Category Archives: Insider Threat

Why Biometrics Should be Used?

Biometrics is a way of making sure that the user is who he or she claims to be, thus eliminating unauthorized access to information and safeguarding it from internal threats. With data breaches becoming more complicated and impacting all sectors, organizations are gradually complementing traditional authentication techniques, especially passwords, with biometric technology. To fully understand the potential that biometrics offers towards enhancing data security, let us first understand what biometric identifies are, how they can be deployed and advantages that the technology offers.

Biometric Identifiers

The term “Biometrics” is coined with two words “bio” and “metric” meaning life and measure respectively. The underlying meaning is that every human is unique and can be recognized/ identified by his or her intrinsic physical or behavioral traits.

Fingerprints, face, retina, voice, ear features, typing rhythm, gait and gestures constitute as biometric identifiers. For security, a single or a composition of multiple identifiers can be used. Research and development is actively underway to encompass brainwave signals, electronic tattoos and microchips under biometric identifiers.

Biometrics Deployment

Fingerprint scanners, face recognition software and biometric hand reader are some of the platforms that are based on biometric technologies. Adoption of biometrics at various access points and endpoints is greatly beneficial in preventing unauthorized access and hence data loss either accidently or on purpose.

A study by ABI Research states that consumer and enterprise spending on biometrics is growing at a rate of 29% per year, with market size expected to reach $36.8 billion by 2020. Retail and banking sectors are leading in the adoption of biometric technologies because of the sheer volume of sensitive data they process.

Biometrics Advantages

While biometrics is gradually becoming a part of our daily lives – common examples being checks at international airports and fingerprint recognition on mobile devices – a number of organizations are yet to fully realize the capability that the technology offers. There are many advantages of deploying biometric technologies. These are:

  • Biometrics are extremely accurate, though not 100%, as the identifiers are unique to each user.
  • While passwords can be replicated making the system vulnerable to unauthorized users, biometric identifiers are difficult to break and thus offer very reliable data security mechanism.
  • Automated biometric verification is a very quick process.
  • Biometrics do not require multi-layer authentication. They are user friendly and lift up the burden from the user to remember various complex passwords. This saves time without compromising the security of sensitive data.


Organizations can enhance traditional authentication methods that they use by introducing biometrics – an additional security layer that answers “Who I am”. While barriers to adoption remain high, mainly being cost and privacy, the number of real-word applications for biometrics has been increasing. It remains to be seen if biometrics will emerge as the answer to most data theft problems or if it will only continue to act as an additional assurance to prevent data loss.

Best Practices for Enhancing Mobile Data Security

Data loss, whether intentional or unintentional, not only leads to financial loss but also leaves a lasting impact on goodwill of the organization. With increased enterprise mobility, organizations need to implement strict regulations and safeguard confidential resources from falling into wrong hands.

BYOD, the key driver for enterprise mobility, has increased productivity and reduced costs as employees can now access corporate emails, messages, text and work files from their own personal device. They can be virtually anywhere while still being productive.

The stereotype work culture of commuting to the office or working from one fixed desktop is already a thing of the past. According to Fliplet, worldwide more than 1.3 billion workers use various mobile devices for work. Studies have also shown that usage of smart phones by mobile workforce results in increased productivity of work – a six weeks’ worth equivalent to almost 240 more hours per employee annually. BYOD is therefore here to stay and is being recognized as a megatrend impacting small and big enterprises.

However, the flip side to it is that it has also resulted in increased vulnerability of mobile data. Towards this, Zecurion recommends 10 best practices to enhance mobile data security.

  1. Classify, Tag and Analyze Data

Classifying and digitally tagging data will prevent data loss in case it falls into wrong hands. Classification of data is compulsory in order to correctly deploy the tool to thwart the loss.  Once classification of data is completed by a team of experts – comprising business process managers, legal and compliance specialists – it is easier to choose a DLP tool that best suits the need. These tools are essentially automated controls protecting data at rest, data in transit and data in use.

  1. Integrate with Mobile Device Management

Mobile Device Management (MDM), a content- aware solution, simply lets the administrator define roles and authorizations for users. This way only selected users have access to all the information and DLP can be better managed. MDM also offers jailbreaking/ rooting detection feature. Until the device is deemed safe, the mobile device will not be able to access anything on the company’s server. MDM can also block specified applications.

