Author Archives: Ratika Garg

The Untapped Gold Mine of User Behavior Analytics

User Behavior Analytics (UBA) is derived from multiple use cases of marketing and banking, where user transaction patterns are tracked to prevent fraud and abuse. This capability is now being increasingly applied to security and compliance.

Without the use of user behavior analytics (UBA), data loss prevention (DLP) solutions suffered from too many false positives and the inability to identify internal user threat patterns.

For example, a typical employee logs in at 9am. If there is a pattern of VPN login sessions from different locations during the midnight hours, it is a potential disruption to the behavior pattern of that user. This issue needs to be addressed quickly before sensitive data is lost. This is a typical use case of UBA.

According to the Gartner hype cycle of Risk Management, User and Entity Behavior Analytics is at the peak of inflated expectations and would continue to rise in the next 2 to 5 years.

What is User Behavior Analytics (UBA)?

Every organization needs to protect their data against cyber-security risks but the most important threat might be the one lurking within their own organization.

Negligent insiders and malicious users often have access to sensitive information. This access can be exploited even with traditional security infrastructure in place.

User Behavior Analytics is the latest security capability that addresses this issue. It supports an organization’s DLP system by analyzing user actions. This capability is important to prevent leakage of sensitive data. It helps to detect early indicators of risk and flag inappropriate insider behavior.

If an organization is able to identify risky actions and corresponding risky user profiles – it has the necessary context to spot disgruntled and malicious employees before they leak data.

Generally, this commences by looking at user/employee access and behavior patterns across various devices, endpoints and applications. This provides a baseline of user activities. When there is a noticeable anomaly in this behavior, then the User Behavior Analytics can be used to contain that threat.

At Zecurion, this solution creates profiles of employees’ behavior based on their history of incidents in the past. The solution checks for deviations for each employee from this profile in live mode. If it detects a sudden burst for that employee, it allows security teams to place the user under additional control as quickly as possible. These actionable risk ratings help security teams to detect, respond to and contain a user threat in a timely manner.
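The baseline-and-deviation idea described above, including the 9am employee with midnight VPN sessions from different locations, can be sketched as follows. This is an added example, not Zecurion's or any vendor's code; the user names, locations, weights and review threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data (not from any real system).
# VPN logins in the baseline period: (user, ISO timestamp, location).
BASELINE_LOGINS = [
    ("alice", "2018-01-08T09:02:00", "HQ"),
    ("alice", "2018-01-09T08:55:00", "HQ"),
    ("alice", "2018-01-10T09:10:00", "HQ"),
    ("bob", "2018-01-08T22:03:00", "HQ"),  # bob works a night shift
    ("bob", "2018-01-09T23:11:00", "HQ"),
]
# DLP incidents per day over the same period.
BASELINE_INCIDENTS = {"alice": [0, 1, 0, 0, 1, 0, 0], "bob": [2, 3, 2, 3, 2, 2, 3]}

# Activity to be scored "in live mode".
LIVE_LOGINS = [
    ("alice", "2018-01-15T09:05:00", "HQ"),
    ("alice", "2018-01-16T00:14:00", "Site-B"),
    ("alice", "2018-01-16T00:41:00", "Site-C"),
    ("bob", "2018-01-16T00:05:00", "HQ"),
]
LIVE_INCIDENTS = {"alice": 6, "bob": 3}

# Illustrative weights and threshold (assumptions, tune per organization).
W_OFF_HOURS, W_NEW_LOCATION, W_MULTI_LOCATION, W_BURST = 2, 3, 5, 5
REVIEW_AT = 8


def build_profiles(logins, daily_incidents):
    """Per-user baseline: usual login hours, known locations, incident rate."""
    profiles = defaultdict(
        lambda: {"hours": set(), "locations": set(), "inc_mean": 0.0, "inc_std": 0.0}
    )
    for user, ts, location in logins:
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
        profiles[user]["locations"].add(location)
    for user, counts in daily_incidents.items():
        profiles[user]["inc_mean"] = mean(counts)
        profiles[user]["inc_std"] = pstdev(counts)
    return dict(profiles)


def hour_is_usual(profile, hour, tolerance=1):
    """True if hour is within `tolerance` of a baseline hour (wraps at midnight)."""
    return any(
        min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in profile["hours"]
    )


def incident_burst(profile, todays_incidents, k=3.0):
    """A 'sudden burst': today's count far above this user's own history."""
    threshold = profile["inc_mean"] + k * max(profile["inc_std"], 1.0)
    return todays_incidents > threshold


def score_logins(profile, logins):
    """Score one user's live logins against that user's own baseline."""
    score, reasons, odd_locations = 0, [], set()
    for ts, location in logins:
        off_hours = not hour_is_usual(profile, datetime.fromisoformat(ts).hour)
        new_location = location not in profile["locations"]
        if off_hours:
            score += W_OFF_HOURS
            reasons.append(f"off-hours login at {ts}")
        if new_location:
            score += W_NEW_LOCATION
            reasons.append(f"login from unseen location {location}")
        if off_hours and new_location:
            odd_locations.add(location)
    if len(odd_locations) >= 2:
        score += W_MULTI_LOCATION
        reasons.append("off-hours logins from several unseen locations")
    return score, reasons


def assess(profiles, live_logins, live_incidents):
    """Return {user: {"score", "reasons", "review"}} for all live activity."""
    by_user = defaultdict(list)
    for user, ts, location in live_logins:
        by_user[user].append((ts, location))
    results = {}
    for user in set(by_user) | set(live_incidents):
        profile = profiles.get(user)
        if profile is None:
            # No history means no baseline: route to a human, do not guess.
            results[user] = {"score": None, "reasons": ["no baseline"], "review": True}
            continue
        score, reasons = score_logins(profile, by_user[user])
        if incident_burst(profile, live_incidents.get(user, 0)):
            score += W_BURST
            reasons.append("incident burst above personal baseline")
        results[user] = {"score": score, "reasons": reasons, "review": score >= REVIEW_AT}
    return results


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_LOGINS, BASELINE_INCIDENTS)
    for user, result in sorted(assess(profiles, LIVE_LOGINS, LIVE_INCIDENTS).items()):
        print(user, result["score"], result["review"], result["reasons"])
```

Because each user is compared with their own history, bob's login just after midnight scores zero while alice's is flagged, which is how a per-user baseline avoids the false positives a single company-wide "no logins at night" rule would generate.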

What are the benefits of User Behavior Analytics?

User behavior analytics (UBA) can help with mitigating potential data losses regardless of the industry. It lowers the cost of a breach and, because of its predictive nature, can also help in identifying potentially damaging user behavior, averting an imminent security breach.

In his blog titled, “Ok, So Who Really MUST Get a UEBA?”, Gartner analyst, Anton Chuvakin, says “An organization with a robust insider threat program should definitely get a UEBA (User and Entity Behavior Analysis).”

UBA provides in-depth context about the data: the location from which users access devices belonging to the organization, what data is being accessed, what the typical user pattern is and how risky the data itself is.

What are the use cases of User Behavior Analytics?

  1. Insider Threat Detection:

This is the most common use of UBA. Insiders accidentally put data at risk – either by attaching a wrong file in an email, oversharing on social media, losing a laptop or USB, or just by using weak passwords. UBA helps to detect and classify the risk profile of employees and insider users of an organization. The focus is on risky behavior patterns and identifying access abuse and misuse.

2. Maintaining Compliance:

UBA builds on the risk management approach to information security and helps with maintaining compliance. Compliance conformance requires identifying risks and prioritizing them in order to maintain compliance. By recognizing that not all users are equal in their user behavior patterns and risk score, UBA helps an organization prioritize the analysis.  It also helps with the business rules from a compliance standpoint.

3. Risk assessment tool:

UBA’s risk scoring makes it usable as a risk assessment tool that aids adherence to the security policy and the risk assessment process. If account activity profiling is linked to DLP, it can help with managing and mitigating risks. Authentication tracking and account compromise detection add to the risk assessment of an organization.

Conclusion:

In conclusion, User behavior analytics (UBA) is a relatively new but fast growing trend in cybersecurity. Most organizations are using UBA because of its ability to minimize false positives and identify high-risk user profiles.

UBA is a great tool to detect systems and data where compromised accounts exist.

It has multiple benefits, especially to provide additional security information that is not available through network and end point detection.

There are several use cases of UBA; the most common of them are insider threat detection, maintaining compliance and risk assessment.

Whatever the use case, organizations are increasingly using UBA to set baselines for insiders’ normal versus unusual behavior patterns and to detect malicious insiders, which leads to security insights with higher accuracy and faster detection and prevention of security breaches.

5 Best Practices to Follow to Make Your Data Loss Prevention Successful in 2018

In 2017, it was found that only 35% of companies in the United States had implemented solutions for data loss prevention (DLP). While external threats or attacks on large corporations such as the InterContinental Hotel Group and the U.S. Air Force are widely reported on, data loss is actually much more extensive than this and affects both large corporations and small to medium sized businesses. DLP is now essential for all companies to implement, as doing business becomes increasingly digitized. Here are 5 best practices to follow in 2018 that will lead to DLP success:

  1. Create a deployment strategy for all types of data

Sometimes it’s easiest to think of the data that your company holds in three ways – data in motion, data in use, data in store. Data in motion is fairly self-explanatory and involves any data that is in transit on the wire. Data in use is files that are open and could be breached through a moving device such as a USB. Data in store is the data that sits on file servers. Each of these needs a slightly different approach, for instance, a system that crawls is great for assessing a storage server but won’t work quite as well for data that’s already in transit.

  1. Create a document classification matrix

Keep it simple and pick three to five classifications – with the most sensitive data such as financial information and intellectual property being classification one and data that is public information being classification five. Go through and input the types of files that your company holds into this matrix, and most importantly, identify why you’re doing it. These key features of files will help with your DLP strategy in general.

  1. Communicate thoroughly to employees

Effective communication involves responsibility, ownership, training and buy-in. Buy-in can be gained at any level by thoroughly explaining the purpose of a DLP strategy and the risks involved. Letting your employees know that you take the work they do seriously and that you’re open to suggestions is essential in creating a well-run, open environment for a DLP plan to be effective.

At the management level, thorough training of the processes and procedures, as well as ensuring that everyone clearly knows their area of responsibility, is important to ensure that policies filter down to all employees. This includes repercussions when policies are not followed carefully.

  1. Identify what the risk response process will be

This involves not only the management body, but also IT and communications teams. If things really do go wrong, it’s essential that everyone knows what their role is prior to it happening. Ensure that you set expectations carefully – things aren’t necessarily going to go wrong during office hours.

  1. Carry out a gap analysis regularly

When you first implement a DLP solution, figure out what an acceptable level of risk looks like for your company. Your document classification matrix will help with this. Have your IT team regularly carry out a gap analysis where they look at the current risk level for data loss and the acceptable risk level. Have your executive level look at this reporting and decide on changes to policy, such as additional rules, processes and training, as a team.

The rate of internal data loss is drastically increasing, largely due to the number of digitized files that are increasing and the reluctance of employers to see the need for a DLP solution. When you see modern businesses losing important files through simple means, such as unencrypted emails, it’s clear that DLP needs to be taken more seriously. We’re going to see more high profile data loss incidents in 2018 so ensure that you follow these best practices to protect your company as we navigate the changes that the digital age brings.

Top 6 Reasons Why Your Data Loss Prevention Strategy May Fail

Finding a Data Loss Prevention (DLP) system that works for your company is unfortunately not enough to actually make it work. A DLP strategy is something that constantly needs to be iterated, reworked and updated depending on not just how technology changes but also, crucially, how your company and its data changes. Here are the top reasons why your data loss prevention strategy may fail.

  1. Lack of communication

Communication has to flow to every level of the company and every person in a management position needs to assume responsibility and ownership for doing this. A DLP solution needs buy-in from your employees in order to work and the DLP policy won’t work if no one actually follows it. Ensure roles and processes are defined and communicated clearly.

  1. Not understanding your employees’ motivation

This one is particularly relevant for maliciously lost data. Internally lost data can be either malicious or accidental. If it’s accidental, you know those employees made a genuine mistake and were not following the policies correctly.  A malicious attempt to leak data means that they were intentionally not following policies correctly and therefore the system has to find other ways to detect incidents when sensitive files are being accessed.

  1. Poor data classification

One key way of ensuring that files are picked up by a DLP system is by implementing a meticulous classification system. Firstly, define what your sensitive files are through a risk management system. Then figure out what are the unique features of your sensitive files that you can pinpoint and classify.

  1. Ineffective in a work environment

An overzealous solution can sometimes be as ineffective as having no solution at all. If your strategy is too intrusive on the output of your employees, then it’s human nature that they will begin to ignore it, even when it is effectively managed. Likewise, a lot of false-positives in reporting from a very strict policy can mean that actual data breaches are overlooked when they happen.

  1. Failure to identify all end points

Our increasingly mobile and remote workforce means that the number of networks, systems, devices and end points are also increasing. A DLP solution that focuses on protecting just the centralized network is no longer appropriate. There needs to be wide consideration, particularly for remote devices and the procedures and policies around this.

  1. Limited reworking

We mentioned this at the beginning because it’s one of the major flaws in many DLP solutions. Some employers view a DLP solution like a firewall – you put it up and then sit back and relax while it does the security work. DLP strategies are much more sophisticated than this and require constant iterations as things change as well as thorough assessments of how it is working in the real world, not just through statistical reporting.

These tips are designed to give you a feel for what can go wrong with DLP strategy implementation. Generally, the foundation for what can go wrong often sits in a lack of understanding about the purpose of a DLP plan, its communication and what needs to be done to make it work in today’s modern work environment.

5 Tips To Evaluate Your Readiness Before Implementing Data Loss Prevention (DLP) Solution

Data loss prevention (DLP) is crucial for any company that holds digital files these days, regardless of the size of the company. While much of the data loss that is reported on in the media often involves large companies, there are a number of small companies that fall victim to data breaches because they do not have the right framework to protect themselves.

A DLP solution helps to address insider threat and requires some readiness for its successful implementation. Here are some tips that will help evaluate if your organization is ready for DLP implementation.

  1. What’s the purpose?

This is a big step that a lot of people miss because it seems so obvious. The purpose is to stop data loss, correct? Narrowly speaking, yes. However, it just isn’t realistic to think that a DLP solution is going to completely prevent both internal and external data loss.

Firstly, think about why you’re implementing a DLP solution and the ramifications for your company. Does your company possess a lot of personal information or trade secrets? What would the effect on your company be if data were to leak? Far from being a pessimistic way of looking at a DLP solution, figuring out what the real risk to your company is will help you to think about the tips below.

  1. Find and define

The first step to getting ready for any DLP solution is to actually figure out what data needs to be protected. It’s not at all realistic to have an incredibly sophisticated system apply to every file your company holds. In addition, it is also important to think about how any kind of policy will impact employee output. If employees have new procedures and policies to implement with a DLP solution, you want to make sure any slowdown in implementing these is an effective use of their time.

Generally, the most sensitive data will include people’s personal details, especially social security numbers and financial information, or include trade secrets and intellectual property. Figure out what is the most sensitive information in your company, define it meticulously, and ensure that it carries a lot of weight in your DLP solution.

  1. Data movement

Next, it’s a really good idea to understand better how your data moves around your company. We tend to only think about how we use company files yet we’re one of many who do this. Preventing data loss because of an internal threat, an employee either maliciously or accidentally leaking data, is essential to your solution.

Watch where your most sensitive data moves and consider all the networks it sits on as well as end points and then think about who is using that data and what processes and protocols they go through.

  1. Following the policy

This one follows on from our last point of thinking about who is using the data and what processes they go through. All your employees will have to follow the DLP strategy that is implemented so it is essential to ensure that it is workable enough to be adhered to.

Part of this is getting buy-in from your employees. You can achieve this by making them part of the journey. Explain the purpose of what you’re doing and the risks involved, ask for suggestions or if they have noticed gaps and holes in how data moves around the organization. Communication is essential as a DLP plan is really effective only when it is implemented by everyone.

  1. Effective role management

Ensuring that everyone knows what role they play as part of the processes and procedures of a DLP plan is again about communication. Define each role clearly and give people ownership and responsibility so that they take it seriously. Assign privileges for accessing more sensitive information carefully.

Readying your company for a DLP solution is a simple step-by-step process of awareness, understanding and communication. Become aware of the type of data your company possesses, the risks it holds and understand how it moves around your company and what role your employees play in this. Then look to define the data and the roles and processes around it and communicate these clearly to your employees. Following these tips will ensure that your company implements any DLP solution effectively.

Top 5 Data Security Trends to Watch for in 2018

External data threats have been big news in previous years, particularly in the politicized landscape of 2016 and 2017. It is important not to forget that some of the mammoth breaches last year were due to internal leaking of information, indicating there clearly aren’t enough data loss protection protocols in many companies. These, and other trends, are going to dominate the IT industry in 2018, so we’ve put together a list to help you kick-start the year prepared.

  1. Advanced analytics are available – it’s all in how you use them

Data loss protection (DLP) plans are looking a lot more sophisticated than they did even a couple of years ago. The philosophy behind any DLP strategy has always been to think clearly about how the data is used, and therefore how it is breached or lost. This means that it’s agile enough to keep up with changes in technology, such as advances in user and entity behavior analytics that help companies better understand the areas where data is lost, and create tools to prevent this from happening.

  1. Prevention, not just protection

In the same vein, the focus is definitely shifting from just protecting existing data to also figuring out ways to prevent loss in the future. Basic security, such as a firewall, is no longer cutting it. And businesses are figuring out that they need to get their employees onboard to assist with preventing their own internal breaches. A well-communicated DLP plan and easy-to-implement processes will swiftly help companies in 2018.

  1. Industry compliance is here

Governments have been slow to catch up with the shifts in technology, particularly in creating regulations around them. However, they will be well and truly in existence in 2018, in that there is a push to crack down on the increasing challenge of data loss. Governments will, more and more, be placing the onus on companies to get their security up to an appropriate level. For instance, the General Data Protection Regulation, which comes into force next year, affects the way companies process the data of any European citizen – a huge move.

  1. CARTA as the core strategy

The Continuous Adaptive Risk and Trust Assessment Approach (CARTA) is a framework for approaching data security that is completely adaptive in its mindset. It came about because data security measures were not proving strong enough, simply because they were innovating measures for present problems and leaving it at that. The CARTA approach is all about review and iteration: constantly looking at real-time IT statistics to inform good decision-making about where to go next in terms of data protection.

  1. Adapting blockchain to protect data

Through blockchain, data is stored on an open server, so it is decentralized and distributed widely. Having no central location where data is stored makes it much harder for large chunks of the same data to be lost. The blockchain network would notice any change in the data storage on its open server and therefore make it even more difficult to carry out large data hacks.

The number of high profile data losses has been increasing in recent years, and not just through criminal activity. Because of this, governments are cracking down on companies to protect citizens from having vast amounts of their personal information get into the wrong hands. Additionally, of course, for companies carrying trade secrets and other intellectual property, the incentive to get data loss protection sorted is high. Luckily, 2018 is seeing data loss protection technology heading in the right direction. The mindset is changing towards ensuring that good data loss protection strategies are both preventative and adaptive.

Insider Data Breaches – Year So Far

Half of all data loss that occurs in companies happens externally. It’s a figure that surprises many as the panic over data loss often exists around targeting and preventing the activity of cybercriminals. Often internal data breaches are accidental – one click too many, sending the wrong attachment, the list goes on. Internal data breaches can also be malicious, particularly when there is a financial reward for releasing the data involved. Sometimes it can be difficult to imagine what those breaches might look like, so we have put together a list of just some of the insider data breaches this year so far, to give you a better idea:

Department of Health and Human Services, Maine

More than 2000 individuals who received foster care benefits were affected in this breach, when all of their personal details, including children’s details, were posted on a third-party website. The Maine Office of Information Technology reported that the potential breach happened as part of a system upgrade when a contractor posted information to a third-party website not within the state system.

Tarte Cosmetics

It’s not often that the cosmetics industry specifically is called out about data loss protection. Generally, it’s industries such as healthcare and hospitality. But, Tarte Cosmetics’ breach could not be ignored with a massive 2,000,000 customers affected by an internal data breach of their personal information including email addresses, phone numbers, physical addresses and parts of their credit card number.

Arkansas Department of Medicaid

Arkansas Department of Medicaid reported that 26,000 Medicaid recipients’ personal information was breached when a former analyst sent the information to her home email address a day before she was fired for an unrelated matter.

Spectrum

Originally known as Time Warner Cable, in September this year, this company saw 4,000,000 of its customer records breached internally, including login credentials. The breach occurred because of a breakdown in security around the cloud-based computing they were using and the provider it was connected to.

South Washington County School District

Possibly one of the most concerning breaches of all this year, due to the potential for harm it could have caused, was one which came from a South Washington School District. While there were only 9,600 files breached, the information was about children, specifically grades, ID numbers, and, concerningly, bus routes, pick-up and drop-off times and locations. Officials are calling it an “inadvertent employee error.”

Inadvertent employee errors are a reality these days. In the United States, there has been estimated to be well over 1.5 million internal data breaches, just in 2017. Sometimes these can be on purpose, but they can also be a completely harmless mistake that was in no way intended. The good news is that there are sophisticated data loss prevention strategies, plans and technology out there that can be implemented in order to prevent this from happening. It’s crucial that employees are onboard with rolling out this implementation, so knowledge about the very real nature of internal data breaches can be helpful in getting them on board.

7 Reasons Why Your Organization Will Need Data Loss Prevention in 2018

As we enter 2018, data loss prevention is becoming a necessary part of business planning, as there just don’t appear to be many industries immune to breaches. 2017 has seen a spate of data loss breaches from not just some of the conventional industries such as healthcare, financial services and retail, but also others like automotive, hospitality and even the military, in some cases. Here are some reasons why your business really needs data loss prevention in 2018:

  1. The threat is not just external

There’s a difference between what you see reported in the news media and what is actually happening in the U.S. and around the globe. Statistically speaking, internal threats account for just over half of all data loss. That’s according to an Insider Threats Report from 2017. While it doesn’t pay to solely look at one piece of data, the trend of roughly half of all threats being internal has existed across multiple studies for a number of years.

  1. Financial ramifications can be huge

According to a poll of 1,000 business decision makers, the average cost believed to be incurred from a data breach was around $1 million. Clearly, this depends a great deal on what industry you are in, but it’s something to be mindful of, particularly if your data is sensitive and would be worth something to other people.

  1. Financial ramifications are just the start

Quantifying the consequences of an internal data breach is a difficult thing to do, largely because of the loss of reputation and trust. Even if your business can take the financial hit from fines and compensation, it also has to withstand what can sometimes be a substantial loss of business. This can be particularly harmful for small businesses who don’t quite have the buffer of their larger, often multinational counterparts.

  1. Big data is here to stay

Companies are now moving to a place where they exist on data, and the growth of the big data industry is proof of that. While sensitive data nowadays often consists of things such as financial details and social security numbers, companies will increasingly find in the future that the data they keep on customers is more sophisticated and personal – and therefore sometimes more valuable to an outsider, which can lead to an internal worker deliberately releasing it.

  1. Thoughts on the Cloud are in the cloud

Most of us are moving to cloud-based computing and SaaS applications as a cost-effective way of storing and using data without having to pay for large builds. However, this also means that a DLP plan needs to be in place to ensure that sensitive data that your company currently keeps in the cloud is encrypted and that its transmission to third parties is prevented.

  1. Intellectual property protection is important to your customers and your business

This can be one of the biggest long-term consequences of data loss. While a breach of personal information about customers can be wide scale in its negative effects, an intellectual property breach is narrow, but incredibly damaging. If your company holds trade secrets, plans etc, either for your business or your customer, it’s essential that these are protected appropriately with a DLP strategy.

  1. Endpoints are increasing

With remote work becoming more and more common, the number of endpoints that data is stored on is therefore also increasing. These can be within your business’ computer network but it can also be outside it, in public places or at home. In these cases, you need a technology monitor that is installed on all of these devices that prevents certain sensitive or confidential actions happening as part of your DLP strategy.

A data loss protection strategy doesn’t have to be an alarming addition to your company’s business plan. However, it is starting to become concerning how many businesses, big and small, are avoiding the need for one of these, given that the amount of data we use is growing exponentially. Internal threats can be both malicious and totally by accident, so it’s important to protect your employees, your company and, of course, your customer from the ramifications of data breaches.

What You Did Not Do in 2017 to Prevent Data Loss

We all know data loss is an issue. We see stories in the news media of large airlines or financial services compromising large quantities of sensitive information, some of which could have been very preventable. However, it’s not just big businesses that are a target. Roughly half of all data loss happens internally, either by malicious intent, or inadvertently. This means that any employee in a business that holds information online and in computer systems could potentially lose your company’s data. We’ve outlined some of the key things you probably didn’t do in 2017 so you can get your company ready for 2018.

  1. Back it up

This doesn’t just mean occasionally getting out a hard drive to double save the important stuff. Every company should have a backup procedure for their files. Of course, it’s sensible to employ more security measures for more sensitive files, but a data loss protection plan will ensure that files are being regularly protected and can therefore be restored if a loss of data occurs.

  1. Multiple backup points

One backup point has been proven to be not enough for truly sensitive data. Apply the 3-2-1 rule as part of your data loss protection plan. Information that needs to be highly protected has 3 backups, general day-to-day information that has much less importance has 1, and give moderate level information 2 backup points. It also helps to have offsite backups as well. Particularly when there is an external breach, it can affect entire physical locations due to how malware operates in shutting providers down.

  1. Get your audit on

One of the easiest ways for data to slip through the cracks, either intentionally or by an employee’s mistake, is when systems aren’t up to date. You would be amazed how much of your software and hardware needs patches and upgrades. Auditing is the perfect end of year job to go into 2018 with a fresh start and an updated system. Often it doesn’t end up being super expensive – you’re probably already aware of the big-ticket items that need to be upgraded.

  1. Sort out a communication plan

You can’t single-handedly prevent data loss from your company, but you can empower your employees to take heed and ensure that the systems that you have in place are working correctly. Surveys and feedback loops are a great way of winning employee engagement. Ask them how they use the data – they are the ones who are handling it day-to-day after all. And as you iterate and improve data loss protection plans, ask them for feedback. You’re much more likely to get buy-in if they feel that the way they work is being taken into account.

A great number of instances where critical company information is lost are very preventable. We say preventable because backups are a huge part of protecting your company from potential data breaches. Ensure that, if anything goes wrong, you’re still able to access the information from another endpoint.

Any good data loss protection strategy starts with a review of the status quo so do a full audit of the ‘goings-on’ of your data, software and hardware – and be critical about where there’s room for improvement. Next, get your employees onboard to ensure that any efforts are fully integrated within all areas of the company. A thorough and well-thought out data loss protection plan can save your company huge fines, loss of reputation and potential loss of business.

The Top Industry Targets for Data Breaches – Are You on the List?

It’s important to know what your data breach risk is. It’s something that affects every company worldwide that operates even part of its services online. However, some companies are more at risk than others, sometimes due to the sensitive nature of information about individuals possessed by these companies, but also due to how easy it is for the data to be lost in some way. This is generally when companies have an insufficient or incomplete data loss protection strategy for protecting against both internal and external threats. Here are some of the top industries that have data breaches:

  1. Healthcare
    Healthcare is a prime target because of the huge amount of sensitive information, from medical records to payment information, kept by healthcare organizations. Due to the sheer size and scale of many healthcare organizations, upgrading software and protection systems often becomes such a big task that it’s overlooked in favor of what feel like more immediate issues, such as staffing and equipment. Around 100 million health records were compromised in 2015 and similar figures stack up for 2016 also.
  2. Financial Services
    Frighteningly, almost half (49%) of global financial services organizations have experienced a data breach in the past, according to the 2017 Data Threat Report. IBM has found that one of the biggest vulnerabilities for financial services firms is actually human error. Insider involvement accounted for 58% of all breaches in 2016; of these, 53% acted inadvertently, while 5% acted with malicious intent. Unfortunately, many of these could have been avoided with an agile data protection plan that was well-communicated to all employees.
  3. Government
    Governments have always been classic targets for any kind of information breach, due to the sensitive nature of the data that they hold and the power that they wield. They’re also a huge employer. If you were to add up the various parts of the US government, from military to bureaucratic and civilian, you can get figures of close to 5 million individuals working for the US government and having access to its computer systems. With roughly half of data breaches occurring internally, that’s 5 million potential ways to lose confidential government information.
  4. Transport and Logistics
    This is also a huge industry and covers everything from giant airlines to small owner-operated delivery services. The US Department of Transportation said, “the growing reliance on cyber-based control, navigation, tracking, positioning and communications systems, as well as the ease with which malicious actors can exploit cyber systems serving transportation.” Essentially, the transportation industry exists in a mobile world and mobile is one of the easiest endpoints for data to be breached. It’s often not protected properly by companies, which can lead to employees easily losing information or being targeted by cyber-criminals.

Even if your company’s not on this list, it’s important for you to take steps to ensure that the data stays safe and secure. Data breaches have become so serious that companies can be liable for serious fines if it is deemed that their security was not up to scratch. If you’re an SME or SMB especially, these are the kind of fines that could put you out of business completely, or ruin your reputation. Look into a data loss protection strategy that works for the needs of your company and figure out ways to get your staff on board to ensure that no data is lost from your organization.

Unique Data Loss Risks Faced by the Hospitality Industry

Data collection, data mining and big data, in general, have the ability to transform how industries, such as the hospitality industry, provide their services. The ability to access information about an individual, from basic contact information, to payment information, to behavioral information, means that benefits that consumers have come to expect – such as ease and personalization – can be easily employed.

The data captured by the hospitality industry, particularly hotels and restaurants, is often very comprehensive and sensitive, meaning there are serious ramifications if that data is lost. A person staying in a hotel will be handing over contact and payment details, using hotel wi-fi for business and personal use, and ordering services for their own personal comfort. Research indicates that the hospitality industry accounts for nearly 14 percent of all breaches, second only to the retail industry. Here are some of the unique data loss risks the hospitality industry is facing:

  1. Large numbers of SMEs and SMBs

From the huge boutique hotel industry that’s booming, to owner-operated restaurants and bars, a great deal of the hospitality industry is made up of SMEs. Often, even when these businesses are part of a wider syndicate, there won’t necessarily be standardized rules for data security.

So, what’s the big deal with SMEs? Due to their size, SMEs and SMBs often don’t have any thorough data loss protection strategy in place. Cost, time and lack of knowledge are the general contributing factors here. However, DLP plans are now much more affordable and easy to implement, so it really comes down to the industry getting itself up to speed by educating itself that DLP implementation is essential and possible to do.

  2. Paper still rules the roost

Hotels, especially, still rely heavily on paper to conduct their day-to-day business. It’s commonplace for services rendered and paid for to be carried out on paper throughout the whole transaction. Physical loss is one of the easiest ways for data to escape internally, either on purpose or by accident. Either way, due to the lack of digital footprint, it’s incredibly difficult to track where the leak came from.

Add to this the fact that, according to Shred-it’s 2017 Security Tracker, less than half (49 percent) of small businesses shred all documents, including non-confidential ones, and it’s clear that the hospitality industry needs to address this as part of its DLP strategy.

  3. Employee training is outward focused

Hospitality is a wholly customer-focused service industry. Huge amounts of resources are poured into staff training to ensure that customers’ needs and desires are being met and align with the kind of service the company is trying to provide.

The reality of this is that very little attention is focused towards internal processes. There are many statistics that suggest that roughly half of all data losses occur because of internal threats – people maliciously or unintentionally leaking sensitive data. This means that hospitality companies need to distribute their resources more efficiently and start focusing on creating internal DLP processes that work and that prevent the leakage of data.

While the potential for data to improve the services of the hospitality industry is huge, it brings with it large amounts of sensitive data that are not currently being properly protected with adequate data loss protection strategies. The high numbers of small to medium businesses, combined with the fact that the largely paper-based hospitality industry has an outward focus, means that there is plenty of work to do to ensure that customers’ data is protected from potential internal data loss threats.