Four Examples of Data-Loss Prevention Gone Wrong

It is not uncommon today to come across media headlines decrying the massive loss of data in a private company or government department. These data breaches have far-reaching consequences for both these organizations and their customers. Often, private information gets into the wrong hands and can end up hurting many people.

Not long ago, the primary concern of IT departments was to protect data from outside threats such as hackers and viruses. However, today, internal threats take up of much of these departments’ time and energy, mainly due to the proliferation of web-based applications. In addition, insider threats remain largely undetected because sensitive information comes in and leaves the company on a daily basis through emails, file transfers, webmail and social media.

Needless to say, any data loss can be a cause of significant problems to the company. Loss of sensitive information can wreak havoc to a company’s reputation and financial position due to the cost required to fix the mess. No wonder it is estimated that 70% of SMBs experience a significant data loss collapse within a year. Additionally, no company or organization is immune to data loss.

Let’s now take a look at some real life examples of data loss prevention gone wrong. Luckily, these companies detected data-breach incidents early enough to fix the mess before they suffered any major loss. However, all those who act when it is too late may not be as lucky. That’s why some companies never recover due to negative PR, legal fees, regulatory fines and loss of consumer confidence.

AMAG Pharmaceuticals

AMAG is a pharmaceutical company based in Boston that employs over 300 people. It is heavily regulated, as expected of any company dealing in health and pharmaceutical products. It lost data when an HR folder that had not synced correctly was moved in Google Drive. Consequently, all files on the folder disappeared, including many that did not belong to the person moving the folder. The employee ransacked the trash and recycle bins, but the data had already been lost. Fortunately, AMAG had a backup software that allowed them to restore all of the files. Without the backup software, AMAG would have been in serious trouble with the regulators.

Battle Bogle Hegarty

Bartle Bogle Hegarty (BBH) is a leading marketing agency based in London. It has over 1,000 employees and volunteers. It works with some of the biggest brands in the world. Their data-loss story was a result of someone trying to help by cleaning up a client’s folder. As a result, more than 1,000 folders and files were lost, even those that didn’t originally belong to the user. The “helpful employee” checked both the trash and recycle bins, but the data had already been lost. These examples show that although employees are critical to the success of your business, they also pose the biggest threat to the security and safety of your company. BBH used backup software to salvage what they could, but the metadata was already gone. Knowing where sensitive information is stored and who is accessing it is a fundamental component of any data-loss prevention (DLP) strategy.

Alzheimer’s Association

You may have heard of the Alzheimer’s Association and their great mission to eradicate this disease. With over 2,800 employees and volunteers, the charity is engaged in care, support and research to combat Alzheimer’s disease. The organization suffered massive data loss caused by a departing employee who deleted all his emails on his way out. It is unclear whether the employee was trying to be helpful or was erasing his digital footprint in the company, but his actions had dire consequences. Among the emails deleted were those that were part of a major fundraising drive. This would be a huge blow to any charity because it means loss of contact information and pledges made.

Ashley Madison

Ashley Madison, a leading infidelity and married dating site with over 40 million users, suffered arguably the biggest data breach ever recorded. Crucial personal information, such as credit card information, names and contact information, was exposed. This violation was primarily seen as an inside job.

What Your Company Doesn’t Know About Data Loss Prevention

DLP has been around long enough now that your business understands its importance.  Your business knows that not having a DLP plan can expose the company to a myriad of risks – many of which are catastrophic.  Taken a step further, you know that threats exist inside and outside the company and, therefore, DLP operates in both realms.  Armed with this knowledge, your business has successfully implemented a DLP strategy and has continued to experience growth with less risk of tragic loss.  And, if your business is like others, that is where DLP has stopped.  It is working- why change it, right?  What your business doesn’t know about DLP is that these initiatives are moldable and need to be revisited as your business changes.  Said differently, DLP is a complex system that must be retooled overtime so that it continues to benefit your company and doesn’t leave any components exposed.

What Happens when Your Business Changes but Your DLP Plan is Not Re-Adapted

DLP is designed to be dynamic.  It is often designed around business processes, which are specific to the company implementing the plan.   Your business is unique and doesn’t operate the exact same way as others.  Over time, your business will evolve and these processes will need to be rekindled.

Take the sales process as an example.  Today, many companies are using mobile apps as a way to drive sales when previous methods may have required face to face meetings or telephone conversations.  It is the same process – sales – that is being completed in different systems, but in a manner that is diametrically different.  If the underlying process is changing so dramatically, shouldn’t the DLP initiative that protects the process also change?  After all, what might have been an effective method in the old system might very well be an outdated method in the new system.

