[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* Are Data Breaches Becoming More Common?
* Time to scale up cyber security to meet emerging threats: Deputy Governor, RBI
* Don’t use a VPN in United Arab Emirates – unless you wanna risk jail and a $545,000 fine
* Becoming a Global Chief Security Executive Officer
* The SEC Audit Trail – Several Industry Groups See Problems as Currently Proposed
* ISF Updates Security Standard, While Encouraging Accountability
Are Data Breaches Becoming More Common?
According to data from one breach notification site, that perception may be right.
Listings on Vigilante.pw, a site that provides an archive of consumer-focused hacks stretching back to 2007, suggest that data breaches have become more frequent over the past few years.
According to Keen, the pseudonymous owner of Vigilante.pw, there were 64 dumps in 2011, followed by 71 in 2012, 107 in 2013, and 158 in 2014.
But the following year, the number of breaches nearly doubled to 317.
This year, there have been 183 breaches so far.
Of course, Vigilante.pw’s data is not complete.
It’s very likely other data breaches haven’t been picked up by the site, or perhaps any sort of breach notification service.
Indeed, the years-old hack of Myspace only just surfaced in May.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=316aab92ed&e=20056c7556
Time to scale up cyber security to meet emerging threats: Deputy Governor, RBI
NEW DELHI: Banks need to put in place preventive measures such as an appropriate controls framework around the systems, reconciliation of transactions on a real / near real time basis, controls over message creation and transmission, applying timely security patches to the interfaces, if any, close monitoring of transactions and disabling USB and Internet access on the connected nodes, said R. Gandhi, Deputy Governor, RBI, at an ASSOCHAM event.
“Information dissemination is a key facilitator in combating the menace of cyber related incidents.
While the Reserve Bank obtains information from banks on cyber incidents, including those which did not fructify into loss of money or information, such information is also shared amongst the banks along with suggestions aimed at best practices,” he added.
The Institute for Development and Research in Banking Technology (IDRBT) also has a system to collate such information and share the generic aspects amongst the CISOs of banks.
All these, I am sure, will help the banks in further enhancing their cyber security related capabilities, said the RBI Deputy Governor.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=562fd1e3f2&e=20056c7556
Don’t use a VPN in United Arab Emirates – unless you wanna risk jail and a $545,000 fine
A royal edict from the president of the United Arab Emirates (UAE) may have effectively made it illegal for anyone in the country to use a VPN or secure proxy service.
The tweaked law now reads as follows:
Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dhs 500,000 and not exceeding Dhs 2,000,000, or either of these two penalties.
In the meantime, if you’re visiting the UAE, using a VPN or proxy server may be problematic.
The new law is now in effect, and you may get a knock on the door by the police if you try using one of those services.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6d6b0205c9&e=20056c7556
Becoming a Global Chief Security Executive Officer
In this excerpt of Becoming a Global Chief Security Executive Officer: A How to Guide for Next Generation Security Leaders, author Roland Cloutier discusses the primary role of the chief security officer.
No matter how the position of the CSO develops, there are some basic fundamental concepts and requirements of which each senior security executive should be aware.
This section of the chapter touches on some of these critical concepts to create a baseline expectation to be used when thinking about how you lead, how you manage, and how you drive your own organization.
These expectations are not just assumed practitioner requirements; they are the expectations of your business in how you carry out and assume these responsibilities, which determine the success you have within your position.
To Protect
As a chief security executive, your primary duty is to protect.
Certainly, one can argue that your job has many more functions — as it most certainly does — and will continue to grow in the future.
But that word “protect,” that duty of care, the fundamental necessity to protect from harm, is by definition the primary goal of your position.
Prevention of negative impact events against people, businesses, economies, technologies, and markets is why our jobs were created.
Before you get all charged up and start running out to protect, you need to think about what you are protecting.
