Unique Data Loss Risks Faced by the Hospitality Industry

Data collection, data mining and big data, in general, have the ability to transform how industries, such as the hospitality industry, provide their services. The ability to access information about an individual, from basic contact information, to payment information, to behavioral information, means that benefits that consumers have come to expect – such as ease and personalization – can be easily employed.

The data captured by the hospitality industry, particularly hotels and restaurants, is often very comprehensive and sensitive, meaning it has serious ramifications if that data is lost. A person staying in a hotel will be handing over contact and payment details, using hotel wi-fi for business and personal use, and ordering services for their own personal comfort. Research indicates that the hospitality industry accounts for nearly 14 percent of all breaches, second only to the retail industry. Here are some of the unique data loss risks the hospitality industry is facing:

  1. Large numbers of SMEs and SMBs

From the huge boutique hotel industry that’s booming, to owner-operated restaurants and bars, a great deal of the hospitality industry is made up of SMEs. Often, even when these businesses are part of a wider syndicate, there won’t necessarily be standardized rules for data security.

So, what’s the big deal with SMEs? Due to their size, SMEs and SMBs often don’t have any thorough data loss protection strategy in place. Cost, time and lack of knowledge are the general contributing factors here. However, DLP plans are now much more affordable and easy to implement, so it really comes down to the industry getting itself up to speed and learning that DLP implementation is both essential and possible to do.

  2. Paper still rules the roost

Hotels, especially, still rely heavily on paper to conduct their day-to-day business. It’s commonplace for services to be rendered and paid for on paper throughout the whole transaction. Physical loss is one of the easiest ways for data to escape internally, either on purpose or by accident. Either way, due to the lack of digital footprint, it’s incredibly difficult to track where the leak came from.

Add to this that, according to Shred-it’s 2017 Security Tracker, less than half (49 percent) of small businesses shred all documents, including non-confidential ones, and it’s clear that the hospitality industry needs to address this as part of its DLP strategy.

  3. Employee training is outward focused

Hospitality is a wholly customer-focused service industry. Huge amounts of resource are poured into staff training to ensure that customers’ needs and desires are being met and align with the kind of service the company is trying to provide.

The reality of this is that very little attention is focused towards internal processes. There are many statistics that suggest that roughly half of all data losses occur because of internal threats – people maliciously or unintentionally leaking sensitive data. This means that hospitality companies need to distribute their resource more efficiently and start focusing on creating internal DLP processes that work and that prevent the leakage of data.

While the potential for data to improve the services of the hospitality industry is huge, it brings with it large amounts of sensitive data that are not currently being properly protected with adequate data loss protection strategies. The high numbers of small to medium businesses, combined with the fact that the largely paper-based hospitality industry has an outward focus, means that there is plenty of work to do to ensure that customers’ data is protected from potential internal data loss threats.

Healthcare Industry Data Loss Problems – And Their Easy Solutions

According to a report by the Ponemon Institute, nearly 90% of healthcare organizations suffer data breaches. Internal threats such as mistakes—unintentional employee actions, stolen computing devices—account for nearly half of the data breaches. This statistic certainly serves to show the staggering problems around data loss in the healthcare industry. While the scale of the problem, and therefore the solutions to it, may seem incredibly vast, there are actually strategies healthcare organizations should be implementing in order to combat this high-risk situation.

Why is theft, or loss with malicious intent, so high?

Firstly, medical records can fetch up to 50 times the price of credit card records on the black market. While that may seem far-fetched, it’s surprisingly not, given the amount of credibility medical records hold when it comes to identification. Criminals can easily use medical records to fraudulently bill insurance companies and obtain prescription medicine, in addition to other identity theft practices.

The move to digital and the losses that come with it

The digitization of medical records has been seen as a long overdue step by the medical community to reduce mounting hospital administration and provide patients with more reliable diagnoses and care. Proper due diligence isn’t being paid when it comes to data loss protection for a variety of reasons, budgeting, outdated technology and lack of knowledge among them. As a result, breaches into healthcare systems are becoming more and more commonplace, particularly as online criminals become more skillful and as hospital staff accidentally release sensitive patient information.