A world of outdated DLP leads to two primary risks:

  • There are gaps in protection that expose the company to unnecessary risk of loss.
  • The old DLP plan uses outdated methods that weigh down the new process and therefore make it less effective. Both of these risks are reason enough to make sure that your DLP plan is updated as there are changes to your business.

The Good News

DLP is a completely flexible system that is built to benefit your business. As a result, updating your DLP plan as your business changes doesn’t have to be a complex and costly exercise.  In fact, many of today’s best DLP initiatives are modular in nature meaning that they can be implemented in phases so that your company is not shocked with too much change in too little time1.  So, if your business process is changing in steps, then you are also able to implement changes to DLP in those same exact steps.  This may also correlate to better cost control as you can align changes in one system with another thereby reducing the rework or additional work.

Just remember that DLP doesn’t work like a Band-Aid.  In other words, you can’t just put DLP in place and then expect it to work across all of your different business processes just to rip it off one day and have everything be magically healed.  This is actually good news because as your business changes, you are already in a position to recognize support systems that may also need to be updated.  It is, therefore, natural to retool DLP and other supporting systems simultaneously as the process also undergoes changes so that your business is in a better position to recognize any new critical data that needs protected before there is risk of exposure when the new system is live.  Further, this allows other data flows to be modified that may support the changing process so that the entire network is updated and works cohesively.

DLP as a System

Similar to your company, DLP is a system of processes that work together to accomplish their tasks2.  As one system changes, so must others in order to prevent gaps in coverage that may leave data exposed to risk.  DLP doesn’t work in isolation and nor does your company.  As a result, it is important to align changes in your DLP plan with changes in your business processes so that they continue to work in tandem towards your common goals.




1Fajer, Salo.  “Debunking the Common Myths of Data Loss Prevention (DLP).”  ITProPortal.  26 July 2016.

2Simon, Bryan.  “The Truth About DLP & SIEM:  It’s a Process Not a Product.”  Darkreading.  11 September 2015.

Breaking Five Common Myths in Data Loss Prevention

Data loss prevention (“DLP”) is an ever-growing development field. In that same light, the DLP of today is diametrically different than the DLP of yesterday. Let’s be real and admit that companies today are aware that DLP strategy is important, since today’s environment includes extremely high transferability of data across virtually an unlimited number of platforms and devices. While businesses a decade ago had the luxury of not worrying as much about DLP, their successors don’t get that same opportunity. A modern business knows proper DLP polices help prevent significant threats to the organization, sales pipeline and structure. Here are 5 DLP myths that need to be broken so DLP strategies can be implemented and can operate more effectively.

Myth # 1: DLP Requires a Vast Amount of Resources to Maintain

This myth is riddled in small and medium enterprises. Rightfully so, because there is a perception that DLP requires resources that may not fit everyone’s budget. To be fair, it is always important in the business world to weigh costs and benefits, and a DLP initiative shouldn’t be treated any differently. However, modern DLP systems don’t have to cost an arm and a leg to implement and to maintain. In fact, most modern DLP systems have been developed to be flexible and to cater toward a multitude of budgets with different goals in mind. Gone are the days where DLP was made from a cookie-cutter formula with a set cost and result1.

Myth # 2: There is a Significant Lead Time in DLP – by the Time it is Implemented, it is already Outdated

Historic DLP initiatives took time to implement. This often caused frustration, due to the danger that by the time the DLP process was fully operational, enough developments in the market would outdate the current system. Modern DLP works differently, however, in that the processes are more segmented and built to work individually and in unison. The result is that DLP systems can be implemented in timely phases that allow for the acceleration of the DLP strategy and the ability to cater the implementation based on real-time development1.

Myth # 3: DLP is One Person’s Problem, but Not Mine

Successful DLP is built around a company culture and strategy. As a result, DLP cannot be tossed off as one person’s problem instead of a company-wide problem. What this means is that today’s DLP initiatives need to be shared in the company. This is due to the proliferation of electronic data use across businesses—even the junior-most employee often has significant access to data that needs to be protected! As a result, today’s DLP must be built around a culture of training, learning and responsibility across all levels2.