When I asked some new CSOs what they thought they were protecting, I was surprised by the wide variety of answers I got but was encouraged by not only the inward look but the outward look of what they understood was at stake if they did not do their job.
To Respond
In the pure sense of the word, not everything you will respond to will be a crisis.
In the eyes of those you serve, however, every issue will be a crisis.
Taking away labels, frameworks, and everything else associated with business resiliency and crisis response, the point here is that you need to be (and will be expected to be) the rock of any type of crisis at your business.
During critical times, businesses need an authoritative anchor to help sort out the process of responding, remediating, and moving forward.
Don’t mistake knowing how to manage a crisis with knowing how to fix everything or know everything about everything.
The secret of crisis management is knowing the practitionership of crisis handling.
Inevitably, to call in a crisis, you need a 911 operator; rest assured that is you as well.
Part of your crisis preparation must be understanding how to qualify issues, route issues, and escalate them as needed.
There are three basic things to consider when preparing to be that 911 operator:
1) Methods to Report
2) Notification and Escalation Mechanisms
3) Issue Classification and Handling Index
The Business Principles
The next critical attribute for the next-generation security leader is business acumen.
As a business operations protection executive, you are required to understand how your business works and how it makes money, and be able to articulate how you support that business and enable it to meet its goals.
A crucial part of business knowledge is understanding profit.
Another aspect of basic business principles required for the next-generation security executive is to understand the concept of risk versus reward.
The final component of basic business principles for security executives is the concept that their job is actually to protect the business and not just provide security.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5b3f666e41&e=20056c7556
The SEC Audit Trail – Several Industry Groups See Problems as Currently Proposed
Last week, several securities industry groups filed critical responses to the SEC’s plan for an audit trail.
While most groups that commented on the SEC’s proposed regulation supported implementing the proposal, several had concerns regarding the cost for investors and firms, and the protection of private data.
The SEC audit trail, approved for public comment on April 27, 2016, is a proposed national market system plan to create a single, comprehensive database that would enable regulators to efficiently track all trading activity in the United States equity and options market.
The SEC’s proposed audit trail details the methods by which self-regulatory organizations and broker-dealers would record and report information, including the identity of the customer, that would provide a complete lifecycle of all orders and transactions in the U.S. equity and options markets.
Will the SEC revise its audit trail plan?
The SEC has 120 days from July 18 to approve the plan, but it appears that further revisions might be necessary before approval is granted.
With several recent cybersecurity threats and hacks, it will be vital that the repository for the audit trail has the highly advanced security measures to protect the markets’ information.
It will also be important for the plan to detail who will bear the burden of the costs.
The SEC and other regulators should bear some of that burden since it will be a useful tool for them, but the plan as currently constructed fails to delineate this.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b603bf2145&e=20056c7556
ISF Updates Security Standard, While Encouraging Accountability
The Information Security Forum, a not-for-profit association that offers research-based security guidance to a global membership of enterprises, on July 27 issued a major update to its Standard of Good Practice, a guide for meeting the objectives set out by the U.S. National Institute of Standards and Technology.
The updated guide has been restructured into 17 categories and makes it easier to more systematically address four information security life cycles: employment, information (electronic, printed and spoken), hardware and system development.
From a vertical perspective it’s also changing.
While inherently security-centric verticals once dominated—banking used to represent one-third of membership, but is now one-fourth—membership from verticals such as transportation, manufacturing, retail and utilities is increasing.
Which Durbin says points to how “mainstream” security is, now that everything is cyber-enabled.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7167ce4c3b&e=20056c7556
* Best practices in cyber vulnerability assessment
* Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? An Expert Probes Some of the Issues
* Will Faster Payments Mean Faster Fraud?
* Accenture : Data theft, malware infection big threat to digital businesses
* Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks
* 2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals
* Twitter Hacking and Social Media’s Risk to Executive Security
* Beyond Data: Why CISOs Must Pay Attention To Physical Security
* $2.7 Million HIPAA Penalty for Two Smaller Breaches
* Using compliance as a tool for change
* In the Breach War, File Protection Is Just as Important as Data
* Data security and breach notification in Finland
* ISO compliance in the cloud: Why should you care, and what do you need to know?
* Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations
* Breach notification reporting can be complicated without proper skills, tools
* Banks must do better on cyber security: KPMG
* Australia gets one-quarter of a minister for national infosec
* The Case for Continuous Security Monitoring
* Arbor Networks Releases Global DDoS Attack Data for 1H 2016
* 5 Best Practices for Outsourcing Cybersecurity
* Most CISOs and CIOs need better resources to mitigate threats
Best practices in cyber vulnerability assessment
Here are the best practices for cyber vulnerability assessment.
First and foremost you should have a very clear understanding of why you need a cyber vulnerability assessment.
Research other companies in your industry.
To know exactly which parts of your business structure need an assessment, you need to research your company’s processes with a focus on the systems that are critical to keeping your business running.
Once you’ve identified the systems that need an assessment, you should rank them according to both their importance to your overall business model and to the sensitivity of the information they contain.
Now that you know exactly which systems and software need an assessment and how they rank in terms of priority, you should make sure you’re aware of the security systems you already have in place.
If you’ve completely mapped out both your vulnerabilities and your already-in-place security, and your inter-departmental security task force is in agreement on what’s needed, you’re ready to perform your vulnerability scans.
If you did your homework on what you needed to assess and also on the vulnerability assessment tool you chose, then you should fully trust the results of your cyber vulnerability assessment and act on them.
Don’t wait.
Don’t second guess.
The assessment will produce recommendations for remediation that you should act on right now.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2be92933fb&e=20056c7556
Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? An Expert Probes Some of the Issues
A recent Institute for Critical Infrastructure Technology report provided some intriguing thoughts about the pressure facing chief information security officers (CISOs) to keep their organizations secure and how they are combating information and vendor solution overload.
“Due to the plague of APTs, malware, ransomware and other malicious initiatives by invisible adversaries, few C-level executive positions are as critical as the CISO,” Scott writes.
In a recent report, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based cybersecurity think tank, points out that a well-informed CISO can improve the engagement of the C-suite and improve the cyber posture of the organization.
While the report offers a cross-industry perspective of the CISO role and the challenge of vendor solution overload, the report author does spend moments focusing on healthcare organizations, specifically in a section detailing how CISOs can assess the return on investment of cybersecurity solutions.
The report provides an interesting perspective about the need for CISOs to ignore the hype surrounding “silver bullet” solutions in order find the most effective cybersecurity solutions and strategies for their particular organizations, but at the same time, the report author also highlights the part that the vendor community plays in this problem.
“In many cases, CISOs operate under the unrealistic expectation that they should be able to prevent every breach with a finite budget.
They are expected to have enough technical expertise to develop a strategy to protect the business and enough business acumen to convince the board to adopt that strategy because it aligns with the goals of the organization,” he writes.
And, he asserts that modern CISOs tend to function more as Chief Information Risk Officers, managing the risk to data and technology.
According to the ICIT report, there is rapid burnout among CISOs, as the average turnover rate is 17 months.
“Vendor attempts to offer silver bullet solutions undermine the community at large and poisons the vendor-customer relationship.
The culture promoting these inadequate solutions distracts CISOs, technical personnel and solution developers from the risks and threats in the threat landscape and it distracts them from designing the right solutions to address the market needs.”
In the report, the author offers strategic recommendations for calculating a cybersecurity solution’s ROI and uses a healthcare organization as an example.
The ROI of security solutions can be equated to the fiscal component of the impact that the organization would assume if an adversary exploited the vulnerability that the solution addresses, the author writes.
The report concludes with statistics sourced from the Economist Intelligence Unit that indicates proactive CISO-led strategies can cut the success rate of cyber-breaches by more than 50 percent, hacking successes by 60 percent and ransomware infections by 47 percent.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f6139b0ad7&e=20056c7556
Will Faster Payments Mean Faster Fraud?
