Category Archives: Data Storage Security

Is the Hospitality Industry in Danger?

Long back in 2005, Meyers and Mills had said that using biometric technologies could improve hotel security and enhance the ability to recognize criminal activities. Fast forward to 2016 and we are seeing that the hospitality sector has become an easy prey for cyber criminals.

The leap in technology has made it easy for the hospitality industry to gather a lot of personal
data about customers that has helped them increase sales and profit margins. A recent report by Sabre Hospitality Solutions confirms that the proper use of Big Data generated can give a ‘definitive market edge’ to hoteliers.

It’s Green for the Hackers!

This has also made it easy for hackers to commit financial crimes at a larger scale. While hackers attack smaller enterprises as they usually have systems that can be easily breached, they hack into bigger franchises for gaining access to a global database. Especially for the hospitality sector, this is due to day-to-day operations of the industry involving online reservations, card-based transactions, and rewards programs. This generates a humongous database of user data that, if exposed to the wrong hands, will create havoc in personal and financial lives.

Criminals across the globe try to hack into hotel networks to rob credit card details of guests. In essence, they are trying to target thousands of cardholders together. Not only do hotels may have vulnerable systems, they may be able to detect a breach long after it has occurred. An average time as per Trustwave Spider Labs is 173.5 days.

Cybercrime is a huge risk that hotels must deal with on a regular basis. Social engineering attacks such as phishing and Advanced Persistent Threats (APT’s) are the most dangerous types of cyber-attacks as they can bypass the current security setup. Hotel Wi-Fi networks therefore need to be secure, with built-in wireless intrusion prevention and detection for enhanced security.

Sample this: As per the 2015 Trustwave Global Security Report, the global hospitality industry now sits on top of the three industries most frequently targeted by hackers.

The Challenge

This challenge of data security and safety also increases the liability of the hospitality industry as any security breach may lead to heavy financial losses (legal), loss of brand and reputation, and also loss of customer loyalty. This will lead to financial instability and failure in the long run.

Repercussions of a Security Breach

Hotels have to spend through their nose if there’s a breach of private data. The areas where the cash will flow usually cover legal processing, fines, penalties, forensic investigation expenses, credit monitoring, business interruption losses, and hiring PR professionals to help control damage and save reputation. Additional costs are required towards recovering lost data and fixing the actual cause of breach.

Several organizations that analyse security and data breach trends cite hospitality as the ‘single most vulnerable industry’. Thus, IT leaders in hospitality are making data security their number one priority.

There are Ways to Stop This Loss

Most states today have privacy laws for issuing notifications if anyone’s personal or financial information is compromised, lost, or stolen. To add on, there are multiple practices that support data loss prevention (DLP), such as the Payment Card Industry Data Security Standard (PCIDSS) that ensures ‘that all companies that process, store, or transmit credit card information maintain a secure environment’. Practices such as PCIDSS if implemented properly, can help control a lot of such incidents.

Hotels of any size must secure their network to protect hotel operations and guests’ data. They must also annually review their information technology to proactively respond to threats. To save themselves from the fate that even the likes of Hilton, Marriott, Mandarin Oriental etc. could not avoid, hotels need to employ the best security experts that can suggest digital encryption strategies about point of sale (POS) terminals, data servers and internal networks.

Image Credit: Rawpixel.com/ Adobe Stock

Is Cloud Storage Right for Your Business?

Storing data locally in your own data center has a number of limitations. Storage capacity and redundancy are limited by the server and drive space available in the data center. Increasing capacity to meet demand is costly and time-consuming. If demand falls off, you are left with wasted capacity sitting idle.

In the event of a hardware failure or power outage in the data center, your data will be unavailable, and could possibly end up corrupted or permanently damaged. In the event of a catastrophe, any backup data stored locally could be wiped out along with the production data, which would be devastating for most companies.

Benefits vary from vendor to vendor and depend on the service level you negotiate, but here are some of the primary benefits of storing data in the cloud:

  • Scalability―Cloud computing allows you to quickly and easily scale capacity, either increasing or decreasing available storage space to meet current demands. That means you will be able to handle unexpected spikes in capacity needs without having to over-invest in hardware that will spend most of the time idle.
  • Redundancy―Cloud storage providers generally provide multiple sites that are geographically separate, but with mirrored copies of all data. Hardware failures, power outages, or natural disasters affecting a site will be transparent to you because your data will still be accessible from the alternate sites.
  • Hardware Upgrades―Hardware changes so rapidly that your data center investment can be bordering on obsolescence when you have barely implemented it. A third-party vendor dedicated to providing hosted online storage will invest in hardware and infrastructure upgrades over time so you get the benefit of newer technology without having to constantly re-invest in new hardware.
  • Disaster Recovery/ Business Continuity―Storing data in the cloud also means that it is being stored offsite. In the event of a catastrophe or natural disaster impacting the local office, the data itself will still be protected and available online. Business will be able to continue almost seamlessly from alternate locations, and the data will be immediately available once normal operations resume at the primary office facility.
  • Cost―Considering what you get, scalable, redundant storage that also doubles as a disaster recovery and business continuity solution, the cost of cloud storage is typically quite reasonable. Consider as well that by engaging a third-party host for your data, you don’t have to hire personnel to manage data storage in-house, with their associated salaries and benefits. With the economies of scale offered by a cloud storage provider, adding additional space is a fraction of the investment that would be required for new hardware, and the power and cooling necessary to accomplish the same thing in an internal data center.

Leveraging cloud data storage provides a scalable, reliable, cost- effective storage solution. While there are multiple benefits, the type of cloud storage solution that works best for your company is based on your own specific needs.

Why is On-Demand Cloud Security Gaining Momentum?

 

Demand for cloud computing is high

Cloud computing today is the new normal. The need for cloud services is evidenced and accelerated by the growing number of organizations that are increasingly adopting cloud-based applications for communications, collaboration, business processing and storage. The use cases for the need is only strengthened by business drivers (cloud-driven innovation, user satisfaction, etc.) and technology drivers (agility, scalability, and costs).

Resistance to cloud adoption is gradually waning

In the near past, organizations have not been entirely comfortable with switching over to cloud computing. A big concern was (and to an extent, still is) the lack of faith in the provision of security in the cloud. Naturally, this means that organizations are not sure if data stored in the cloud is safe from incidents such as hacking and data theft. Add to this, the proliferation of bring-your-own-device (BYOD) to work―and the level of risks and concerns just shoot through the roof. A survey by HyTrust found that more than 45% of organizations identify security as a top concern when deploying cloud infrastructure.[1]

Organizations have, however, identified a mid-way through emergence of the hybrid model. The model allows organizations to leverage the benefits of cloud computing while retaining critical applications in their own data centres.  Towards this, a positive finding from the HyTrust survey is that nearly 70% of respondents believe that data breaches and other security risks are becoming less of an obstacle to cloud deployment.[2]

The shift to an on-demand cloud security model

Traditionally, organizations have deployed on-premise security controls to maintain greater control and flexibility over access and usage of data and applications. With confidence around cloud deployments growing, organizations are now extending security controls across the traditional on-premise model to an on-demand model. The drivers are the same as for any other cloud application―scalability, flexibility and cost.

The on-demand model brings in a lot more flexibility enabling organizations to deploy security agents based on usage. The benefits are immediate as the service can be deployed quickly. This allows organizations to scale their security as per business needs, without adding to costly administrative resources.

While some security controls are made available by cloud service providers, it becomes complicated and costly for organizations to keep a track of a plethora of cloud workloads. Towards this provision of an on-demand service, that gives clear visibility on all instances, streamlines security and greatly enhances operational efficiency.

As business threats are growing and getting complicated, organizations are realizing the benefits that the on-demand cloud security model can bring. While its adoption is yet to accelerate, the time is right to pause and think prudently―are you ready to do everything yourself or do you want to focus on your core business and deploy a managed service that takes care of all your vulnerabilities as well as compliance. It is time to act now.

[1] http://www.enterprisetech.com/2016/04/22/security-concerns-easing-cloud-deployment/

[2] Ibid.

Email Encryption – Not So Complex Anymore

In today’s time, when technology has taken control over almost everything in life from home to business, educational institutes, government agencies, doctor offices etc., the question arises as to how secure your data. With data breaches on the rise, data protection has become a hot topic.

How do you protect data ‘at rest’ and data ‘in transit’? How can you protect against the threat of espionage, hacktivism, spyware, or insider negligence? Encryption comes into play at this juncture. In recent years, there have been numerous reports of confidential data such as customers’ personal records being exposed through loss or theft of laptops or backup drives and data being breached when transmitted across networks by unauthorized users.

One of the proven techniques is to use algorithms for the purpose of encrypting data. The system encrypts the information contained on hard drives, disk arrays and SAN storage using an innovative, sophisticated encryption method to securely protect data stored on servers and on backup media.

Encryption protects stored information whenever physical control of the media is impossible, whether moving data to cloud, or in the case of hard drive loss. The permanent encryption of a file is a reliable way to protect any information it contains wherever the file physically resides.

