Category Archives: Insider Threat

Data Security Priorities for SMBs in 2017

Small- and medium-sized companies (SMBs) are equally vulnerable to cyber threats and data breaches as large enterprises. According to a survey of SMBs conducted by Ponemon Institute, nearly 55% of respondents said that they experienced a cyber-attack, and at least 50% had a data breach in the past 12 months. It was also revealed that negligent employees, contractors and third parties caused most data breaches.[1]

Here are the key reasons why SMBs are becoming more vulnerable

  • Security policy is not well defined.
  • The software and methods that are in place to prevent the breach are either obsolete or not capable enough to prevent the data leakage.
  • Lack of training to the employees.
  • Not enough budget is allotted to thwart the threat.
  • Strict adherence to follow the security procedure is lacking – weak or repetitive passwords. Encryption is missing in most of the cases.
  • BYOD policies are missing.
  • Protocol to be followed in case of leak is not defined, which could in turn restrict the extent of data loss.
  • There is rarely a dedicated IT personnel overlooking the security of the system. Thus, 24/7 observation is

For all of these reasons, the loss of sensitive data is often due to negligence of the company personnel. A lot can be averted if the following requirements are addressed in the security protocol.

These essential steps are recommended for SMBs to follow and implement in order to mitigate data breach threats.

  • Regular training sessions should be conducted for the employees. Users should be educated about cyber security and informed on how to deal with the sensitive information safely.
  • Password encryption should be a must. Implementation of two-factor authentication is an easy and affordable way to safeguard the cyber content.
  • Account management should be implemented. User-defined roles should dictate who gets what kind of access to the sensitive data. Authentication of the user and the device being used to access the information should be verified.
  • Clearly define the BYOD policies to the employees so that intentional or deliberate loss of data can be mitigated.
  • Software used should be current, thus making it less vulnerable to cyber threats.
  • Policies around what data can be copied and how and where it can be duplicated should be laid out for the users.

As we step into 2017, SMBs should start gearing up to implement tailored protocols to defend against data breach, particularly from insiders. Along with taking the steps mentioned above in stride, employees should be scrutinized for their behavior in the office. Even at the time of recruitment, proper background screening should be conducted. Getting the right kind of employees and following up with a robust plan for security will aptly help mitigate the threat.

[1] http://www.ponemon.org/blog/smbs-are-vulnerable-to-cyber-attacks

2016: Data Breach Statistics, Year until 10/19/2016

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted as of October 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.

Government

August 26, 2016 – County of Sacramento, California, issued a statement that an unknown number of records with personal data were exposed due to an error in the online automated application for Emergency Medical Service license. The information included name, address, social security number, driver’s license, phone number, date of birth of the applicants. Although there has been no report of misuse of PII, yet the county offered one year credit monitoring services of Experian to the affected people as a precaution.

Source: California Attorney General

 Healthcare

September 26, 2016 – One worker at Yale- New Haven Hospital and her friend were arrested for illegally procuring classified personal information of at least 20 near death patients and using the stolen data to obtain credit cards, becoming beneficiaries in their insurances among other planned crimes. This had been going on for two years before they were caught. A year’s credit monitoring has been offered to the victims.

Source: Media: News 3

August 12, 2016 – Bon Secours Health System disclosed that R-C Healthcare Management, a third-party vendor managing their Medicare and Medicaid reimbursement, accidentally left patients’ files accessible over the internet while updating network settings. About 665,000 records containing patient name, health insurer’s name, health insurance identification number, social security number and some health information was exposed to the general public. A forensic investigator was hired to correctly identify people that were affected by this breach and then informed about the incident. 435,000 were from Virginia and the rest were from Kentucky and South Carolina. No misuse of the exposed data has been reported so far.

Source: Media: http://www.nbcconnecticut.com/

Business

September 22, 2016 – Premier America Credit Union, California, reported that a departing employee sent an account list containing name, address and maybe social security and/or employer Identification number to his personal email address for most likely solicitation purposes in future. The employee was reminded of his obligations and company regulations and advised not to use any of this information for any purpose. The management further offered complimentary one year credit monitoring services of Experian to the victims.

