card holders about a possible data breach.  According to reports “an unauthorized person or group accessed the system of a third-party service provider prompting American Express to warn customers that card member information may have been compromised.” The company said, “It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.”  So is American Express to blame for this incident or is the service provider to blame?

This breach is another example of a broken chain of custody with confidential data.  American Express may have strong protections for its confidential data, but when it relinquishes control to another party that has weak controls, hackers know how to exploit the situation.  This is the same issue I talked about last year on the weakest link in the supply chain.

Think about the vulnerability of your data within your supply chain.  You may have the best security that money can buy, but once it leaves the confines of your environment, the information is out of your control.  You have to rely on the security systems of your partners to protect your information.  Unless you’ve done a security audit on those partners and are satisfied they will maintain your confidential data safely, you are vulnerable.  Hackers prefer to target the weakest link in the chain and they know smaller providers of large companies are easier targets.

This is where persistent security comes into play.  If you have strong encryption and permission controls on your confidential data, you can limit access to it regardless of where it is.  One of our customers uses our applications to exchange PCI with a third party.  The file can only be accessed a limited number of times on specific computers.  After that, the file is useless.  If someone tried to steal the file, they can’t read the data inside.  The result is no data breach.

Ultimately American Express is responsible for its card holders data, regardless of where it is.  You can best protect your confidential data throughout your supply chain by encrypting it and controlling its access at all times.  That’s better than welding your broken chain.

 

Photo credit Brian Smithson

5 Steps to protect your HR dataI recently wrote an article about the security of sensitive information in the HR department.  While everyone interacts with the people in human resources, most of us don’t think about all the sensitive information they have.

Most of us think about benefits and our 401K when we think about dealings with HR, but there is a lot more sensitive data that is under their control.  They also deal with your healthcare information, information about your spouse and family, customer financial information, employee resumes and salaries.  They also know when you have given notice to leave the company or when you change jobs in your current company.  Add to this the responsibility of developing and circulating company policies and a wide variety of interoffice communications.

Sharing company, employee and customer information with authorized internal and external users poses a unique security challenge for any organization, since HR needs to limit access to sensitive information.  While HR may be the first line of entrée into a company, they are also the first line of defense to protect some of the most confidential information in your company.

You need to encrypt sensitive data and apply security policies to it that ensure only authorized users have access to the information, regardless of where they are or the format of the information.  Here are 5 steps to help protect your HR data.

1. Encrypt received resumes

Since resumes from qualified candidates are intellectual property and highly valuable to a company, you should encrypt them and apply a security policy automatically as soon as you receive them.  This also includes information on criminal background checks and drug testing.  This limits access to specific internal users.

2. Lock down files when an employee gives notice

When someone changes jobs within a company or gives notice to leave, you should change the security policy on sensitive company information.  You can remove them from a group that has access to information from their old job, so they only have access to information that pertains to them.

3. Maintain Client Confidentiality

You should apply security policies to customer contracts and financial information so that only those customers, appropriate outside agencies and internal employees have access.

4. Protect Intellectual Property

HR knows the people and contractors assigned to different departments and projects, so it’s important to work with them to restrict intellectual property (IP) to those that need access to it.  When a contractor leaves, access should be revoked, rendering IP useless to them.

5. Circulate Policy Manuals In-House Only

Company policy can encompass everything from sexual harassment policy to paid time off.  This information is as important as anything in your business, but should be available to every employee and contractor.  Security policies need to be flexible to allow access by all authorized parties.

 

Your HR department is the front door to your organization, so you need to implement and enforce security policies to protect the most important information in your business.  This is the best way to restrict access to employee PII and ensure that your organization’s important data is secure.

What Are Privileged Users Doing With Your Data?Data breaches caused by internal users resulted in 43 percent of the data loss in organizations, with half of those breaches intentional, according to a new study on data exfiltration from Intel Security.  Internal users include employees, contractors, and third-party suppliers.  Many of these people are privileged users who have legitimate access to sensitive information.

Customer information, employee information and intellectual property were the top targets for internal users; they were also the top targets for external hackers.  Microsoft Office, text and PDF documents were the most common format of data stolen by internal users, probably because these documents are stored on employee devices and easily accessible file shares, and many organizations place few controls on the data once it is no longer in a database.  Since 80% of an organization’s data is unstructured content, it makes sense that insiders would target these types of documents.

Perhaps the most interesting part of the survey is how data was taken.  60 percent of information was stolen using electronic means, like file transfer and email, but 40 percent was stolen using physical media.  The most common approach was on laptops, tablets or USB drives.  Mobile phones were involved in 15 percent of physical thefts, but printed copies, CDs, DVDs, and faxes are still being used to extract data from companies.

While perimeter-based security still seems to be the focus for stopping this type of data exfiltration, it is obviously not getting the job done.  DLP and intrusion detection and prevention technologies are valuable for focusing on data and its movement through a network, but it doesn’t help when a privileged user has access to sensitive data.  If I need to access PII or PHI as part of my job, these technologies will not stop me from accessing the information.

So how do you stop this problem?

Determine who should have access to sensitive data and apply strong encryption and permission controls to the documents containing that sensitive data.  Once implemented you need to monitor access to those documents to determine a baseline of normal behavior so you can understand when someone deviates from the norm.  You should monitor who is viewing, editing and printing documents and if they are doing something that isn’t typical for them.

Privileged users need access to sensitive documents, but you need to control who can access them and what they can do with them.  Applying access and permission controls ensures that if someone exfiltrates sensitive data, it is rendered useless to external parties.  Applying these controls and monitoring document usage helps you predict and deter insider threats before they cause harm.

How do you stop privileged users from exfiltrating sensitive data?

 

Photo credit GotCredit

Categories
Book a meeting