For technical reasons, an encryption scheme uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients.To access encrypted data, the keys are a must. An unauthorized interceptor cannot access data without this key. The key can be either vendor-managed key or be a customer managed key.

Zecurion Zserver offers an excellent solution in this context. It takes advantage of complex cryptographic techniques to protect data stored on servers, SAN and NAS storages, magnetic tapes and optical disks. With unique media encryption capabilities, it protects data in use, storage and transport. Its system is designed with a balance between ease-of-use and the strongest available control levels by allowing administrators to decide when data is encrypted and decrypted through the Zserver Enterprise Key Management Server (EKMS). Zserver uses proven encryption algorithms with key lengths up to 512 bits (AES, XTS-AES). The adaptive multithreaded encryption, the system uses can significantly increase the speed of data encryption on multiprocessor and multicore systems.

EKMS empowers the customer completely. It may make the physical location of the files less relevant, since no party can decrypt the data if the customer has chosen to withdraw access to the encryption keys. In this way, the customer has the total control on whom to give the access to the data. The solution enables customers to manage the keys that encrypt and decrypt their data. EKMS gives customers their own key layer, and sole control over the management of the encryption keys used to protect their data in the cloud. It is up to the customers to properly manage the keys to avoid any interruption of data-sharing or collaboration with their own customers and partners.

All in all, data protection is very vital to avoid any kind of loss whether the breach is intentional or just a human error. You can research the type that best suits your needs, but you should make sure that you have your data protected.

Safeguarding the Devices can Reduce Data Leaks by Over 40 Percent in Healthcare

Healthcare is the top-most targeted sector for data breaches, accounting for nearly 78 percent of total number of records exposed over January-August 2015. Of all the data breaches in healthcare, 12 percent accounts for intentional insider leaks whereas 17 percent is due to unintentional disclosure. The biggest chunk of 41 percent is attributed to lost or missing devices. Therefore safeguarding just the devices themselves can reduce the threat of data loss significantly.

The following measures can help organizations in safeguarding their devices:

  1. Reporting Loss – The first and foremost step is to report the loss or theft of any such device immediately to the organization so that proper steps can be taken.
  2. Surveillance of Premises – One of the easiest and most widely used methods to avoid any theft is monitoring the workplace by security cameras or electronic log systems of employees. Even if the device or data gets stolen or goes missing, the security equipment will help in recovering it or in identifying the offender.
  3. Educating Employees – Creating security awareness among the employees is another important step in averting potential data thefts. Various programs must be conducted for employees to educate them and make them accountable for devices allocated to them. It should be a continuous process and should be enforced through regular email reminders, desktop screen savers, placards on the walls, etc.
  4. Data Management – It has two components – documenting data storage and removing unwanted information. Data should be stored in a methodical way by defining class of data with proper labelling of sensitive information. Another important aspect is to clean unwanted and duplicate files from the system to reduce the chances of data loss.

Apart from safeguarding devices, companies should also secure them so that in case of any unexpected loss, they are prepared to deal with the ensuing data loss. Following measures could help a company in dealing with data stored in lost devices in a more effective way:

  1. Data Encryption – This can be achieved by encrypting the data on portable devices and disabling the transfer of any information from these devices to any other device. Technologies such as on-the-fly encryption, redaction, DLP (Data Loss Prevention) solution and DRM (Digital Rights Management) on sensitive data are some of the ways for enhancing data protection.
  2. Geo-fencing – Geo-fencing is a kind of virtual barrier that uses Global Positioning System (GPS) to define the geographical boundary for any portable device. Once outside the boundary, data inside that particular device cannot be accessed. It also helps in recovering the lost device.
  3. Remote Wipe – With the help of the right set of tools, the information stored in stolen devices can be partly or totally wiped remotely.

It is imperative to change the outlook of healthcare companies to equally focus on both devices and data stored inside it. Measures for device safety and for data loss prevention should be planned proactively.

Can You Really Risk a Data Breach?

 

Insider Threat is On the Rise

With the new age technology making data more accessible, there has been an increase in data breach incidents in recent years. A common data breach is human error and according to a study conducted by Verizon in 2014, it accounted for 44% of all errors. Human error can be broadly divided into two types – intentional or unintentional. The former could occur due to confusion or not understanding the security protocols and procedures. The latter may occur due to various reasons like employee dissatisfaction, monetary gain etc.

Organizations have been spending a lot of time and energy on safeguarding data from outsiders and they have succeeded in doing so to a larger extent. However, organizations are now realizing that the need to safeguard data from insider forces within the organization is critical as well.

