Category Archives: Data Loss Prevention

Instant Messaging Apps – an Instant Threat

The Internet has revolutionized communication forever. Remember the time you’d spend all your money on text messages and multimedia messages? Those days are long past. Real-time and instant messaging is the rage now, allowing you to stay connected with friends round the clock. Apart from simple text messages, they also allow you to exchange voice messages, video recordings and pictures, and even allow you to make voice/video calls with clarity unlike ever before. All of this and more at no cost at all!

Facebook Messenger, Whatsapp, and Google Hangout are some of the more popular messaging applications the world over. Other old favorites are Viber, Snapchat, and WeChat. All these applications allow you to send and receive texts, share pictures, videos, and other files. These days IM apps also allow users to make voice and video calls and send voice messages. Group chats are also permitted in most of these applications. The new IM apps that are gaining popularity are LINE, Telegram, Kik Chat. Even applications that are traditionally not meant for messaging such as Instagram now allow users to send private messages and thus work like IM applications. Applications like Whatsapp and Snapchat have recently introduced encrypted messaging which is a secure form of messaging.

Data Leaks and Security Threats

While IM applications have definitely brought the world to our fingertips, they have also opened up gaps for hackers to steal personal and sensitive data. From identity thefts to stealing financial and corporate information, IM apps make just about everything possible. More the integration, greater the risk of a data leak through the messaging app.

Some common threats to our data and security come in the form of strangers posing as friends, seeking personal or financial information, passwords etc. Sneaky hackers send IMs from a new number with your friend’s name and photograph. Identity theft is as serious as financial theft. Sharing of devices or IM accounts with acquaintances can also leads to serious breach of security, often from unexpected quarters. Unauthorized access to smartphone or mobile device by guests, colleagues, or friends is another security threat. Accidental data sharing to groups while the intended recipient is an individual is very common.

Malware stealing personal, proprietary  and financial information can be installed into your smartphone, sneaked in by videos or links sent by unknown senders. Similarly, you must look out for new and unknown IM applications which could be created in order to steal personal data.

Data Leaks Prevention and Precautions

There are some simple precautions that can be taken to prevent data leak through IM applications. Personal information and sensitive corporate information should not be disclosed to anyone without establishing their identity. Do not be fooled by the DP (Display Picture) and name. Your friends and colleagues will never ask you for your details and passwords over IM. When you find strangers asking for your personal/financial information, do not hesitate to be generous with the “Block” button. Never share your passwords and sensitive data with anyone, not even bank personnel or colleagues you are working with over IM. It is best if you do not save your credit card or bank account details in any phone or mobile device.

If at any time you are under compulsion to send your personal information or credit card details to a family member or friend over IM, or if a colleague needs some sensitive information that is holding back a deal or a project, ensure that the chat uses end-to-end encryption. In case of latter, it is best to implement a mobile data loss prevention solution to prevent data leakage over mobile phones.

Activating the numeric lock or fingerprint reader is a good precaution to keep your device safe. This simple measure will ensure that no one can access your smartphone or mobile device when you’re not around. Lock IM apps with a pattern reader for added protection. Refrain from accessing web versions of IM applications from public computers.

Hacking, phishing, and phreaking are some of the top security threats in the world of technology these days.  Never click on links sent to you by unknown people. Malware are often sent in the form of innocuous links or even videos. These are installed in your smartphone or mobile device when you click them and transmit information that you send over messages. Also, do set all system downloads to “manual” to avoid unintended malware installation on your mobile device.

Messaging Apps bring our dear ones closer. They also make corporate teams work more closely together. But unfortunately, they also bring the wily data thief within harming distance. With a little precaution your instant messaging can be made as safe as a face-to-face conversation.

12 Ingredients for Creating a Successful Incident Response (IR) Plan

In AT&T’s latest Cybersecurity Insights report, 62 percent of organizations acknowledged they were breached in 2015. However, only 34 percent believe they have an effective incident response plan.

When faced with a potential data breach, or any incident that may potentially harm organizations and their customers, an incident response plan, or IRP, is required to protect an organization’s data and, thereby, its reputation. If IRPs are not implemented properly, organizations may not be able to recover quickly from data loss. An IRP helps to identify the best possible data loss prevention (DLP) activities that help safeguard organizations and quickly restore normal business operations. A well-defined security IRP will help safeguard against losses in case of a DL incident, a natural disaster, an external breach of critical data or IP, or an insider threat.