Crowe contends that to ensure global payments interoperability, faster payments are a necessity.
The U.S. will soon be at a competitive disadvantage if it does not enable faster payments, she argues.
Parry says the most fundamental risk to payments is poor identity management.
And it’s a legitimate concern.
After all, poor identity management apparently enabled hackers to steal $81 million from the central bank of Bangladesh in February, as part of a fraudulent transaction that was approved by the Federal Reserve Bank of New York.
And in a real-time or near-real-time environment, once the money is gone, it’s gone.
Unlike in the United Kingdom, Australia and other economically advanced parts of the world, faster payments are not the norm in the U.S.
Crowe declined to touch the interchange issue. “Cost is not the No. 1 worry for the Fed when it comes to faster payments,” she noted during the summit.
The top concern, she says, is “a faster process that is still secure for business.”
The Secure Payments Task Force’s goals differ from the goals of the Faster Payments Task Force.
And the Secure Payments Task Force has identified four areas that must be addressed to ensure the ongoing security of the payments system in the U.S. going forward.
Faster payments will be part of that, but not all.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d263a9cb23&e=20056c7556
Accenture : Data theft, malware infection big threat to digital businesses
The new report from Accenture and HfS Research says that 69 percent of respondents experienced an attempted or successful theft or corruption of data by insiders during the prior 12 months, with media and technology organizations reporting the highest rate (77 percent).
This insider risk will continue to be an issue, with security professionals’ concerns over insider theft of corporate information alone rising by nearly two-thirds over the coming 12 to 18 months.
The survey, “The State of Cyber security and Digital Trust 2016”, was conducted by HfS Research on behalf of Accenture.
More than 200 C-level security executives and other IT professionals were polled across a range of geographies and vertical industry sectors.
The survey examined the current and future state of cyber security within the enterprise and the recommended steps to enable digital trust throughout the extended ecosystem.
The findings indicate that there are significant gaps between talent supply and demand, a disconnect between security teams and management expectations, and considerable disparity between budget needs and actual budget realities.
Despite having advanced technology solutions, nearly half of all respondents (48 percent) indicate they are either strongly or critically concerned about insider data theft and malware infections (42 percent) in the next 12 to 18 months.
When asked about current funding and staffing levels, some 42 percent of respondents said they need more budget for hiring cyber security professionals and for training.
More than half (54 percent) of respondents also indicated that their current employees are underprepared to prevent security breaches and the numbers are only slightly better when it comes to detecting (47 percent) and responding (45 percent) to incidents.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=503e4c03e0&e=20056c7556
Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks
TORONTO–(BUSINESS WIRE)–Despite acute awareness of the millions of dollars in annual costs, and the business risks posed by external internet threats, security leaders highlight the lack of staff expertise and technology as a key reason that these attacks are unchecked, according to results from a new Ponemon Institute study sponsored by BrandProtect.
Seventy-nine percent of the IT and IT security practitioners polled indicated their defensive infrastructure to identify and mitigate those threats is either non-existent, ad hoc or inconsistently applied throughout the enterprise.
The findings reveal that the companies represented in this research averaged more than one cyber attack per month and incurred annual costs of approximately $3.5 million because of these attacks.
The report “Security Beyond the Traditional Perimeter,” sponsored by internet risk detection and mitigation expert BrandProtect, examined the threats, costs and responses of companies to external internet cyber attacks.
These threats include executive impersonations, social engineering exploits, and branded attacks arising outside a company’s traditional security perimeter.
Security professionals cited an acute need for expertise, technology, and external services to address their growing concerns about these external threats.
Some of the key findings include:
– Fifty-nine percent of respondents say the protection of intellectual property from external threats is essential or very important to the sustainability of their companies.
– External internet attacks are frequent and the financial costs of these attacks are significant.