Myth # 4: Once we Implement DLP, we can let it Ride to do its Work Without Monitoring

Wouldn’t it be great if this were the case? Unfortunately, it is not so. Though today’s DLP has evolved to the point where it can be left to many effective automated processes, there is still a degree to which monitoring and improvement are necessary. Said differently, a DLP strategy is a living system, similar to other business processes. Therefore, once a DLP system is implemented, there should be additional systems in place to continuously grow and work with the system so it is more effective over time. DLP systems are like gardens: They need to be maintained or there is risk of weed overgrowth3.

Myth # 5: Let’s Just Protect the Most Important Things and let the Rest be at Risk. The Other Stuff isn’t As Important, so who Cares if the Small Stuff Slides?

DLP systems do not work in a vacuum. It is often a trap that the fiscally concerned may consider—cut out some DLP concepts to save in the short term. To reiterate, DLP systems are not effective if there are weak spots all around. Actually, weakness in one area may lead to weaknesses elsewhere downstream. To be effective, DLP systems should be set up to work in unison without one area being a strong spot at the expense of another. Companies need to focus on making sure the whole DLP system operates effectively4.

DLP initiatives are important. Nevertheless, a number of myths still swim around in the market and can prevent a business from realizing its full DLP potential. Being on top of these myths is important and can add value to any business looking to further its DLP initiatives.


1Fajer, Salo. “Debunking the Common Myths of Data Loss Prevention (DLP).” ITProPortal. 26 July 2016.

2The Absolute Security Insider. “Posts with Tag: Data Loss Prevention.” Absolute. 22 June 2016.

3IT Business Edge. “Data Loss Prevention: 5 Reasons You Need to Step up Your     Game.”

4Kolochenko, Ilia. “Five Most Common Myths About Web Security.” CSO. 3 May 2016.

2017 Developments in Data Loss Prevention

Do insiders pose the greatest threat to data loss in an organization?  Recent statistics indicate the answer is yes.  Actually, according to one study, over 90% of all cyberattacks were conducted by an insider1.  The overwhelming result is that companies must focus on preventing data loss by getting ahead of insider threats that may be due to both malicious intent and accidental occurrence.  Here are four developments for 2017 that you should focus on in conjunction with your overall insider data loss prevention (“DLP”) strategy.

  1. Detecting Data at Risk

Locating and prioritizing potential threats and data that is subject to those threats is a key concern for 2017 data loss prevention initiatives.  But before the threats can be acknowledged, the items at risk must be identified first.  Today’s companies will store many gigabytes of data across a large number of products and services.  As a result, it is critical to implement a proactive system of detection in order to actually flag data and activities that may be subject to a threat in the first place1.  Once pertinent data or activity is identified, the company will have better ability to decide how to protect it or whether additional protection protocols are necessary.

  1. Development at All Levels

Data loss prevention largely occurs because of employee error or accident.  But, the past was stricken with feedback often occurring after the fact or only certain levels of employees receiving the necessary training.  2017 data loss prevention initiatives should include active development of all levels in order to prevent significant inadvertent data loss.  These initiatives focus on the importance of providing the necessary training to all levels in the company and not just a select few.  The benefit of involving all personnel is that this creates an organizational culture focused around preventing data loss.  Said differently, organizations in 2017 should be intent on rallying the entire organization from the top down and bottom up to ensure data loss prevention strategies are implemented on a company-wide level3.

  1. Continued Move to the Cloud

As with many other applications, 2017 developments continue to push data to cloud-based platforms.  This is driven heavily by the sustained use of mobile which keeps data moving between sources.  This mobile data opens doors to data loss since most of the time users transmit the data well before they are logged into a regulated system.  2017 developments include a focus on using cloud-based platforms to better assist in predicting mobile data as well as to better discover and to understand potential gaps2.

Emphasis should also be placed on the balance between controls that offer oversight and efficiency.  Many traditional systems involving cloud platforms prevented data loss but were paired with extreme inefficiency.  Said differently, there were traditionally a number of applications that monitored mobile data that caused processes to be bulky and overdeveloped.  2017 developments should include processes focused on bolstering protection and efficiency simultaneously2.

  1. Managed Services

The field of data loss prevention continues to experience rapid growth.  Companies are continually drawn to data loss prevention initiatives in part due to lack of resources and time to monitor internally; however, additional drivers include increased regulation and large scale changes in breadth and depth of data reach.  Often times, companies are not even aware of the volume of data that needs to be protected.  The solution often lies with managed services, which leverage outside contractors who are better skilled at handling data loss prevention.  Managed services should be considered since they offer an independent vendor who can better monitor systems without the potential for insider bias2.