The problem areas

Data loss is considered to be one of the most commonplace ways for healthcare organizations to lose a patient’s medical files. The main problem areas include criminal attack, a stolen computing device, unintentional employee action and technical glitches in the system.

The root problem

At the root of these problems are outdated legacy systems and medical devices and poor training in data loss protection. Healthcare organizations have an extremely unique set of challenges when it comes to digitized information. Particularly for hospitals, the scale at which they work is huge. The number of individuals who have files stored on their systems, as well as the number of medical professionals who are not highly skilled in computer literacy, is vast. Combine this with computer systems that need updating and a lack of budget to do so, and it is easy to see why data loss is so prevalent in the healthcare industry.

The solution

The solution to the problem can be simplified into two parts – update computer systems so that strong security measures can be put in place, and implement a data loss prevention strategy across the organization. The first solution requires budget, but it is imperative that this is prioritized. Ransomware and malware are becoming an increasingly prevalent, malicious, and ruthless way of obtaining data. Trends suggest that it will become even more of an issue in coming years and the only way to combat it is through state of the art security measures.

A data loss prevention strategy, while still costly, especially if implementing on a large scale, is more of an upfront cost and a slow burn investment. For healthcare organizations, a data loss prevention strategy is an incredibly cost-effective way to protect against data loss as much of it involves staff onboarding and communication in order to make it work. Of course, software systems need to be installed to protect files, but much of the hard work comes from ensuring that all staff understand what they need to be doing in order to avoid the inadvertent leakage of sensitive information.

With just a quick online search, you can see the mounting concern about protecting patient data in the healthcare industry, and the ever-growing and alarming statistics about how much data is currently being compromised. Healthcare organizations need to reprioritize budget in order to implement easy and effective solutions like state-of-the-art security, and a data loss prevention strategy that has buy-in from staff working both in hospitals and medical centers on network devices, and remotely on mobile.

Why Should Biometrics Be Used?

Biometrics is a way of making sure that the user is who he or she claims to be, thus eliminating unauthorized access to information and safeguarding it from internal threats. With data breaches becoming more complicated and impacting all sectors, organizations are gradually complementing traditional authentication techniques, especially passwords, with biometric technology. To fully understand the potential that biometrics offers towards enhancing data security, let us first understand what biometric identifiers are, how they can be deployed and the advantages that the technology offers.

Biometric Identifiers

The term “Biometrics” is coined from two words, “bio” and “metric”, meaning life and measure respectively. The underlying meaning is that every human is unique and can be recognized or identified by his or her intrinsic physical or behavioral traits.

Fingerprints, face, retina, voice, ear features, typing rhythm, gait and gestures all constitute biometric identifiers. For security, a single identifier or a combination of multiple identifiers can be used. Research and development is actively underway to encompass brainwave signals, electronic tattoos and microchips under biometric identifiers.

Biometrics Deployment

Fingerprint scanners, face recognition software and biometric hand readers are some of the platforms that are based on biometric technologies. Adoption of biometrics at various access points and endpoints is greatly beneficial in preventing unauthorized access and hence data loss, either accidentally or on purpose.

A study by ABI Research states that consumer and enterprise spending on biometrics is growing at a rate of 29% per year, with market size expected to reach $36.8 billion by 2020. Retail and banking sectors are leading in the adoption of biometric technologies because of the sheer volume of sensitive data they process.

Biometrics Advantages

While biometrics is gradually becoming a part of our daily lives – common examples being checks at international airports and fingerprint recognition on mobile devices – a number of organizations are yet to fully realize the capability that the technology offers. There are many advantages of deploying biometric technologies. These are:

  • Biometrics are extremely accurate, though not 100%, as the identifiers are unique to each user.
  • While passwords can be replicated, making the system vulnerable to unauthorized users, biometric identifiers are difficult to break and thus offer a very reliable data security mechanism.
  • Automated biometric verification is a very quick process.
  • Biometrics do not require multi-layer authentication. They are user friendly and lift the burden of remembering various complex passwords from the user. This saves time without compromising the security of sensitive data.