Data Breach Costs are Escalating Every Year

With data breach incidents being on the rise, the cost of data breach has also escalated as compared to previous years. A Ponemon study implies that the global average cost of per data breach rose to $154 in 2014 as compared to $145 in 2013 which accounts for a 6% increase. The cost comprises post data breach procedures including a) investigative and remedial actions, b) setting up hotlines, c) legal and consultation fee, d) notifications, e) incident response unit, etc.

In today’s era, every sector is prone to be victimized by data breach including the heavily regulated healthcare, education, retail and financial services sectors. The average time taken in cleaning up functions and remedial procedures after a data breach is usually a month, with the cost being as high as $20,000 per day.

Data recovery adds to the cost especially when the data breach is on a bigger scale or is a potential crime. Outside agencies are to be contacted and notified including law enforcement agencies. A full blown investigation takes place where the organization may have to hire a very experienced and highly recommended team of forensics and IT experts to review the case. This results in loss of productivity and hence adds to financial losses.

With Data Loss Prevention Solution and an Employee Training Program Around it, Benefits Largely Outweigh the Costs

IT managers need to be proactive, set better privacy policies in sync with company regulations and implement solutions such as data loss prevention to effective manage inside threats. According to a Ponemon report of May 2015, the involvement of the board of directors cuts down the per capita breach cost by $5.5 and insurance by $4.40. An incident response unit cuts down the cost by $12.60 and encryption by $12. Along with implementation of data loss prevention tools, successful execution of employee training programs around security policies goes a long way in mitigating the threats posed by internal factors. Towards this, it is essential that data loss prevention be treated as a business initiative rather than a mere technology tool.

2015: Data Breach Stats*, Year Until 10/06/2015

Stats Chart Updated

 

*The ITRC tracks seven categories of data loss methods:Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information:Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Reports of Data Breaches Continue Across All Sectors

Let us see how some sectors have been impacted between January and August of 2015. The excerpts below only provide a glimpse of some of these incidents.

Financial Services

12 Aug 2015 – Nationstar Mortgage sent letters to their customers informing them of possible leakage of their personal information. All the affected customers were provided with a complimentary 1 year Experian’s ProtectMyID Elite membership, a product to detect possible data breach and to provide a feasible solution.

25 Jun 2015 – Bank of Manhattan Mortgage Lending notified their customers of a possible data breach as one of their employees responsible for handling loan files was found storing the data in a manner contrary to the bank’s policies and instructions. The Bank of Manhattan Mortgage Lending has offered services for better protection of its customers’ data like credit monitoring and identity theft protection for 12 months, solution support call center and insurance.

Healthcare

29 Jul 2015 – East Bay Perinatal Medical Associates notified their patients after a former employee was found with a list containing patient names and their contact details. The patients’ financial and bank information was not found on the employee’s laptop and the entire data was deleted from his laptop’s hard drive.

17 Jun 2015 – Patients of UC Irvine Medical Center were notified of a situation wherein an employee,not having authority to access particular patient records, was found to be going over those records. UC Irvine hired computer experts to gain insights on the volume of data accessed and solutions to overcome such problems in future. In addition, patients were also provided with credit monitoring and recovery services free of cost.

Retail

18 Jul 2015 – A pharmacy technician at CVS in San Diego was accused of stealing patients’ records, including personal information of 100 patients, for the purpose of identity theft. The data stolen was used by the technician’s property manager to obtain credit and credit cards.

Government 

13 Jul 2015 – Visitors to the Mule Creek State Prison were notified by prison authorities of possible misuse of their personal information, when the information was discovered to be in possession of individuals outside the facility. The  affected people were recommended to put a fraud alert on their credit files.

29 Jun 2015 – Twin brothers from Virginia pled guilty to charges ranging from identity theft,conspiracy to commit wire fraud to accessing protected and government computers without authorization.  The brothers stole sensitive information related to passport and visas and also planned to install a device in the State Department to get easy access to confidential information.

Zecurion Granted Patent for Preventive Shadow Copy and Content Analysis Method by US PTO

Twitter header pic 01122015New York City, New York, October 7, 2015Zecurion, a leading developer of data loss prevention solutions, announced that it has been granted the patent for its unique preventive shadow copy and content analysis method by the US Patent and Trademark Office.

Removable media devices enable users to extract significant amounts of sensitive data from a data source. Moving data using thumb drives or other removable media devices has become a common practice, even among information technology and security specialists. Such data transfers go largely undetected. Once sensitive data has moved to a removable storage device it is easily removed from the enterprise and compromised. Thus companies, governments and other organizations risk losing the data or exposing it to unauthorized recipients. Further risks include violations of laws and regulations requiring audit trails or encryption when moving sensitive data.