  1. Encryption of Data

Encryption should be a rule of thumb for any wireless mobile communication – be it cloud-based or over virtual private network. To access the encrypted data, an encryption key is required. An unauthorized interceptor can therefore not access data without this key.

  1. Authenticate Identity of the User

Multiple forms of authentication, a.k.a. biometrics, should be used for mobile devices. These include fingerprint, facial, retina and voice recognition. Biometrics is a way of making sure that the user is who he or she claims to be, thus eliminating chances of unauthorized access and preventing data loss.

  1. Test for Vulnerability of Mobile Data Periodically

Penetration testing on mobile devices must be undertaken on a regular basis. Accordingly, organizations must come up with mitigation plans in case of a breach.

  1. Train Staff Regularly

Conduct periodic training on mobile DLP to educate corporate mobile users about access policies and usage behavior.

  1. Deploy Endpoint Security

Implementing endpoint security just as in other non-mobile environments. With endpoint protection, unauthorized users or devices that do not comply with the security program cannot access, copy, share or store confidential information either accidentally or on purpose.

  1. Implement COPE – Company Owned Personally Enabled Mobile Devices

Depending on the nature of business, organizations should implement COPE – antidote to vulnerabilities arising from BYOD. COPE enables the IT department to maintain control on devices connected to enterprise networks while offering work flexibility to employees. Also in case the device is stolen or lost, the organization will have the ability to wipe out the entire data remotely. Further, COPE allows IT to control the installation of third party software and prevent any malicious software from being installed on mobile devices.

  1. Monitor Outflow and Inflow of Mobile Data

Install mobile DLP solution that successfully monitors the data that the mobile device accesses or downloads from the organization’s server. Personal and business emails can easily be bifurcated and chances of sensitive information being leaked from mobile devices are drastically reduced.

  1. Destroy Obsolete Hardware

Make sure that unused or discarded mobile devices are wiped clean of any sensitive data. Have strict well defined policies in place for proper disposal of mobile devices. Installing customized firewalls will give limited access to organization’s data to mobile users and prevent sensitive data loss.

How Zecurion Can Help

Zecurion offers Mobile DLP which is a full data prevention solution that offers content analysis for Android devices and contains all the necessary functionality for data protection. It provides complete monitoring of corporate information on employees’ mobile devices, preventing data leaks at various stages of information processing, storage, and transfer.

Zecurion Mobile DLP can help ensure data traveling between mobile devices is not compromised and provides monitoring of connecting mobile devices to computers and other devices. Zecurion Mobile DLP finds copies of confidential documents on users’ mobile devices and blocks their transfer via unsecured open networks. All traffic is channeled through a protected corporate network. In the event of theft or loss, the device can be blocked by a security officer. The solution also stores shadow copies of SMS and MMS, as well as monitors the running of applications. Its key features include file scan, application control, monitoring, SMS/ MMS logging, allow / disable certain Wi-Fi networks, remote blocking /cleaning of the device and logging of geo location.

Insider Threat is a Growing Problem in Government: Are We Overlooking?

Cybersecurity has become a top priority for government, yet research shows that “Government” is one of the most vulnerable sectors when it comes to insider threats. Often action comes quite late and signs remain unreported for years either due to unwillingness or inability of colleagues to accept any such possibility.

A 2015 survey by Symantec revealed that If IT administrators in government organizations do not terminate network access quickly enough, the results could be disastrous. The survey reported that nearly 45% of federal departments were targeted by insider threats over the year, with 29% losing data as a result.

Over the years, even though data loss prevention has become a more sophisticated technology, aimed at preventing data breaches, insider threat has continued to evolve into a more complex problem. This is because technology adoption in government is not just slow and tedious, but also requires considerable amount of training for successful enforcement.

There are 4 key challenges that government organizations need to address for better management of their data security strategies.

1.Infrastructure is Under-Equipped

The budget allotted to government IT departments has always been frugal in comparison to other sectors. The IT systems that are operational are thus neither modern nor updated. Budget constraints often result in usage of old, obsolete hardware and software that are not equipped to handle the more complicated data breaches.

2.Technology Purchase is a Slow Process

Process of purchasing technology is often slow and lengthy. Various factors such as RFP, bidding, political environment, preferred vendor etc. influence the purchase decision and by the time the purchase gets approved, the ordered technology itself becomes out dated.