Data loss prevention continues to be a hot topic in 2017 with significant developments.  These developments include detecting at risk data, company-wide education, cloud movements and managed services.  As these services expand, the goal is to cut down significantly on costly insider data breeches that could have substantial negative impact on the company.




1Friedlander, Gaby.  “The Connection Between Insider Threat and Data Loss Prevention.”  Observe IT.  2015 November 2.  27 February 2017.

2Reed, Brian and Kish, Deborah.  “Magic Quadrant for Enterprise Data Loss Prevention.”  Gartner.  16 February 2017.  23 February 2017.

3Brittain, Jac.  “Retail Technology Trends Shaping the Future of Loss Prevention.”  LPM Insider.  2016 November 28.  27 February 2017.

Building a Better Data Loss Prevention Strategy in 2017

Data loss might not seem preventable when you have no plan in place. You might (correctly) think that threats are coming at you from every angle.

But when you sit down and create a data loss prevention strategy from scratch, the idea of preventing this loss becomes much more clear. That’s why we’ve broken down a few of the simplest steps for drafting a data loss prevention strategy that will keep your company covered in 2017:

Step One: Evaluation—How Successful Was Your Strategy in 2016?

When looking back at your performance in 2016, the answer should be obvious: was your strategy sufficient or not?

If it wasn’t, then you’re looking at an overhaul. Specifically targeting the prevention of data loss from an internal perspective should be one of your chief priorities.

If it was, then now’s the time to innovate and stay one step ahead of the curve. What can you do to improve on last year’s performance? How might you stop data loss from internal leaks? What are the best practices you can implement as soon as possible to have a dramatic impact on the quality of your 2017 data security?

These are the essential questions you need to ask if you want your strategy to be better in 2017. Be brutally honest with yourself as you evaluate. The more honest your evaluation, the better your chances are for 2017.

Step Two: Figure Out Your Biggest Threat

After evaluation, one of the most important questions you can ask is where you think the biggest threat to your data security will come in 2017.

Will it come from an external source? Do you need to prevent hacking and phishing as you look at ways to stop data loss?

Or is the more nefarious threat from internal sources who have greater access?

Chances are, if you’ve already taken some steps to shore up your data security, the biggest threat will come from the inside. Some of these urgent threats include:

  • Contractors
  • Employees
  • Business partners
  • Compromised internal accounts
  • Careless treatment of security by insiders (non-malicious)

If it sounds incomprehensible that your data loss might come from the inside, remember that many organizations just like yours struggle with these threats every single year.

Whether a data leak occurs because someone on the inside has non-malicious intent or malicious intent doesn’t matter. What matters is identifying these threats before they happen so you can take steps to prevent them.

Step Three: Address the Top Issues

Now that you know a few of these top issues, your data loss prevention strategy needs to address them.

Simply put, how are you going to prevent data loss now that you know what the threats are?

Try taking an approach that’s just one step at a time. For example, you might focus on data breaches from contractors. There are a number of steps you could take here, including examining your current contracts and how IT is managed with contractors. You can look at what each contractor has access to when it comes to your private data. Do they have more access than they need? If so, trimming this access is a great first step.

Addressing one issue at a time might feel slow, but it’s a perfectly valid strategy when it comes to data loss.

Although you can’t plan to cover every single possible leak in data loss prevention, simply taking action rather than putting data loss on the backburner will help you build a stronger and more flexible organization when it comes to handling data loss.

Step Four: Choosing Your Area of Focus

Finally, you have to pick where you’re going to focus.

For many organizations, this will be where you’re most vulnerable. Maybe back in step one—when you did your evaluation—you found that one data loss area might be your weakest. While that can be alarming in one sense, the good news is that you’re now aware of this problem before any major data loss event.

Choose the priorities that will make the most difference in your data loss prevention. If you have quality defenses from external threats but none for internal threats, make that your focus, and vice versa.

The key here: keep in mind that data loss prevention isn’t just identifying the issues, but taking positive steps to intervene and install new best practices.

With the right strategy in place, you’ll have a far better chance of preventing data loss and enjoying a more secure company environment.

10 Reasons Why You Need Data Loss Prevention More Than Ever

10 Reasons Why You Need Data Loss Prevention More Than Ever

In 2017, the many instances of data breaches and data loss are well-known. Data moves faster than ever, and you need to stay on top of it.

That’s why data loss prevention is becoming an even bigger priority for companies across a range of industries. Don’t believe us? Take a look at some of the most compelling reasons to embrace data loss prevention today:

Reason #1: Data Has Never Been Easier to Transmit

A hack in Yahoo!’s email database last year saw one single data theft affecting some one billion accounts.