According to the 2016 SANS Institute survey on the state of IR, 29 percent of respondents report a remediation time of two to seven days. A lack of skilled personnel is aggravating the problem, as 65 percent of respondents reported the lack of personnel was impeding their ability to respond to incidents.

12 Common Ingredients of Implementing IRPs
IRPs cannot be a one-size-fits-all system. Every organization has its own needs. Over the years and based on many studies, the following common ingredients have been identified:

  1. Prepare: According to CISO, the team that handles threats, dealing with the fallout from a breach requires the efforts of the entire company. This requires team effort and training. Everyone must be made aware of who to report to on the IT team in case they observe something suspicious.
  1. Get approvals: IRPs are not implemented if they are not approved by the Board of Directors. It is critical to make this group understand, and get involved in, the whole process of an IRP implementation from the initial stages so that they are aware of the severe repercussions of a data loss. Once they accept the criticality of a DLP activity, creating a successful IRP will be easy.
  1. Define the team and scope ahead of time: IRP developers need to define cross-organizational goals and allocate appropriate resources, leaders, roles, and responsibilities. Everyone must know ahead of time what should be done when. The core team may comprise of individuals from privacy, security, legal, and IT who call on other departments as the need requires. Identifying the scope of IRP will allow team members to assemble the components into an effective plan.
  1. Identify measurements and matrices: For a robust IRP, organizations need to define in advance key metrics such as time to detection, time to report an incident, time to triage and investigate, the number of false positives, and the nature of the attack indicators that will be measured in case of a breach.
  1. Hold test runs: Companies must play out the various breach scenarios – something like a mock fire drill, just to ensure things are in place. This helps in identifying weak points and risk factors, and thus leads to a crisper IRP.
  1. Check alerts that appear benign: IT professionals must be very observant when checking for signs of compromises and threats, and they must never disregard a regular user’s doubts. The PCI Security Standards Council states that one of the biggest risks to an organization’s information security is often the action or inaction by employees that can lead to security incidents.
  1. Document the IRP, and keep it updated: Documenting an IRP helps organizations consider different scenarios, their implications, and the tools needed to mitigate the damage. DL assessments are part of every IRP and must be documented to support an organization’s burden of proof. An IRP must be a “living document,” that must always be kept updated. New threats from malware, identity theft, and unencrypted mobile devices are putting protected health information (PHI) at risk. An IRP should reflect these new dangers.
  1. Dont overlook your refineries and factories: Many organizations need to run industrial systems in parallel, such as an oil refinery or a factory that manufactures drugs. Such organizations usually do not feel the need to implement an IRP, thinking hackers won’t target these locations. This, more often than not, leads to a breach resulting in losses.
  1. Contain and remediate: Once an affected system has been identified, take it offline, and use it to conduct a post-mortem as to the how and what of the breach. After the root cause is identified, control the spreading of such breaches further before it affects the entire organization. The findings and details of the breach must be noted carefully, and action must be taken so that there’s no room for similar attacks to re-occur. The focus should be on investigating the malware’s techniques and infection vector so that a robust eradication and prevention plan may be developed.
    According to Marsh & McLennan Companies, “Once an organization experiences a data breach, the response is to secure defenses to make sure that history does not repeat itself.”
  1. Plan for a follow-up budget and resources: According to Gartner, Inc., 75 percent of enterprises’ information security budgets will be allocated for rapid detection and response approaches by 2020, up from less than 10 percent in 2012.
  1. Follow up: For future containment, learning and improvement, and detection, IRPs require the cooperation of an entire organization, not just the IT and security departments. For example, a bank handling the impact of a breach will need help from its PR staff, from its Web development team, from the HR team, etc.
  1. Align and integrate the IRP with an organization’s existing business continuity plans (BCP), data loss prevention (DLP) policies, and disaster recovery plan (DRP): Prioritizing the assets to rebuild to ensure business-as-usual quickly is very critical. The prioritized inventory must be updated and amended regularly as business needs evolve.

MAPFRE Settlement- An Expensive Lesson in Data Security

data loss preventionMAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) has agreed to pay a whopping $2.2 million in fines to enter into a settlement with the HHS Office of Civil rights for violations of the HIPAA privacy and security rules.

At the heart of this multi-million dollar storm was a humble USB pen drive.

On September 29, 2011, the unencrypted USB data storage device was left unsecured in the IT department of MAPFRE. This drive contained records of 2,209 individuals, including their full names, dates of birth and Social Security numbers. The pen drive was stolen overnight.