3.Stealth IT is Creeping in

Easy availability of cloud offerings and bring-your-own-device (BYOD) have resulted in shadow/ stealth IT coming into practice. Employees often resolve to solutions that they think would be the best, resulting in sporadic practices where data might not be properly managed or protected. This results in exposure to unauthorized people.

4.Compliance is Becoming Complex

Government organizations need to meet major compliance regulations such as FISMA, NIST 800-53, FIPs (up to level 3) and Common Criteria. Depending on the sector they operate in, compliance with HIPAA-HITECH and PCI DSS is also required. Regular training and education is essential for organizations to meet these complex compliance requirements.

Keeping in mind the above stated challenges, Zecurion has identified some best practices to minimize the risk of internal threats. These are:

1.Early Detection through Proactive Monitoring

Having efficient algorithms and rules for the network helps detect early if personally identifiable information (PII) is being accessed without proper authorization. Many automated tools are available today that can discover any such breach at the initial stage itself. And early detection can thwart data loss incidents.

2.Comply with FedRAMP for Secure Cloud Adoptio

Old, redundant legacy systems being used are primitive. And IT budgets are limited. Therefore implementing cloud solutions that have enhanced security features will be both cost effective and agile. Government organizations that adopt cloud need to comply with FedRAMP.

3.Encryption is a Must-Have

Government organizations are mandated to have encryption. Solutions that encrypt information on hard drives, disk arrays and SAN storage through sophisticated cryptographic techniques, protect sensitive information whenever physical control of the media is impossible.

4.Multilayer Security Authentication

Multilayer security authentication is a must. Options for finger print, retina test or scanning of a smart card should be added to regular password options to establish identity of the actual user. User role needs to be identified comprehensively, and accordingly the extent of authorization should be granted.

5.Update Security Patches Frequently

Antivirus and firewalls should not be outdated or obsolete. The software should be current and running 24/7 365 days without failure. Still just deploying antivirus is not enough. Securing the endpoints is equally important to prevent data loss.

6.Set Up Dedicated Risk Assessment Team

The executive team should have a formal dedicated risk assessment team to look into various techniques, procedures, and access points from where the PII leaves the system. The team may pose as insider threat actors and hackers, play bad cop and come up with customized solutions and risk mitigation plans to protect against breaches.

7.Implement Incident Response Plan

Drawing up an efficient incident response plan helps in mitigating and containing the aftermath. This is very important for the reputation of the organization. When reputation is at stake, having a robust plan that streamlines what needs to be done, when and how, saves time, money and credibility.

12 Million Records Breached by May 2016

*The ITRC tracks seven categories of data loss methods:Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information:Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Since our last report in February on statistical data, 327 data breaches affecting 10 million+ records have been reported.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted between February and May 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.


11 April, 2016 – FDIC, Washington, DC notified that 44,000 records of customers were exposed when an authorized employee unknowingly downloaded the classified information of the affected people on a personal portable device. FDIC uses technology to track downloads to portable devices. On being detected, the employee was contacted, who in turn, immediately returned the device and signed an affidavit stating that the information was not used for any purpose.

Source: Washington Post


February 2, 2016 – Hawaii Medical Service Association (HMSA) disclosed that they accidentally sent 10,800 letters to wrong addresses instead of the rightful owners. Luckily, the letters did not have any sensitive data but only information about how these patients can better manage the ailment they are suffering from. The affected members were contacted telling them of the mistake and answering any questions they might have.



March 15, 2016 – Laborers Funds Administrative Office of Northern California, reported that an undisclosed number of records had been compromised due to a computer error. Classified information of not only members but also their dependents was accidentally emailed to a fund member instead of the IRS. The office does not believe that the information has been misused but they have offered a one year free credit monitoring to all the affected people.

Source: California Attorney General

March 7, 2016 – Turner Construction, San Diego, California, stated that an undisclosed number of records with classified information were breached as an email containing sensitive information was accidentally sent out to an unauthorized party. The company has since taken many steps to mitigate the threat. Kroll, an ID monitoring service, has been engaged to provide free monitoring to all the affected people for ten years. The services include Credit Monitoring, Web Watcher, Public Persona, Quick Cash Scan, $1 Million Identity Theft Insurance, Identity Consultation, and Identity Restoration.

