Data Loss Prevention Strategies

Data is the lifeblood of your business; how do you protect it?

Data Loss Prevention (DLP)

With information theft on the rise, enterprises must find effective ways to protect their data, and many are turning to data loss prevention (DLP) implementations to secure their networks. Data loss is a serious issue for a business of any size. Losing files means losing time and money to restore or recover information that is essential to your business. Data loss occurs when data is accidentally deleted, stolen, or corrupted. Viruses, physical damage to storage devices, or formatting errors can render data unreadable by either humans or software. Losing files and documents often has a lasting impact on your company’s financial health.

Some data is recoverable, but this process can require the assistance of IT professionals and will cost time and resources the business could apply elsewhere. In some instances, lost files and information cannot be recovered, making data loss prevention even more essential. You can minimize your business’s potential for data loss by understanding what leads to data loss.

Data loss prevention is not just a technology issue; it is also a policy and policy management issue. Identify where the existing data resides and how it is classified. Examine the controls and data stores currently in place. Focus first on protecting the most sensitive category of data. In a large enterprise, it is advisable to start with a small segment of the network rather than tackle the network as a whole. Only when the most sensitive category of data has been protected throughout the enterprise is it safe to move to the next tier.

The focus of DLP is to prevent confidential information from leaving the organization and from being accessed by unapproved recipients. At the very least, DLP should be able to detect when such an event occurs. This assumes that the organization has boundaries: with a document classification matrix implemented and strong policies in effect, confidential data is likely to be segmented into secure data stores (rather than being copied to the cloud), which establishes those boundaries.
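
The detection and tiered classification the two paragraphs above call for, in working form, as an added example (Python; not code from the original article or from any DLP product): a small content inspector that scans text bound for a recipient, flags cardholder numbers (validated with the Luhn check so order numbers are not flagged), SSN-formatted identifiers and email addresses, classifies the text by the most sensitive category found, and returns a block or allow-and-log decision. The regular expressions, the tier names, the thresholds in policy_decision and the sample messages are all assumptions constructed for this example.

```python
"""Toy DLP content inspector: find sensitive data in outbound text, classify
the text by the most sensitive category found, and decide how to handle it.
Added example; not code from the original article or any DLP product."""
import re
from dataclasses import dataclass

# Detection patterns (assumptions for this example). A PAN candidate is only
# reported if it passes the Luhn check, which keeps most order and phone
# numbers out of the alert stream.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Sensitivity tiers; a higher number is more sensitive (constructed names).
TIERS = {"cardholder": 3, "pii": 2, "contact": 1, "public": 0}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str       # tier name from TIERS
    redacted: str   # safe-to-log form of the match


def scan(text: str) -> list:
    """Return every sensitive-data finding in text, with values redacted."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("cardholder", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN.finditer(text):
        findings.append(Finding("pii", "***-**-" + m.group()[-4:]))
    for m in EMAIL.finditer(text):
        findings.append(Finding("contact", m.group()))
    return findings


def classify(text: str) -> str:
    """The highest tier present decides the classification of the whole text."""
    findings = scan(text)
    if not findings:
        return "public"
    return max((f.kind for f in findings), key=TIERS.__getitem__)


def policy_decision(text: str, destination_is_external: bool) -> str:
    """Block tier 2+ content leaving the boundary; log anything above public."""
    tier = TIERS[classify(text)]
    if destination_is_external and tier >= 2:
        return "BLOCK"
    if tier >= 1:
        return "ALLOW_AND_LOG"
    return "ALLOW"


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test PAN.
    samples = [
        ("Card 4111 1111 1111 1111 exp 12/25 for order 1234 5678 9012 3456", True),
        ("Applicant SSN 123-45-6789 attached", True),
        ("Contact bob@example.com for the agenda", True),
        ("Lunch menu for Friday", True),
    ]
    for text, external in samples:
        print(f"{policy_decision(text, external):13} {classify(text):10} {text}")
```

The classify function is the tiered approach from the paragraphs above: the highest tier found decides the handling, so cardholder data is protected first regardless of what else the file contains. Pattern matching of this kind produces false positives and misses data inside images or encrypted archives, which is why the article pairs detection with classification, secure data stores and boundaries rather than relying on it alone.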


Effects of Data Loss on Businesses

Data loss is a major inconvenience that disrupts the day-to-day function of any business. When important files and documents are lost, your business must spend time and resources recreating or recovering them to fill the gaps left by the loss. While you may be able to locate hard copies of information, these may not be as up to date as the digital copies that were lost. Data loss caused by corruption or viruses poses particular problems, as the extent of the damage can sometimes be difficult to determine. It can be costly for your business to weed out and repair damaged files.

Data loss prevention strategies have been evolving for several years. Successful implementation of DLP requires that it be approached as part of an overall program rather than as a technology solution. DLP protection is limited to documents within the perimeter of the enterprise, or those documents stored on enterprise-managed hardware.

Since data is everywhere in the enterprise, no one tool by itself can fully protect it. An effective data loss prevention solution requires multiple layers of policy, procedures and toolsets. Many of these seem like common sense, and most are basic to the normal operation of a functioning enterprise. The trick is to make sure that they all overlap, leaving no holes for data to leak through. Data can only be fully protected and controlled by keeping it in a known location: behind your firewall, with all of the layers of data protection that you can provide.

Operational Integrity

  • Monthly Computer Hygiene: defragment hard drives, delete duplicate or unnecessary files, run anti-virus/anti-malware scans
  • Patch Management
  • Software Upgrades
  • Endpoint Protection: anti-virus/anti-malware, kept updated
  • Monthly Server Maintenance
  • Server/Workstation Backup: 3 backup copies, on 2 different media, with 1 offsite (all encrypted), plus monthly backup restore testing

Layered Cybersecurity

  • Antivirus Software
    Cybersecurity technology starts with antivirus software. Antivirus is designed to detect, block, and remove viruses and malware. Use products that are also designed to detect other threats, such as malicious URLs, phishing attacks, social engineering techniques, identity theft, and distributed denial of service (DDoS) attacks.
  • Firewalls
    Firewalls are designed to monitor incoming and outgoing network traffic based on a set of configurable rules—separating your secure internal network from the Internet. Minimize the number of open ports. Firewalls are deployed as an appliance on the network and may offer additional functionality, such as a virtual private network (VPN) for remote workers.
  • Patch Management
    Criminals design their attacks around vulnerabilities in software products such as Microsoft Office or Adobe Flash Player. As vulnerabilities are exploited, software vendors issue updates to address them. Using outdated versions of software products will expose your business to security risks.
  • Password Management
    Weak passwords are at the heart of the rise in cyber theft, causing 76% of data breaches. Adopt strong passwords of 8+ alphanumeric characters.


These measures protect against a wide array of cyber-attacks. However, because threats like ransomware are always evolving, security solutions are just one part of an effective defense strategy. You also need solutions in place that enable you to return to operations quickly if you do suffer a cyber-attack. Data protection technologies are an essential second layer of defense against cybercrime.

Controlled Access to Data

Ensure that only the authorized user has access to data on your Network. Use Multi-factor Authentication (MFA) and Single-Sign On (SSO) tools in conjunction with Data Leak Prevention to limit external access, add watermarks and prevent printing or clipboard access.

When accessing corporate data remotely, ensure data is encrypted both in motion and at rest. There are multiple technologies that will achieve this; the key is to choose the one that is the most secure, the easiest to implement and maintain, and the most economical for your needs.

Occam’s razor essentially states that simpler solutions are more likely to be correct than complex ones. Applied to cybersecurity, it would read: “The easiest technology to use will be the one most used and thus the most effective.”

VPNs are complex and expensive to maintain and are frequently ignored when the user is stressed and pressed for time (ever been in an airport?). The next level in expense and complexity for remote file access is virtual desktop technology. Deploying virtual desktops is a costly and difficult solution requiring extensive hardware and software investment. Supporting this technology requires dedicated engineering support and significant training for your end users and support staff. Research, research, research; measure twice, buy once. To avoid complex VPNs and remote desktop support, companies are employing web-based file management software that enables secure file access with DLP features built in, avoiding the complexity and expense of VPN software.


Sources: Exabeam, Digital Guardian, NSS Labs

Managed File Transfer (MFT)

Data in Motion: Moving at the Speed of Business


Managed file transfer (MFT) refers to a set of computer programs that provide for the “managed, secure, controlled” transferring of data.

  • Managed: in the context of this article, means transferred in a controlled way.
  • Secure: refers to the areas of auditing, authentication, and encryption.
  • Controlled: means scheduled, protected, logged, measured, automated, and clearly defined.

For modern organizations, unstructured data — in the form of documents, presentations, spreadsheets, email, text messages, notes, images, audio, video, and so on — continues to be the foundation for business-critical enterprise initiatives, including collaboration and integration.

  • COLLABORATION

Collaboration between people, throughout the extended enterprise. Enterprise collaboration refers to capabilities that make it easier for users in the extended enterprise to create, organize, find, share, communicate, and transact with one another — using productivity tools.

  • INTEGRATION

Integration of business processes and workflows, between both people and systems.

Collectively, unstructured data in all its forms can also be referred to as simply files, or content. Given the ubiquity and utility of these types of data, it comes as no surprise that virtually every organization is actively leveraging its shared files, using one or more of a variety of mechanisms.


MFT is a technology platform that uses administrative controls, secure transfer protocols (e.g., HTTPS, SFTP, FTPS), and automation capabilities to securely share various types of data, including compliance-protected as well as high-volume data.

Purpose of Managed File Transfer

An MFT service helps a business accomplish multiple data-related objectives involving shared files.

  1. Security / Compliance

Concerns about security, privacy, and compliance remain, especially when working with data that is valuable (e.g., intellectual property, confidential information) or regulated (e.g., personally identifiable information, personal health information, cardholder data) under mandates such as GDPR, HIPAA, HITECH, PCI DSS and SOX.

  2. Platforms

Movement from tactical tools to proactive platforms.

  3. Multiple System Usage

Increasing need to choreograph file movements through multiple systems; the use of APIs.

  4. Greater Complexity

Significantly greater complexity: diversity of users, endpoints and deployment models.

Why You Need Managed File Transfer

According to Aberdeen, most organizations are actively leveraging their shared files, using one or more of a variety of mechanisms.

  • SYSTEM-TO-HUMAN 63%

A business process or application generates and sends file(s) to one or more specific users (e.g., personalization and distribution of records and reports).

  • FILE SYNC 54%

A user transfers file(s) to a central repository, to be synchronized and accessed by themselves from one or more devices.

  • HUMAN-TO-HUMAN 66%

A user sends file(s) to one or more specific receivers.

  • HUMAN-TO-SYSTEM 66%

A user submits file(s) into a business process or application (e.g., as a manual step in an established workflow).

  • SYSTEM-TO-SYSTEM 70%

A business process or application programmatically initiates file transfers to be received by another process or application (e.g., as an automated step in an established workflow).

  • FILE SYNC 70%

A user transfers file(s) to a central repository, to be synchronized and accessed by themselves from one or more devices.


Protecting data in today’s highly regulated and growing data landscape requires a proactive approach. It means evaluating your business’s existing security policies, procedures and data management systems to ensure that they meet current and future compliance regulations and mandates. It also means that you must reduce or eliminate system vulnerabilities, which are often the result of complex or inadequate security practices and system inefficiencies.

MFT can be beneficial if your business:

  • Has concerns about security, privacy and compliance
  • Is redesigning traditional business processes and workflows
  • Is eliminating manual processes with automated migrations, consolidations and upgrades
  • Is experiencing significantly greater complexity, and diversity of users
  • Wants to improve operational efficiency and decision-making with visibility and analytics
  • Is communicating and engaging with standard protocols: Secure FTP, FTPS, HTTP, HTTPS, AS2, and SFTP

Organizations need the accessibility, transferability, and the secure storage of their data. The negative effects of a data breach or of an unresponsive network can cause reduction in efficiency across every line of business. When this happens, business stops while IT works to fix the problem. Leading organizations are implementing MFT solutions for a wide range of data management issues.

Data security and productivity measures are far more successful and effective when they are proactive and preemptive, which is why MFT solutions are an excellent data management tool for IT managers, especially those in heavily regulated industries such as healthcare and financial services.

Security and compliance go hand in hand. While not every compliance measure is related to a security standard, many compliance mandates work well with keeping a network secure. MFT solutions provide real-time monitoring and validation of security policies and controls to satisfy compliance standards for handling sensitive data, such as those mandated by GDPR, HIPAA, HITECH, SOX and PCI. They contribute to security by following these standards:

  • Track and audit user activity and file movement (Control)
  • Monitor and alert in real time on potential violations of security standards (Security)
  • Capture compensating controls and generate reports on compliance status (Managed)
  • Meet requirements for data wiping and sanitization (No data left behind)
  • Protect data in transit or at rest (Encryption)


Data is the life-blood of your business and ensuring that it moves efficiently and securely (both in and outside of your organization) is critical. Yet, for something so important, many organizations are littered with non-compliant and rogue data exchange solutions, making their network ripe for security breaches and failed data transactions. The use of unsanctioned devices and applications, known as shadow IT, causes a wide range of problems for organizations, including insecure data transmission and lack of visibility and control, putting your business data at risk.

The security capabilities of an MFT solution extend beyond the process of moving or storing data. An MFT solution supports overall network security:

  • Operational visibility helps IT managers see problems before they happen
  • Automation improves efficiency and saves time, eliminating the need for manual processes, which indirectly improves security because IT professionals can redirect their efforts
  • Compliance standards bring an additional layer of security by regulating the security policies and practices that ensure organizations are handling sensitive data securely
  • User-friendly ad hoc capabilities ensure that shadow IT practices aren’t being used to skirt IT policies


Automate Data Exchange across Systems and Applications

Manual data transfer processes are vulnerable to manpower limitations and subject to human error, making them inefficient and often unreliable. Automating your data transfers can reduce or eliminate the need for manual file exchanges and free up your resources for more innovative endeavors.

5 Features That Support GDPR Success

Primary features of MFT solutions:

  1. Encryption for all files on the platform, encrypted transmission protocols such as HTTPS, and file integrity checks. The combination of these three processes protects documents and files that contain personal data against unauthorized access, modification and disclosure.
  2. Strong access controls and internal user databases with strong passwords, used in combination with multi-factor authentication and single sign-on. This reduces the risk of unauthorized access and ensures the recipient of the personal data is indeed the intended user.
  3. Tamper-evident logging and auditing, recording each event in the MFT solution so that every file or document transfer is logged in a format that cannot be modified or removed without alerting the system administrator.
  4. Integration with existing security solutions and enforcement of existing security policies. For example, integrating an anti-virus/anti-malware scanner, or utilizing a DLP (Data Leakage Prevention) solution to look for instances of sensitive data being shared.
  5. Analytics used in conjunction with reporting to give a current and historical overview of all document and file transfer activities. Logging and reporting information is available in the MFT reporting console and can be exported to business intelligence tools or centralized logging solutions where further analysis and reporting can be performed.
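
Features 1 and 3 of the list above, as an added example in Python (not code from the original article or from any MFT product): a transfer log in which each entry records the SHA-256 of the transferred bytes, so the receiving side can verify integrity, and the hash of the previous entry, so that altering or deleting an earlier entry breaks every later link and verification reports the first bad record. The GENESIS anchor, the field names and the sample files are constructed for this example.

```python
"""Tamper-evident transfer log with per-file integrity checks.
Added example; not code from the original article or any MFT product."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Anchor for the first entry's prev_hash (constructed value).
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash of every field except entry_hash, over canonical JSON so the
    result does not depend on key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class TransferLog:
    """Append-only log: each entry carries the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: list = []

    def record(self, user: str, filename: str, content: bytes,
               action: str = "upload", when: Optional[datetime] = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "action": action,
            "file": filename,
            "size": len(content),
            "file_sha256": sha256_hex(content),   # integrity check (feature 1)
            "prev_hash": prev,                    # chain link (feature 3)
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> tuple:
        """Walk the chain from GENESIS. Returns (True, -1) when intact,
        otherwise (False, seq) for the first entry that fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e.get("seq") != i or e.get("prev_hash") != prev
                    or entry_hash(e) != e.get("entry_hash")):
                return False, i
            prev = e["entry_hash"]
        return True, -1


def verify_received(entry: dict, received: bytes) -> bool:
    """Receiving side: does the delivered file match what the log recorded?"""
    return len(received) == entry["size"] and sha256_hex(received) == entry["file_sha256"]


if __name__ == "__main__":
    # Constructed sample transfers.
    log = TransferLog()
    log.record("alice", "payroll.csv", b"employee,salary\n1001,52000\n")
    log.record("bob", "report.pdf", b"%PDF-1.4 constructed sample")
    print("intact:", log.verify_chain())        # (True, -1)
    log.entries[0]["user"] = "mallory"            # silent edit of a past entry
    print("after edit:", log.verify_chain())      # (False, 0)
```

A hash chain makes tampering detectable, not impossible: anyone with write access to the log can recompute every hash after the change. The defence is to anchor the chain head outside the log (forward the latest entry_hash to the centralized logging solution that feature 5 mentions, or to a write-once store) and to have the real-time monitoring from the compliance list run verify_chain on a schedule and alert on the first bad sequence number.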


MyWorkDrive Version 5.2 Released to Preview

We are pleased to announce that version 5.2 of the MyWorkDrive server, Mobile and Windows clients is now available for preview download. This release includes a major update that supports logging in using ADFS/SAML from any device when connecting to server version 5.2. With this update, secure remote access using the Windows and Mobile apps from any SAML provider with two-factor authentication is now possible. An example would be Azure AD integration with MFA enabled: when enabled in MyWorkDrive and ADFS/SAML is set to required, users can access MyWorkDrive shares with the Windows Mapped Drive and Mobile clients using MFA as part of Azure AD.

Version 5.2 also includes a major overhaul of our mobile app that adds support for the iOS Files provider, image previews (5.2 server required) and new offline capabilities. With the iOS Files provider enhancements, users can access, upload, download and edit files stored on MWD shares from any app. See our updated mobile user guide here.

MyWorkDrive CEO Dan Gordon says, “We are very excited about these major enhancements for secure access from any device or authentication provider. With these speed and functionality improvements, now more than ever, our customers can eliminate file share VPN costs and security concerns while enabling their users to work from anywhere without VPN or remote desktop login headaches.”


Register for the 5.2 Launch Webinar on Feb 28th

Webinar Registration Link

New Version 5.2 features

Mobile Apps

  • Login using ADFS/SAML provider
  • Prevent password saving policy support
  • iOS files provider support for accessing files in any app

Web Browser Client

  • User favorites to folder locations
  • Alternative viewer for large text files
  • Improved support for ADFS and SAML SSO providers

Windows Mapped Drive

  • Login using ADFS/SAML provider
  • New command line options for unattended setup
  • Improved login/logout performance
  • Improved handling of custom branding
  • Numerous other enhancements and fixes – Release notes are here.

Server

  • Administrative alerts for file download, delete or modify events
  • Simplified SAML setup for Okta and OneLogin
  • Export/Import of settings for easy backup/restore
  • Azure AD single logout support
  • Numerous other enhancements and fixes – Release notes are here.



*Upgrade note: Existing customers can upgrade for free in place.

Questions? Need a trial extension? Email us at sales@myworkdrive.com or Phone: 877-705-4997


California Consumer Privacy Act of 2018 (CaCPA): Who, What, When, Where and Why?

Who Does the CaCPA Protect? Who must comply?

Any consumer, defined as a “natural person who is a California resident.” This is further defined as:

  • Any individual who is in the state for any purpose that is not transitory or temporary
  • Any individual who lives in the state but currently or occasionally is outside the state for a temporary or transitory purpose

Meaning consumers traveling to or with partial residence in other states would be protected, as long as their home is California.  This also means that the law applies to “business-to-consumer” (B2C) companies and to “business-to-business” (B2B).

A covered “business” is defined as a for-profit entity that meets 1 of the 3 following conditions.

  1. Earns $25 million or more in annual revenue.
  2. Holds the personal data of at least 50,000 people, households, or devices.
  3. Obtains at least half of its revenue from selling personal data. Selling is not just trading data for cash; merely disclosing data to a third party, if it results in financial gain, is subject to the law.

CaCPA states that it must also meet the following 4 conditions.

  1. Be a legal business entity that is organized and operated for profit.
  2. Collect consumers’ personal information, or have someone collect it on its behalf.
  3. Determine the purposes and means of the processing of consumers’ personal information.
  4. Do business in California.

Any for-profit business passing this test will be subject to the law, regardless of its geographic location. According to the IAPP, it is estimated that the law will apply to more than 500,000 U.S. companies, most of which are small to medium-sized. It will also impact businesses outside the U.S., as long as they do any of their business in California.

What Is the Penalty for Noncompliance?

For intentional violations not addressed within 30 days, the fine is from $2,500 to $7,500 per violation (e.g., per record in the database). For unintentional violations not addressed within 30 days, consumers are able to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater.

Twenty percent of the penalties collected by the State will be allocated to a new “Consumer Privacy Fund”. Any funds in excess of Court and collection costs may be placed in the CA State General Fund.

Where Did This Law Come From?

The CaCPA was rushed through the Legislature in just 7 days and was signed just hours before the close of the 2017-18 California legislative session. Speedy for a law with such widespread ramifications.

This rush was in response to a much stricter ballot initiative proposed by San Francisco real estate developer Alistair Mactaggart.  Mactaggart spent $3.5 million of his own money to fund initiative measure No. 17-0039 which received more than 629,000 signatures, more than enough needed to put the issue on the November 2018 ballot.

How Does the CaCPA Define “Personal Information?”

CaCPA’s definition of personal information is much more extensive than the definition of PII; it aligns more closely with the broader list in the GDPR. Personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to the information typically included under PII, it also includes:

  • Geolocation data
  • Education information
  • Audio, electronic, visual, thermal, or similar information
  • Professional and employment information
  • IP addresses
  • Internet activity (e.g., browsing and search history, web tracking data)
  • Aliases
  • Characteristics of protected classifications under California or federal law
  • Commercial information (e.g., personal property records, purchasing history)
  • Inferences drawn from any of the information contained in the definition

Why CaCPA

Just days before Mactaggart could certify the signatures, California Democrats agreed to push a compromise bill in exchange for dropping the initiative. The tech industry lobbyists believe that they will have a much better chance of controlling the narrative and the ultimate impact of the CaCPA. Industry Lobbyists agreed not to oppose the bill since the much less favorable ballot initiative had a good shot of passing later in the year.

What did they get for their compliance?

  • 18 months’ time to lobby on how to rewrite the details of the bill.
  • The CA legislature can modify the CaCPA with a simple majority instead of the 70% supermajority required under the ballot-initiative version of the CA Consumer Privacy Act of 2018.
  • CaCPA makes it more difficult for consumers to sue noncompliant businesses, giving most of the enforcement control to the CA state Attorney General.
  • CaCPA affects more companies, as it lowered the threshold by half to businesses with only $25 million annual revenue.


“Data regulation policy is complex and impacts every sector of the economy, including the internet industry,” the Internet Association lobbying group said. “That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning. It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”

The winners and losers of this piece of legislation (10,660 words) have yet to be determined, due to the massive rewriting of the details going on right now. It is very likely that the new and improved CaCPA will apply mainly to small to medium businesses, the ones that can’t afford high-priced lobbyists and their massive expenses. This bill, hastily written and barely reviewed by anyone other than its writers, with its many typos and poorly written text, was approved by Governor Brown on June 28th, 2018. On Aug. 24th, just 57 days later, the first 45 amendments came. These amendments were primarily to adjust technical errors. Get prepared.

Sources: Assembly Bill No. 375, iapp The Privacy Advisor, New York Times, FairWarning


GDPR Fines: Blood in the water. Who’s first?

The CNIL, France’s data protection authority (DPA), has levied a €50 million ($57 million) fine against Google for violating the GDPR’s transparency, information, and consent requirements in deploying targeted advertisements. The largest GDPR fine to date, and the first involving a U.S. technology company, it was issued on January 21, 2019.

The CNIL’s investigation was triggered by complaints from two advocacy groups, None of Your Business and La Quadrature du Net, filed immediately on the GDPR’s May 25, 2018 effective date. The complaints alleged “forced consent,” by which users of Android-powered mobile devices had to agree to Google’s entire privacy policy and terms of service before using the Android device. Google lacks a legal basis to process users’ personal data as it relates to ad personalization.

Why so much?

The CNIL relied on four factors in issuing its €50 million fine.

  1. The nature of the infringements, relating to lawfulness (Art. 6) and transparency (Arts. 12 and 13), both of which are core principles of the GDPR and listed as triggering the highest fining threshold (4% of international revenue) in the GDPR (Art. 83.5).
  2. The infringements were continuous and ongoing after the GDPR’s effective date.
  3. The processing purposes, their scope, and the number of individuals concerned.
    1. CNIL’s investigation focused on users who created a Google account while setting up their Android device; they noted that this is a very large number of individuals.
    2. They contend that, due to Android’s dominant share of the French smartphone market and the number of smartphone users in France, the processing is vast.
    3. Also given the number of Google services involved (more than twenty):
      1. The variety and type of data involved.
      2. The multiple technological processes that enable Google to combine and analyze data from various services, applications, or external sources.
      3. These processes undeniably have a “multiplying effect” on the knowledge the company has about its users.
      4. The company has the means for potentially unlimited combinations, enabling a massive and intrusive use of consumers’ data.
  4. Viewing the infringements from the perspective of Google’s economic model:
    1. The processing of user data for advertising purposes via Android.
    2. The advantages Google obtains from that processing.
    3. CNIL found that Google must be extra cautious about its responsibilities under the GDPR.


CNIL does not say how it arrived at the amount of €50 million. CNIL indicates these infringements would be subject to the GDPR’s 4% maximum fine. The fine was based on Google’s 2017 global revenue of €96 billion. It’s clear that the CNIL did not impose the maximum fine. However, other than saying the fine of €50 million was “justified”, CNIL provides no reasoning for this starting amount or how the factors referred to above influenced the amount.

This case represents the CNIL’s first published enforcement action explicitly under the GDPR and the largest fine it has ever imposed. It also highlights the CNIL’s scrutiny of notice and consent in online advertising, which had been building up in the past months, as evidenced by other recent CNIL decisions.

This fine comes 1 month after Italy’s DPA fined Facebook €10m for misleading its own users over data practices. The watchdog said Facebook wrongly emphasized the free nature of the service without informing users of the fact that their data would be used to generate a profit for the company.


Google’s was not the first GDPR fine, just the largest to date.

The first fine was issued in Austria in October 2018, although it is not strictly related to personal data processing: a betting shop received a €4,800 fine for a security camera that was recording part of the pavement outside, since large-scale monitoring of public spaces is not permitted under the GDPR.

At the end of October, the Comissão Nacional de Protecção de Dados (National Data Protection Commission) in Portugal imposed three fines on the Hospital do Barreiro: two sanctions of €150,000 and another of €100,000, for a total cost of €400,000 for the hospital. These are the first fines related to the processing and storage of personal data. The two fines of €150,000 were for violation of the principle of data integrity and confidentiality, and violation of the principle of data minimization, which in theory prevents indiscriminate access to data: 985 physicians had active accounts on the system giving them access to clinical files, while the hospital had only 296 active doctors on the date of the inspection.

The third fine was related to the inability of the Hospital as data controller to ensure the confidentiality and integrity of the data of its clients and patients.

In the middle of November, the German social network Knuddels.de received a €20,000 fine after a hack that caused 808,000 email addresses to be leaked, along with over 1.8 million usernames and passwords. This information was then published online with no encryption.

The social network reacted by saying that once the leak had been discovered, it immediately improved its security measures. After the incident, it was discovered that the website had no kind of protection on its sensitive information.

According to LfDI Baden-Württemberg, the German data protection agency handling this case, one of the reasons that the website received a “relatively low” fine was that it acted with transparency, and quickly implemented security improvements.

2019 is bringing much higher fines.

The economic sanctions so far are clearly conservative compared to the maximum possible penalties allowed, but with the recent spate of high profile data leaks from Marriott, British Airways, and Quora it won’t be long before larger, harsher fines start to appear.

What can you do to avoid a fine of millions of Euros or Dollars? The most important thing to bear in mind is that prevention is better than a cure. By having appropriate data leak protection in place for the personal data your company manages, you can avoid sanctions and fines.

    • Start by determining whether online storage or on-premises storage is the right solution for your needs
    • Control who has access to it
    • Realize that if you use sync and share instead of a private cloud file sharing solution you have just doubled the amount of data you have, and also doubled the number of locations that you need to defend. Plus, one of these locations you have no control over.
    • Complexity reduces security. The more complex a solution is, the less it will be used.