MAPFRE reported the device theft to OCR 55 days later. (60-days is the maximum time frame for reporting and announcing PHI breaches). OCR then launched an investigation to ascertain whether any HIPAA Rules had been violated. This is standard protocol for all breaches of ePHI that impact more than 500 individuals.

As the investigation proceeded, OCR discovered not one but several HIPAA non-compliance issues.

Officials at OCR determined that MAPFRE showed a callous attitude towards data protection  by not putting necessary safeguards in place to prevent the theft. MAPFRE had-

  • Failed to conduct required risk and vulnerabilities assessments to test the “confidentiality, integrity, and availability” of the ePHI under their control,
  • Did not implement any appropriate security measures
  • Had neglected to implement required security awareness and training programs for their workers.

As per the corrective action plan, MAPFRE was expected to:

  • Conduct a risk analysis and implement a risk management plan
  • Implement process for evaluating environmental and operational changes
  • Review – and revise if necessary – its current Privacy and Security Rules policies and procedures
  • Distribute the policies and procedures and assess, update, and revise them as necessary
  • Give regular training to workforce members and certify they’ve received it

MAPFRE delayed implementation of corrective measures that it had told OCR it would undertake. So despite the submission of a breach report to OCR on August 5, 2011, MAPFRE Life did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR director Jocelyn Samuels said in a statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

The resolution amount was decided upon after taking the financial position of MAPFRE into consideration as well as keeping in mind the number and severity of its HIPAA violations. Not only does OCR require payment of $2,204,182 as fines, MAPFRE is also expected to adopt a corrective action plan that addresses all areas of noncompliance.

HHS states on its website, that “A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.” It also says that “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”

OCR has increased its enforcement of HIPAA Rules in recent years, with 2016 being a year when they made more settlements than in any other year to date. Last year alone a dozen healthcare organizations settled possible HIPAA violations with OCR. Earlier this year, Presence Health, a healthcare network serving residents of Illinois, agreed to pay OCR $475,000 due to an unnecessary delay in breach notification after the patients’ protected health information was exposed. OCR won’t be letting up on its aggressive enforcement pace of 2016 when it collected a record $23.5 million in HIPAA breach settlements, a steep rise up from $6.2 million in all of 2015.

There are some expensive lessons in these settlements that all HIPAA covered entities should pay heed to. Risk assessment and analysis can go a long way in keeping data secure. There should be a comprehensive risk management plan in place. In case of a breach, companies should make quick and accurate representations to OCR and should follow through on any commitments made to OCR.

Last but not the least, leaving unencrypted portable devices/drives is never a good idea and a humble USB pen drive can sometimes prove to be very very costly.

Data Security Priorities for SMBs in 2017

Small- and medium-sized companies (SMBs) are equally vulnerable to cyber threats and data breaches as large enterprises. According to a survey of SMBs conducted by Ponemon Institute, nearly 55% of respondents said that they experienced a cyber-attack, and at least 50% had a data breach in the past 12 months. It was also revealed that negligent employees, contractors and third parties caused most data breaches.[1]

Here are the key reasons why SMBs are becoming more vulnerable

  • Security policy is not well defined.
  • The software and methods that are in place to prevent the breach are either obsolete or not capable enough to prevent the data leakage.
  • Lack of training to the employees.
  • Not enough budget is allotted to thwart the threat.
  • Strict adherence to follow the security procedure is lacking – weak or repetitive passwords. Encryption is missing in most of the cases.
  • BYOD policies are missing.
  • Protocol to be followed in case of leak is not defined, which could in turn restrict the extent of data loss.
  • There is rarely a dedicated IT personnel overlooking the security of the system. Thus, 24/7 observation is

For all of these reasons, the loss of sensitive data is often due to negligence of the company personnel. A lot can be averted if the following requirements are addressed in the security protocol.

These essential steps are recommended for SMBs to follow and implement in order to mitigate data breach threats.

  • Regular training sessions should be conducted for the employees. Users should be educated about cyber security and informed on how to deal with the sensitive information safely.
  • Password encryption should be a must. Implementation of two-factor authentication is an easy and affordable way to safeguard the cyber content.
  • Account management should be implemented. User-defined roles should dictate who gets what kind of access to the sensitive data. Authentication of the user and the device being used to access the information should be verified.
  • Clearly define the BYOD policies to the employees so that intentional or deliberate loss of data can be mitigated.
  • Software used should be current, thus making it less vulnerable to cyber threats.
  • Policies around what data can be copied and how and where it can be duplicated should be laid out for the users.