There are a lot of lessons to keep in mind here. But perhaps most important: data has never been so easy to transmit. One single instance of data loss can mean tremendous amounts of data leaking from your company or organization. And it can all happen in an instant.

Reason #2: There Are More Solutions Than Ever Before

If Reason #1 scared you, then this reason will give you a little hope. With enhanced technology come enhanced solutions. Simply put, there are more solutions for your data loss prevention than ever before, which means that implementing a solution that works doesn’t have to be a major chore.

You will have to find a solution that suits your industry and your company. But when it comes to preventing data loss, that kind of choice is ultimately not difficult relative to a data breach.

Reason #3: Data is More Important Than Ever

In today’s fast-paced corporate environment, the data that you use and organize is more important than ever. Knowledge truly is power, which is why your exclusive data doesn’t only need to remain private, but in certain cases, it needs to remain proprietary.

If data is more important than ever, it only follows that your data loss solutions should be emphasized this year.

Reason #4: Hacking and Leaks are Growing More Sophisticated

While technology to prevent data loss is improving, so are the hacks to get around these issues. Whether a data leak comes from simply remembering data or is done through hacking, you have to have a data loss prevention plan that accounts for each different type of leak.

Reason #5: You Don’t Know What You Don’t Know

Data loss prevention sounds like a great idea, but any organization will have some blind spots. Simply put, you don’t know what you don’t know, which is why data loss prevention can be put in place to cover for those blind spots.

What does this mean? You might not be sure where your confidential information is being stored, or you might not know the measures you have in place to secure it. Data loss prevention helps bring these issues to the forefront.

Reason #6: Word About Data Loss Gets Around Quickly

We live in a world of instantaneous breaking news and fast-as-light social media. If you’re going to maintain a positive image for your company, preventing data loss from ever happening should be a priority. Reacting to a negative story isn’t as pleasant as preventing the negative story in the first place.

Reason #7: Adhering to Rules and Regulations

If you want to stand up to scrutiny, you need to have the data loss prevention in place that makes your organization look good. But it shouldn’t just look good. You really should be in tune with the rules and regulations about data loss prevention, making sure not to overstep your bounds or be underprepared in any way.

Reason #8: You Have More Information to Protect

As your organization grows, so does the information with which you’re entrusted. When you have more and more data protect, your responsibility grows with the storage. Failing to protect this data will lose trust amongst customers and employees.

Reason #9: You Need to Control Your Own Corporate Network

Some of the problems associated with data loss prevention are symptoms of deeper challenges. If you don’t have control over your own systems, of course data loss prevention is going to be a problem. Data loss problems can serve to highlight what you need to fix in your company philosophy.

Reason #10: Data Loss Prevention Is Possible

Finally, you don’t have an excuse to not prevent data loss given all of the options on the market today. If it’s up to you to prevent data loss, now is the time to take action to secure your company and your data.

Who is Responsible for Security Enhancements in an Organization? Everyone!

Data is perhaps an organization’s greatest intangible asset.  Accounting principles say it can’t be valued on a balance sheet, but it is undeniable that the ability to harness, to transform and to understand data is paramount to an organization’s operating strategy and outlook.  Recent statistics even suggest that a small improvement in data understanding could increase a company’s net income by millions of dollars.1  This is a gripping statistic.  However, what is more compelling is that well over half of all organizations will experience significant data loss at some point due to a significant external event.2

This begs the question, who is responsible for security enhancements in an organization to ensure data loss prevention (“DLP”)?  The short answer to this question is everyone, starting at the top of the C Suite and extending down to the newest hire.

DLP should be aligned with the overall objectives of the business.  As with most things in the corporate sense, policy starts at the top.  This means that broad-based DLP policies need to be instituted from the executive level and carried throughout the organization.  Executives should consider polices such as limiting personnel to access only data that is needed to complete their specific jobs, access credentials and limitations on devices that can be used to store data away from company control and continuing professional education to ensure that all staff are aware of the existence and purpose of such policies.  These three factors are critical to enhancing security in a business because studies have largely revealed that most data leaks occur due to unintentional incidents from employees and outside vendors.3

Polices, by themselves, are unable to stand alone without enforcement.  After DLP policies are instituted, there needs to be broad-based systems and controls established that focus on both preventing and detecting possible threats.  Enforcement can take on a number of identities, but may include both passive and active administration.  Passive administration may include software designed to notify appropriate stakeholders when data is released to an unauthorized source or may include stringent processes that users must follow in order to move or access levels of data.  Passive administration should cast a wide net so that a number of external threats can be mitigated without continuous supervision.  Active administration, on the other hand, requires supervision through manual processes and testing.  Active administration may include an internal audit function conducting periodic tests of details and controls or levels of management that separate duties between preparation, authorization and custody.  These active processes should be conducted on a periodic basis with independence in mind so that personnel will not be bias in their findings.