Source: California Attorney General
August 8, 2016 – 7-Eleven reported that in June 2016 during a regular maintenance cycle some of the franchisees received the records of employees other than their own franchisee’s employees. The exposed information contained name, address, phone number and social security number of 7,820 employees. The correction was completed within 5 days. 7-Eleven offered 12 months of First Watch Technologies’ professional identity monitoring service to the victims in addition to $1,000,000.00 in identity theft insurance with no deductible.

Source: California Attorney General

Keep Sensitive Data Secure on a Tight Budget

As more services move towards the cloud, it is important to establish network security so as to ensure secure data transfer. Similarly, businesses that manage critical personal data need to maintain airtight security policies and procedures. Not having such policies in place may lead to security breaches or expensive client lawsuits. According to a 2016 report from the Ponemon Institute, almost 50 percent of small organizations that were surveyed experienced a data breach in the previous year. Another research by Symantec found that almost 43 percent of cyber-attacks in 2015 were targeted towards small businesses, up from 18 percent in 2011.

Small businesses make for an enticing target as they usually do not have the necessary security controls in place to secure their financial data from internal as well as external threats. Here are some low budget tips that can help small businesses keep their financial data safe.

  • Install proper network and work station controls such as properly configured firewall, anti-virus software, and updated patches for all hardware and software. Criminals usually try to exploit sensitive data such as Personally Identifiable Information (PIT), business trade secrets, financial data and other critical company information. Organizations must have restrictions in place for allowing only the least number of employees having access to sensitive information, especially financial or that related to security. Strict compliance must be ensured and employees must be trained and updated about it. This will help reduce incidents of data loss/ theft. Access to all storage, computing and online-based media like servers and databases must be restricted to only a few trusted employees.
  • Establish a culture of security by training and informing employees about accessing unsafe websites while at work that may result in major breaches. Companies may also resort to block access to certain sites for security reasons.
  • Conduct periodic testing to keep a check on vulnerabilities. The frequency of testing must depend on functional criticality and size of the company. With smartphones being used as devices for transfer of data, companies must ensure that these devices also fall under the purview of DLP policies and practices. Mobile devices must have anti-virus software installed and be up-to-date.
  • Get finance teams/ CTOs involved to understand the risks involved and get a holistic view of what can be done to mitigate these risks at the base level – without incurring too much cost.
  • Implement two-factor authentication along with strong password policy. Two-factor authentication requires use of a password plus a code or a biometric marker to access data. The additional layer of security makes access to sensitive data more difficult.
  • Set aside a small budget specifically for continuous monitoring or security-related loopholes to help ward off any attacks and threats. If utilizing the services of third party vendors for securely managing data, have a Service Level Agreement (SLA) which details security expectations and gives the right to thoroughly audit the vendor to confirm and ensure compliance with policies.

In essence, by just implementing and following certain basic tenets of security, most organizations can secure their sensitive data with bare minimum costs.

Why Biometrics Should be Used?

Biometrics is a way of making sure that the user is who he or she claims to be, thus eliminating unauthorized access to information and safeguarding it from internal threats. With data breaches becoming more complicated and impacting all sectors, organizations are gradually complementing traditional authentication techniques, especially passwords, with biometric technology. To fully understand the potential that biometrics offers towards enhancing data security, let us first understand what biometric identifies are, how they can be deployed and advantages that the technology offers.

Biometric Identifiers

The term “Biometrics” is coined with two words “bio” and “metric” meaning life and measure respectively. The underlying meaning is that every human is unique and can be recognized/ identified by his or her intrinsic physical or behavioral traits.

Fingerprints, face, retina, voice, ear features, typing rhythm, gait and gestures constitute as biometric identifiers. For security, a single or a composition of multiple identifiers can be used. Research and development is actively underway to encompass brainwave signals, electronic tattoos and microchips under biometric identifiers.

Biometrics Deployment

Fingerprint scanners, face recognition software and biometric hand reader are some of the platforms that are based on biometric technologies. Adoption of biometrics at various access points and endpoints is greatly beneficial in preventing unauthorized access and hence data loss either accidently or on purpose.

A study by ABI Research states that consumer and enterprise spending on biometrics is growing at a rate of 29% per year, with market size expected to reach $36.8 billion by 2020. Retail and banking sectors are leading in the adoption of biometric technologies because of the sheer volume of sensitive data they process.