Respondents in this study report they experienced an average of 32 material cyber attacks or slightly more than one per month, costing their companies an average $3.5 million annually.
– Seventy-nine percent of respondents described their security processes for internet and social media monitoring as non-existent (38 percent), ad hoc (23 percent) or inconsistently applied throughout the enterprise (18 percent).
– Sixty-four percent of security leaders (directors or higher) feel that they lack the tools and resources they need to monitor, sixty-two percent lack the tools and resources they need to analyze and understand, and sixty-eight percent lack the tools and resources they need to mitigate external threats.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=53f9c760ec&e=20056c7556
2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals
GULF BREEZE, Fla., July 19, 2016 (GLOBE NEWSWIRE) — via PRWEB – Necurs is back with a vengeance, according to the security research team at AppRiver.
In its Q2 Global Security Report, the company notes that the infamous botnet’s return was one of the major reasons behind the escalation in malware activity–which clocked in at 4.2 billion malicious emails and 3.35 billion spam emails between April 1, 2016, and June 30, 2016.
For the first time, the report also includes metrics from Web-borne threats, reporting an average of 43 million unique threats daily throughout the second quarter.
AppRiver’s security analyst team quarantined 4.2 billion emails containing malware in Q2, pointing to a continued increase in malware traffic this year and resulting in a total of 6.6 billion emails quarantined during the first half of 2016.
For comparison, analysts observed 1.7 billion emails containing malware during all of 2015.
Ransomware levels, as predicted in the Q1 Global Security Report, have increased this quarter–and arguably pose the greatest threat to netizens.
AppRiver’s security researchers predict that the massive volume of malware isn’t likely to subside anytime soon.
With the likes of Locky and Zepto kidnapping users’ files until they pay a ransom, malware–especially ransomware–has become a business of its own.
The popular channels that malware, like ransomware, travels through include obfuscated JavaScript, malicious macros, and OLEs (Object Linking and Embedding).
Fifty-five percent of spam and malware traffic originated in North America, with Europe coming in second place.
Additionally, AppRiver’s SecureSurf™ Web filtering detected a spike in phishing attempts in June.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b6a3fa644f&e=20056c7556
Twitter Hacking and Social Media’s Risk to Executive Security
The use of social media as a means for targeting victims – whether through phishing or social engineering scams – is nothing new.
However, in the past month or so we’ve seen a new trend in threat actors’ tactics: hacking high-profile executives’ social media accounts with the purpose of publishing embarrassing and controversial posts.
This was recently seen in the Twitter hacks of Twitter co-founder Jack Dorsey, Yahoo CEO Marissa Mayer, Google CEO Sundar Pichai, and Oculus CEO Brendan Iribe.
Executives can do a number of things to help minimize the risk of exploitation, including:
– Invest in a Monitoring Service
– Use Multi-Factor Authentication
– Remove Geo-Location Data
– Limit Personal Information Disclosure
– Verify Online Content
– Do Not Reuse Passwords
– Create Official and Verified Accounts
– Use Separate Accounts
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7e3e14abf8&e=20056c7556
Beyond Data: Why CISOs Must Pay Attention To Physical Security
IT and InfoSec tend to think in terms of networks, endpoints and outside attacks, but they risk missing the big picture if they think of vulnerabilities and threats only in terms of wider internet threats.
IT departments often consider the security of a physical building as a separate domain, but it is becoming increasingly difficult to delineate physical security from data security.
Technology professionals need to get back to basics.
While it’s important to focus on vulnerability mitigation, the Open Systems Interconnection (OSI) model begins with the physical layer.
Security must be considered at every step, even when no networked communication is taking place.
Despite a rapidly evolving cybersecurity landscape, malicious actors possess only a limited number of physical entry points, and IT departments must ensure reasonable precautions are taken to deny unauthorized access.
Organizations should establish multiple lines of physical defense (mirroring best practices for data security), placing several obstacles in the path of an intruder.
