Last week, I covered some of the reasons data breaches happen. Let's shift gears now and look at what can be done to reduce their impact. To be perfectly clear, there’s no magic bullet for security. There are, however, a few small things that can make a big difference in every organization.

• Encrypt everything
  This may sound difficult, inconvenient and expensive, but it’s really not. In fact, once implemented, most encryption solutions are so turn-key that you’re likely to forget they’re running in the background. Plus, can you really put a price on the protection of your corporate and customer data?
  
  At a minimum, you should encrypt anything you believe to be sensitive data, regardless of whether a federal mandate requires it. In the healthcare example I referenced earlier, if the data on those lost or stolen devices was encrypted, the organizations responsible for it wouldn’t have had to report the thefts, saving millions of dollars in fines, not to mention public embarrassment and brand damage.
  
  Encryption is not about preventing data breaches, but rather mitigating the damage a breach can cause. Encrypted data is essentially useless data if you heed the advice below.

• Take good care of your keys
  You know those people who claim to be vegetarians but admit that they also “eat chicken and fish?” They're not really vegetarians. In much the same way, someone can claim they take data security seriously, but if they don’t have a sound key management strategy, then they’re only fooling themselves. If you take data security seriously, then you need to take key management seriously as well.
  
  Good key management starts with knowing what keys, tokens, certificates and other security-related objects are loosely floating around your environment. Once you’ve found them, you need to secure and manage them. Organizations should consider a centralized management system for these objects provides security and storage, and enforces a broad range of policies for object authorization, access, expiration, revocation, retrieval limits and more.
  
  Centralizing key management ensures that there’s always a single, trusted source of truth governing access to your important security objects. To prevent unauthorized access to your keys (and thus, your data), it’s important to ensure this centralized key store is accessed only through approved, automated processes, rather than specific individual users.

• Require multifactor authentication, especially in the cloud
  Two-factor authentication can significantly reduce the likelihood of an account being compromised or access being granted to an unauthorized party. And it works really well on shared systems where multiple users might login at different points in the day.
  
  But the cloud is an entirely different animal, and traditional two-factor authentication that requires a user to have direct, physical access to a device in use, simply doesn't work. For example, you cannot use a smart card or fingerprint reader to access a device in Amazon's cloud.
  
  For cloud-friendly multifactor authentication, look for a solution that alerts third parties when access to a certain application, file or SSH session is being requested. This ensures someone, or something, other than the original requestor, signs off on the request before access is granted.

The suggestions above are fairly quick and easy to implement either on premises or in the cloud and can immediately boost your security posture. Protecting your data means protecting your intellectual property, your customers’ privacy, your competitive advantage and your reputation. That should be reason enough to act, shouldn’t it?

One of the dirty little secrets about security: there is simply no way to make your company impervious to a data breach. It’s almost a statistical certainty that you will, at some point or another, be hit with a security scenario that you’re not prepared for. That’s why security today is as much about damage control as it is about breach avoidance. 

Consider the following: 

·      Most breaches aren’t that hard to execute

Attacks on corporate networks and data occur at alarming frequency. You might think that’s because attackers have become more sophisticated, but that's not necessarily the case. In fact, the most recent Verizon Security Breach study suggests a hacker with fairly rudimentary skills could’ve pulled off the majority of attacks in 2012.

And these attacks aren’t isolated to large banks and government entities – they’re pervasive across all industries. The bottom line is, if you have important data, chances are someone else thinks it’s important too -- and will do whatever it takes to get to it.

·      Compliance mandates are limited and vague

U.S. compliance guidelines for data and cybersecurity are noticeably vague, leaving it up to corporations to determine best practices for maintaining the privacy and confidentiality of sensitive data. As a result, organizations typically do just enough to achieve compliance, when in fact, compliance with HIPAA, FERPA, FISMA, PCI and others, should actually be the low bar.

When it comes to sensitive data, you can never be too safe. Let’s say an email list gets breached. This isn’t regulated data. You’re not going to get fined for non-compliance, but PII is still compromised. This represents a significant failure on the part of the responsible corporation, one that ultimately leads to loss of customer trust. 

·      Big data is big business 

It’s hard to have a conversation about technology where the phrase, “big data” doesn’t come up. For all the advantages associated with capturing large volumes of diverse data at high speeds, there’s an inherent risk in securing lots of sensitive data in massively distributed databases in the cloud. Each node -- and big data can have hundreds or even thousands – represents a point of failure where data can be accessed without authorization. 

·      Don’t forget about BYOD

Earlier this month, Google Chairman, Eric Schmidt announced there are 500 million Android devices worldwide, with 1.3 million new activations daily. There are about 365 million iOS devices in play right now, and a large percentage of those devices are infiltrating the workplace. In fact, 36% of all email is now being opened on a phone or tablet, many of which are accessing data inside your firewall. 

Each of these phones, tablets and mobile devices represent potential security vulnerabilities. According to a site maintained by the US Department of Health and Human Services, 72% of data breaches dating back to 2009 stem from stolen, lost or improperly disposed of devices representing a total of 15.6 million individual health records. Device theft is pervasive, and the influx of mobile devices just presents more opportunity for sensitive regulatory and PII data to go missing.  

·      Security keys are being mismanaged

Another concern is around the management of cryptographic keys, SSL certificates and other “opaque” objects. With the trend toward IT hybridization, organizations are being buried by a virtual avalanche of encryption keys, data tokens, SSL certificates, passwords and more. 