Biometrics Advantages

While biometrics is gradually becoming a part of our daily lives – common examples being checks at international airports and fingerprint recognition on mobile devices – a number of organizations are yet to fully realize the capability that the technology offers. There are many advantages of deploying biometric technologies. These are:

  • Biometrics are extremely accurate, though not 100%, as the identifiers are unique to each user.
  • While passwords can be replicated making the system vulnerable to unauthorized users, biometric identifiers are difficult to break and thus offer very reliable data security mechanism.
  • Automated biometric verification is a very quick process.
  • Biometrics do not require multi-layer authentication. They are user friendly and lift up the burden from the user to remember various complex passwords. This saves time without compromising the security of sensitive data.

Conclusion

Organizations can enhance traditional authentication methods that they use by introducing biometrics – an additional security layer that answers “Who I am”. While barriers to adoption remain high, mainly being cost and privacy, the number of real-word applications for biometrics has been increasing. It remains to be seen if biometrics will emerge as the answer to most data theft problems or if it will only continue to act as an additional assurance to prevent data loss.

Best Practices for Enhancing Mobile Data Security

Data loss, whether intentional or unintentional, not only leads to financial loss but also leaves a lasting impact on goodwill of the organization. With increased enterprise mobility, organizations need to implement strict regulations and safeguard confidential resources from falling into wrong hands.

BYOD, the key driver for enterprise mobility, has increased productivity and reduced costs as employees can now access corporate emails, messages, text and work files from their own personal device. They can be virtually anywhere while still being productive.

The stereotype work culture of commuting to the office or working from one fixed desktop is already a thing of the past. According to Fliplet, worldwide more than 1.3 billion workers use various mobile devices for work. Studies have also shown that usage of smart phones by mobile workforce results in increased productivity of work – a six weeks’ worth equivalent to almost 240 more hours per employee annually. BYOD is therefore here to stay and is being recognized as a megatrend impacting small and big enterprises.

However, the flip side to it is that it has also resulted in increased vulnerability of mobile data. Towards this, Zecurion recommends 10 best practices to enhance mobile data security.

  1. Classify, Tag and Analyze Data

Classifying and digitally tagging data will prevent data loss in case it falls into wrong hands. Classification of data is compulsory in order to correctly deploy the tool to thwart the loss.  Once classification of data is completed by a team of experts – comprising business process managers, legal and compliance specialists – it is easier to choose a DLP tool that best suits the need. These tools are essentially automated controls protecting data at rest, data in transit and data in use.

  1. Integrate with Mobile Device Management

Mobile Device Management (MDM), a content- aware solution, simply lets the administrator define roles and authorizations for users. This way only selected users have access to all the information and DLP can be better managed. MDM also offers jailbreaking/ rooting detection feature. Until the device is deemed safe, the mobile device will not be able to access anything on the company’s server. MDM can also block specified applications.

  1. Encryption of Data

Encryption should be a rule of thumb for any wireless mobile communication – be it cloud-based or over virtual private network. To access the encrypted data, an encryption key is required. An unauthorized interceptor can therefore not access data without this key.

  1. Authenticate Identity of the User

Multiple forms of authentication, a.k.a. biometrics, should be used for mobile devices. These include fingerprint, facial, retina and voice recognition. Biometrics is a way of making sure that the user is who he or she claims to be, thus eliminating chances of unauthorized access and preventing data loss.

  1. Test for Vulnerability of Mobile Data Periodically

Penetration testing on mobile devices must be undertaken on a regular basis. Accordingly, organizations must come up with mitigation plans in case of a breach.

  1. Train Staff Regularly

Conduct periodic training on mobile DLP to educate corporate mobile users about access policies and usage behavior.

  1. Deploy Endpoint Security

Implementing endpoint security just as in other non-mobile environments. With endpoint protection, unauthorized users or devices that do not comply with the security program cannot access, copy, share or store confidential information either accidentally or on purpose.

  1. Implement COPE – Company Owned Personally Enabled Mobile Devices

Depending on the nature of business, organizations should implement COPE – antidote to vulnerabilities arising from BYOD. COPE enables the IT department to maintain control on devices connected to enterprise networks while offering work flexibility to employees. Also in case the device is stolen or lost, the organization will have the ability to wipe out the entire data remotely. Further, COPE allows IT to control the installation of third party software and prevent any malicious software from being installed on mobile devices.