Conclusion

Organizations can enhance traditional authentication methods that they use by introducing biometrics – an additional security layer that answers “Who I am”. While barriers to adoption remain high, mainly being cost and privacy, the number of real-world applications for biometrics has been increasing. It remains to be seen if biometrics will emerge as the answer to most data theft problems or if it will only continue to act as an additional assurance to prevent data loss.

Major Insider Data Breaches in Government Sector in 2015-16

In our last post, we talked about insider threats being faced by government organizations.

Today, we are sharing examples of data loss incidents that have affected the government sector because of insiders. Though sporadic in nature, they give a deeper insight into how vulnerable the government is.

  • In June 2016, the Washington State Liquor and Cannabis Board stated that the personal information of marijuana license applicants was released in response to a public record request. The exposed information included social security numbers, tax and financial information, and attorney-client privileged information for an unknown number of records. The License Control Board had accidentally sent in the PII along with the requested information.
  • Virginia State Corporation Commission suspects that a former contractor made copies of PII for an unknown number of people whose license had either expired or lapsed between 1979 and 2004. This came to light in June 2016.
  • In April 2016, the FDIC, Washington, DC notified that 44,000 records of customers were exposed when an authorized employee unknowingly downloaded the classified information of affected people on a personal portable device. When the breach was detected, the employee was contacted, who immediately returned the device and signed an affidavit stating that the information was not used for any purpose.
  • In February 2016, Washington State Health Authority (HCA) notified that 91,000 records of Apple Health (Medicaid) clients were accessed without proper authorization by an employee. Social security numbers, dates of birth, Apple Health client ID numbers and private health information were passed to another state agency’s employee. After internal investigation, it has been established that the classified information did not get beyond these two employees, but as a precaution, free year-long credit monitoring has been offered to the affected people. Both the employees have been fired since the incident happened.
  • County of San Diego confirmed in January 2016 that the classified records of all employees were sent to Wells Fargo, as opposed to only the records of those who were set up for health savings accounts (HSAs). Consequently, the bank set up HSAs for all the employees. The county and Wells Fargo are working together to delete unwanted records. Free year-long credit monitoring has been offered to the affected people. The breach is being deemed an accidental error due to incorrect program code for data transfer by Hewlett-Packard Enterprise Services.
  • In October 2015, the Vacaville Housing Authority (VHA) notified affected individuals that one of their employees unintentionally sent an email to a person with an attachment containing their names and social security numbers. The receiver immediately informed VHA about the lapse and they deleted the email from the person’s computer. As a precaution, VHA has offered free credit monitoring service to affected customers for 12 months.

A 2016 U.S. Government Cybersecurity Report by SecurityScorecard reported the following:

  • The government sector has the lowest security score as compared to retail, transportation, healthcare and other sectors.
  • NASA is at the bottom of 600 government organizations, followed by the US Department of State and the IT systems of Connecticut, Pennsylvania, and Washington.
  • Three areas where government organizations struggle with security are Malware Infections, Network Security and Software Patching.

While government organizations are enhancing their cyber security strategies, there are still many risks that they need to address. A holistic view of their strengths and weaknesses will enable them to implement the right solution and take proactive measures aimed at addressing the risks posed by internal threats.

Higher Education: Prevent Data Loss, Act Now

In our previous post, we saw why higher education is highly susceptible to data breaches. The sector is a significant source of Personally Identifiable Information (PII), which can easily be breached given the lack of uniform regulations and proper cybersecurity measures. One of the largest breaches in higher education has been at the University of Maryland in 2015, when 300,000 records with sensitive data including social security numbers were exposed.

In this blog, we have used research findings from some prominent studies to illuminate the fact that data loss is a big threat in higher education.

The Ponemon Institute, an independent research company on data security, has determined that the average cost of a cybercrime in education is $3.89 million annually, and the number of records exposed due to breaches is nearly 316,000 for the year to date!