As we step into 2017, SMBs should start gearing up to implement tailored protocols to defend against data breach, particularly from insiders. Along with taking the steps mentioned above in stride, employees should be scrutinized for their behavior in the office. Even at the time of recruitment, proper background screening should be conducted. Getting the right kind of employees and following up with a robust plan for security will aptly help mitigate the threat.

[1] http://www.ponemon.org/blog/smbs-are-vulnerable-to-cyber-attacks

Ensuring Application Security in Mobile Environment

With concepts such as bring-your-own-device (BYOD) becoming almost indispensable in today’s business environments, employees have both official and personal data on their smartphones and other devices. Because many of these devices are not very secure, hackers are having a field day. Apart from this, the risks of inadvertent data loss have also greatly increased.

In a recent analysis of downloaded applications within organizations, IBM found that these apps had access to confidential business data.

Anyone using a smartphone is aware that downloaded applications require frequent OS updates. Frequent updates cause greater exposure and vulnerability for the phones, which means that they may get corrupted or lose precious, business-critical data. Additionally, because mobile apps can access security-critical servers, storage, and networking systems, these apps are prone to and vulnerable to external attacks in which hackers can intercept data and cause huge losses. In a recent case involving an Android application, a weakness was found that could put personal user information at risk, including not only phone numbers and location details but also account balances.

Because compromised applications may at times lead to irrevocable losses for organizations in terms of finances, brand loyalty, confidential customer information, and intellectual property, application-security testing teams need to be on their toes at all times. They need to think about how to implement a robust, automated, and scalable mobile-specific security management program that can eliminate the looming risks to enterprise data with ease and efficiency.

On a positive note, most organizations have data-loss prevention (DLP) policies in place for blocking devices as soon as they are reported lost. However, most organizations do not have a clue about the type of applications installed on their employees’ mobile phones, and this is a huge cause of concern. To ensure that only safe applications are installed on corporate-owned and corporate-controlled devices, organizations have moved toward implementing mobile application management solutions. Many organizations involved in the generation and management of critical data, such as data relating to finance and security, use advanced DLP measures to control logins and access to data on mobile devices.

What is needed to ensure that your organization has a robust risk management system in place for your applications?

To ensure that mobile applications are secure in all aspects, organizations must follow basic rules:

  • Perform stringent tests (perhaps utilizing a cloud-testing lab) for all application types (web, native, and hybrid), for all browsers, for iOS and Android (especially if it is open source), and for all software that might access the application once it is installed.
  • Perform continuous static and dynamic analyses; monitor applications to detect problems.
  • Perform checks for threats to the application due to weak encryption, client-side injection, and data storage.
  • Minimize and verify functionality and permissions, thus simplifying the code. In addition, conduct thorough data validation and perform end-to-end testing of the code to check for any shortfalls related to security.
  • Test the back end for any weaknesses in the emulators running the mobile applications.
  • Perform thorough testing (automated penetration, functional, performance, etc.) on the application for loopholes related to security and for any weaknesses related to viruses.
  • Try to avoid the data storage and transmission. If this is necessary, encrypt data during the process.
  • Detect integrity violations using a taint analysis.
  • Hard-code the applications so that no one can modify them externally.
  • Invest in an automated mobile-app security-testing tool that can perform security assessments, penetration testing, for apps being built using agile methodology.

App developers must also make their apps third-party-friendly and easy to download. This will dissuade mobile users from wanting to jailbreak or root their mobile devices, which makes the devices vulnerable and renders the features related to OS security ineffective. App developers must be motivated and trained to build apps that have strong, built-in security controls to thwart any unwarranted breaches.

If organizations perform the above tests, follow strict app development guidelines, and implement robust frameworks for security testing, they will have done all that is required to keep the mobile applications—and, more importantly, the user data—secure. These measures, coupled with use of DLP, will effectively lead to implementation of stronger security practices.

How to Select the Right Encryption Solution

In today’s fast-moving and fast-changing world, coupled with the influx of smart devices and IoT, securing data and protecting it from falling into malicious hands has become extremely challenging, complex, and necessary. The workplace no longer adheres to a typical 9-to-5 routine. Technology has created the ability to work remotely from anywhere and at any time through laptops, tablets, smartphones, etc. The gates to breaches have thus significantly increased in number, resulting in greater need to use encryption, scaling to not just a computer but to the numerous smart devices that are constantly used to access data.