  1. Monitor Outflow and Inflow of Mobile Data

Install mobile DLP solution that successfully monitors the data that the mobile device accesses or downloads from the organization’s server. Personal and business emails can easily be bifurcated and chances of sensitive information being leaked from mobile devices are drastically reduced.

  1. Destroy Obsolete Hardware

Make sure that unused or discarded mobile devices are wiped clean of any sensitive data. Have strict well defined policies in place for proper disposal of mobile devices. Installing customized firewalls will give limited access to organization’s data to mobile users and prevent sensitive data loss.

How Zecurion Can Help

Zecurion offers Mobile DLP which is a full data prevention solution that offers content analysis for Android devices and contains all the necessary functionality for data protection. It provides complete monitoring of corporate information on employees’ mobile devices, preventing data leaks at various stages of information processing, storage, and transfer.

Zecurion Mobile DLP can help ensure data traveling between mobile devices is not compromised and provides monitoring of connecting mobile devices to computers and other devices. Zecurion Mobile DLP finds copies of confidential documents on users’ mobile devices and blocks their transfer via unsecured open networks. All traffic is channeled through a protected corporate network. In the event of theft or loss, the device can be blocked by a security officer. The solution also stores shadow copies of SMS and MMS, as well as monitors the running of applications. Its key features include file scan, application control, monitoring, SMS/ MMS logging, allow / disable certain Wi-Fi networks, remote blocking /cleaning of the device and logging of geo location.

Insider Threat is a Growing Problem in Government: Are We Overlooking?

Cybersecurity has become a top priority for government, yet research shows that “Government” is one of the most vulnerable sectors when it comes to insider threats. Often action comes quite late and signs remain unreported for years either due to unwillingness or inability of colleagues to accept any such possibility.

A 2015 survey by Symantec revealed that If IT administrators in government organizations do not terminate network access quickly enough, the results could be disastrous. The survey reported that nearly 45% of federal departments were targeted by insider threats over the year, with 29% losing data as a result.

Over the years, even though data loss prevention has become a more sophisticated technology, aimed at preventing data breaches, insider threat has continued to evolve into a more complex problem. This is because technology adoption in government is not just slow and tedious, but also requires considerable amount of training for successful enforcement.

There are 4 key challenges that government organizations need to address for better management of their data security strategies.

1.Infrastructure is Under-Equipped

The budget allotted to government IT departments has always been frugal in comparison to other sectors. The IT systems that are operational are thus neither modern nor updated. Budget constraints often result in usage of old, obsolete hardware and software that are not equipped to handle the more complicated data breaches.

2.Technology Purchase is a Slow Process

Process of purchasing technology is often slow and lengthy. Various factors such as RFP, bidding, political environment, preferred vendor etc. influence the purchase decision and by the time the purchase gets approved, the ordered technology itself becomes out dated.

3.Stealth IT is Creeping in

Easy availability of cloud offerings and bring-your-own-device (BYOD) have resulted in shadow/ stealth IT coming into practice. Employees often resolve to solutions that they think would be the best, resulting in sporadic practices where data might not be properly managed or protected. This results in exposure to unauthorized people.

4.Compliance is Becoming Complex

Government organizations need to meet major compliance regulations such as FISMA, NIST 800-53, FIPs (up to level 3) and Common Criteria. Depending on the sector they operate in, compliance with HIPAA-HITECH and PCI DSS is also required. Regular training and education is essential for organizations to meet these complex compliance requirements.

Keeping in mind the above stated challenges, Zecurion has identified some best practices to minimize the risk of internal threats. These are:

1.Early Detection through Proactive Monitoring

Having efficient algorithms and rules for the network helps detect early if personally identifiable information (PII) is being accessed without proper authorization. Many automated tools are available today that can discover any such breach at the initial stage itself. And early detection can thwart data loss incidents.

2.Comply with FedRAMP for Secure Cloud Adoptio

Old, redundant legacy systems being used are primitive. And IT budgets are limited. Therefore implementing cloud solutions that have enhanced security features will be both cost effective and agile. Government organizations that adopt cloud need to comply with FedRAMP.

3.Encryption is a Must-Have

Government organizations are mandated to have encryption. Solutions that encrypt information on hard drives, disk arrays and SAN storage through sophisticated cryptographic techniques, protect sensitive information whenever physical control of the media is impossible.