By unifying both physical and data security, IT departments are better equipped to defend against the multi-front attacks that threaten organizations today.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=07c56dadde&e=20056c7556
$2.7 Million HIPAA Penalty for Two Smaller Breaches
In the wake of two 2013 breaches that affected a total of 7,066 individuals, Oregon Health & Science University says it will pay $2.7 million in a HIPAA settlement with federal regulators that includes a three-year corrective action plan.
The first incident, which impacted 4,022 individuals, involved an unencrypted laptop that was stolen from a surgeon’s vacation rental home in Hawaii in February 2013 (see Stolen Laptops Lead Breach Roundup).
The second 2013 breach, which affected 3,044 individuals, involved OHSU’s use of a cloud-based storage service without a business associate agreement, OHSU says.
So far in 2016, two other HIPAA settlements also focused on the absence of business associate agreements.
Those include a $1.55 million settlement in March with North Memorial Health Care and a $750,000 settlement in April with Raleigh Orthopaedic Clinic, P.A. of North Carolina.
Also, since 2008, OCR has issued several resolution agreements with covered entities related to breach investigations stemming from the theft or loss of unencrypted mobile computing devices and storage media.
One of the largest such settlements was a $1.7 million OCR resolution agreement with Alaska Department of Health and Human Services in 2012 over a 2009 breach involving a stolen USB drive containing protected health information of only 501 people.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=51ba4f9dd7&e=20056c7556
Using compliance as a tool for change
One of my guiding principles is that compliance does not equal security.
Compliance isn’t a true representation of how well companies use security to protect themselves.
It can be little more than checking all the boxes and telling the auditors what they want to hear.
After all, many compromised banks were PCI-compliant, and several breached healthcare organizations were compliant with HIPAA.
Using compliance shortfalls to upgrade our security practices isn’t unusual.
Last year, I was able to use compliance to justify several initiatives, including signing up for a service and buying associated tools that will allow us to establish baseline security configurations for technology assets such as Linux, Windows, Apache, Oracle and firewalls.
And relying on findings from our PCI audit related to encryption, I was able to deploy Bitlocker for Windows PCs and File Vault for Apple Macs.
PCI regulations state that all credit card information that is stored must be encrypted, and such information can show up anywhere in our company, since many of our employees assist customers, who often provide credit card and other sensitive data even though we advise against it.
So now we’re enforcing encryption for 100% of our company-owned PCs.
Such widespread use of encryption has a beneficial side effect, since many states now provide a “safe harbor,” meaning that a company that has been breached might not have to notify customers and provide breach remediation services if all the data involved was encrypted.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f0466b1bde&e=20056c7556
In the Breach War, File Protection Is Just as Important as Data
Earlier this year, the Federal Deposit Insurance Corp. (FDIC) narrowly avoided disaster when sensitive information for 44,000 agency customers was stored without proper security measures…on a personal storage device.
In what was coined an ‘inadvertent data breach,’ a former staffer left the agency with the device, and lucky for the FDIC, returned it without incident three days later.
Not all financial services organizations or payment companies would fare so well.
According to the 2015 State of File Collaboration Security report by Enterprise Management Associates, 75% of IT and infosec professionals at mid-tier enterprises expressed a high or very high level of concern about sensitive, regulated or confidential data leakage due to inappropriate file sharing or unauthorized access.
Fully half said there were frequent instances of inappropriately shared documents or unauthorized access to files containing sensitive, confidential, or regulated information.
A whopping 84% had a moderate or total lack of confidence in their organization’s file security monitoring, reporting and policy enforcement capabilities.
Emerging file security solutions aimed at reducing file mishandling and collaboration data leakage risks address this gap with strong file encryption and usage controls that, once applied, persist for the life of the file, including after it traverses to various networks, recipients and devices.
Past information rights management (IRM) solutions were costly, often tied to specific applications or required specific infrastructure to fu