The final key to successful security enhancements in an organization is continuous improvement.  This is largely driven by the entire team but starts with the lower operating levels.  DLP policies should define a set of feedback channels that allow for communication from the bottom to escalate to the appropriate managers who then have certain authorities to take action.  This feedback loop should be continuous and allow for meaningful revision of policies and assessment of operating protocols.  Initiatives in this arena should include ways to make processes more effective but less burdensome to complete.  Further, the feedback loop needs to be reliable such that the information is able to reach the appropriate party who then has the ability to actually implement the change.

Security enhancements in an organization is everyone’s responsibility.  Policy starts at the top and trickles down to even the newest associate.  These new associates are responsible for carrying out the tasks and providing meaningful feedback as to the operation of the DLP policies.  Managers are then required to escalate, as appropriate, and provide meaningful guidance on how to solve complexities.  In that light, DLP policies are not limited to software and hardware controls, alone.  Instead, these policies are strategic initiatives that should be aligned with the organization’s overall goals so that there can be a culture of continuous improvement from the top down and the bottom up.


1Marr, Bernard.  “Big Data:  20 Mind-Boggling Facts Everyone Must Read.”  Forbes.

2Thornton, Katie.  “11 Stats on Data Loss You Need to Know.”  Datto.

3Ernst & Young LLP.  “Data Loss Prevention.”  Ernst & Young LLP.  

Instant Messaging Apps – an Instant Threat

The Internet has revolutionized communication forever. Remember the time you’d spend all your money on text messages and multimedia messages? Those days are long past. Real-time and instant messaging is the rage now, allowing you to stay connected with friends round the clock. Apart from simple text messages, they also allow you to exchange voice messages, video recordings and pictures, and even allow you to make voice/video calls with clarity unlike ever before. All of this and more at no cost at all!

Facebook Messenger, Whatsapp, and Google Hangout are some of the more popular messaging applications the world over. Other old favorites are Viber, Snapchat, and WeChat. All these applications allow you to send and receive texts, share pictures, videos, and other files. These days IM apps also allow users to make voice and video calls and send voice messages. Group chats are also permitted in most of these applications. The new IM apps that are gaining popularity are LINE, Telegram, Kik Chat. Even applications that are traditionally not meant for messaging such as Instagram now allow users to send private messages and thus work like IM applications. Applications like Whatsapp and Snapchat have recently introduced encrypted messaging which is a secure form of messaging.

Data Leaks and Security Threats

While IM applications have definitely brought the world to our fingertips, they have also opened up gaps for hackers to steal personal and sensitive data. From identity thefts to stealing financial and corporate information, IM apps make just about everything possible. More the integration, greater the risk of a data leak through the messaging app.

Some common threats to our data and security come in the form of strangers posing as friends, seeking personal or financial information, passwords etc. Sneaky hackers send IMs from a new number with your friend’s name and photograph. Identity theft is as serious as financial theft. Sharing of devices or IM accounts with acquaintances can also leads to serious breach of security, often from unexpected quarters. Unauthorized access to smartphone or mobile device by guests, colleagues, or friends is another security threat. Accidental data sharing to groups while the intended recipient is an individual is very common.

Malware stealing personal, proprietary  and financial information can be installed into your smartphone, sneaked in by videos or links sent by unknown senders. Similarly, you must look out for new and unknown IM applications which could be created in order to steal personal data.

Data Leaks Prevention and Precautions

There are some simple precautions that can be taken to prevent data leak through IM applications. Personal information and sensitive corporate information should not be disclosed to anyone without establishing their identity. Do not be fooled by the DP (Display Picture) and name. Your friends and colleagues will never ask you for your details and passwords over IM. When you find strangers asking for your personal/financial information, do not hesitate to be generous with the “Block” button. Never share your passwords and sensitive data with anyone, not even bank personnel or colleagues you are working with over IM. It is best if you do not save your credit card or bank account details in any phone or mobile device.