Towards this, while encryption provides a viable solution, it has many drawbacks too. Encrypting large amounts of data can be time consuming and encryption policies are difficult to enforce. Without user diligence and willingness to comply with encryption requirements, encryption is a relatively weak security mechanism for removable media.

Zecurion’s preventive shadow copy and content analysis method solves the problem by providing a system that would automatically enforce a removable media security policy without relying on the user to take action such as encrypting data to be transferred. The method guarantees that a file will be written to the removable media only after it has been checked by control software to assure its compliance with security policies.

Alexey Raevsky, Zecurion’s CEO, said “We are very excited to be granted the patent for our unique preventive shadow copy and content analysis method. Our invention addresses the challenge that corporates face in enforcing removable media security policy. In addition, the method is completely transparent to users, enabling information security managers to achieve better success with implementation policies, while also freeing up resources to focus on other threats corporates may be facing.”

For more information, please call +1 866 581-0999.

Are Your Systems Overloaded with Piecemeal Solutions?

Sensitive information in terms of personal information pertaining to clients, customers, employees, and business-related information including business plans, strategy documents and financial records are of utmost importance for organizations in today’s knowledge driven world. If any of this information gets lost, stolen or tempered with, not only it burns a hole in the organization’s pockets for figuring out a viable and corrective measure but also brings down the reputation of the organization and people associated with it.

There are several ways how companies have been dealing with this kind of problem ever since business relationships started developing. Firewall is amongst one of the widely used programs for preventing any kind of intrusion or unauthorized transmission. It could be a very good line of defense for an organization to safeguard its assets but with the rapidly changing technology and ever growing data,organizations ought to have something more flexible, productive, secure and scalable solution.

In recent years, IT managers have implemented various security solutions beyond firewall to control the access of external devices and data exchange between employees with other stake holders outside the company. The solutions primarily focus on any of the components such as encryption, monitoring, scheduling and filtering of data while transmitting data over the network.

These piecemeal solutions might have helped organizations in winning small battles; however companies do not prepare themselves for the war in terms of data breach.

A survey by Osterman Research suggests that 30-60 percent of security solutions purchased become shelfware and are never utilized by the company due to various reasons.

In a race to solve immediate security issues, organizations have always focused on data access policies and not on data breach policies which are much bigger and larger than just restricting data access.

The most common solutions for data breach control are data management solutions in the market allowing IT managers to have access based on data classification, rules for data monitoring, data filtering based on sensitive keywords and dynamic data access and approvals.

DLP (Data Loss Prevention) is the common tool for data management solutions which integrates all these different components (Data Access and Rights Management, Web Filtering, eForensics, Endpoint Control, Network Diagnostics, Laptop Theft, Policy Enforcements, etc.) into one solution which can be easily managed by IT staff.

It is easy to define and enforce policies in DLP which removes the need for defining it in multiple tools and acts as an effective tool for IT managers. The data can be easily discovered, managed and protected at the same time. DLP solutions are quite flexible in defining rules for various users and also enable compliance with regulations such as HIPAA.

DLP is also equipped with the capability to protect data stored in cloud or mobile devices and helps in preventing data loss beyond the perimeter of the organization’s network. Most of the organizations focus on what the network is receiving to avoid any virus attack but ignore what’s going out and that is where the sensitive data becomes vulnerable.

In the short run, opting for piecemeal solutions may be cheaper and viable, but this is a more myopic view of looking at such an important issue. It may result in a financial burden or even can lead to brand tarnishing.  Instead, one should look at a broader perspective. A progressive way will be to implement a DLP solution which definitely will fetch better results as it does not require installing and managing different components at various locations. Perhaps, this will be advantageous and will prevent any intrusion or data loss thereby saving the organization from any kind of financial burden or loss of reputation.

Zecurion Whitepaper: Securing Corporate Data on Mobile Devices

Regmobile_miniulating the information flow between various devices has been a top priority for Information Technology (IT) managers. With the advent of bring-your-own-device (BYOD) to the workplace, their task has become even more challenging to secure data and ensure seamless data access between desktops, laptops and mobile devices. MobMobThis situation is compounded by the fact that IT managers are often unaware of mobile devices being on the corporate network. Towards this, download Zecurion’s latest whitepaper on Mobile DLP to:

  • Explore the challenges of BYOD
  • Gain awareness about the benefits of mobile data loss prevention (DLP) solutions
  • Learn how to ensure data security on mobile devices
  • Understand how Zecurion Mobile DLP can help ensure data traveling between mobile devices is not compromised