Ponemon Institute conducted a survey and came up with the most prominent drivers that propel industries to consider encryption as a defense against data breaches.

We saw in one of our previous blogs how the number of breach incidents has risen to staggering heights this year. IT experts collectively agree that encryption is the key solution to this humongous problem, but it has to be the right type of encryption that is applied to the industry. A thorough knowledge of current tools and technologies that are prevailing in the market is very important before implementing any type of encryption. A customized encryption solution, apt for the said enterprise, will not only protect the loss of data but also save time and money. Now, what is the criteria for determining the type of encryption solution suitable for the enterprise? The following points will answer this question.

  1. Basic Requirements – A Must

The encryption solution should meet the following basic requirements:

  • Encryption should be automated, simple for end users to comply with, and provide non-disruptive protection.
  • There should be a robust access authentication of users, resulting in appropriate access to the data by authorized users only. The encryption should also have a provision for regular checks on user access control for validity.
  • It should be able to protect wide array of smart devices across multiple platforms such as Windows, Mac, and Android. Most smart devices already offer some kind of base protection, but this might not be sufficient for big enterprises dealing with highly sensitive data.
  • Type of encryption will also further depend on the type of data that has to be protected. This could be data in motion, data at rest, or data in use. The company might require full-disk encryption or just file encryption.
  • The need for managing the encryption keys must be assessed – can it be done by the IT department itself or should the services of a vendor be considered.
  • Another characteristic is that the encryption implemented should grow as the enterprise expands. The growing demands of the company should not hamper the prevailing encryption or render it ineffective.
  • The encryption should be such that if the data were to fall into the hands of hackers, it would be deemed incomprehensible and useless.
  1. Encryption Key – Vendor-managed or Customer-managed

An encryption vendor-managed key or a customer managed key scheme uses a pseudo-random encryption key generated by an algorithm. An unauthorized interceptor cannot access the data without this key. Customer managed key (CMK) empowers the customer completely as it makes physical location of the files less relevant, since no party can decrypt the data if the customer has chosen to withdraw access to the encryption keys.

  1. Key Management

Managing the keys is another important aspect in encryption. Depending on how big the organization is, there could be a large number of keys that need to be managed uniformly and tracked constantly. Towards this, Zecurion Zserver secures and protects confidential information at the processing and storage level on corporate servers. The Zserver Enterprise Key Management Server (EKMS) minimizes administrative overhead for encryption by generating, storing, managing, and automatically loading encryption keys across the enterprise.

According to a report by CSC, “While individuals are responsible for most data creation (70 percent), 80 percent of all data is stored by enterprises.” Encryption may not be the silver bullet to thwart data breaches completely, but is a necessary step towards mitigating the accidental or deliberate loss of critical and sensitive data. Enterprises, both small and large, should make it a mandatory requirement  and implement encryption company-wide.

Is the Hospitality Industry in Danger?

Long back in 2005, Meyers and Mills had said that using biometric technologies could improve hotel security and enhance the ability to recognize criminal activities. Fast forward to 2016 and we are seeing that the hospitality sector has become an easy prey for cyber criminals.

The leap in technology has made it easy for the hospitality industry to gather a lot of personal
data about customers that has helped them increase sales and profit margins. A recent report by Sabre Hospitality Solutions confirms that the proper use of Big Data generated can give a ‘definitive market edge’ to hoteliers.

It’s Green for the Hackers!

This has also made it easy for hackers to commit financial crimes at a larger scale. While hackers attack smaller enterprises as they usually have systems that can be easily breached, they hack into bigger franchises for gaining access to a global database. Especially for the hospitality sector, this is due to day-to-day operations of the industry involving online reservations, card-based transactions, and rewards programs. This generates a humongous database of user data that, if exposed to the wrong hands, will create havoc in personal and financial lives.

Criminals across the globe try to hack into hotel networks to rob credit card details of guests. In essence, they are trying to target thousands of cardholders together. Not only do hotels may have vulnerable systems, they may be able to detect a breach long after it has occurred. An average time as per Trustwave Spider Labs is 173.5 days.

Cybercrime is a huge risk that hotels must deal with on a regular basis. Social engineering attacks such as phishing and Advanced Persistent Threats (APT’s) are the most dangerous types of cyber-attacks as they can bypass the current security setup. Hotel Wi-Fi networks therefore need to be secure, with built-in wireless intrusion prevention and detection for enhanced security.