4.Multilayer Security Authentication

Multilayer security authentication is a must. Options for finger print, retina test or scanning of a smart card should be added to regular password options to establish identity of the actual user. User role needs to be identified comprehensively, and accordingly the extent of authorization should be granted.

5.Update Security Patches Frequently

Antivirus and firewalls should not be outdated or obsolete. The software should be current and running 24/7 365 days without failure. Still just deploying antivirus is not enough. Securing the endpoints is equally important to prevent data loss.

6.Set Up Dedicated Risk Assessment Team

The executive team should have a formal dedicated risk assessment team to look into various techniques, procedures, and access points from where the PII leaves the system. The team may pose as insider threat actors and hackers, play bad cop and come up with customized solutions and risk mitigation plans to protect against breaches.

7.Implement Incident Response Plan

Drawing up an efficient incident response plan helps in mitigating and containing the aftermath. This is very important for the reputation of the organization. When reputation is at stake, having a robust plan that streamlines what needs to be done, when and how, saves time, money and credibility.

12 Million Records Breached by May 2016

*The ITRC tracks seven categories of data loss methods:Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information:Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Since our last report in February on statistical data, 327 data breaches affecting 10 million+ records have been reported.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted between February and May 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.

Government

11 April, 2016 – FDIC, Washington, DC notified that 44,000 records of customers were exposed when an authorized employee unknowingly downloaded the classified information of the affected people on a personal portable device. FDIC uses technology to track downloads to portable devices. On being detected, the employee was contacted, who in turn, immediately returned the device and signed an affidavit stating that the information was not used for any purpose.

Source: Washington Post

Healthcare

February 2, 2016 – Hawaii Medical Service Association (HMSA) disclosed that they accidentally sent 10,800 letters to wrong addresses instead of the rightful owners. Luckily, the letters did not have any sensitive data but only information about how these patients can better manage the ailment they are suffering from. The affected members were contacted telling them of the mistake and answering any questions they might have.

Source: Databreaches.net

Business

March 15, 2016 – Laborers Funds Administrative Office of Northern California, reported that an undisclosed number of records had been compromised due to a computer error. Classified information of not only members but also their dependents was accidentally emailed to a fund member instead of the IRS. The office does not believe that the information has been misused but they have offered a one year free credit monitoring to all the affected people.

Source: California Attorney General

March 7, 2016 – Turner Construction, San Diego, California, stated that an undisclosed number of records with classified information were breached as an email containing sensitive information was accidentally sent out to an unauthorized party. The company has since taken many steps to mitigate the threat. Kroll, an ID monitoring service, has been engaged to provide free monitoring to all the affected people for ten years. The services include Credit Monitoring, Web Watcher, Public Persona, Quick Cash Scan, $1 Million Identity Theft Insurance, Identity Consultation, and Identity Restoration.

Source: Maryland Attorney General

Education

16 May, 2016 – Poway Unified School, California inadvertently released data of about 36,444 students and their parents to one parent who had requested information related to her name only. The information included children’s names, nicknames, addresses, phone numbers, hearing and vision exam results, dates of birth, language fluency, academic test results and occupation of parents. It did not list the social security numbers. The exposed data falls under protected information under the Family Educational Rights and Privacy Act and the school could risk losing federal funding. The data contained information of about 70,000 people.

Source: San Diego Union Tribune

25 January, 2016 – California Virtual Academies (CAVA), California informed its registered users on December 9, 2015 that their data storage system is prone to data breach. CAVA, within hours, was able to locate the vulnerability and contain it by securing the system. Since then, it has been established that unauthorized access was limited to the data security researcher who had initially notified CAVA. Users have been urged to check their personal accounts, change security settings online and read information provided on credit and identity protection.

Source: California Attorney General

Top Breaches in Retail in 2015 -2016

This week, we will continue with the topic of data breaches in retail.

Study Findings

A study on data breaches in retail, conducted by Vormetric, revealed the following key findings:

  1. 93% retailers believe that their organization is susceptible to insider threats.
  2. 48% retailers have either had a data breach or did not meet compliance audit in the last one year.
  3. 77% retailers said that “diligently following up on compliance requirements and making implementation of those requirements mandatory” can easily thwart insider threats.

Examples

In order to emphasize on the vulnerability of retail to data loss, let us look at four examples where sensitive information was compromised because of a breach (caused by external and/or internal factors).