If at any time you are under compulsion to send your personal information or credit card details to a family member or friend over IM, or if a colleague needs some sensitive information that is holding back a deal or a project, ensure that the chat uses end-to-end encryption. In case of latter, it is best to implement a mobile data loss prevention solution to prevent data leakage over mobile phones.

Activating the numeric lock or fingerprint reader is a good precaution to keep your device safe. This simple measure will ensure that no one can access your smartphone or mobile device when you’re not around. Lock IM apps with a pattern reader for added protection. Refrain from accessing web versions of IM applications from public computers.

Hacking, phishing, and phreaking are some of the top security threats in the world of technology these days.  Never click on links sent to you by unknown people. Malware are often sent in the form of innocuous links or even videos. These are installed in your smartphone or mobile device when you click them and transmit information that you send over messages. Also, do set all system downloads to “manual” to avoid unintended malware installation on your mobile device.

Messaging Apps bring our dear ones closer. They also make corporate teams work more closely together. But unfortunately, they also bring the wily data thief within harming distance. With a little precaution your instant messaging can be made as safe as a face-to-face conversation.

12 Ingredients for Creating a Successful Incident Response (IR) Plan

In AT&T’s latest Cybersecurity Insights report, 62 percent of organizations acknowledged they were breached in 2015. However, only 34 percent believe they have an effective incident response plan.

When faced with a potential data breach, or any incident that may potentially harm organizations and their customers, an incident response plan, or IRP, is required to protect an organization’s data and, thereby, its reputation. If IRPs are not implemented properly, organizations may not be able to recover quickly from data loss. An IRP helps to identify the best possible data loss prevention (DLP) activities that help safeguard organizations and quickly restore normal business operations. A well-defined security IRP will help safeguard against losses in case of a DL incident, a natural disaster, an external breach of critical data or IP, or an insider threat.

According to the 2016 SANS Institute survey on the state of IR, 29 percent of respondents report a remediation time of two to seven days. A lack of skilled personnel is aggravating the problem, as 65 percent of respondents reported the lack of personnel was impeding their ability to respond to incidents.

12 Common Ingredients of Implementing IRPs
IRPs cannot be a one-size-fits-all system. Every organization has its own needs. Over the years and based on many studies, the following common ingredients have been identified:

  1. Prepare: According to CISO, the team that handles threats, dealing with the fallout from a breach requires the efforts of the entire company. This requires team effort and training. Everyone must be made aware of who to report to on the IT team in case they observe something suspicious.
  1. Get approvals: IRPs are not implemented if they are not approved by the Board of Directors. It is critical to make this group understand, and get involved in, the whole process of an IRP implementation from the initial stages so that they are aware of the severe repercussions of a data loss. Once they accept the criticality of a DLP activity, creating a successful IRP will be easy.
  1. Define the team and scope ahead of time: IRP developers need to define cross-organizational goals and allocate appropriate resources, leaders, roles, and responsibilities. Everyone must know ahead of time what should be done when. The core team may comprise of individuals from privacy, security, legal, and IT who call on other departments as the need requires. Identifying the scope of IRP will allow team members to assemble the components into an effective plan.
  1. Identify measurements and matrices: For a robust IRP, organizations need to define in advance key metrics such as time to detection, time to report an incident, time to triage and investigate, the number of false positives, and the nature of the attack indicators that will be measured in case of a breach.
  1. Hold test runs: Companies must play out the various breach scenarios – something like a mock fire drill, just to ensure things are in place. This helps in identifying weak points and risk factors, and thus leads to a crisper IRP.
  1. Check alerts that appear benign: IT professionals must be very observant when checking for signs of compromises and threats, and they must never disregard a regular user’s doubts. The PCI Security Standards Council states that one of the biggest risks to an organization’s information security is often the action or inaction by employees that can lead to security incidents.
  1. Document the IRP, and keep it updated: Documenting an IRP helps organizations consider different scenarios, their implications, and the tools needed to mitigate the damage. DL assessments are part of every IRP and must be documented to support an organization’s burden of proof. An IRP must be a “living document,” that must always be kept updated. New threats from malware, identity theft, and unencrypted mobile devices are putting protected health information (PHI) at risk. An IRP should reflect these new dangers.
  1. Dont overlook your refineries and factories: Many organizations need to run industrial systems in parallel, such as an oil refinery or a factory that manufactures drugs. Such organizations usually do not feel the need to implement an IRP, thinking hackers won’t target these locations. This, more often than not, leads to a breach resulting in losses.
  1. Contain and remediate: Once an affected system has been identified, take it offline, and use it to conduct a post-mortem as to the how and what of the breach. After the root cause is identified, control the spreading of such breaches further before it affects the entire organization. The findings and details of the breach must be noted carefully, and action must be taken so that there’s no room for similar attacks to re-occur. The focus should be on investigating the malware’s techniques and infection vector so that a robust eradication and prevention plan may be developed.
    According to Marsh & McLennan Companies, “Once an organization experiences a data breach, the response is to secure defenses to make sure that history does not repeat itself.”
  1. Plan for a follow-up budget and resources: According to Gartner, Inc., 75 percent of enterprises’ information security budgets will be allocated for rapid detection and response approaches by 2020, up from less than 10 percent in 2012.
  1. Follow up: For future containment, learning and improvement, and detection, IRPs require the cooperation of an entire organization, not just the IT and security departments. For example, a bank handling the impact of a breach will need help from its PR staff, from its Web development team, from the HR team, etc.
  1. Align and integrate the IRP with an organization’s existing business continuity plans (BCP), data loss prevention (DLP) policies, and disaster recovery plan (DRP): Prioritizing the assets to rebuild to ensure business-as-usual quickly is very critical. The prioritized inventory must be updated and amended regularly as business needs evolve.