Sample this: As per the 2015 Trustwave Global Security Report, the global hospitality industry now sits on top of the three industries most frequently targeted by hackers.

The Challenge

This challenge of data security and safety also increases the liability of the hospitality industry as any security breach may lead to heavy financial losses (legal), loss of brand and reputation, and also loss of customer loyalty. This will lead to financial instability and failure in the long run.

Repercussions of a Security Breach

Hotels have to spend through their nose if there’s a breach of private data. The areas where the cash will flow usually cover legal processing, fines, penalties, forensic investigation expenses, credit monitoring, business interruption losses, and hiring PR professionals to help control damage and save reputation. Additional costs are required towards recovering lost data and fixing the actual cause of breach.

Several organizations that analyse security and data breach trends cite hospitality as the ‘single most vulnerable industry’. Thus, IT leaders in hospitality are making data security their number one priority.

There are Ways to Stop This Loss

Most states today have privacy laws for issuing notifications if anyone’s personal or financial information is compromised, lost, or stolen. To add on, there are multiple practices that support data loss prevention (DLP), such as the Payment Card Industry Data Security Standard (PCIDSS) that ensures ‘that all companies that process, store, or transmit credit card information maintain a secure environment’. Practices such as PCIDSS if implemented properly, can help control a lot of such incidents.

Hotels of any size must secure their network to protect hotel operations and guests’ data. They must also annually review their information technology to proactively respond to threats. To save themselves from the fate that even the likes of Hilton, Marriott, Mandarin Oriental etc. could not avoid, hotels need to employ the best security experts that can suggest digital encryption strategies about point of sale (POS) terminals, data servers and internal networks.

Image Credit: Rawpixel.com/ Adobe Stock

2016: Data Breach Statistics, Year until 10/19/2016

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted as of October 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.

Government

August 26, 2016 – County of Sacramento, California, issued a statement that an unknown number of records with personal data were exposed due to an error in the online automated application for Emergency Medical Service license. The information included name, address, social security number, driver’s license, phone number, date of birth of the applicants. Although there has been no report of misuse of PII, yet the county offered one year credit monitoring services of Experian to the affected people as a precaution.

Source: California Attorney General

 Healthcare

September 26, 2016 – One worker at Yale- New Haven Hospital and her friend were arrested for illegally procuring classified personal information of at least 20 near death patients and using the stolen data to obtain credit cards, becoming beneficiaries in their insurances among other planned crimes. This had been going on for two years before they were caught. A year’s credit monitoring has been offered to the victims.

Source: Media: News 3

August 12, 2016 – Bon Secours Health System disclosed that R-C Healthcare Management, a third-party vendor managing their Medicare and Medicaid reimbursement, accidentally left patients’ files accessible over the internet while updating network settings. About 665,000 records containing patient name, health insurer’s name, health insurance identification number, social security number and some health information was exposed to the general public. A forensic investigator was hired to correctly identify people that were affected by this breach and then informed about the incident. 435,000 were from Virginia and the rest were from Kentucky and South Carolina. No misuse of the exposed data has been reported so far.

Source: Media: http://www.nbcconnecticut.com/

Business

September 22, 2016 – Premier America Credit Union, California, reported that a departing employee sent an account list containing name, address and maybe social security and/or employer Identification number to his personal email address for most likely solicitation purposes in future. The employee was reminded of his obligations and company regulations and advised not to use any of this information for any purpose. The management further offered complimentary one year credit monitoring services of Experian to the victims.

Source: California Attorney General
August 8, 2016 – 7-Eleven reported that in June 2016 during a regular maintenance cycle some of the franchisees received the records of employees other than their own franchisee’s employees. The exposed information contained name, address, phone number and social security number of 7,820 employees. The correction was completed within 5 days. 7-Eleven offered 12 months of First Watch Technologies’ professional identity monitoring service to the victims in addition to $1,000,000.00 in identity theft insurance with no deductible.

Source: California Attorney General

Keep Sensitive Data Secure on a Tight Budget

As more services move towards the cloud, it is important to establish network security so as to ensure secure data transfer. Similarly, businesses that manage critical personal data need to maintain airtight security policies and procedures. Not having such policies in place may lead to security breaches or expensive client lawsuits. According to a 2016 report from the Ponemon Institute, almost 50 percent of small organizations that were surveyed experienced a data breach in the previous year. Another research by Symantec found that almost 43 percent of cyber-attacks in 2015 were targeted towards small businesses, up from 18 percent in 2011.