Source: Maryland Attorney General


16 May, 2016 – Poway Unified School, California inadvertently released data of about 36,444 students and their parents to one parent who had requested information related to her name only. The information included children’s names, nicknames, addresses, phone numbers, hearing and vision exam results, dates of birth, language fluency, academic test results and occupation of parents. It did not list the social security numbers. The exposed data falls under protected information under the Family Educational Rights and Privacy Act and the school could risk losing federal funding. The data contained information of about 70,000 people.

Source: San Diego Union Tribune

25 January, 2016 – California Virtual Academies (CAVA), California informed its registered users on December 9, 2015 that their data storage system is prone to data breach. CAVA, within hours, was able to locate the vulnerability and contain it by securing the system. Since then, it has been established that unauthorized access was limited to the data security researcher who had initially notified CAVA. Users have been urged to check their personal accounts, change security settings online and read information provided on credit and identity protection.

Source: California Attorney General

Top Breaches in Retail in 2015 -2016

This week, we will continue with the topic of data breaches in retail.

Study Findings

A study on data breaches in retail, conducted by Vormetric, revealed the following key findings:

  1. 93% retailers believe that their organization is susceptible to insider threats.
  2. 48% retailers have either had a data breach or did not meet compliance audit in the last one year.
  3. 77% retailers said that “diligently following up on compliance requirements and making implementation of those requirements mandatory” can easily thwart insider threats.


In order to emphasize on the vulnerability of retail to data loss, let us look at four examples where sensitive information was compromised because of a breach (caused by external and/or internal factors).

  1. Target – Although this incident impacted Target retail stores in November-December 2014, it is worth mentioning as it has been deemed as one of the most expensive breaches in the history of retail industry. Almost 70 million customers had their personal and payment card information stolen. The hackers had installed malware software on POS terminals. The breach cost Target more than US$ 3.6 billion.
  1. CVS/ Walgreens – July 2015 saw a credit card breach where CVS, Walgreens came into the grip of malicious hackers. The pharmacies had to halt their online photo service in the wake of credit card theft.
  1. CVS – In July 2015, a pharmacy technician passed about 100 customer records between May 2013 and April 2015 to her property manager, who in turn, used this unauthorized information to apply for loans and credit cards.
  1. Bed, Bath and Beyond – In September 2015, the retailer reported that an employee had stolen some customers’ credit card information with the intention to misuse it.

Reasons Why Retail is Different

There are many reasons that make retail different from other sectors, which also results in the need to implement a unique vertical-specific solution rather than a cookie-cutter solution.

  1. Volume of Credit Card Transactions

In retail, majority of payments are conducted using credit cards, making the sector highly vulnerable to breaches.

  1. High Employee Turnover

Retail has a very high employee turnover. Employees fall into various categories – part time, full time, seasonal – and keep on moving quickly between departments, locations and across other employers. This makes employee training and monitoring very challenging, resulting in higher risk of breaches by insiders intentionally or accidentally.

  1. Physical Security of Payment Endpoints

Access to payment endpoints is easy, whether it is POS at stores or gas pumps. There are devices available that can be used on these payment terminals to capture sensitive credit card data.

  1. Multiple Locations

Large retailers have stores across various locations. More the number of locations, higher is the cost of implementing security measures.

  1. Speed of Responsiveness

In retail, a key measure of customer satisfaction is speed of responsiveness. Retailers face a very tough competition and are always on their toes to provide a very fast and satisfying service. Any kind of online authentication can easily slow down the process, tempting customers to cross the bridge to other retailers.

  1. Working with Third Parties

Retailers work with a number of third parties. A lot of these third parties manage sensitive data after uploading it to their own network. This raises the risk of data breach.


It is essential that retailers be cautious and take proactive measures to safeguard sensitive customer data stored on their or third party networks. Loyal customer relationships are built on trust. Implementing best practices that enhance this trust will go a long way in customer satisfaction and retention.

Retail Data Breaches – Lessons Learnt

For the past couple of months we have been talking about data breaches across different sectors, their implications and best practices that can be implemented. In this blog, we will talk about retail.

Enhanced Digital Experience Drives Need for Enhanced Data Security

While the percentage of breaches in retail is low as compared to other sectors (as per Verizon, 1 in every 13 breaches is in retail), the cost of breach per record is very high. This is because a standalone breach in retail can account for thousands of accounts being comprised.