  1. Target – Although this incident impacted Target retail stores in November-December 2014, it is worth mentioning as it has been deemed as one of the most expensive breaches in the history of retail industry. Almost 70 million customers had their personal and payment card information stolen. The hackers had installed malware software on POS terminals. The breach cost Target more than US$ 3.6 billion.
  1. CVS/ Walgreens – July 2015 saw a credit card breach where CVS, Walgreens came into the grip of malicious hackers. The pharmacies had to halt their online photo service in the wake of credit card theft.
  1. CVS – In July 2015, a pharmacy technician passed about 100 customer records between May 2013 and April 2015 to her property manager, who in turn, used this unauthorized information to apply for loans and credit cards.
  1. Bed, Bath and Beyond – In September 2015, the retailer reported that an employee had stolen some customers’ credit card information with the intention to misuse it.

Reasons Why Retail is Different

There are many reasons that make retail different from other sectors, which also results in the need to implement a unique vertical-specific solution rather than a cookie-cutter solution.

  1. Volume of Credit Card Transactions

In retail, majority of payments are conducted using credit cards, making the sector highly vulnerable to breaches.

  1. High Employee Turnover

Retail has a very high employee turnover. Employees fall into various categories – part time, full time, seasonal – and keep on moving quickly between departments, locations and across other employers. This makes employee training and monitoring very challenging, resulting in higher risk of breaches by insiders intentionally or accidentally.

  1. Physical Security of Payment Endpoints

Access to payment endpoints is easy, whether it is POS at stores or gas pumps. There are devices available that can be used on these payment terminals to capture sensitive credit card data.

  1. Multiple Locations

Large retailers have stores across various locations. More the number of locations, higher is the cost of implementing security measures.

  1. Speed of Responsiveness

In retail, a key measure of customer satisfaction is speed of responsiveness. Retailers face a very tough competition and are always on their toes to provide a very fast and satisfying service. Any kind of online authentication can easily slow down the process, tempting customers to cross the bridge to other retailers.

  1. Working with Third Parties

Retailers work with a number of third parties. A lot of these third parties manage sensitive data after uploading it to their own network. This raises the risk of data breach.

Conclusion

It is essential that retailers be cautious and take proactive measures to safeguard sensitive customer data stored on their or third party networks. Loyal customer relationships are built on trust. Implementing best practices that enhance this trust will go a long way in customer satisfaction and retention.

Retail Data Breaches – Lessons Learnt


For the past couple of months we have been talking about data breaches across different sectors, their implications and best practices that can be implemented. In this blog, we will talk about retail.

Enhanced Digital Experience Drives Need for Enhanced Data Security

While the percentage of breaches in retail is low as compared to other sectors (as per Verizon, 1 in every 13 breaches is in retail), the cost of breach per record is very high. This is because a standalone breach in retail can account for thousands of accounts being comprised.

Retail is at the forefront of implementing customer-facing digital applications. As retailers create a seamless customer experience through an omni-channel strategy, the threat to data loss either because of employee error or malicious intent, or because of external factors such as hacker, malware etc. is also increasing. Another type of breach that retailers face is Denial of Service (DoS), which can heavily harm goodwill of the company. In this kind of breach, hackers overload the server and explicitly force the website to go down due to overloading.

While regulatory requirements have been set up to ensure organizations that process sensitive personal or financial information are in compliance, the threat from newer sources and methods is always there. According to IBM, the cost of breach per record in retail is US$ 165. Retailers not only have to pay a heavy price for these breaches in terms of penalties, but they also face the imminent threat of losing their loyal customers to competitors.

Best Practices in Retail for Proactive Data Loss Prevention

Zecurion recommends the following best practices that retailers should implement to thwart data loss threats from their endpoints, servers and networks:

  • Invest and install comprehensive data loss prevention solutions, developed from the ground up, rather than piecemeal solutions. The former provide more robust security features against internal and external threats of data loss
  • Involve end-users of technology in purchase decisions. Getting their feedback on issues they face helps identifying the right need and the right security solution that users are more willing to adopt
  • Educate the staff and conduct regular training sessions on data access policies. Make sure employees are aware of roles, restrictions and permissions assigned
  • Keep firewalls, anti-virus up to date. Make sure that there is no obsolete software running and all updates are current
  • Encryption should be the rule of thumb when exchanging any classified information. Two factor authentication comes very handy in high data volume environments
  • Secure the connection between networks and monitor endpoints regularly
  • Follow strict regulations and policies for Bring Your Own Devices (BYOD)
  • Generate awareness about POS RAM scrappers. These scrappers are used to steal data from infected POS machines. They can be easily installed remotely and the payment card data can then be reproduced within minutes, paving way for fraudulent transactions
  • Implement policies around safe removal of POS machines so no data can be misused
  • Set up regular checkup of POS machines to ensure there are no skimming devices that have been installed to get the payment card information
  • Implement and test a robust post-attack mitigation plan in case a breach does happen

It is worth mentioning here that the National Retail Federation has been actively campaigning for “Chip and Pin” cards. Payment cards have all the sensitive data stored in a microchip, with nothing embossed on the card. A “Chip and Pin” card will require a secret number to get approved instead of a signature. The requirement of having a pin number will aid in countering a lot of breaches, especially in case of stolen cards.

The “Chip and Pin” cards are in practice in other countries but are still not available in the US. While the initial set up cost for these kind of cards may be high, the security benefits offered will still outweigh the risk of a large data breach.

Top Breaches in Healthcare in 2015-16

 

Last week, we read about top breaches in the higher education sector. In this blog, we have identified for you top breaches in the healthcare sector.

  1. Anthem – February 2015 saw the largest healthcare breach of all times, with nearly 80 million records, containing sensitive data, getting affected.
  2. Premera Blue Cross – In March 2015, the Washington-based organization found that its 11 million records were hacked and both medical as well as financial data was breached. FBI investigation concluded that Chinese hackers were involved as in the case of Anthem breach. The organization provided two years of free credit monitoring to individuals affected by this incident.
  3. Excellus Blue Cross Blue Shield has been the third largest breach where in more than 10 million records were exposed.
  4. UCLA Health, based in Los Angeles, had 4.5 million records exposed in May 2015, as unauthorized user gained access to classified information.
  5. In Indiana, Medical Informatics Engineering, stated that 3.9 million records with Personal Health Information (PHI) fell into the hands of hackers in May 2015. Two years of free credit monitoring has been provided to individuals affected by this incident.
  6. In November, 2015, Maine General found that data from its system had been uploaded on an external website. Though the site did not have any sensitive information, it still exposed the vulnerability of healthcare to insider and external threats.
  7. In another incident, Washington State Health Care Authority (HCA) notified that 91,000 Medicaid patient files got mishandled. In this case, and HCA employee was helping an employee of Apple Health, a free healthcare service for low income individuals, with an Excel problem when the information got exchanged inappropriately, which is a clear violation of HIPPA regulation. Though the exposed information was not misused, yet both the employees were relieved from their jobs and one year of free monitoring was provided.

It is worth mentioning that the Department of Health and Human Services is becoming very vigilant in connection to HIPPA violations. The department is determined and is making sure that healthcare organizations are complying with HIPPA. If in non-compliance, the organizations have to pay hefty fines. Below are some examples of organizations that had to pay heavy fees as a result of non-compliance.

  1. Cancer Care Group, Indianapolis, paid $750,000 as HIPPA settlement.
  2. Lahey paid an exorbitant $850K to DHHS.
  3. Triple-S Management Corporation, however, tops the list by defaulting and paying a fine of $3.5 million.

According to the Office of Civil Rights, there were 253 healthcare breaches in 2015, with a combined loss of over 112 million records. To reinforce the importance of implementing data loss prevention, we have put together a few statistics from Ponemon, an independent researcher, on how vulnerable healthcare is to data breaches.

  1. At least 91% of the healthcare organizations have had one breach.
  2. 39% of the healthcare organizations have faced 2 – 5 breaches.
  3. 40% of the healthcare industries have been exposed to breaches more than 5 times.
  4. Data breaches in healthcare cost nearly $6 billion annually.
  5. Most important of all, non-malicious employee error is the leading reason for the breaches.

Conclusion

In conclusion, we can see how vulnerable our healthcare industry is to data breaches. The need to have robust and agile data loss protection solutions is strong and immediate. Those that are proactive and take adequate measures are bracing themselves for an imminent risk, while others are left behind. Data loss is no more new; it is there and it can strike anytime. Prepare and act now.