Small businesses make for an enticing target as they usually do not have the necessary security controls in place to secure their financial data from internal as well as external threats. Here are some low budget tips that can help small businesses keep their financial data safe.

  • Install proper network and work station controls such as properly configured firewall, anti-virus software, and updated patches for all hardware and software. Criminals usually try to exploit sensitive data such as Personally Identifiable Information (PIT), business trade secrets, financial data and other critical company information. Organizations must have restrictions in place for allowing only the least number of employees having access to sensitive information, especially financial or that related to security. Strict compliance must be ensured and employees must be trained and updated about it. This will help reduce incidents of data loss/ theft. Access to all storage, computing and online-based media like servers and databases must be restricted to only a few trusted employees.
  • Establish a culture of security by training and informing employees about accessing unsafe websites while at work that may result in major breaches. Companies may also resort to block access to certain sites for security reasons.
  • Conduct periodic testing to keep a check on vulnerabilities. The frequency of testing must depend on functional criticality and size of the company. With smartphones being used as devices for transfer of data, companies must ensure that these devices also fall under the purview of DLP policies and practices. Mobile devices must have anti-virus software installed and be up-to-date.
  • Get finance teams/ CTOs involved to understand the risks involved and get a holistic view of what can be done to mitigate these risks at the base level – without incurring too much cost.
  • Implement two-factor authentication along with strong password policy. Two-factor authentication requires use of a password plus a code or a biometric marker to access data. The additional layer of security makes access to sensitive data more difficult.
  • Set aside a small budget specifically for continuous monitoring or security-related loopholes to help ward off any attacks and threats. If utilizing the services of third party vendors for securely managing data, have a Service Level Agreement (SLA) which details security expectations and gives the right to thoroughly audit the vendor to confirm and ensure compliance with policies.

In essence, by just implementing and following certain basic tenets of security, most organizations can secure their sensitive data with bare minimum costs.

Is Cloud Storage Right for Your Business?

Storing data locally in your own data center has a number of limitations. Storage capacity and redundancy are limited by the server and drive space available in the data center. Increasing capacity to meet demand is costly and time-consuming. If demand falls off, you are left with wasted capacity sitting idle.

In the event of a hardware failure or power outage in the data center, your data will be unavailable, and could possibly end up corrupted or permanently damaged. In the event of a catastrophe, any backup data stored locally could be wiped out along with the production data, which would be devastating for most companies.

Benefits vary from vendor to vendor and depend on the service level you negotiate, but here are some of the primary benefits of storing data in the cloud:

  • Scalability―Cloud computing allows you to quickly and easily scale capacity, either increasing or decreasing available storage space to meet current demands. That means you will be able to handle unexpected spikes in capacity needs without having to over-invest in hardware that will spend most of the time idle.
  • Redundancy―Cloud storage providers generally provide multiple sites that are geographically separate, but with mirrored copies of all data. Hardware failures, power outages, or natural disasters affecting a site will be transparent to you because your data will still be accessible from the alternate sites.
  • Hardware Upgrades―Hardware changes so rapidly that your data center investment can be bordering on obsolescence when you have barely implemented it. A third-party vendor dedicated to providing hosted online storage will invest in hardware and infrastructure upgrades over time so you get the benefit of newer technology without having to constantly re-invest in new hardware.
  • Disaster Recovery/ Business Continuity―Storing data in the cloud also means that it is being stored offsite. In the event of a catastrophe or natural disaster impacting the local office, the data itself will still be protected and available online. Business will be able to continue almost seamlessly from alternate locations, and the data will be immediately available once normal operations resume at the primary office facility.
  • Cost―Considering what you get, scalable, redundant storage that also doubles as a disaster recovery and business continuity solution, the cost of cloud storage is typically quite reasonable. Consider as well that by engaging a third-party host for your data, you don’t have to hire personnel to manage data storage in-house, with their associated salaries and benefits. With the economies of scale offered by a cloud storage provider, adding additional space is a fraction of the investment that would be required for new hardware, and the power and cooling necessary to accomplish the same thing in an internal data center.

Leveraging cloud data storage provides a scalable, reliable, cost- effective storage solution. While there are multiple benefits, the type of cloud storage solution that works best for your company is based on your own specific needs.