10 Reasons Why You Need Data Loss Prevention More Than Ever

By 2017, the many instances of data breaches and data loss are well known. Data moves faster than ever, and you need to stay on top of it.

That’s why data loss prevention is becoming an even bigger priority for companies across a range of industries. Don’t believe us? Take a look at some of the most compelling reasons to embrace data loss prevention today:

Reason #1: Data Has Never Been Easier to Transmit

A hack of Yahoo!’s email database last year saw a single data theft affect some one billion accounts.

There are a lot of lessons to keep in mind here. But perhaps most important: data has never been so easy to transmit. One single instance of data loss can mean tremendous amounts of data leaking from your company or organization. And it can all happen in an instant.

Reason #2: There Are More Solutions Than Ever Before

If Reason #1 scared you, then this reason will give you a little hope. With enhanced technology come enhanced solutions. Simply put, there are more solutions for your data loss prevention than ever before, which means that implementing a solution that works doesn’t have to be a major chore.

You will have to find a solution that suits your industry and your company. But when it comes to preventing data loss, the effort of making that choice is small relative to the cost of a data breach.

Reason #3: Data is More Important Than Ever

In today’s fast-paced corporate environment, the data that you use and organize is more important than ever. Knowledge truly is power, which is why your exclusive data doesn’t only need to remain private, but in certain cases, it needs to remain proprietary.

If data is more important than ever, it only follows that your data loss solutions should be emphasized this year.

Reason #4: Hacking and Leaks are Growing More Sophisticated

While technology to prevent data loss is improving, so are the hacks that get around it. Whether a data leak happens through something as low-tech as someone simply remembering data or through a technical hack, you have to have a data loss prevention plan that accounts for each type of leak.

Reason #5: You Don’t Know What You Don’t Know

Data loss prevention sounds like a great idea, but any organization will have some blind spots. Simply put, you don’t know what you don’t know, which is why data loss prevention can be put in place to cover for those blind spots.

What does this mean? You might not be sure where your confidential information is being stored, or you might not know the measures you have in place to secure it. Data loss prevention helps bring these issues to the forefront.

Reason #6: Word About Data Loss Gets Around Quickly

We live in a world of instantaneous breaking news and fast-as-light social media. If you’re going to maintain a positive image for your company, preventing data loss from ever happening should be a priority. Reacting to a negative story isn’t as pleasant as preventing the negative story in the first place.

Reason #7: Adhering to Rules and Regulations

If you want to stand up to scrutiny, you need to have the data loss prevention in place that makes your organization look good. But it shouldn’t just look good. You really should be in tune with the rules and regulations about data loss prevention, making sure not to overstep your bounds or be underprepared in any way.

Reason #8: You Have More Information to Protect

As your organization grows, so does the information with which you’re entrusted. When you have more and more data to protect, your responsibility grows with the storage. Failing to protect this data will cost you the trust of customers and employees.

Reason #9: You Need to Control Your Own Corporate Network

Some of the problems associated with data loss prevention are symptoms of deeper challenges. If you don’t have control over your own systems, of course data loss prevention is going to be a problem. Data loss problems can serve to highlight what you need to fix in your company philosophy.

Reason #10: Data Loss Prevention Is Possible

Finally, you don’t have an excuse to not prevent data loss given all of the options on the market today. If it’s up to you to prevent data loss, now is the time to take action to secure your company and your data.

Who is Responsible for Security Enhancements in an Organization? Everyone!

Data is perhaps an organization’s greatest intangible asset. Accounting principles say it can’t be valued on a balance sheet, but it is undeniable that the ability to harness, to transform and to understand data is paramount to an organization’s operating strategy and outlook. Recent statistics even suggest that a small improvement in data understanding could increase a company’s net income by millions of dollars.[1] This is a gripping statistic. However, what is more compelling is that well over half of all organizations will experience significant data loss at some point due to a significant external event.[2]

This raises the question: who is responsible for security enhancements in an organization to ensure data loss prevention (“DLP”)? The short answer is everyone, starting at the top of the C-suite and extending down to the newest hire.

DLP should be aligned with the overall objectives of the business. As with most things in the corporate sense, policy starts at the top. This means that broad-based DLP policies need to be instituted at the executive level and carried throughout the organization. Executives should consider policies such as (1) limiting personnel to accessing only the data needed to complete their specific jobs, (2) access credentials and limits on the devices that can be used to store data outside company control, and (3) continuing professional education to ensure that all staff are aware of the existence and purpose of such policies. These three factors are critical to enhancing security in a business because studies have largely revealed that most data leaks occur due to unintentional incidents involving employees and outside vendors.[3]

Policies cannot stand alone without enforcement. After DLP policies are instituted, there need to be broad-based systems and controls established that focus on both preventing and detecting possible threats. Enforcement can take on a number of identities, but may include both passive and active administration. Passive administration may include software designed to notify appropriate stakeholders when data is released to an unauthorized source, or stringent processes that users must follow in order to move or access levels of data. Passive administration should cast a wide net so that a number of external threats can be mitigated without continuous supervision. Active administration, on the other hand, requires supervision through manual processes and testing. Active administration may include an internal audit function conducting periodic tests of details and controls, or levels of management that separate duties between preparation, authorization and custody. These active processes should be conducted on a periodic basis with independence in mind so that personnel will not be biased in their findings.

The final key to successful security enhancements in an organization is continuous improvement. This is largely driven by the entire team but starts with the lower operating levels. DLP policies should define a set of feedback channels that allow communication from the bottom to escalate to the appropriate managers, who then have certain authorities to take action. This feedback loop should be continuous and allow for meaningful revision of policies and assessment of operating protocols. Initiatives in this arena should include ways to make processes more effective but less burdensome to complete. Further, the feedback loop needs to be reliable such that the information is able to reach the appropriate party, who then has the ability to actually implement the change.

Security enhancements in an organization are everyone’s responsibility. Policy starts at the top and trickles down to even the newest associate. These new associates are responsible for carrying out the tasks and providing meaningful feedback on the operation of the DLP policies. Managers are then required to escalate, as appropriate, and provide meaningful guidance on how to solve complexities. In that light, DLP policies are not limited to software and hardware controls alone. Instead, these policies are strategic initiatives that should be aligned with the organization’s overall goals so that there can be a culture of continuous improvement from the top down and the bottom up.


[1] Marr, Bernard. “Big Data: 20 Mind-Boggling Facts Everyone Must Read.” Forbes.

[2] Thornton, Katie. “11 Stats on Data Loss You Need to Know.” Datto.

[3] Ernst & Young LLP. “Data Loss Prevention.” Ernst & Young LLP.

Instant Messaging Apps – an Instant Threat

The Internet has revolutionized communication forever. Remember the time you’d spend all your money on text messages and multimedia messages? Those days are long past. Real-time and instant messaging is the rage now, allowing you to stay connected with friends round the clock. Apart from simple text messages, they also allow you to exchange voice messages, video recordings and pictures, and even allow you to make voice/video calls with clarity unlike ever before. All of this and more at no cost at all!

Facebook Messenger, WhatsApp, and Google Hangouts are some of the more popular messaging applications the world over. Other old favorites are Viber, Snapchat, and WeChat. All these applications allow you to send and receive texts and share pictures, videos, and other files. These days IM apps also allow users to make voice and video calls and send voice messages. Group chats are also permitted in most of these applications. The new IM apps that are gaining popularity are LINE, Telegram, and Kik Chat. Even applications that are traditionally not meant for messaging, such as Instagram, now allow users to send private messages and thus work like IM applications. Applications like WhatsApp and Snapchat have recently introduced encrypted messaging, a more secure form of messaging.

Data Leaks and Security Threats

While IM applications have definitely brought the world to our fingertips, they have also opened up gaps for hackers to steal personal and sensitive data. From identity theft to stealing financial and corporate information, IM apps make just about everything possible. The greater the integration, the greater the risk of a data leak through the messaging app.

Some common threats to our data and security come in the form of strangers posing as friends, seeking personal or financial information, passwords, etc. Sneaky hackers send IMs from a new number with your friend’s name and photograph. Identity theft is as serious as financial theft. Sharing devices or IM accounts with acquaintances can also lead to a serious breach of security, often from unexpected quarters. Unauthorized access to a smartphone or mobile device by guests, colleagues, or friends is another security threat. Accidentally sharing data with a group when the intended recipient was an individual is also very common.

Malware that steals personal, proprietary and financial information can be installed on your smartphone, sneaked in through videos or links sent by unknown senders. Similarly, you must look out for new and unknown IM applications, which could be created in order to steal personal data.

Data Leaks Prevention and Precautions

There are some simple precautions that can be taken to prevent data leak through IM applications. Personal information and sensitive corporate information should not be disclosed to anyone without establishing their identity. Do not be fooled by the DP (Display Picture) and name. Your friends and colleagues will never ask you for your details and passwords over IM. When you find strangers asking for your personal/financial information, do not hesitate to be generous with the “Block” button. Never share your passwords and sensitive data with anyone, not even bank personnel or colleagues you are working with over IM. It is best if you do not save your credit card or bank account details in any phone or mobile device.

If at any time you are compelled to send your personal information or credit card details to a family member or friend over IM, or if a colleague needs some sensitive information that is holding back a deal or a project, ensure that the chat uses end-to-end encryption. In the latter case, it is best to implement a mobile data loss prevention solution to prevent data leakage over mobile phones.

Activating the numeric lock or fingerprint reader is a good precaution to keep your device safe. This simple measure will ensure that no one can access your smartphone or mobile device when you’re not around. Lock IM apps with a pattern reader for added protection. Refrain from accessing web versions of IM applications from public computers.

Hacking, phishing, and phreaking are some of the top security threats in the world of technology these days. Never click on links sent to you by unknown people. Malware is often sent in the form of innocuous links or even videos. It is installed on your smartphone or mobile device when you click them and then transmits the information that you send over messages. Also, set all system downloads to “manual” to avoid unintended malware installation on your mobile device.

Messaging Apps bring our dear ones closer. They also make corporate teams work more closely together. But unfortunately, they also bring the wily data thief within harming distance. With a little precaution your instant messaging can be made as safe as a face-to-face conversation.

12 Ingredients for Creating a Successful Incident Response (IR) Plan

In AT&T’s latest Cybersecurity Insights report, 62 percent of organizations acknowledged they were breached in 2015. However, only 34 percent believe they have an effective incident response plan.

When faced with a potential data breach, or any incident that may potentially harm organizations and their customers, an incident response plan, or IRP, is required to protect an organization’s data and, thereby, its reputation. If IRPs are not implemented properly, organizations may not be able to recover quickly from data loss. An IRP helps to identify the best possible data loss prevention (DLP) activities that safeguard organizations and quickly restore normal business operations. A well-defined security IRP will help safeguard against losses in case of a data loss (DL) incident, a natural disaster, an external breach of critical data or IP, or an insider threat.

According to the 2016 SANS Institute survey on the state of IR, 29 percent of respondents report a remediation time of two to seven days. A lack of skilled personnel is aggravating the problem, as 65 percent of respondents reported the lack of personnel was impeding their ability to respond to incidents.

12 Common Ingredients of Implementing IRPs

IRPs cannot be a one-size-fits-all system. Every organization has its own needs. Over the years and based on many studies, the following common ingredients have been identified:

  1. Prepare: According to the CISO, the team that handles threats, dealing with the fallout from a breach requires the efforts of the entire company. This requires team effort and training. Everyone must be made aware of whom to report to on the IT team in case they observe something suspicious.
  2. Get approvals: IRPs are not implemented if they are not approved by the Board of Directors. It is critical to make this group understand, and get involved in, the whole process of an IRP implementation from the initial stages so that they are aware of the severe repercussions of a data loss. Once they accept the criticality of a DLP activity, creating a successful IRP will be easy.
  3. Define the team and scope ahead of time: IRP developers need to define cross-organizational goals and allocate appropriate resources, leaders, roles, and responsibilities. Everyone must know ahead of time what should be done when. The core team may comprise individuals from privacy, security, legal, and IT who call on other departments as the need requires. Identifying the scope of the IRP will allow team members to assemble the components into an effective plan.
  4. Identify measurements and metrics: For a robust IRP, organizations need to define in advance key metrics such as time to detection, time to report an incident, time to triage and investigate, the number of false positives, and the nature of the attack indicators that will be measured in case of a breach.
  5. Hold test runs: Companies must play out the various breach scenarios – something like a mock fire drill – just to ensure things are in place. This helps in identifying weak points and risk factors, and thus leads to a crisper IRP.
  6. Check alerts that appear benign: IT professionals must be very observant when checking for signs of compromises and threats, and they must never disregard a regular user’s doubts. The PCI Security Standards Council states that one of the biggest risks to an organization’s information security is often the action or inaction by employees that can lead to security incidents.
  7. Document the IRP, and keep it updated: Documenting an IRP helps organizations consider different scenarios, their implications, and the tools needed to mitigate the damage. DL assessments are part of every IRP and must be documented to support an organization’s burden of proof. An IRP must be a “living document” that is always kept updated. New threats from malware, identity theft, and unencrypted mobile devices are putting protected health information (PHI) at risk. An IRP should reflect these new dangers.
  8. Don’t overlook your refineries and factories: Many organizations need to run industrial systems in parallel, such as an oil refinery or a factory that manufactures drugs. Such organizations usually do not feel the need to implement an IRP, thinking hackers won’t target these locations. This, more often than not, leads to a breach resulting in losses.
  9. Contain and remediate: Once an affected system has been identified, take it offline and use it to conduct a post-mortem as to the how and what of the breach. After the root cause is identified, contain the breach before it spreads to the entire organization. The findings and details of the breach must be noted carefully, and action must be taken so that there’s no room for similar attacks to recur. The focus should be on investigating the malware’s techniques and infection vector so that a robust eradication and prevention plan may be developed.
    According to Marsh & McLennan Companies, “Once an organization experiences a data breach, the response is to secure defenses to make sure that history does not repeat itself.”
  10. Plan for a follow-up budget and resources: According to Gartner, Inc., 75 percent of enterprises’ information security budgets will be allocated for rapid detection and response approaches by 2020, up from less than 10 percent in 2012.
  11. Follow up: For future containment, learning and improvement, and detection, IRPs require the cooperation of an entire organization, not just the IT and security departments. For example, a bank handling the impact of a breach will need help from its PR staff, from its Web development team, from the HR team, etc.
  12. Align and integrate the IRP with an organization’s existing business continuity plans (BCP), data loss prevention (DLP) policies, and disaster recovery plan (DRP): Prioritizing the assets to rebuild to ensure business-as-usual quickly is very critical. The prioritized inventory must be updated and amended regularly as business needs evolve.

MAPFRE Settlement – An Expensive Lesson in Data Security

MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) has agreed to pay a whopping $2.2 million in fines to enter into a settlement with the HHS Office for Civil Rights (OCR) for violations of the HIPAA Privacy and Security Rules.

At the heart of this multi-million dollar storm was a humble USB pen drive.

On September 29, 2011, the unencrypted USB data storage device was left unsecured in the IT department of MAPFRE. This drive contained records of 2,209 individuals, including their full names, dates of birth and Social Security numbers. The pen drive was stolen overnight.

MAPFRE reported the device theft to OCR 55 days later. (60 days is the maximum time frame for reporting and announcing PHI breaches.) OCR then launched an investigation to ascertain whether any HIPAA Rules had been violated. This is standard protocol for all breaches of ePHI that impact more than 500 individuals.

As the investigation proceeded, OCR discovered not one but several HIPAA non-compliance issues.

Officials at OCR determined that MAPFRE showed a callous attitude towards data protection by not putting the necessary safeguards in place to prevent the theft. MAPFRE had:

  • failed to conduct the required risk and vulnerability assessments to test the “confidentiality, integrity, and availability” of the ePHI under its control;
  • not implemented any appropriate security measures; and
  • neglected to implement the required security awareness and training programs for its workers.

As per the corrective action plan, MAPFRE was expected to:

  • Conduct a risk analysis and implement a risk management plan
  • Implement a process for evaluating environmental and operational changes
  • Review – and revise if necessary – its current Privacy and Security Rules policies and procedures
  • Distribute the policies and procedures and assess, update, and revise them as necessary
  • Give regular training to workforce members and certify they’ve received it

MAPFRE delayed implementation of corrective measures that it had told OCR it would undertake. So despite the submission of a breach report to OCR on August 5, 2011, MAPFRE Life did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR director Jocelyn Samuels said in a statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

The resolution amount was decided upon after taking the financial position of MAPFRE into consideration as well as the number and severity of its HIPAA violations. In addition to requiring payment of $2,204,182 in fines, OCR expects MAPFRE to adopt a corrective action plan that addresses all areas of noncompliance.

HHS states on its website, that “A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.” It also says that “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”

OCR has increased its enforcement of HIPAA Rules in recent years, with 2016 being the year in which it made more settlements than in any other year to date. Last year alone a dozen healthcare organizations settled possible HIPAA violations with OCR. Earlier this year, Presence Health, a healthcare network serving residents of Illinois, agreed to pay OCR $475,000 due to an unnecessary delay in breach notification after patients’ protected health information was exposed. OCR won’t be letting up on its aggressive enforcement pace of 2016, when it collected a record $23.5 million in HIPAA breach settlements, a steep rise from $6.2 million in all of 2015.

There are some expensive lessons in these settlements that all HIPAA covered entities should pay heed to. Risk assessment and analysis can go a long way in keeping data secure. There should be a comprehensive risk management plan in place. In case of a breach, companies should make quick and accurate representations to OCR and should follow through on any commitments made to OCR.

Last but not least, leaving portable devices and drives unencrypted is never a good idea, and a humble USB pen drive can sometimes prove very costly.

10 Considerations for Implementing a Data Loss Prevention (DLP) Solution

Recently, industry analysts have noticed a massive resurgence in the demand for DLP solutions. In light of the growing need for DLP solutions, organizations need to stay committed to a defense-in-depth framework. They must balance security against usability and weigh the probability of a threat against its consequences. Appropriate DLP practices are more important now than ever, and this trend will continue well into 2017 and beyond. That said, with data breach incidents looming large across the globe, enterprises today first need to consider all the aspects and issues before implementing a DLP solution.

So what really must be considered for implementing the best DLP solution?

DLP solutions are designed to reduce the risks related to information loss by proactively locating and controlling sensitive data. Answering the following questions in detail will help organizations implement a foolproof DLP solution to protect their sensitive data and evaluate the approach followed by a DLP solution provider:

  • What types of data should I monitor and control?
  • What actions can I take to reduce data-related risks?
  • How can I achieve this without impacting business as usual and in a cost-effective manner?
  • Does the DLP solution address a complete range of global policies that meet my compliance and corporate-security needs?
  • Does the provider:
    • Partner with infrastructure vendors to embed DLP classification technology and policies across all elements of the infrastructure?
    • Integrate with third party controls for enforcement and with SIEM vendors to provide a single pane of glass for incident management?
    • Use a common management policy and classification framework to manage policies and incidents?

10 Key Considerations

The following 10 key considerations cover sufficient ground for organizations seeking to implement a DLP solution:

  1. Understand and identify how your sensitive data are handled—DLP is a content-centered data-protection technology that relies heavily on the proper identification and classification of sensitive data and concomitant handling within an organization. This facilitates the creation and implementation of a comprehensive data-protection strategy.
  2. Assess and analyze the need to implement a DLP solution—The “go/no-go” decision should be based on an objective risk-based assessment and analysis of the following: the data that the organization wants to protect, the security risk based on current and future security architecture, total cost, cost of data loss, total cost of implementation and management, and value-added benefits of introducing DLP.
  3. Identify and involve representatives from across the board to understand the need—The team that decides the need for establishing DLP policies must have a representative from each team to develop the requisite corporate policies (senior management), perform risk assessments (risk management), identify recent security events (IT security, legal, compliance management), and ad hoc threats/concerns. This will improve understanding of organizational and business requirements, thereby helping cover more ground for implementing the DLP system.
  4. Break decision-making and implementation of the solution into phases—Before implementing the solution, the benefits and operational impact must be understood and accepted by the organization. Only then can the organization plan to implement the solution piece by piece to avoid disruption of regular functioning. There should be sufficient checkpoints to track changes and implementation of the new system.
  5. Test the implementation in a small unit before going full scale—Policy testing in controlled environments helps understand the effectiveness of the policy and its potential impact on the business before wider deployment. Phased implementation will surely help lower the impact on performance and promote a positive user experience. The DLP infrastructure and the network capacity must also be planned adequately to minimize impact on the business.
  6. Create meaningful DLP policies and policy-management processes—After the typical DLP activities have been identified, it is imperative to create relevant and meaningful policies to monitor or block (prevent) sensitive data from leaving an organization’s network. Review processes and periodic policy modifications (to combat new risks) must form a robust, controlled process.
  7. Set up an effective response mechanism—Response rules and alerts must be defined and configured to respond in a particular way for specific events. An event review team with adequate knowledge of business risk should review critical events (in detail) with care. Furthermore, this team should take appropriate actions in a timely manner following established procedures to comply with policies, laws and regulations. Doing so prevents a negative impact to the business.
  8. Gather data for proper analysis and reporting—DLP policies trigger events that usually provide critical insight on where, when, and how the sensitive data are stored and handled within the organization. This can then be related to specific policies, departments, regions, and trends. Event profiles and trends, along with periodic reporting and its meaningful analysis (using the right metrics, patterns, and trends), help improve control practices and modify policies.
  9. Security and compliance measures must be in place—As a DLP system may collect data that are personal in nature or business sensitive, it is critical to have strict adherence to the data-privacy laws and regulations of the countries in which the data are collected. Based on the scope of implementation, appropriate measures, such as employee notification and consent, must be taken (if required). The DLP team should be part of the corporate security-governance structure and work closely with other security teams to ensure data protection.
  10. Make way for legitimate sharing of data—Data sharing and cross-sectional data flow of business information is the lifeline of most organizations. Now, although organizations have to protect against loss or leakage of sensitive data, they must ensure that DLP solutions do not hinder legitimate data flow inside or outside the organization. This point is critical, for, if overlooked, the hindrance of legitimate data flow may lead to severe losses. Hence, there must be a team in place to review the business benefits of DLP on an ongoing basis and also verify its impact on legitimate data flow within the organization.
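
As an added illustration of considerations 6 through 8 (example code written for this page, not taken from the original post or from any DLP vendor), the Python below sketches the core of a content-inspection policy: it classifies Social Security number and payment-card patterns, applies validity checks so that random digit runs do not become false positives, picks a monitor-or-block action per destination, and emits one masked, SIEM-ready event per message. The corporate domain `example.com`, the `POLICY` table and the sample messages are constructed assumptions.

```python
"""Constructed DLP content-inspection policy engine (example, not a vendor product)."""
import json
import re
from typing import Dict, List, Tuple

INTERNAL_DOMAIN = "example.com"  # assumed corporate domain; "internal" means same domain

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues, cutting false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_valid(number: str) -> bool:
    """Luhn checksum carried by payment cards; rejects arbitrary digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_data(text: str) -> Dict[str, List[str]]:
    """Map each data type found in text to its masked matches (never log raw values)."""
    findings: Dict[str, List[str]] = {}
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            findings.setdefault("ssn", []).append("***-**-" + m.group(3))
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group(0)):
            last4 = re.sub(r"\D", "", m.group(0))[-4:]
            findings.setdefault("payment_card", []).append("*" * 12 + last4)
    return findings


# Assumed policy table: per data type, a severity and the action per destination.
POLICY = {
    "ssn": {"severity": "high", "internal": "monitor", "external": "block"},
    "payment_card": {"severity": "high", "internal": "monitor", "external": "block"},
}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def decide(findings: Dict[str, List[str]], recipient_domain: str) -> Tuple[str, str]:
    """Pick the strictest action and the highest severity across all findings."""
    destination = "internal" if recipient_domain == INTERNAL_DOMAIN else "external"
    action, severity = "allow", "none"
    for data_type in findings:
        rule = POLICY[data_type]
        if rule[destination] == "block":
            action = "block"
        elif action == "allow":
            action = "monitor"
        if SEVERITY_RANK[rule["severity"]] > SEVERITY_RANK[severity]:
            severity = rule["severity"]
    return action, severity


def inspect(message: dict) -> dict:
    """Classify one outbound message and return a SIEM-ready event."""
    findings = find_sensitive_data(message["body"])
    action, severity = decide(findings, message["recipient"].rsplit("@", 1)[-1])
    return {
        "event": "dlp.outbound",
        "channel": message["channel"],
        "sender": message["sender"],
        "recipient": message["recipient"],
        "findings": findings,
        "action": action,
        "severity": severity,
    }


# Constructed sample traffic; the identifiers are test values, not real people or cards.
SAMPLE_MESSAGES = [
    {"channel": "email", "sender": "hr@example.com", "recipient": "broker@partner.test",
     "body": "Enrollment form for J. Doe, SSN 123-45-6789, attached."},
    {"channel": "chat", "sender": "sales@example.com", "recipient": "finance@example.com",
     "body": "Customer paid with card 4111 1111 1111 1111, exp 09/27."},
    {"channel": "email", "sender": "ops@example.com", "recipient": "vendor@partner.test",
     "body": "Ticket 000-12-3456 and PO 1234-5678-9012-3456 shipped today."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(json.dumps(inspect(msg)))  # one JSON line per message for the SIEM
```

The third sample shows why the validity checks matter: an SSN-shaped ticket number with an unissued area and a purchase-order number that fails the Luhn check both pass through without an event, which is exactly the false-positive count the IR metrics above ask you to track.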

A comprehensive and integrated DLP solution must provide reasonable controls to protect data loss from internal sources. Management must ensure that proper measures are in place to protect sensitive corporate digital assets, including IP as well as personal and financial data. Additionally, a successful implementation of a DLP solution for large organizations requires systematic planning and execution considering the aspects discussed in this post.

Data Security Priorities for SMBs in 2017

Small- and medium-sized companies (SMBs) are equally vulnerable to cyber threats and data breaches as large enterprises. According to a survey of SMBs conducted by Ponemon Institute, nearly 55% of respondents said that they experienced a cyber-attack, and at least 50% had a data breach in the past 12 months. It was also revealed that negligent employees, contractors and third parties caused most data breaches.[1]

Here are the key reasons why SMBs are becoming more vulnerable:

  • The security policy is not well defined.
  • The software and methods in place to prevent a breach are either obsolete or not capable enough to prevent data leakage.
  • Employees lack training.
  • Not enough budget is allotted to thwart the threat.
  • Strict adherence to security procedures is lacking: passwords are weak or reused, and encryption is missing in most cases.
  • BYOD policies are missing.
  • No protocol is defined for what to do in case of a leak, although such a protocol could limit the extent of the data loss.
  • There is rarely dedicated IT personnel overseeing the security of the system. Thus, 24/7 observation is

For all of these reasons, the loss of sensitive data is often due to the negligence of company personnel. Much of it can be averted if the following requirements are addressed in the security protocol.

SMBs are recommended to follow and implement these essential steps in order to mitigate data-breach threats:

  • Regular training sessions should be conducted for employees. Users should be educated about cyber security and told how to handle sensitive information safely.
  • Password encryption should be mandatory. Implementing two-factor authentication is an easy and affordable way to safeguard content.
  • Account management should be implemented: user-defined roles should dictate who gets what kind of access to sensitive data, and both the user and the device used to access the information should be authenticated.
  • Clearly define BYOD policies for employees so that unintentional or deliberate loss of data can be mitigated.
  • Software should be kept current, making it less vulnerable to cyber threats.
  • Policies on what data can be copied, and how and where it can be duplicated, should be laid out for users.

As we step into 2017, SMBs should start gearing up to implement tailored protocols to defend against data breaches, particularly from insiders. Along with taking the steps mentioned above, employees should be scrutinized for their behavior in the office. Even at the time of recruitment, proper background screening should be conducted. Hiring the right kind of employees and following up with a robust security plan will help mitigate the threat.

[1] http://www.ponemon.org/blog/smbs-are-vulnerable-to-cyber-attacks

2016: Data Breach Statistics


The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Totals of records exposed include only breaches for which a record count is available.

So far, 2016 has witnessed 980 data breaches affecting more than 35 million records. The highest number of records breached has been in the Medical/Healthcare sector, at more than 15 million records, according to the report from the Identity Theft Resource Center.

Zecurion offers deeper insight into selected incidents caused by either accidental or intentional data breaches. Across all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted. The excerpts below provide only a glimpse of these incidents; the list goes on.


November 23, 2016 – The Navy reported that the PII of 134,386 sailors was compromised from a contractor’s laptop. Hewlett Packard Enterprise Services, through which the contractor was hired, said that no information had been misused. However, it reported that data containing names and Social Security Numbers had been accessed by an unknown number of people. The investigation is ongoing, and it will take a few weeks to identify those affected and the next steps.

Source: Navy Times

October 28, 2016 – A breach at the Office of the Comptroller of the Currency resulted in the leakage of sensitive information on more than 10,000 employees. It was found that a former employee had unintentionally downloaded the information. There is no evidence of any information being misused in any way. The incident was reported to Congress as required by law.

Source: Wall Street Journal


November 30, 2016 – Emblem Health has notified that its subsidiary, Group Health Inc. (GHI), had an accidental breach in which an unknown number of records were exposed. The disclosed information contained the Health Insurance Claim Number (HICN), which mirrors the Social Security Number. So far, there has been no report of any misuse of the leaked information. As a precaution, the affected members have been offered free professional identity monitoring for 24 months, in addition to a 24-hour dedicated helpline and $1,000,000.00 in identity theft insurance through AllClear ID.

Source: California Attorney General


December 2, 2016 – San Jose Evergreen Community College District (SJECCD), California, reported that an employee accidentally uploaded a file containing the PII of an unknown number of students to the SJECCD website. The information could be accessed by running search strings on the site. Upon learning of the mistake, the district immediately removed the file from the server. Though there is no immediate report of any misuse, management has offered affected students one year of complimentary credit monitoring from AllClear ID.

Source: California Attorney General

Ensuring Application Security in Mobile Environment

With concepts such as bring-your-own-device (BYOD) becoming almost indispensable in today’s business environments, employees carry both official and personal data on their smartphones and other devices. Because many of these devices are not very secure, hackers are having a field day. Apart from this, the risk of inadvertent data loss has also greatly increased.

In a recent analysis of downloaded applications within organizations, IBM found that these apps had access to confidential business data.

Anyone using a smartphone is aware that downloaded applications require frequent OS updates. Frequent updates increase the exposure and vulnerability of the phones, which may become corrupted or lose precious, business-critical data. Additionally, because mobile apps can access security-critical servers, storage, and networking systems, these apps are prone to external attacks in which hackers can intercept data and cause huge losses. In a recent case involving an Android application, a weakness was found that could put personal user information at risk, including not only phone numbers and location details but also account balances.

Because compromised applications may at times lead to irrevocable losses for organizations in terms of finances, brand loyalty, confidential customer information, and intellectual property, application-security testing teams need to be on their toes at all times. They need to think about how to implement a robust, automated, and scalable mobile-specific security management program that can eliminate the looming risks to enterprise data with ease and efficiency.

On a positive note, most organizations have data-loss prevention (DLP) policies in place for blocking devices as soon as they are reported lost. However, most organizations have no idea what applications are installed on their employees’ mobile phones, and this is a huge cause for concern. To ensure that only safe applications are installed on corporate-owned and corporate-controlled devices, organizations have moved toward implementing mobile application management solutions. Many organizations involved in the generation and management of critical data, such as data relating to finance and security, use advanced DLP measures to control logins and access to data on mobile devices.

What is needed to ensure that your organization has a robust risk management system in place for your applications?

To ensure that mobile applications are secure in all respects, organizations must follow these basic rules:

  • Perform stringent tests (perhaps utilizing a cloud-testing lab) for all application types (web, native, and hybrid), for all browsers, for iOS and Android (especially if it is open source), and for all software that might access the application once it is installed.
  • Perform continuous static and dynamic analyses, and monitor applications to detect problems.
  • Check for threats to the application arising from weak encryption, client-side injection, and insecure data storage.
  • Minimize and verify functionality and permissions, which simplifies the code. In addition, conduct thorough data validation and perform end-to-end testing of the code to check for any security shortfalls.
  • Test the back end for any weaknesses in the emulators running the mobile applications.
  • Perform thorough testing (automated penetration, functional, performance, etc.) of the application for security loopholes and for any weaknesses related to viruses.
  • Avoid storing and transmitting data where possible. When it is necessary, encrypt the data during storage and transmission.
  • Detect integrity violations using taint analysis.
  • Protect the application code against external modification so that no one can tamper with it.
  • Invest in an automated mobile-app security-testing tool that can perform security assessments and penetration testing for apps built using agile methodology.
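As an added example (not code from the original post or from any vendor tool), the following Go program shows what the "continuous static analysis" and "checks for weak encryption, client-side injection, and data storage" items above look like in practice: a handful of regular-expression rules run over Android application source, reporting each hit with its line number and rule id. The rule ids, the `Scan` function and the sample Java snippet are all constructed for this illustration and cover far fewer patterns than a real analyzer would.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one rule hit: the 1-based line number, the rule id, and the offending line.
type Finding struct {
	Line int
	Rule string
	Text string
}

// rule pairs a short id with a pattern for a risky construct in Android app source.
// These patterns are illustrative heuristics written for this example, not a full ruleset.
type rule struct {
	id      string
	pattern *regexp.Regexp
}

var rules = []rule{
	// Weak encryption: DES, RC4, or AES in ECB mode.
	{"weak-cipher", regexp.MustCompile(`Cipher\.getInstance\("(DES|DESede|RC4|AES/ECB)`)},
	// Key material hard-coded as a string literal, recoverable from the binary.
	{"hardcoded-key", regexp.MustCompile(`SecretKeySpec\(\s*"[^"]+"\.getBytes`)},
	// Insecure data storage: files or preferences readable or writable by other apps.
	{"world-accessible-storage", regexp.MustCompile(`MODE_WORLD_(READABLE|WRITEABLE)`)},
	// Client-side SQL injection: a query assembled by string concatenation.
	{"sql-concat", regexp.MustCompile(`(rawQuery|execSQL)\(.*"\s*\+`)},
	// Sensitive values written to the device log.
	{"sensitive-log", regexp.MustCompile(`Log\.[vdiwe]\(.*(?i:password|token|ssn)`)},
}

// Scan runs every rule over every line of source and returns the hits in line order.
func Scan(source string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(source, "\n") {
		for _, r := range rules {
			if r.pattern.MatchString(line) {
				findings = append(findings, Finding{Line: i + 1, Rule: r.id, Text: strings.TrimSpace(line)})
			}
		}
	}
	return findings
}

// sampleSource is a constructed Java snippet, not taken from any real application.
const sampleSource = `// constructed sample for the scanner
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
SharedPreferences prefs = getSharedPreferences("session", MODE_WORLD_READABLE);
Cursor cur = db.rawQuery("SELECT * FROM users WHERE name = '" + name + "'", null);
Log.d(TAG, "login failed for password: " + password);
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");`

func main() {
	for _, f := range Scan(sampleSource) {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Rule, f.Text)
	}
}
```

Each hit names the line and the rule so a reviewer can triage it. The last sample line, which uses AES-GCM, is deliberately left unflagged to show that the rules distinguish a weak mode from an acceptable one; in a build pipeline, rules like these would run on every commit and fail the build on new findings.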

App developers must also make their apps third-party-friendly and easy to download. This will dissuade mobile users from jailbreaking or rooting their devices, which makes the devices vulnerable and renders the OS security features ineffective. App developers must be motivated and trained to build apps with strong, built-in security controls to thwart any unwarranted breaches.

If organizations perform the above tests, follow strict app development guidelines, and implement robust frameworks for security testing, they will have done all that is required to keep the mobile applications—and, more importantly, the user data—secure. These measures, coupled with use of DLP, will effectively lead to implementation of stronger security practices.

How to Select the Right Encryption Solution

In today’s fast-moving and fast-changing world, coupled with the influx of smart devices and IoT, securing data and protecting it from falling into malicious hands has become extremely challenging, complex, and necessary. The workplace no longer adheres to a typical 9-to-5 routine. Technology has created the ability to work remotely from anywhere and at any time through laptops, tablets, smartphones, etc. The gates to breaches have thus significantly increased in number, resulting in a greater need to use encryption, scaling not just to a computer but to the numerous smart devices that are constantly used to access data.

Ponemon Institute conducted a survey and came up with the most prominent drivers that propel industries to consider encryption as a defense against data breaches.

We saw in one of our previous blogs how the number of breach incidents has risen to staggering heights this year. IT experts collectively agree that encryption is the key solution to this enormous problem, but it has to be the right type of encryption for the industry. A thorough knowledge of the tools and technologies currently on the market is very important before implementing any type of encryption. A customized encryption solution, apt for the enterprise in question, will not only protect against the loss of data but also save time and money. Now, what are the criteria for determining the type of encryption solution suitable for an enterprise? The following points answer this question.

  1. Basic Requirements – A Must

The encryption solution should meet the following basic requirements:

  • Encryption should be automated, simple for end users to comply with, and provide non-disruptive protection.
  • There should be robust authentication of users, so that only authorized users gain appropriate access to the data. The encryption solution should also provide for regular checks on the validity of user access controls.
  • It should be able to protect a wide array of smart devices across multiple platforms such as Windows, Mac, and Android. Most smart devices already offer some kind of base protection, but this might not be sufficient for big enterprises dealing with highly sensitive data.
  • The type of encryption will also depend on the type of data that has to be protected: data in motion, data at rest, or data in use. The company might require full-disk encryption or just file encryption.
  • The need for managing the encryption keys must be assessed: can it be done by the IT department itself, or should the services of a vendor be considered?
  • Another characteristic is that the encryption implemented should scale as the enterprise expands. The growing demands of the company should not hamper the existing encryption or render it ineffective.
  • The encryption should be such that if the data were to fall into the hands of hackers, it would be incomprehensible and useless.
  2. Encryption Key – Vendor-managed or Customer-managed

In both vendor-managed and customer-managed key schemes, the data are protected with a pseudo-random encryption key generated by an algorithm; an unauthorized interceptor cannot access the data without this key. A customer-managed key (CMK) empowers the customer completely, as it makes the physical location of the files less relevant: no party can decrypt the data once the customer has chosen to withdraw access to the encryption keys.

  3. Key Management

Managing the keys is another important aspect of encryption. Depending on how big the organization is, there could be a large number of keys that need to be managed uniformly and tracked constantly. To this end, Zecurion Zserver secures and protects confidential information at the processing and storage level on corporate servers. The Zserver Enterprise Key Management Server (EKMS) minimizes the administrative overhead of encryption by generating, storing, managing, and automatically loading encryption keys across the enterprise.
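To make the customer-managed key point and the key-management point of this section concrete, here is an added Go example of envelope encryption. It is not Zserver's or any vendor's code: each file is encrypted under a one-time data-encryption key (DEK), which in turn is wrapped under a key-encryption key (KEK) that only the customer's key server releases. The `KeyServer` type is a hypothetical stand-in for an enterprise key-management server, and the key ids and sample plaintext are constructed. Once the customer revokes a KEK, the stored ciphertext becomes useless regardless of where it is held, which is exactly the property the CMK paragraph describes. Only Go's standard library (AES-256-GCM) is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer stands in for a key-management server holding customer-managed KEKs (hypothetical).
type KeyServer struct {
	keks    map[string][]byte
	revoked map[string]bool
}

func NewKeyServer() *KeyServer { return &KeyServer{keks: map[string][]byte{}, revoked: map[string]bool{}} }

// GenerateKEK creates a fresh random 256-bit key-encryption key under the given id.
func (ks *KeyServer) GenerateKEK(id string) { ks.keks[id] = randomBytes(32) }

// Revoke withdraws the owner's KEK: every data key wrapped under it becomes unrecoverable.
func (ks *KeyServer) Revoke(id string) { ks.revoked[id] = true }

func (ks *KeyServer) kek(id string) ([]byte, error) {
	if ks.revoked[id] {
		return nil, errors.New("KEK " + id + " has been revoked by its owner")
	}
	if k, ok := ks.keks[id]; ok {
		return k, nil
	}
	return nil, errors.New("unknown KEK " + id)
}

// randomBytes draws n bytes from the OS CSPRNG; a failing crypto/rand is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; with fixed 32-byte keys neither constructor can fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts and authenticates plaintext, prepending the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or any tampering with the ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Envelope is stored with the data: ciphertext plus the data key wrapped under the KEK.
type Envelope struct {
	KekID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt makes a one-time DEK, encrypts the data with it, and wraps the DEK under the customer's KEK.
func Encrypt(ks *KeyServer, kekID string, plaintext []byte) (*Envelope, error) {
	kek, err := ks.kek(kekID)
	if err != nil {
		return nil, err
	}
	dek := randomBytes(32)
	return &Envelope{KekID: kekID, WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, plaintext)}, nil
}

// Decrypt must unwrap the DEK through the key server, so a revoked KEK blocks it wherever the data sit.
func Decrypt(ks *KeyServer, env *Envelope) ([]byte, error) {
	kek, err := ks.kek(env.KekID)
	if err != nil {
		return nil, err
	}
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

func main() {
	ks := NewKeyServer()
	ks.GenerateKEK("customer-kek-1") // constructed key id
	env, _ := Encrypt(ks, "customer-kek-1", []byte("constructed sample: payroll export"))
	pt, _ := Decrypt(ks, env)
	ks.Revoke("customer-kek-1")
	_, err := Decrypt(ks, env)
	fmt.Printf("before revocation: %q; after revocation: %v\n", pt, err)
}
```

Running it prints the recovered plaintext before revocation and an error afterwards. Because AES-GCM is authenticated, `Decrypt` also fails if a single byte of the ciphertext or of the wrapped key is altered, so a stored envelope cannot be silently tampered with; and since only the small wrapped DEK depends on the KEK, rotating or revoking keys never requires re-encrypting the bulk data, which is what keeps central key management tractable across many keys.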

According to a report by CSC, “While individuals are responsible for most data creation (70 percent), 80 percent of all data is stored by enterprises.” Encryption may not be the silver bullet that thwarts data breaches completely, but it is a necessary step towards mitigating the accidental or deliberate loss of critical and sensitive data. Enterprises, both small and large, should make it a mandatory requirement and implement encryption company-wide.