In a recent study conducted by the Center for Digital Education, the key concerns of IT leaders in higher education were analyzed and the following conclusions were derived:

  • 72% said that they were concerned about rampant data breaches
  • 73% said that cybersecurity is a high priority
  • 70% said that spam and phishing will be the main threats for data loss

Recently, education institutes have started implementing a number of measures to thwart the rising threat of data breaches. Some best practices being followed in this sector are summarized as follows:

  • Tactics, Techniques, and Procedures (TTP) Analysis

Studying the tactics, techniques and procedures used by hackers gives a great insight into the world of unauthorized access and helps understand the 4 Ws – who are these people, why are they hacking, what are they after and what procedures they are deploying to harness the information.

  • Willingness to Report Incident

Willingness to come forward and share the breach incident with other institutes helps in reducing the incidents. The EDUCAUSE Center for Analysis and Research (ECAR) has come up with studies to prove that alerting higher education leaders and IT professionals about an incident lowers the risk of a repeat incident at the same or another location. IT leaders at these institutes can collectively come up with methods to prevent similar future breaches.

  • Incident Response Plan Implementation

Drawing up an efficient incident response plan that helps in mitigating and containing the aftermath is a best practice. This is very important for the reputation of the institute. Having a robust plan, in sync with what needs to be done, specifying the roles, whom to contact and what to expect, is a smart countermeasure.

  • Conferences for Knowledge Sharing

Many institutes like Dartmouth conduct annual conferences where peers discuss best practices being followed for data loss prevention. In the process, institutes mutually gain the knowledge to avoid and deal with data loss incidents. Dartmouth has implemented both knowledge-based authentication (KBA) and two-factor authentication (2FA), which sets an example of cybersecurity measures other institutes could follow.

Safeguarding the “present” of our students will lead the way to a secure future for them. Act now, else face the threat of data loss.

Higher Education in the Hit List for Data Breaches

The perception that education institutes are less likely to fall prey to expensive data breaches is very much misleading. Higher education is one of the most susceptible segments, accounting for 35% of all breaches in education. In 2015, many leading universities such as Pennsylvania State University (PSU), Washington State University, Harvard University, Johns Hopkins University, the University of Virginia (UVA) and the University of Connecticut faced cyberattacks that were considerably damaging.

This post explores 7 key factors that have resulted in higher education becoming a hotbed for data breaches.

  1. Enrollment of high numbers of students every semester. While this is a very positive trend, it also means that there is a very high volume of data moving around electronically. Institutes that do not have adequate security measures in place or lack proper risk mitigation plans are welcome grounds for data breaches.
  2. Unlimited exchange of data between departments. At times, complete bio-demographic details of students are released instead of providing just the required amount of information. It is therefore vital that institutes have policies in place that define who has access to what kind of information and in what formats that information can be released.
  3. High usage of mobile devices. According to a study by Pearson, nearly 86% of college students use smartphones regularly. The devices are used for storing anything from personal information to research data. With unrestricted exchange of information on mobile devices, college campuses are breeding grounds for intentional as well as unintentional data breaches.
  4. Higher institutes store the brainpower behind costly technical know-how and inventions. Universities support extensive research subjects in the areas of Sciences and Engineering. Students, professors and research fellows receive millions of unsolicited requests for sensitive information. Theft of expensive technical know-how, hiring of people within the education system for espionage, intrusion of student immigration program for disruptive purposes – are all growing concerns. Breaching of firewalls by hackers, insiders, as well as foreign infiltrators is simple, if adequate data loss prevention measures are not in place.
  5. Lack of access policies and faculty training. Institutes that lack proper rules or regulations related to exchange of data are at higher risk. It is vital that IT leaders emphasize the need for end-to-end encryption and faculty training, so access-based policies can be implemented.
  6. Lack of awareness. Students are often unaware of phishing attacks and other data breaches that they may partake in unintentionally. Workshops around these issues can minimize the loss of data through their smartphones and tablets.
  7. Reluctance to report breaches. Reluctance by universities to report breaches results in failure to take proper action on time. A pro-active plan – tested and implemented – to deal with post-incident situations can go a long way in reducing losses in the event of an actual breach.

The higher education sector presents unlimited threats related to data breaches. Without proper security implementation, the threat could spiral out of control, turning an actual incident into a very expensive and stressful aftermath cleaning process.