Retail is at the forefront of implementing customer-facing digital applications. As retailers create a seamless customer experience through an omni-channel strategy, the threat to data loss either because of employee error or malicious intent, or because of external factors such as hacker, malware etc. is also increasing. Another type of breach that retailers face is Denial of Service (DoS), which can heavily harm goodwill of the company. In this kind of breach, hackers overload the server and explicitly force the website to go down due to overloading.

While regulatory requirements have been set up to ensure organizations that process sensitive personal or financial information are in compliance, the threat from newer sources and methods is always there. According to IBM, the cost of breach per record in retail is US$ 165. Retailers not only have to pay a heavy price for these breaches in terms of penalties, but they also face the imminent threat of losing their loyal customers to competitors.

Best Practices in Retail for Proactive Data Loss Prevention

Zecurion recommends the following best practices that retailers should implement to thwart data loss threats from their endpoints, servers and networks:

  • Invest and install comprehensive data loss prevention solutions, developed from the ground up, rather than piecemeal solutions. The former provide more robust security features against internal and external threats of data loss
  • Involve end-users of technology in purchase decisions. Getting their feedback on issues they face helps identifying the right need and the right security solution that users are more willing to adopt
  • Educate the staff and conduct regular training sessions on data access policies. Make sure employees are aware of roles, restrictions and permissions assigned
  • Keep firewalls, anti-virus up to date. Make sure that there is no obsolete software running and all updates are current
  • Encryption should be the rule of thumb when exchanging any classified information. Two factor authentication comes very handy in high data volume environments
  • Secure the connection between networks and monitor endpoints regularly
  • Follow strict regulations and policies for Bring Your Own Devices (BYOD)
  • Generate awareness about POS RAM scrappers. These scrappers are used to steal data from infected POS machines. They can be easily installed remotely and the payment card data can then be reproduced within minutes, paving way for fraudulent transactions
  • Implement policies around safe removal of POS machines so no data can be misused
  • Set up regular checkup of POS machines to ensure there are no skimming devices that have been installed to get the payment card information
  • Implement and test a robust post-attack mitigation plan in case a breach does happen

It is worth mentioning here that the National Retail Federation has been actively campaigning for “Chip and Pin” cards. Payment cards have all the sensitive data stored in a microchip, with nothing embossed on the card. A “Chip and Pin” card will require a secret number to get approved instead of a signature. The requirement of having a pin number will aid in countering a lot of breaches, especially in case of stolen cards.

The “Chip and Pin” cards are in practice in other countries but are still not available in the US. While the initial set up cost for these kind of cards may be high, the security benefits offered will still outweigh the risk of a large data breach.

Top Breaches in Healthcare in 2015-16


Last week, we read about top breaches in the higher education sector. In this blog, we have identified for you top breaches in the healthcare sector.

  1. Anthem – February 2015 saw the largest healthcare breach of all times, with nearly 80 million records, containing sensitive data, getting affected.
  2. Premera Blue Cross – In March 2015, the Washington-based organization found that its 11 million records were hacked and both medical as well as financial data was breached. FBI investigation concluded that Chinese hackers were involved as in the case of Anthem breach. The organization provided two years of free credit monitoring to individuals affected by this incident.
  3. Excellus Blue Cross Blue Shield has been the third largest breach where in more than 10 million records were exposed.
  4. UCLA Health, based in Los Angeles, had 4.5 million records exposed in May 2015, as unauthorized user gained access to classified information.
  5. In Indiana, Medical Informatics Engineering, stated that 3.9 million records with Personal Health Information (PHI) fell into the hands of hackers in May 2015. Two years of free credit monitoring has been provided to individuals affected by this incident.
  6. In November, 2015, Maine General found that data from its system had been uploaded on an external website. Though the site did not have any sensitive information, it still exposed the vulnerability of healthcare to insider and external threats.
  7. In another incident, Washington State Health Care Authority (HCA) notified that 91,000 Medicaid patient files got mishandled. In this case, and HCA employee was helping an employee of Apple Health, a free healthcare service for low income individuals, with an Excel problem when the information got exchanged inappropriately, which is a clear violation of HIPPA regulation. Though the exposed information was not misused, yet both the employees were relieved from their jobs and one year of free monitoring was provided.

It is worth mentioning that the Department of Health and Human Services is becoming very vigilant in connection to HIPPA violations. The department is determined and is making sure that healthcare organizations are complying with HIPPA. If in non-compliance, the organizations have to pay hefty fines. Below are some examples of organizations that had to pay heavy fees as a result of non-compliance.

