Category Archives: Data Loss Prevention

Building a Better Data Loss Prevention Strategy in 2017

Data loss might not seem preventable when you have no plan in place. You might (correctly) think that threats are coming at you from every angle.

But when you sit down and create a data loss prevention strategy from scratch, the idea of preventing this loss becomes much more clear. That’s why we’ve broken down a few of the simplest steps for drafting a data loss prevention strategy that will keep your company covered in 2017:

Step One: Evaluation—How Successful Was Your Strategy in 2016?

When looking back at your performance in 2016, the answer should be obvious: was your strategy sufficient or not?

If it wasn’t, then you’re looking at an overhaul. Specifically targeting the prevention of data loss from an internal perspective should be one of your chief priorities.

If it was, then now’s the time to innovate and stay one step ahead of the curve. What can you do to improve on last year’s performance? How might you stop data loss from internal leaks? What are the best practices you can implement as soon as possible to have a dramatic impact on the quality of your 2017 data security?

These are the essential questions you need to ask if you want your strategy to be better in 2017. Be brutally honest with yourself as you evaluate. The more honest your evaluation, the better your chances are for 2017.

Step Two: Figure Out Your Biggest Threat

After evaluation, one of the most important questions you can ask is where you think the biggest threat to your data security will come in 2017.

Will it come from an external source? Do you need to prevent hacking and phishing as you look at ways to stop data loss?

Or is the more nefarious threat from internal sources who have greater access?

Chances are, if you’ve already taken some steps to shore up your data security, the biggest threat will come from the inside. Some of these urgent threats include:

  • Contractors
  • Employees
  • Business partners
  • Compromised internal accounts
  • Careless treatment of security by insiders (non-malicious)

If it sounds incomprehensible that your data loss might come from the inside, remember that many organizations just like yours struggle with these threats every single year.

Whether a data leak occurs because someone on the inside has non-malicious intent or malicious intent doesn’t matter. What matters is identifying these threats before they happen so you can take steps to prevent them.

Step Three: Address the Top Issues

Now that you know a few of these top issues, your data loss prevention strategy needs to address them.

Simply put, how are you going to prevent data loss now that you know what the threats are?

Try taking an approach that addresses one issue at a time. For example, you might focus on data breaches from contractors. There are a number of steps you could take here, including examining your current contracts and how IT is managed with contractors. Look at what each contractor can access when it comes to your private data. Do they have more access than they need? If so, trimming that access is a great first step.
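The contractor access review described above can be run as a simple entitlement diff: compare what each account holds against what its role actually needs, and list what can be removed. The following is an added example, not code from the original post; the role definitions, account names and grant strings are constructed sample data, and a real review would pull them from the identity provider or the application's own access lists.

```python
"""Least-privilege access review for contractor accounts (added example).

Compares each account's granted entitlements against the entitlements its
role needs and reports the surplus. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# What each role legitimately needs to do its job (constructed sample data).
ROLE_NEEDS = {
    "web-contractor": {"repo:web:read", "repo:web:write", "jira:web"},
    "payroll-contractor": {"hr:payroll:read", "hr:payroll:export"},
}


@dataclass
class Account:
    name: str
    role: str
    grants: set[str] = field(default_factory=set)


# Constructed sample accounts: two of them hold more than their role requires.
ACCOUNTS = [
    Account("alice-contractor", "web-contractor",
            {"repo:web:read", "repo:web:write", "jira:web", "hr:payroll:read"}),
    Account("bob-contractor", "payroll-contractor",
            {"hr:payroll:read", "hr:payroll:export", "db:customers:read",
             "repo:web:read"}),
    Account("carol-contractor", "web-contractor",
            {"repo:web:read", "jira:web"}),
]


def excess_grants(account: Account, role_needs=ROLE_NEEDS) -> list[str]:
    """Return the grants an account holds beyond what its role needs.

    An account whose role is not in the role table is treated as needing
    nothing, so every grant it holds is reported for review.
    """
    needed = role_needs.get(account.role, set())
    return sorted(account.grants - needed)


def review(accounts=ACCOUNTS, role_needs=ROLE_NEEDS) -> dict[str, list[str]]:
    """Map each over-privileged account name to the grants it should lose."""
    findings = {}
    for acct in accounts:
        extra = excess_grants(acct, role_needs)
        if extra:
            findings[acct.name] = extra
    return findings


def revocation_plan(accounts=ACCOUNTS, role_needs=ROLE_NEEDS) -> list[tuple[str, str]]:
    """Flatten the review into (account, grant) pairs for ticketing or scripting."""
    return [(name, grant)
            for name, grants in review(accounts, role_needs).items()
            for grant in grants]


if __name__ == "__main__":
    for name, grants in review().items():
        print(f"{name}: remove {', '.join(grants)}")
```

Running it lists `alice-contractor` with a payroll read grant a web contractor does not need and `bob-contractor` with customer-database and repository access outside the payroll role; `carol-contractor` holds a subset of her role's needs and is not reported. The review is deliberately one-directional: it only flags surplus, because missing grants are an operational problem, not a data loss one.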

Addressing one issue at a time might feel slow, but it’s a perfectly valid strategy when it comes to data loss.

Although you can’t plan to cover every single possible leak in data loss prevention, simply taking action rather than putting data loss on the backburner will help you build a stronger and more flexible organization when it comes to handling data loss.

Step Four: Choosing Your Area of Focus

Finally, you have to pick where you’re going to focus.

For many organizations, this will be where you’re most vulnerable. Maybe back in step one—when you did your evaluation—you found that one data loss area might be your weakest. While that can be alarming in one sense, the good news is that you’re now aware of this problem before any major data loss event.

Choose the priorities that will make the most difference in your data loss prevention. If you have quality defenses from external threats but none for internal threats, make that your focus, and vice versa.

The key here: keep in mind that data loss prevention isn’t just identifying the issues, but taking positive steps to intervene and install new best practices.

With the right strategy in place, you’ll have a far better chance of preventing data loss and enjoying a more secure company environment.

10 Reasons Why You Need Data Loss Prevention More Than Ever

In 2017, the many instances of data breaches and data loss are well-known. Data moves faster than ever, and you need to stay on top of it.

That’s why data loss prevention is becoming an even bigger priority for companies across a range of industries. Don’t believe us? Take a look at some of the most compelling reasons to embrace data loss prevention today:

Reason #1: Data Has Never Been Easier to Transmit

A hack in Yahoo!’s email database last year saw one single data theft affecting some one billion accounts.

There are a lot of lessons to keep in mind here. But perhaps most important: data has never been so easy to transmit. One single instance of data loss can mean tremendous amounts of data leaking from your company or organization. And it can all happen in an instant.

Reason #2: There Are More Solutions Than Ever Before

If Reason #1 scared you, then this reason will give you a little hope. With enhanced technology come enhanced solutions. Simply put, there are more solutions for your data loss prevention than ever before, which means that implementing a solution that works doesn’t have to be a major chore.

You will have to find a solution that suits your industry and your company. But when it comes to preventing data loss, that kind of choice is ultimately not difficult relative to a data breach.

Reason #3: Data is More Important Than Ever

In today’s fast-paced corporate environment, the data that you use and organize is more important than ever. Knowledge truly is power, which is why your exclusive data doesn’t only need to remain private, but in certain cases, it needs to remain proprietary.

If data is more important than ever, it only follows that your data loss solutions should be emphasized this year.

Reason #4: Hacking and Leaks are Growing More Sophisticated

While technology to prevent data loss is improving, so are the hacks to get around it. Whether a data leak comes from someone simply remembering data or from hacking, you need a data loss prevention plan that accounts for each type of leak.

Reason #5: You Don’t Know What You Don’t Know

Data loss prevention sounds like a great idea, but any organization will have some blind spots. Simply put, you don’t know what you don’t know, which is why data loss prevention can be put in place to cover for those blind spots.

What does this mean? You might not be sure where your confidential information is being stored, or you might not know the measures you have in place to secure it. Data loss prevention helps bring these issues to the forefront.

Reason #6: Word About Data Loss Gets Around Quickly

We live in a world of instantaneous breaking news and fast-as-light social media. If you’re going to maintain a positive image for your company, preventing data loss from ever happening should be a priority. Reacting to a negative story isn’t as pleasant as preventing the negative story in the first place.

Reason #7: Adhering to Rules and Regulations

If you want to stand up to scrutiny, you need to have the data loss prevention in place that makes your organization look good. But it shouldn’t just look good. You really should be in tune with the rules and regulations about data loss prevention, making sure not to overstep your bounds or be underprepared in any way.

Reason #8: You Have More Information to Protect

As your organization grows, so does the information with which you’re entrusted. When you have more and more data to protect, your responsibility grows with the storage. Failing to protect this data will lose trust amongst customers and employees.

Reason #9: You Need to Control Your Own Corporate Network

Some of the problems associated with data loss prevention are symptoms of deeper challenges. If you don’t have control over your own systems, of course data loss prevention is going to be a problem. Data loss problems can serve to highlight what you need to fix in your company philosophy.

Reason #10: Data Loss Prevention Is Possible

Finally, you don’t have an excuse to not prevent data loss given all of the options on the market today. If it’s up to you to prevent data loss, now is the time to take action to secure your company and your data.

Who is Responsible for Security Enhancements in an Organization? Everyone!

Data is perhaps an organization’s greatest intangible asset. Accounting principles say it can’t be valued on a balance sheet, but it is undeniable that the ability to harness, to transform and to understand data is paramount to an organization’s operating strategy and outlook. Recent statistics even suggest that a small improvement in data understanding could increase a company’s net income by millions of dollars. [1] This is a gripping statistic. However, what is more compelling is that well over half of all organizations will experience significant data loss at some point due to a significant external event. [2]

This raises the question: who is responsible for security enhancements in an organization to ensure data loss prevention (“DLP”)? The short answer is everyone, starting at the top of the C-suite and extending down to the newest hire.

DLP should be aligned with the overall objectives of the business. As with most things in the corporate sense, policy starts at the top. This means that broad-based DLP policies need to be instituted at the executive level and carried throughout the organization. Executives should consider policies such as limiting personnel to accessing only the data needed to complete their specific jobs; access credentials and limitations on devices that can be used to store data away from company control; and continuing professional education to ensure that all staff are aware of the existence and purpose of such policies. These three factors are critical to enhancing security in a business because studies have largely revealed that most data leaks occur due to unintentional incidents involving employees and outside vendors. [3]

Policies, by themselves, cannot stand without enforcement. After DLP policies are instituted, broad-based systems and controls need to be established that focus on both preventing and detecting possible threats. Enforcement can take a number of forms, but may include both passive and active administration. Passive administration may include software designed to notify appropriate stakeholders when data is released to an unauthorized source, or stringent processes that users must follow in order to move or access levels of data. Passive administration should cast a wide net so that a number of external threats can be mitigated without continuous supervision. Active administration, on the other hand, requires supervision through manual processes and testing. Active administration may include an internal audit function conducting periodic tests of details and controls, or levels of management that separate duties between preparation, authorization and custody. These active processes should be conducted on a periodic basis with independence in mind so that personnel will not be biased in their findings.

The final key to successful security enhancements in an organization is continuous improvement. This is largely driven by the entire team but starts with the lower operating levels. DLP policies should define a set of feedback channels that allow communication from the bottom to escalate to the appropriate managers, who then have certain authorities to take action. This feedback loop should be continuous and allow for meaningful revision of policies and assessment of operating protocols. Initiatives in this arena should include ways to make processes more effective but less burdensome to complete. Further, the feedback loop needs to be reliable, such that the information reaches the appropriate party, who then has the ability to actually implement the change.

Security enhancements in an organization are everyone’s responsibility. Policy starts at the top and trickles down to even the newest associate. These new associates are responsible for carrying out the tasks and providing meaningful feedback on the operation of the DLP policies. Managers are then required to escalate, as appropriate, and provide meaningful guidance on how to solve complexities. In that light, DLP policies are not limited to software and hardware controls alone. Instead, these policies are strategic initiatives that should be aligned with the organization’s overall goals so that there can be a culture of continuous improvement from the top down and the bottom up.
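The “passive administration” described above, software that notifies stakeholders when data leaves for an unauthorized destination, is in practice content-aware inspection of outbound messages. The following added example (not code from the original article or from any vendor product) shows the core of such a check: it looks for Social Security number and payment card patterns in a message body, validates card candidates with the Luhn checksum so random digit runs are not flagged, and raises a notification only when the recipient is outside the organization. The internal domain, sender and recipient addresses, and message bodies are constructed sample data.

```python
"""Content-aware outbound message check (added example, constructed data).

Flags messages that carry SSN- or payment-card-like data to external
recipients, returning a notification record instead of sending an alert,
so the decision logic can be exercised offline.
"""
import re

# Constructed: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example.com"}

# SSN in dashed form; excludes area 000, 666, 9xx and zero group/serial.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes (card candidate).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted_value) findings; never the full value."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def is_external(address: str) -> bool:
    """True when the address domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def inspect_message(sender: str, recipients: list[str], body: str) -> dict:
    """Decide whether a message should raise a DLP notification.

    Sensitive content to internal recipients is allowed (the policy here is
    about release to unauthorized sources); external plus findings notifies.
    """
    external = [r for r in recipients if is_external(r)]
    findings = find_sensitive(body)
    action = "notify" if external and findings else "allow"
    return {"action": action, "sender": sender,
            "external": external, "findings": findings}


# Constructed sample messages: internal SSN, external card, external noise.
SAMPLES = [
    ("hr@example.com", ["payroll@example.com"],
     "Employee SSN 123-45-6789 for onboarding."),
    ("sales@example.com", ["buyer@partner.test"],
     "Invoice ref 4111 1111 1111 1111 attached."),
    ("dev@example.com", ["friend@mail.test"],
     "Ticket 12345678901234567 is closed."),
]


def run_samples() -> list[str]:
    """Action decided for each constructed sample, in order."""
    return [inspect_message(*s)["action"] for s in SAMPLES]


if __name__ == "__main__":
    for sample, action in zip(SAMPLES, run_samples()):
        print(action, "<-", sample[2])
```

Only the second sample produces a notification: the first carries an SSN but stays inside the organization, and the third is a 17-digit ticket number that fails the Luhn check. Findings are redacted to the last four digits before they leave the function, because the notification itself should not become a second copy of the data it is protecting.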

Citations:

[1] Marr, Bernard. “Big Data: 20 Mind-Boggling Facts Everyone Must Read.” Forbes.

[2] Thornton, Katie. “11 Stats on Data Loss You Need to Know.” Datto.

[3] Ernst & Young LLP. “Data Loss Prevention.” Ernst & Young LLP.

Instant Messaging Apps – an Instant Threat

The Internet has revolutionized communication forever. Remember the time you’d spend all your money on text messages and multimedia messages? Those days are long past. Real-time and instant messaging is the rage now, allowing you to stay connected with friends round the clock. Apart from simple text messages, these apps also let you exchange voice messages, video recordings and pictures, and even make voice and video calls with clarity unlike ever before. All of this and more at no cost at all!

Facebook Messenger, Whatsapp, and Google Hangout are some of the more popular messaging applications the world over. Other old favorites are Viber, Snapchat, and WeChat. All these applications allow you to send and receive texts and share pictures, videos, and other files. These days IM apps also allow users to make voice and video calls and send voice messages. Group chats are permitted in most of these applications. Newer IM apps gaining popularity are LINE, Telegram, and Kik Chat. Even applications not traditionally meant for messaging, such as Instagram, now allow users to send private messages and thus work like IM applications. Applications like Whatsapp and Snapchat have recently introduced encrypted messaging, which is a more secure form of messaging.

Data Leaks and Security Threats

While IM applications have definitely brought the world to our fingertips, they have also opened up gaps for hackers to steal personal and sensitive data. From identity theft to stealing financial and corporate information, IM apps make just about everything possible. The more integration, the greater the risk of a data leak through the messaging app.

Some common threats to our data and security come in the form of strangers posing as friends and seeking personal or financial information, passwords, etc. Sneaky hackers send IMs from a new number with your friend’s name and photograph. Identity theft is as serious as financial theft. Sharing devices or IM accounts with acquaintances can also lead to serious breaches of security, often from unexpected quarters. Unauthorized access to a smartphone or mobile device by guests, colleagues, or friends is another security threat. Accidentally sharing data with a group when the intended recipient is an individual is very common.

Malware that steals personal, proprietary and financial information can be installed on your smartphone, sneaked in through videos or links sent by unknown senders. Similarly, you must watch out for new and unknown IM applications that could have been created in order to steal personal data.

Data Leaks Prevention and Precautions

There are some simple precautions that can be taken to prevent data leaks through IM applications. Personal information and sensitive corporate information should not be disclosed to anyone without establishing their identity. Do not be fooled by the DP (display picture) and name. Your friends and colleagues will never ask you for your details and passwords over IM. When you find strangers asking for your personal or financial information, do not hesitate to be generous with the “Block” button. Never share your passwords and sensitive data with anyone over IM, not even bank personnel or colleagues you are working with. It is best if you do not save your credit card or bank account details on any phone or mobile device.

If at any time you are compelled to send your personal information or credit card details to a family member or friend over IM, or if a colleague needs some sensitive information that is holding back a deal or a project, ensure that the chat uses end-to-end encryption. In the case of the latter, it is best to implement a mobile data loss prevention solution to prevent data leakage over mobile phones.

Activating the numeric lock or fingerprint reader is a good precaution to keep your device safe. This simple measure will ensure that no one can access your smartphone or mobile device when you’re not around. Lock IM apps with a pattern lock for added protection. Refrain from accessing web versions of IM applications from public computers.

Hacking, phishing, and phreaking are some of the top security threats in the world of technology these days. Never click on links sent to you by unknown people. Malware is often sent in the form of innocuous links or even videos. It is installed on your smartphone or mobile device when you click them and then transmits the information you send over messages. Also, set all system downloads to “manual” to avoid unintended malware installation on your mobile device.

Messaging Apps bring our dear ones closer. They also make corporate teams work more closely together. But unfortunately, they also bring the wily data thief within harming distance. With a little precaution your instant messaging can be made as safe as a face-to-face conversation.

12 Ingredients for Creating a Successful Incident Response (IR) Plan

In AT&T’s latest Cybersecurity Insights report, 62 percent of organizations acknowledged they were breached in 2015. However, only 34 percent believe they have an effective incident response plan.

When faced with a potential data breach, or any incident that may harm an organization and its customers, an incident response plan, or IRP, is required to protect the organization’s data and, thereby, its reputation. If IRPs are not implemented properly, organizations may not be able to recover quickly from data loss. An IRP helps to identify the best possible data loss prevention (DLP) activities that safeguard organizations and quickly restore normal business operations. A well-defined security IRP will help safeguard against losses in case of a data loss (DL) incident, a natural disaster, an external breach of critical data or IP, or an insider threat.

According to the 2016 SANS Institute survey on the state of IR, 29 percent of respondents report a remediation time of two to seven days. A lack of skilled personnel is aggravating the problem, as 65 percent of respondents reported the lack of personnel was impeding their ability to respond to incidents.

12 Common Ingredients of Implementing IRPs

IRPs cannot be a one-size-fits-all system. Every organization has its own needs. Over the years and based on many studies, the following common ingredients have been identified:

  1. Prepare: According to CISO, the team that handles threats, dealing with the fallout from a breach requires the efforts of the entire company. This requires team effort and training. Everyone must be made aware of whom to report to on the IT team if they observe something suspicious.
  2. Get approvals: IRPs are not implemented if they are not approved by the Board of Directors. It is critical to make this group understand, and get involved in, the whole process of an IRP implementation from the initial stages so that they are aware of the severe repercussions of a data loss. Once they accept the criticality of a DLP activity, creating a successful IRP will be easy.
  3. Define the team and scope ahead of time: IRP developers need to define cross-organizational goals and allocate appropriate resources, leaders, roles, and responsibilities. Everyone must know ahead of time what should be done when. The core team may comprise individuals from privacy, security, legal, and IT who call on other departments as the need requires. Identifying the scope of the IRP will allow team members to assemble the components into an effective plan.
  4. Identify measurements and metrics: For a robust IRP, organizations need to define in advance key metrics such as time to detection, time to report an incident, time to triage and investigate, the number of false positives, and the nature of the attack indicators that will be measured in case of a breach.
  5. Hold test runs: Companies must play out the various breach scenarios – something like a mock fire drill – just to ensure things are in place. This helps in identifying weak points and risk factors, and thus leads to a crisper IRP.
  6. Check alerts that appear benign: IT professionals must be very observant when checking for signs of compromise and threats, and they must never disregard a regular user’s doubts. The PCI Security Standards Council states that one of the biggest risks to an organization’s information security is often the action or inaction by employees that can lead to security incidents.
  7. Document the IRP, and keep it updated: Documenting an IRP helps organizations consider different scenarios, their implications, and the tools needed to mitigate the damage. DL assessments are part of every IRP and must be documented to support an organization’s burden of proof. An IRP must be a “living document” that is always kept updated. New threats from malware, identity theft, and unencrypted mobile devices are putting protected health information (PHI) at risk. An IRP should reflect these new dangers.
  8. Don’t overlook your refineries and factories: Many organizations need to run industrial systems in parallel, such as an oil refinery or a factory that manufactures drugs. Such organizations usually do not feel the need to implement an IRP, thinking hackers won’t target these locations. This, more often than not, leads to a breach resulting in losses.
  9. Contain and remediate: Once an affected system has been identified, take it offline and use it to conduct a post-mortem on the how and what of the breach. After the root cause is identified, stop the breach from spreading further before it affects the entire organization. The findings and details of the breach must be noted carefully, and action must be taken so that there’s no room for similar attacks to recur. The focus should be on investigating the malware’s techniques and infection vector so that a robust eradication and prevention plan may be developed.
     According to Marsh & McLennan Companies, “Once an organization experiences a data breach, the response is to secure defenses to make sure that history does not repeat itself.”
  10. Plan for a follow-up budget and resources: According to Gartner, Inc., 75 percent of enterprises’ information security budgets will be allocated to rapid detection and response approaches by 2020, up from less than 10 percent in 2012.
  11. Follow up: For future containment, learning and improvement, and detection, IRPs require the cooperation of an entire organization, not just the IT and security departments. For example, a bank handling the impact of a breach will need help from its PR staff, its Web development team, its HR team, etc.
  12. Align and integrate the IRP with the organization’s existing business continuity plan (BCP), data loss prevention (DLP) policies, and disaster recovery plan (DRP): Prioritizing the assets to rebuild so that business returns to usual quickly is very critical. The prioritized inventory must be updated and amended regularly as business needs evolve.

MAPFRE Settlement – An Expensive Lesson in Data Security

MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) has agreed to pay a whopping $2.2 million in fines to enter into a settlement with the HHS Office for Civil Rights (OCR) for violations of the HIPAA Privacy and Security Rules.

At the heart of this multi-million dollar storm was a humble USB pen drive.

On September 29, 2011, the unencrypted USB data storage device was left unsecured in the IT department of MAPFRE. This drive contained records of 2,209 individuals, including their full names, dates of birth and Social Security numbers. The pen drive was stolen overnight.

MAPFRE reported the device theft to OCR 55 days later (60 days is the maximum time frame for reporting and announcing PHI breaches). OCR then launched an investigation to ascertain whether any HIPAA Rules had been violated. This is standard protocol for all breaches of ePHI that affect more than 500 individuals.

As the investigation proceeded, OCR discovered not one but several HIPAA non-compliance issues.

Officials at OCR determined that MAPFRE showed a callous attitude towards data protection by not putting the necessary safeguards in place to prevent the theft. MAPFRE had:

  • Failed to conduct the required risk and vulnerability assessments to test the “confidentiality, integrity, and availability” of the ePHI under its control
  • Failed to implement appropriate security measures
  • Neglected to implement the required security awareness and training programs for its workers

As per the corrective action plan, MAPFRE was expected to:

  • Conduct a risk analysis and implement a risk management plan
  • Implement a process for evaluating environmental and operational changes
  • Review – and revise if necessary – its current Privacy and Security Rule policies and procedures
  • Distribute the policies and procedures and assess, update, and revise them as necessary
  • Give regular training to workforce members and certify that they’ve received it

MAPFRE delayed implementation of the corrective measures it had told OCR it would undertake. So despite the submission of a breach report to OCR on August 5, 2011, MAPFRE Life did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR director Jocelyn Samuels said in a statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

The resolution amount was decided upon after taking the financial position of MAPFRE into consideration, as well as the number and severity of its HIPAA violations. Not only does OCR require payment of $2,204,182 in fines, MAPFRE is also expected to adopt a corrective action plan that addresses all areas of noncompliance.

HHS states on its website that “A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.” It also says that “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”

OCR has increased its enforcement of the HIPAA Rules in recent years, with 2016 being the year in which it reached more settlements than in any other year to date. Last year alone, a dozen healthcare organizations settled possible HIPAA violations with OCR. Earlier this year, Presence Health, a healthcare network serving residents of Illinois, agreed to pay OCR $475,000 due to an unnecessary delay in breach notification after patients’ protected health information was exposed. OCR won’t be letting up on the aggressive enforcement pace of 2016, when it collected a record $23.5 million in HIPAA breach settlements, a steep rise from $6.2 million in all of 2015.

There are some expensive lessons in these settlements that all HIPAA covered entities should pay heed to. Risk assessment and analysis can go a long way in keeping data secure. There should be a comprehensive risk management plan in place. In case of a breach, companies should make quick and accurate representations to OCR and should follow through on any commitments made to OCR.

Last but not least, leaving portable devices or drives unencrypted is never a good idea, and a humble USB pen drive can sometimes prove very, very costly.

Data Security Priorities for SMBs in 2017

Small- and medium-sized businesses (SMBs) are just as vulnerable to cyber threats and data breaches as large enterprises. According to a survey of SMBs conducted by the Ponemon Institute, nearly 55% of respondents said that they had experienced a cyber-attack, and at least 50% had a data breach in the past 12 months. It was also revealed that negligent employees, contractors and third parties caused most data breaches. [1]

Here are the key reasons why SMBs are becoming more vulnerable:

  • Security policy is not well defined.
  • The software and methods in place to prevent a breach are either obsolete or not capable enough to prevent data leakage.
  • Employees lack training.
  • Not enough budget is allotted to thwart the threat.
  • Strict adherence to security procedures is lacking – weak or reused passwords. Encryption is missing in most cases.
  • BYOD policies are missing.
  • The protocol to be followed in case of a leak, which could in turn limit the extent of data loss, is not defined.
  • There is rarely dedicated IT personnel overseeing the security of the system. Thus, 24/7 observation is

For all of these reasons, the loss of sensitive data is often due to negligence by company personnel. A lot can be averted if the following requirements are addressed in the security protocol.

These essential steps are recommended for SMBs to follow and implement in order to mitigate data breach threats:

  • Regular training sessions should be conducted for employees. Users should be educated about cyber security and informed on how to handle sensitive information safely.
  • Password encryption should be a must. Implementing two-factor authentication is an easy and affordable way to safeguard the cyber content.
  • Account management should be implemented. User-defined roles should dictate who gets what kind of access to sensitive data. Both the user and the device being used to access the information should be authenticated.
  • Clearly define the BYOD policies to the employees so that intentional or deliberate loss of data can be mitigated.
  • Software used should be current, thus making it less vulnerable to cyber threats.
  • Policies around what data can be copied and how and where it can be duplicated should be laid out for the users.

As we step into 2017, SMBs should start gearing up to implement tailored protocols to defend against data breaches, particularly from insiders. Along with taking the steps mentioned above in stride, employees’ behavior in the office should be scrutinized. Even at the time of recruitment, proper background screening should be conducted. Getting the right kind of employees and following up with a robust security plan will go a long way toward mitigating the threat.

[1] http://www.ponemon.org/blog/smbs-are-vulnerable-to-cyber-attacks

Ensuring Application Security in a Mobile Environment

With concepts such as bring-your-own-device (BYOD) becoming almost indispensable in today’s business environments, employees have both official and personal data on their smartphones and other devices. Because many of these devices are not very secure, hackers are having a field day. Apart from this, the risks of inadvertent data loss have also greatly increased.

In a recent analysis of downloaded applications within organizations, IBM found that these apps had access to confidential business data.

Anyone using a smartphone is aware that downloaded applications require frequent OS updates. Frequent updates increase the phones' exposure and vulnerability, which means that they may get corrupted or lose precious, business-critical data. Additionally, because mobile apps can access security-critical servers, storage, and networking systems, these apps are exposed to external attacks in which hackers can intercept data and cause huge losses. In a recent case involving an Android application, a weakness was found that could put personal user information at risk, including not only phone numbers and location details but also account balances.

Because compromised applications may at times lead to irrevocable losses for organizations in terms of finances, brand loyalty, confidential customer information, and intellectual property, application-security testing teams need to be on their toes at all times. They need to think about how to implement a robust, automated, and scalable mobile-specific security management program that can eliminate the looming risks to enterprise data with ease and efficiency.

On a positive note, most organizations have data-loss prevention (DLP) policies in place for blocking devices as soon as they are reported lost. However, most organizations have no visibility into the type of applications installed on their employees' mobile phones, and this is a huge cause for concern. To ensure that only safe applications are installed on corporate-owned and corporate-controlled devices, organizations have moved toward implementing mobile application management solutions. Many organizations involved in the generation and management of critical data, such as data relating to finance and security, use advanced DLP measures to control logins and access to data on mobile devices.

What is needed to ensure that your organization has a robust risk management system in place for your applications?

To ensure that mobile applications are secure in all aspects, organizations must follow basic rules:

  • Perform stringent tests (perhaps utilizing a cloud-testing lab) for all application types (web, native, and hybrid), for all browsers, for iOS and Android (especially if it is open source), and for all software that might access the application once it is installed.
  • Perform continuous static and dynamic analyses; monitor applications to detect problems.
  • Perform checks for threats to the application due to weak encryption, client-side injection, and data storage.
  • Minimize and verify functionality and permissions, thus simplifying the code. In addition, conduct thorough data validation and perform end-to-end testing of the code to check for any shortfalls related to security.
  • Test the back end for any weaknesses in the emulators running the mobile applications.
  • Perform thorough testing (automated penetration, functional, performance, etc.) on the application for loopholes related to security and for any weaknesses related to viruses.
  • Avoid storing and transmitting data where possible. Where it is necessary, encrypt the data while it is stored and while it is in transit.
  • Detect integrity violations using taint analysis.
  • Harden the applications against tampering so that no one can modify them externally.
  • Invest in an automated mobile-app security-testing tool that can perform security assessments and penetration testing for apps built using agile methodology.

App developers must also make their apps third-party-friendly and easy to download. This will dissuade mobile users from wanting to jailbreak or root their mobile devices, which makes the devices vulnerable and renders the features related to OS security ineffective. App developers must be motivated and trained to build apps that have strong, built-in security controls to thwart any unwarranted breaches.

If organizations perform the above tests, follow strict app development guidelines, and implement robust frameworks for security testing, they will have done all that is required to keep the mobile applications—and, more importantly, the user data—secure. These measures, coupled with use of DLP, will effectively lead to implementation of stronger security practices.

How to Select the Right Encryption Solution

In today’s fast-moving and fast-changing world, coupled with the influx of smart devices and IoT, securing data and protecting it from falling into malicious hands has become extremely challenging, complex, and necessary. The workplace no longer adheres to a typical 9-to-5 routine. Technology has created the ability to work remotely from anywhere and at any time through laptops, tablets, smartphones, etc. The gates to breaches have thus significantly increased in number, resulting in greater need to use encryption, scaling to not just a computer but to the numerous smart devices that are constantly used to access data.

Ponemon Institute conducted a survey and came up with the most prominent drivers that propel industries to consider encryption as a defense against data breaches.

We saw in one of our previous blogs how the number of breach incidents has risen to staggering heights this year. IT experts collectively agree that encryption is the key solution to this enormous problem, but it has to be the right type of encryption for the industry in question. Thorough knowledge of the tools and technologies currently prevailing in the market is very important before implementing any type of encryption. A customized encryption solution, apt for the enterprise in question, will not only prevent the loss of data but also save time and money. So what are the criteria for determining the type of encryption solution suitable for an enterprise? The following points answer this question.

  1. Basic Requirements – A Must

The encryption solution should meet the following basic requirements:

  • Encryption should be automated, simple for end users to comply with, and provide non-disruptive protection.
  • There should be robust authentication of users, so that only authorized users get access to the data. The encryption solution should also provide for regular checks that user access controls are still valid.
  • It should be able to protect a wide array of smart devices across multiple platforms such as Windows, Mac, and Android. Most smart devices already offer some kind of base protection, but this might not be sufficient for big enterprises dealing with highly sensitive data.
  • The type of encryption will also depend on the type of data that has to be protected. This could be data in motion, data at rest, or data in use. The company might require full-disk encryption or just file encryption.
  • The need for managing the encryption keys must be assessed: can it be done by the IT department itself, or should the services of a vendor be considered?
  • Another characteristic is that the encryption implemented should grow as the enterprise expands. The growing demands of the company should not hamper the existing encryption or render it ineffective.
  • The encryption should be such that if the data were to fall into the hands of hackers, it would be unreadable and useless.
  2. Encryption Key – Vendor-managed or Customer-managed

Whether the key is vendor-managed or customer-managed, the scheme uses a pseudo-random encryption key generated by an algorithm. An unauthorized interceptor cannot access the data without this key. A customer-managed key (CMK) empowers the customer completely, as it makes the physical location of the files less relevant: no party can decrypt the data once the customer has chosen to withdraw access to the encryption keys.
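As an added illustration of the customer-managed-key point above (example code written for this page, not Zecurion's or any vendor's implementation), the hypothetical `KeyStore` and `Envelope` below show envelope encryption: each object is sealed under its own data-encryption key (DEK), the DEK is sealed under a key-encryption key (KEK) the customer controls, and once the customer deletes the KEK the stored envelope can no longer be opened by anyone, the storage provider included. AES-256-GCM from Go's standard library stands in for whatever algorithm a real product uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore is a hypothetical customer-controlled KEK registry; deleting an entry models the customer revoking that key.
type KeyStore map[string][]byte
// Envelope is what the provider stores: the object sealed under a fresh DEK, plus that DEK sealed under the customer's KEK.
type Envelope struct{ KEKID string; WrappedDEK, Ciphertext []byte }
func randBytes(n int) []byte { // crypto/rand.Read cannot fail as of Go 1.24
	b := make([]byte, n)
	rand.Read(b)
	return b
}
func gcm(key []byte) cipher.AEAD { // every key in this example is 32 bytes: AES-256-GCM
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, pt []byte) []byte { // 12-byte random nonce prefixed to the AEAD output
	nonce := randBytes(12)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("malformed ciphertext")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
// Encrypt seals pt under a fresh per-object DEK and wraps that DEK under kekID.
func Encrypt(ks KeyStore, kekID string, pt []byte) (*Envelope, error) {
	if kek, ok := ks[kekID]; ok {
		dek := randBytes(32)
		return &Envelope{kekID, seal(kek, dek), seal(dek, pt)}, nil
	}
	return nil, errors.New("unknown or revoked KEK: " + kekID)
}
// Decrypt fails closed: with the KEK revoked, nobody (provider included) can unwrap the DEK.
func Decrypt(ks KeyStore, env *Envelope) ([]byte, error) {
	if kek, ok := ks[env.KEKID]; ok {
		if dek, err := open(kek, env.WrappedDEK); err == nil {
			return open(dek, env.Ciphertext)
		}
	}
	return nil, errors.New("KEK revoked or envelope tampered: " + env.KEKID)
}
```

The provider keeps only the envelope; the customer keeps the KEK, so key withdrawal is the customer's kill switch for data it no longer physically controls.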

  3. Key Management

Managing the keys is another important aspect of encryption. Depending on how big the organization is, there could be a large number of keys that need to be managed uniformly and tracked constantly. To this end, Zecurion Zserver secures and protects confidential information at the processing and storage level on corporate servers. The Zserver Enterprise Key Management Server (EKMS) minimizes the administrative overhead of encryption by generating, storing, managing, and automatically loading encryption keys across the enterprise.

According to a report by CSC, “While individuals are responsible for most data creation (70 percent), 80 percent of all data is stored by enterprises.” Encryption may not be the silver bullet that thwarts data breaches completely, but it is a necessary step towards mitigating the accidental or deliberate loss of critical and sensitive data. Enterprises, both small and large, should make it a mandatory requirement and implement encryption company-wide.

Is the Hospitality Industry in Danger?

Back in 2005, Meyers and Mills said that using biometric technologies could improve hotel security and enhance the ability to recognize criminal activity. Fast forward to 2016 and we are seeing that the hospitality sector has become easy prey for cyber criminals.

The leap in technology has made it easy for the hospitality industry to gather a lot of personal data about customers, which has helped them increase sales and profit margins. A recent report by Sabre Hospitality Solutions confirms that the proper use of the Big Data generated can give a ‘definitive market edge’ to hoteliers.

It’s Green for the Hackers!

This has also made it easy for hackers to commit financial crimes on a larger scale. While hackers attack smaller enterprises because their systems can usually be breached easily, they hack into bigger franchises to gain access to a global database. For the hospitality sector in particular, this is because the industry's day-to-day operations involve online reservations, card-based transactions, and rewards programs. This generates an enormous database of user data that, if exposed to the wrong hands, will wreak havoc on people's personal and financial lives.

Criminals across the globe try to hack into hotel networks to steal guests' credit card details. In essence, they are targeting thousands of cardholders at once. Not only may hotels have vulnerable systems, they may also detect a breach only long after it has occurred. The average time, according to Trustwave SpiderLabs, is 173.5 days.

Cybercrime is a huge risk that hotels must deal with on a regular basis. Social engineering attacks such as phishing and Advanced Persistent Threats (APTs) are the most dangerous types of cyber-attack, as they can bypass the current security setup. Hotel Wi-Fi networks therefore need to be secured, with built-in wireless intrusion prevention and detection for enhanced security.

Sample this: as per the 2015 Trustwave Global Security Report, the global hospitality industry now tops the list of the three industries most frequently targeted by hackers.

The Challenge

This challenge of data security and safety also increases the liability of the hospitality industry, as any security breach may lead to heavy financial (legal) losses, loss of brand and reputation, and loss of customer loyalty. In the long run, this leads to financial instability and failure.

Repercussions of a Security Breach

Hotels have to pay through the nose if there is a breach of private data. The areas where the cash flows usually cover legal processing, fines, penalties, forensic investigation expenses, credit monitoring, business interruption losses, and hiring PR professionals to help control the damage and salvage the reputation. Additional costs go towards recovering lost data and fixing the actual cause of the breach.

Several organizations that analyse security and data breach trends cite hospitality as the ‘single most vulnerable industry’. Thus, IT leaders in hospitality are making data security their number one priority.

There are Ways to Stop This Loss

Most states today have privacy laws requiring notification if anyone's personal or financial information is compromised, lost, or stolen. In addition, there are multiple standards that support data loss prevention (DLP), such as the Payment Card Industry Data Security Standard (PCI DSS), which ensures ‘that all companies that process, store, or transmit credit card information maintain a secure environment’. Standards such as PCI DSS, if implemented properly, can help prevent many such incidents.

Hotels of any size must secure their networks to protect hotel operations and guests' data. They must also review their information technology annually to respond proactively to threats. To save themselves from the fate that even the likes of Hilton, Marriott, and Mandarin Oriental could not avoid, hotels need to employ the best security experts, who can advise on encryption strategies for point-of-sale (POS) terminals, data servers, and internal networks.
