Data Loss Prevention Strategies

Data is the lifeblood of your business. How do you protect it?

Data Loss Prevention

What is Data Loss Prevention (DLP)?

With information security theft on the rise, enterprises must find effective ways to protect their data, and many are turning to data loss prevention (DLP) implementations to secure their networks. Data loss is a serious issue for a business of any size. Losing files means losing time and money to restore or recover information that is essential to your business. Data loss occurs when data is accidentally deleted, stolen, or corrupted. Viruses, physical damage to storage devices, or formatting errors can render data unreadable by either humans or software. Losing files and documents often has a lasting impact on your company’s financial health.

Some data is recoverable, but this process can require the assistance of IT professionals and will cost time and resources the business could apply elsewhere. In some instances, lost files and information cannot be recovered, making data loss prevention even more essential. You can minimize your business’s potential for data loss by understanding what leads to data loss.

DLP is also a policy issue.

Identify where the existing data resides and how this data is classified. Examine controls and data stores currently in place. Focus on first protecting the most sensitive category of data. In a large enterprise, it is advisable to start with a small segment of the network, rather than tackle the network as a whole. Only when the most sensitive category of data has been protected throughout the enterprise is it safe to move to the next tier.

The focus of DLP is to prevent confidential information from leaving the organization and from being accessed by unapproved recipients. At the very least, DLP should be able to detect when such an event occurs. This is assuming that the organization has boundaries; with the implementation of a document classification matrix and with strong policies in effect, confidential data is likely to be segmented into secure data stores (rather than being copied to the cloud), thereby implementing boundaries.
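The detection side of that requirement (know when confidential data is about to leave, and at least log it) is usually implemented as content inspection at the egress point. The following is an added example, not MyWorkDrive's code or any product's engine: it combines an explicit classification label from a document classification matrix with two content patterns (SSN-style identifiers and Luhn-valid card numbers), derives the document's effective tier, and decides whether a transfer to a recipient outside the assumed organization domain `example.com` must be blocked. The tier names, label syntax and policy threshold are assumptions; the sample texts are constructed.

```python
"""Minimal content-inspection DLP check (added example, not a product's code)."""
import re
from dataclasses import dataclass, field

# Hypothetical organization domain; anything addressed elsewhere is "leaving".
INTERNAL_DOMAIN = "example.com"

# Assumed classification tiers, lowest to highest.
TIERS = ["public", "internal", "confidential", "restricted"]

# Assumed label syntax, e.g. a "CLASSIFICATION: Confidential" line in the document.
LABEL_RE = re.compile(r"^\s*CLASSIFICATION:\s*(\w+)", re.IGNORECASE | re.MULTILINE)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by spaces or hyphens; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    tier: str
    reasons: list = field(default_factory=list)


def classify(text: str) -> Finding:
    """Effective tier = the explicit label, raised by any sensitive content found."""
    tier = "internal"           # unlabelled documents default to internal, never public
    reasons = []
    m = LABEL_RE.search(text)
    if m and m.group(1).lower() in TIERS:
        tier = m.group(1).lower()
        reasons.append(f"label:{tier}")
    if SSN_RE.search(text):
        reasons.append("pattern:ssn")
        tier = max(tier, "confidential", key=TIERS.index)
    for candidate in CARD_RE.findall(text):
        if luhn_ok(re.sub(r"\D", "", candidate)):
            reasons.append("pattern:card")
            tier = max(tier, "restricted", key=TIERS.index)
            break
    return Finding(tier, reasons)


def evaluate_transfer(text: str, recipient: str) -> dict:
    """Assumed policy: confidential or higher may not leave the domain; every transfer is logged."""
    finding = classify(text)
    external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    blocked = external and TIERS.index(finding.tier) >= TIERS.index("confidential")
    return {"tier": finding.tier, "external": external,
            "blocked": blocked, "reasons": finding.reasons}


# Constructed sample transfers: (document text, recipient).
SAMPLES = [
    ("CLASSIFICATION: Confidential\nQ3 acquisition plan", "partner@other.org"),
    ("Lunch menu for Friday", "partner@other.org"),
    ("Customer card 4111 1111 1111 1111", "bob@example.com"),
    ("ref 4111 1111 1111 1112", "x@other.org"),        # fails Luhn: not a card number
    ("SSN 123-45-6789 on file", "x@other.org"),
]


def run_samples() -> list:
    """Evaluate every constructed sample; returns the per-transfer decisions."""
    return [evaluate_transfer(text, to) for text, to in SAMPLES]


if __name__ == "__main__":
    for (text, to), result in zip(SAMPLES, run_samples()):
        action = "BLOCK" if result["blocked"] else "allow"
        print(f"{action:5} tier={result['tier']:12} to={to:20} reasons={result['reasons']}")
```

The Luhn step is the part practitioners most often skip and then regret: without it, every 16-digit order or tracking number raises an alert, and the alerts get ignored. Note also that an unlabelled document is treated as internal rather than public, so a missing label never silently downgrades data.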

Effects of Data Loss on Businesses

Data loss is a major inconvenience that disrupts the day-to-day operation of any business. When important files and documents are lost, your business must spend time and resources recreating or recovering them. While you may be able to locate hard copies of the information, these may not be as up to date as the digital copies that were lost. Data loss caused by corruption or viruses poses particular problems, because the extent of the loss can be difficult to determine. Weeding out and repairing damaged files can be costly for your business.

Data Loss Prevention Strategies

With information security theft on the rise, enterprises must find effective ways to protect their data, and many such enterprises are turning to DLP implementations to secure their networks. Data Loss Prevention strategies have been evolving for several years. Successful implementation of DLP requires that it be approached as part of an overall program, rather than as a technology solution. DLP protection is limited to documents within the perimeter of the enterprise, or those documents stored on enterprise-managed hardware.

Since data is everywhere in the enterprise, no single tool can fully protect it. An effective data loss prevention solution requires multiple layers of policy, procedures, and toolsets. Many of these seem like common sense, and most are basic to the normal operation of a functioning enterprise. The trick is to make sure that they all overlap, with no holes for data to leak through. Data can only be fully protected and controlled by keeping it in a known location: behind your firewall, with all of the layers of data protection that you can provide.

Operational Integrity

  • Monthly Computer Hygiene: Defrag HD, Delete duplicate/unnecessary files, run anti-virus/anti-malware
  • Patch Management
  • Software Upgrades
  • Endpoint protection: Anti-Virus/Anti-Malware-keep them updated
  • Monthly Server Maintenance
  • Server/workstation backup: 3 backups, on 2 different media, with 1 offsite (all encrypted); monthly backup testing

Layered Cybersecurity

Antivirus Software

Cybersecurity technology starts with antivirus software. Antivirus is designed to detect, block, and remove viruses and malware. Use products that are also designed to detect other threats, such as malicious URLs, phishing attacks, social engineering techniques, identity theft, and distributed denial of service (DDoS) attacks.

Firewalls

Firewalls are designed to monitor incoming and outgoing network traffic based on a set of configurable rules, separating your secure internal network from the Internet and minimizing the number of open ports. Firewalls are deployed as an appliance on the network and may offer additional functionality, such as a virtual private network (VPN) for remote workers.

Patch Management

Criminals design their attacks around vulnerabilities in software products such as Microsoft Office or Adobe Flash Player. As vulnerabilities are exploited, software vendors issue updates to address them. Using outdated versions of software products will expose your business to security risks.

Password Management

Weak passwords are at the heart of the rise in cyber theft, causing 76% of data breaches. Adopt strong passwords of 8 or more alphanumeric characters.

Data Protection Technologies

These data loss prevention measures protect against a wide array of cyber-attacks. However, because threats like ransomware are always evolving, security solutions are just one part of an effective defense strategy. You also need solutions in place that enable you to return to operations quickly if you do suffer a cyber-attack. Data protection technologies are an essential second layer of defense against cybercrime.

Controlled Access to Data

Ensure that only the authorized user has access to data on your Network. Use Multi-factor Authentication (MFA) and Single-Sign On (SSO) tools in conjunction with Data Leak Prevention to limit external access, add watermarks and prevent printing or clipboard access.

When accessing corporate data remotely, ensure data is encrypted both in motion and at rest. Multiple technologies will achieve this; the key is to choose the one that is the most secure, the easiest to implement and maintain, and the most economical for your needs.

Occam’s razor essentially states that simpler solutions are more likely to be correct than complex ones. Applying this theory to Cybersecurity, it would state, “The easiest technology to use will be the one most used and thus the most effective”.

VPNs are complex and expensive to maintain and are frequently ignored when the user is stressed and pressed for time (ever been in an airport?). The next level in expense and complexity for remote file access is virtual desktop technology. Deploying virtual desktops is a costly and difficult solution requiring extensive hardware and software investment. Supporting this technology requires dedicated engineering support and significant training for your end users and support staff. Research, research, research; measure twice, buy once. To avoid complex VPNs and remote desktop support, companies are employing web-based file management software that enables secure file access with DLP features built in, avoiding the complexity and expense of VPN software.

Sources: Exabeam, Digital Guardian, NSS Labs

MyWorkDrive Version 5.2 Released to Preview

We are pleased to announce that version 5.2 of the MyWorkDrive server, Mobile and Windows clients is now available for preview download. This release includes a major update that now supports logging in using ADFS/SAML from any device when connecting to server version 5.2. With this update, secure remote access using the Windows and Mobile apps from any SAML provider with two-factor authentication is now possible. An example would be Azure AD integration with MFA enabled: when enabled in MyWorkDrive and ADFS/SAML is set to required, users can access MyWorkDrive shares with the Windows Mapped Drive and Mobile clients using MFA two-factor authentication as part of Azure AD.

Version 5.2 also includes a major overhaul of our mobile app, with support for the iOS files provider, image previews (5.2 server required) and new offline capabilities. With the iOS file provider enhancements, users can access, upload, download and edit files stored on MWD shares from any app. See our updated mobile user guide here.

MyWorkDrive CEO Dan Gordon says, “We are very excited about these major enhancements for secure access from any device or authentication provider. With these speed and functionality improvements, now more than ever, our customers can eliminate file share VPN costs and security concerns while enabling their users to work from anywhere without VPN or remote desktop login headaches.”


Register for the 5.2 Launch Webinar on Feb 28th

Webinar Registration Link

New Version 5.2 features

Mobile Apps

  • Login using ADFS/SAML provider
  • Prevent password saving policy support
  • iOS files provider support for accessing files in any app

Web Browser Client

  • User favorites to folder locations
  • Alternative viewer for large text files
  • Improved support for ADFS and SAML SSO providers

Windows Mapped Drive

  • Login using ADFS/SAML provider
  • New command line options for unattended setup
  • Improved login/logout performance
  • Improved handling of custom branding
  • Numerous other enhancements and fixes – Release notes are here.

Server

  • Administrative Alerts for file downloads, delete or modify
  • Simplified SAML setup for Okta and OneLogin
  • Export/Import of settings for easy backup/restore
  • Azure AD single logout support
  • Numerous other enhancements and fixes – Release notes are here.



*Upgrade note: Existing customers can upgrade for free in place.

Questions? Need a trial extension? Email us at [email protected] or Phone: 877-705-4997


California Consumer Privacy Act of 2018 (CaCPA): Who, What, When, Where and Why?


Who Does the CaCPA Protect? Who must comply?

Any consumer, defined as a “natural person who is a California resident.” This is further defined as:

  • Any individual who is in the state for any purpose that is not transitory or temporary
  • Any individual who lives in the state but currently or occasionally is outside the state for a temporary or transitory purpose

This means consumers traveling to, or with partial residence in, other states are protected, as long as their home is California. It also means that the law applies to both “business-to-consumer” (B2C) and “business-to-business” (B2B) companies.

A covered “business” is defined as a for-profit entity that meets 1 of the 3 following conditions.

  1. Earns $25 million or more in annual revenue.
  2. Holds the personal data of at least 50,000 people, households, or devices.
  3. Obtains at least half of its revenue from selling personal data. Selling is not just trading data for cash: merely disclosing data to a third party, if it results in financial gain, is subject to the law.

CaCPA states that they must also meet the following 4 conditions.

  1. Be a legal business entity that is organized and operated for profit.
  2. Collects consumers’ personal information, or has someone collect it on its behalf.
  3. Determines the purposes and means of the processing of consumers’ personal information.
  4. Does business in California.

Any “for profit business” passing this test will be subject to the law, regardless of its geographic location. According to iapp it is estimated the law will apply to more than 500,000 U.S. companies, most of which are small- to medium-sized. It will also impact businesses outside the U.S., as long as they do any of their business in California.

What Is the Penalty for Noncompliance?

For intentional violations not addressed within 30 days, the fine is from $2,500 to $7,500 per violation (e.g., per record in the database). For unintentional violations not addressed within 30 days, consumers are able to recover damages of not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater.

Twenty percent of the penalties collected by the State will be allocated to a new “Consumer Privacy Fund”. Any funds in excess of Court and collection costs may be placed in the CA State General Fund.

Where Did This Law Come From?

The CaCPA was rushed through the legislature in just 7 days’ time and was signed just hours before the closing of the 2017-18 California legislative session. Speedy for a law with such widespread ramifications.

This rush was in response to a much stricter ballot initiative proposed by San Francisco real estate developer Alistair Mactaggart. Mactaggart spent $3.5 million of his own money to fund initiative measure No. 17-0039, which received more than 629,000 signatures, more than enough to put the issue on the November 2018 ballot.

How Does the CaCPA Define “Personal Information?”

CaCPA’s definition of personal information is much more extensive than the usual definition of PII; it aligns more closely with the broader list in the GDPR. It is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to the information typically included under PII, it also includes:

  • Geolocation data
  • Education information
  • Audio, electronic, visual, thermal, or similar information
  • Professional and employment information
  • IP addresses
  • Internet activity (e.g., browsing and search history, web tracking data)
  • Aliases
  • Characteristics of protected classifications under California or federal law
  • Commercial information (e.g., personal property records, purchasing history)
  • Inferences drawn from any of the information contained in the definition

Why CaCPA

Just days before Mactaggart could certify the signatures, California Democrats agreed to push a compromise bill in exchange for dropping the initiative. The tech industry lobbyists believe that they will have a much better chance of controlling the narrative and the ultimate impact of the CaCPA. Industry Lobbyists agreed not to oppose the bill since the much less favorable ballot initiative had a good shot of passing later in the year.

What did they get for their compliance?

  • 18 months’ time to lobby on how to rewrite the details of the bill.
  • CA legislature can modify the CaCPA with a simple majority instead of a 70% super majority required by the CA Consumer Privacy Act of 2018.
  • CaCPA makes it more difficult for consumers to sue noncompliant businesses, giving most of the enforcement control to the CA state Attorney General.
  • CaCPA affects more companies, as it lowered the threshold by half to businesses with only $25 million annual revenue.


“Data regulation policy are complex and impacts every sector of the economy, including the internet industry,” the Internet Association lobbying group said. “That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning. It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”

The winners and losers of this bit of legislation (10,660 words) have yet to be determined, due to the massive rewriting of the details going on right now. It is very likely that the new and improved CaCPA will apply mainly to small and medium businesses, the ones that can’t afford high-priced lobbyists and their massive expenses. This bill, hastily written and barely reviewed by anyone other than its writers, with its many typos and poorly written text, was approved by Governor Brown on June 28th 2018. On Aug. 24th, just 57 days later, the first 45 amendments came. These amendments were primarily to adjust technical errors. Get prepared.

Sources: Assembly Bill No. 375, iapp The Privacy Advisor, New York Times, FairWarning



GDPR Fines: Blood in the water. Who’s first?

GDPR Fines Against Google

The CNIL, France’s data protection authority (DPA), has levied a €50 million ($57 million) fine against Google for violating the GDPR’s transparency, information, and consent requirements in deploying targeted advertisements. The largest fine under the GDPR to date, and the first involving a U.S. technology company, it was issued on January 21, 2019.

The CNIL’s investigation was triggered by complaints from two advocacy groups, None of Your Business and La Quadrature du Net, filed immediately on the GDPR’s May 25, 2018 effective date. The complaints alleged “forced consent,” by which users of Android-powered mobile devices had to agree to Google’s entire privacy policy and terms of service before using the device. Google lacks a legal basis to process users’ personal data as it relates to ad personalization.

Why a €50 Million Fine?

The CNIL relied on four factors in issuing its €50 million fine.

  1. Nature of the infringements relating to lawfulness (Art. 6) and transparency (Arts. 12 and 13), both of which are core principles of the GDPR and listed as triggering the highest fining threshold (of 4% of International Revenue) in the GDPR (Art. 83.5).
  2. The infringements were continuous and ongoing after the GDPR’s effective date.
  3. The processing purposes, their scope, and the number of individuals concerned.
    • CNIL’s investigation focused on users who created a Google account while setting up their Android device and noted that this is a very large number of individuals.
    • They contend that due to Android’s dominant market share in the French smartphone market and the number of smartphone users in France, the processing is vast.
    • Also given the number of Google services involved (more than twenty):
      • The variety and type of data involved
      • The multiple technological processes that enable Google to combine and analyze data from various services, applications, or external sources
      • These processes undeniably have a “multiplying effect” on the knowledge the company has about its users
      • The company has the means for potentially unlimited combinations enabling a massive and intrusive use of consumers’ data
  4. When viewing the infringements from the perspective of Google’s economic model,
    • The processing of user data for advertising purposes via Android.
    • Advantages Google obtains from that processing,
    • CNIL found that Google must be extra cautious about its responsibilities under the GDPR.

CNIL does not say how it arrived at the amount of €50 million, but indicates these infringements would be subject to the GDPR’s 4% maximum fine. The fine was based on Google’s 2017 global revenue of €96 billion. It’s clear that the CNIL did not impose the maximum fine. However, other than saying the fine of €50 million was “justified”, CNIL provides no reasoning for this starting amount or for how the factors referred to above influenced it.

2018 Decisions & Fines

This case against Google represents the CNIL’s first published enforcement action, explicitly under the GDPR and the largest fine it has ever imposed. It also highlights the CNIL’s scrutiny of notice and consent in online advertising, which had been building up in the past months, as evidenced by other recent CNIL decisions.

This fine comes 1 month after Italy’s DPA fined Facebook €10m for misleading its own users over data practices. The watchdog said Facebook wrongly emphasized the free nature of the service without informing users of the fact that their data would be used to generate a profit for the company.

Google was not the first GDPR fine, just the largest to date.

The first fine was issued in Austria in October 2018, although it is not strictly related to personal data processing. A betting shop received a €4,800 fine for a security camera that was recording part of the pavement outside since large scale monitoring of public spaces is not permitted under the GDPR.

At the end of October, the Comissão Nacional de Protecção de Dados (National Data Protection Commission) in Portugal imposed three fines on the Hospital do Barreiro, the first fines related to the processing and storage of personal data: two €150,000 sanctions and another of €100,000, for a total cost of €400,000 to the hospital. The first two fines of €150,000 were for violation of the principle of data integrity and confidentiality, and violation of the principle of data minimization, which in theory prevents indiscriminate access to data. 985 physicians had active accounts on the system giving them access to clinical files, while the hospital had only 296 active doctors on the date of the inspection.

The third fine was related to the inability of the Hospital as data controller to ensure the confidentiality and integrity of the data of its clients and patients.

In the middle of November, a social network in Germany, Knuddels.de, received a €20,000 fine after a hack that caused 808,000 email addresses to be leaked, along with over 1.8 million usernames and passwords. This information was then published online with no encryption. The social network reacted by saying that once the leak had been discovered, it immediately improved its security measures.

After the incident, it was discovered that the website had no kind of protection on its sensitive information. According to LfDI Baden-Württemberg, the German data protection agency handling this case, one of the reasons that the website received a “relatively low” fine was that it acted with transparency, and quickly implemented security improvements.

Higher Fines Expected in 2019

The economic sanctions so far are clearly conservative compared to the maximum possible penalties allowed, but with the recent spate of high profile data leaks from Marriott, British Airways, and Quora it won’t be long before larger, harsher fines start to appear.

How Can You Avoid GDPR Fines?

What can you do to avoid a fine of millions of Euros or Dollars? The most important thing to bear in mind is that prevention is better than a cure. By having appropriate data leak protection in place for the personal data your company manages, you can avoid sanctions and fines.

  • Start by determining whether online storage or on-premises storage is the right solution for your needs
  • Control who has access to it
  • Realize that if you use Sync and Share instead of a private cloud file sharing solution, you have just doubled the amount of data you have, and you have also doubled the number of locations that you need to defend. Plus, one of these locations is one you have no control over.
  • Complexity reduces security. The more complex a solution is the less it will be used.