  1. Cancer Care Group, Indianapolis, paid $750,000 as HIPPA settlement.
  2. Lahey paid an exorbitant $850K to DHHS.
  3. Triple-S Management Corporation, however, tops the list by defaulting and paying a fine of $3.5 million.

According to the Office of Civil Rights, there were 253 healthcare breaches in 2015, with a combined loss of over 112 million records. To reinforce the importance of implementing data loss prevention, we have put together a few statistics from Ponemon, an independent researcher, on how vulnerable healthcare is to data breaches.

  1. At least 91% of the healthcare organizations have had one breach.
  2. 39% of the healthcare organizations have faced 2 – 5 breaches.
  3. 40% of the healthcare industries have been exposed to breaches more than 5 times.
  4. Data breaches in healthcare cost nearly $6 billion annually.
  5. Most important of all, non-malicious employee error is the leading reason for the breaches.


In conclusion, we can see how vulnerable our healthcare industry is to data breaches. The need to have robust and agile data loss protection solutions is strong and immediate. Those that are proactive and take adequate measures are bracing themselves for an imminent risk, while others are left behind. Data loss is no more new; it is there and it can strike anytime. Prepare and act now.

Top Breaches in Higher Education in 2015 -2016

In continuation to our series on data loss in higher education sector, this article identifies the top breaches that have taken place in institutes all around the country. These incidents are noteworthy because they spiked up awareness about higher education being a soft target for data breaches.

April 2015 saw one of the biggest breaches at Auburn University where about 360,000 people had their social security numbers exposed online publicly. These people were not even registered/ enrolled students of the university but were either applicants or prospective students.

In May of 2015, when the breach was discovered at Penn State University, it had already affected 18,000 records. It was found that the unauthorized access had started way back in 2012 at the College of Engineering and had gone unnoticed till 2015. The alarming issue here is that it took 3 years to detect the breach and the network had to be disabled for 3 full days, significantly affecting continuity of work.

June of 2015 saw another breach at Penn State University. This time, the College of Liberal Arts, came under attack for unlawful access.

A similar breach took place at University of Connecticut in July 2015. The servers were hacked by unauthorized users from China beginning 2013. About 1,800 user credentials were exposed though it was never confirmed if any intellectual data was compromised. During the investigation, malicious hardware was found on the servers.

University of Virginia notified in August 2015 that there was a cyber attack originating from China, resulting in the University reinforcing protection of its network against future breaches. Although no PII was stolen, people quickly became aware of the inherent risk that large institutes face because of lack of adequate data loss prevention measures.

In September 2015, at least 80,000 records of students enrolled in an online course at Cal State got hacked. Sensitive information was compromised because of this. The cause was attributed to malware in third party applications offered by a vendor administering the online course. While the PII was not exposed, user IDs and passwords, college emails, gender, and race were made public.

In another incident, California Virtual Academies (CAVA) informed its registered users in December 2015 that their data storage system was exposed as a result of data breach. CAVA, within hours, was able to locate the vulnerability and contain it by securing the system. Users were still urged to check their personal accounts, change security settings online and familiarize themselves with information provided on credit and identity protection.

In January 2016, Southern New Hampshire University (SNHU) confirmed that due to a configuration error on part of a third party vendor, a database containing names, email addresses, IDs, course details, scores etc. had been exposed. About 140,000 students had been affected due to the breach. Since SNHU claimed to have 70,000 enrollments, it was understood that the records either had been duplicated or both former as well as current students had been affected. The investigation is still ongoing.

In February 2016, University of Florida reported that as many as 63,000 records with PII were exposed to hackers. The records belonged to former and current students as well as staff members. The management also notified that credit card information, other financial data and health records were not comprised.


The above-mentioned incidents reinforce the vulnerability of the higher education sector. Tighter regulations and comprehensive data loss prevention solutions are thus deemed as a necessity in this sector.

Higher Education in the Hit List for Data Breaches

The perception that education institutes are less likely to fall prey to expensive data breaches is very much misleading. Higher education is one of the most susceptible segments, accounting for 35% of all breaches in education. In 2015, many leading universities such as Pennsylvania State University (PSU), Washington State University, Harvard University, Johns Hopkins University, the University of Virginia (UVA) and the University of Connecticut faced cyberattacks that were considerably damaging.

This post explores 7 key factors that have resulted in higher education becoming a hot bed for data breaches.