MAPFRE Settlement- An Expensive Lesson in Data Security

data loss preventionMAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) has agreed to pay a whopping $2.2 million in fines to enter into a settlement with the HHS Office of Civil rights for violations of the HIPAA privacy and security rules.

At the heart of this multi-million dollar storm was a humble USB pen drive.

On September 29, 2011, the unencrypted USB data storage device was left unsecured in the IT department of MAPFRE. This drive contained records of 2,209 individuals, including their full names, dates of birth and Social Security numbers. The pen drive was stolen overnight.

MAPFRE reported the device theft to OCR 55 days later. (60-days is the maximum time frame for reporting and announcing PHI breaches). OCR then launched an investigation to ascertain whether any HIPAA Rules had been violated. This is standard protocol for all breaches of ePHI that impact more than 500 individuals.

As the investigation proceeded, OCR discovered not one but several HIPAA non-compliance issues.

Officials at OCR determined that MAPFRE showed a callous attitude towards data protection  by not putting necessary safeguards in place to prevent the theft. MAPFRE had-

  • Failed to conduct required risk and vulnerabilities assessments to test the “confidentiality, integrity, and availability” of the ePHI under their control,
  • Did not implement any appropriate security measures
  • Had neglected to implement required security awareness and training programs for their workers.

As per the corrective action plan, MAPFRE was expected to:

  • Conduct a risk analysis and implement a risk management plan
  • Implement process for evaluating environmental and operational changes
  • Review – and revise if necessary – its current Privacy and Security Rules policies and procedures
  • Distribute the policies and procedures and assess, update, and revise them as necessary
  • Give regular training to workforce members and certify they’ve received it

MAPFRE delayed implementation of corrective measures that it had told OCR it would undertake. So despite the submission of a breach report to OCR on August 5, 2011, MAPFRE Life did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR director Jocelyn Samuels said in a statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

The resolution amount was decided upon after taking the financial position of MAPFRE into consideration as well as keeping in mind the number and severity of its HIPAA violations. Not only does OCR require payment of $2,204,182 as fines, MAPFRE is also expected to adopt a corrective action plan that addresses all areas of noncompliance.

HHS states on its website, that “A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.” It also says that “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”

OCR has increased its enforcement of HIPAA Rules in recent years, with 2016 being a year when they made more settlements than in any other year to date. Last year alone a dozen healthcare organizations settled possible HIPAA violations with OCR. Earlier this year, Presence Health, a healthcare network serving residents of Illinois, agreed to pay OCR $475,000 due to an unnecessary delay in breach notification after the patients’ protected health information was exposed. OCR won’t be letting up on its aggressive enforcement pace of 2016 when it collected a record $23.5 million in HIPAA breach settlements, a steep rise up from $6.2 million in all of 2015.

There are some expensive lessons in these settlements that all HIPAA covered entities should pay heed to. Risk assessment and analysis can go a long way in keeping data secure. There should be a comprehensive risk management plan in place. In case of a breach, companies should make quick and accurate representations to OCR and should follow through on any commitments made to OCR.

Last but not the least, leaving unencrypted portable devices/drives is never a good idea and a humble USB pen drive can sometimes prove to be very very costly.