  1. Enrollment of high numbers of students every semester. While this is a very positive trend, it also means that there is a very high volume of data moving around electronically. Institutes that do not have adequate security measures in place or lack proper risk mitigation plans are welcome grounds for data breaches.
  1. Unlimited exchange of data between departments. At times, complete bio-demographic details of students are released instead of providing just the required amount of information. It is therefore vital that institutes have policies in place that define who has access over what kind of information and in what formats can that information be released.
  1. High usage of mobile devices. According to a study by Pearson, nearly 86% of college students use smartphones regularly. The devices are used for storing anything from personal information to research data. With unrestricted exchange of information on mobile devices, college campuses are breeding grounds for intentional as well as unintentional data beaches.
  1. Higher institutes store the brainpower behind costly technical know-hows and inventions. Universities support extensive research subjects in the areas of Sciences and Engineering. Students, professors and research fellows receive millions of unsolicited requests for sensitive information. Theft of expensive technical know-how, hiring of people within the education system for espionage, intrusion of student immigration program for disruptive purposes – are all growing concerns. Breaching of firewalls by hackers, insiders, as well as foreign infiltrators is simple, if adequate data loss prevention measures are not in place.
  1. Lack of access policies and faculty training. Institutes that lack proper rules or regulations related to exchange of data are at higher risk. It is vital that IT leaders emphasize on the need for end-to-end encryption and faculty training, so access-based policies can be implemented.
  1. Lack of awareness. Students are often unaware of phishing attacks and other data breaches that they may partake in unintentionally. Workshops around these issues can minimize the loss of data through their smartphones and tablets.
  1. Reluctance to report breaches. Reluctance by universities to report breaches results in failure to take proper action on time. A pro-active plan – tested and implemented – to deal with post-incident situations can go a long way in reducing losses in the event of an actual breach.

The higher education sector presents unlimited threats related to data breaches. Without proper security implementation, the threat could spiral out of control, turning an actual incident into a very expensive and stressful aftermath cleaning process.

Proactive Measures Go a Long Way in Timely Prevention of Data Loss

The challenges to prevent data loss are tremendous but it is imperative to improve our methods to mitigate and avert the theft of sensitive data by an insider. With technological advancement, vulnerabilities to sensitive data are on the rise. Therefore, accordingly one has to come up with efficient and effective solutions to stop data loss. With increasing incidents of data breaches, it is even more essential to adopt the latest solutions and methods for data loss prevention.

Data loss prevention (DLP) solutions are essentially automated controls that protect sensitive data at rest, in transit and in use. Just like any other loss mitigation solution, an effective DLP solution considers the what, where and how of data sets to determine what access controls need to be in place and how.

Determining What Data Needs to be Protected

Classification of data is compulsory in order to correctly deploy the solution and thwart the loss. Once classification of data is completed as per the business rules by a team of experts, comprising business process managers, IT managers, legal and compliance specialists, policies can be defined determine what data is critical and hence needs to be protected. Data classification also helps determine policies on role-based access and how data can be accessed.

Determining Points Where Data Needs to be Protected

The next step is to determine points where sensitive data resides. The access points for data loss are usually the endpoints such as servers, workstations, storage or network access points. Depending on the need either endpoint protection or network protection may be required. In certain instances, both may have to be protected.

Endpoint protection is usually the first level of security that organizations implement to protect sensitive data from leaving the endpoints of a network. With endpoint protection, unauthorized users or devices, that do not comply with the security policies, are denied access. This prevents copying, sharing or storing of confidential information either accidentally or intentionally to a third party outside the organization. Only upon verifying the credentials the user is allowed to have access to the data.

The end-point security solutions are available in various formats and as piecemeal or part of a larger solution – but the underlying objective is the same i.e. to monitor and control the information that is being accessed and eventually take actions against any malicious threats.

Zlock – Control Device

Zecurion, a pioneer in DLP products, offers Zlock which is designed to protect against leaks of confidential information at the end-points of the network. Zlock allows organizations to control the use of devices connected to ports and internal devices – including built-in network cards, modems, Bluetooth, etc. as well as local and network printers. Using Zlock, a user can make or print copies of only those files that do not have any sensitive information. With Zlock, administrators can configure access policies for maximum flexibility. ZLock saves a copy of all documents printed or stored in external drives, thus maintaining a solid trail in case any investigation is needed in future.