If any of these security objects fell into the wrong hands, there’s almost nothing in your corporate environment that wouldn’t be at risk. Surprisingly, not a lot of forethought goes into the security, management, provisioning and revocation of these keys. In fact, we often hear stories about systems administrators storing keys in boot files or easily accessible spreadsheets on their hard drives. Think about it this way: You wouldn't lock your car and leave the keys in the driver’s side door, would you? 

The issues above only scratch the surface. There are still lingering questions and concerns about cloud security, authentication and ownership of data in SaaS applications to name a few more. On Wednesday, we'll look at some small things you can do that will have a profound impact on your data security profile. Stay tuned. 

It's Tax-Free Weekend in Texas which to me means three things:

1. It's still 108 degrees outside
2. I should stay far away from all department stores
3. School is about to be back in session

There are a few absolutes when it comes to school. First, lunches will always be terrible. Second, your locker will be too small to fit your oversized textbooks. Finally, there's a high likelihood that some of your student data will be stored in the cloud.   

This student data includes demographic information, test results, transcripts, email exchanges, grades, attendance history, contact information and more. It's a sensitive mix of detail that, if exposed, could prove damaging to the affected students and the educational institution. According to privacyrights.org, more than 1.8 million student records have been breached in the last 18 months. In one frightening incident earlier this year at the University of Tampa, a breach exposed the social security numbers, photo IDs and dates of birth of thousands of students and faculty members. 

Keeping sensitive data firewalled in your on-premises data center doesn't eliminate the threat of exposure. Consider that tens of thousands of student records are breached each year because someone lost a laptop, smart phone or thumb drive containing information. Device theft is especially common in the healthcare industry. 

Here are a few tips to help you secure student data in the cloud or your on-premises datacenter:

• Backup your data - If you're storing data in the cloud, make sure you have a copy of the data stored locally or in another cloud. This won't prevent data theft or breach obviously, but it will ensure data integrity in the case of a loss. 
• Require multi factor authentication - While not an absolute failsafe, requiring an extra step in the authentication process is a good way to keep password theft from resulting in a full scale attack. Multifactor auth requires a user to provide something they know (a password for example) with something they have (a smart card, security token or third-party authorization via email).  
• Use FERPA as your starting point - The Family Educational Rights and Privacy Act states that any identifiable student data should be properly collected, maintained and safe from improper disclosure. This is a fairly vague policy and should be looked at as the minimum an institution should do when it comes to security. 
• Encrypt your data at rest and in transmission - FERPA actually recommends using encrypted email to transfer student data, but true data security must go a step further to cover data on disk. Think of encryption as your last line of defense; the free safeties on your high school football team that prevent a running back, who's already broken through your first and second protection layers, from getting into the end zone. Encrypted data is absolutely useless to someone with malicious intent, just as long as you follow this last tip.
• Secure your keys - In the same way you don't store the keys to your car in the ignition, you should never keep your encryption keys on the server along with your encrypted data. Instead, keep them in a separate server on premises or in the cloud, and set up access policies that control who (or in some cases, what) can access those keys. 

Securing student data means adding multiple layers of protection. If you're using the cloud, be sure to understand your provider's security policies, and ask tough questions. 

Following the above guidelines can help you maintain the privacy and confidentiality of student data, but it won't solve all your problems. You're still going to be stuck with Mystery Meat Monday.

Please click here to read the full article.

In 2005, Shop.org originally coined the term Cyber Monday for a marketing event to jumpstart online holiday sales. Initially, that Monday was known as the begining of the holiday spending season, but has since become “the single largest onlineshopping day in history” in the US. In 2005 Americans spent roughly $484 million shopping online on Cyber Monday, and in the five years since, this number has more than doubled to surpass $1 billion on single-day expenditures. While the goal is obviously to attract shoppers, Cyber Monday also attracts cyber criminals. For this reason, it is absolutely crucial for businesses to take the necessary precautions in order to adequately protect the Personally Identifiable Information (PII) of their customers, by staying compliant with federal PCI standards. PCI regulation calls for basic measures to be taken by companies to protect the payment card information of customers, ensuring a secure transaction as well as keeping that information stored safely.

One of the easiest and most cost-efficient ways to accomplish this task is to secure your customer data with Gazzang’s ezNcrypt. While in-house security solutions can take multiple months and salaries, Gazzang can have your private company data secured in hours, with plenty of time to spare before this year’s Black Friday. While the cost of a single data breach is approaching all-time highs, averaging $7.2 million per data breach event, you can hardly afford not to protect your data.

In a 2011 study conducted by Javelin Strategy & Research, the Identity Fraud Survey Report found that 40% of all identity theft victims had their information compromised while making an online purchase. The best way for businesses to ensure a happy holiday season for everyone is to encrypt consumer credit card data. It not only builds confidence in your brand with consumers, but it also protects you if your data is stolen – thieves get away with nothing more than useless gibberish.

While responsibility lies with businesses that collect credit card information online, consumers should also be mindful when making online purchases. Here are a couple of tips for online shoppers:

First off all, it is extremely important that you make sure you are only shopping on secure sites. Most big-name retailers are likely trustworthy, but it never hurts to make sure, and check that the website you are submitting your credit card information to has a URL with ‘https’ or ‘s-http’ prefixing the web address. The added “s” to the standard ‘http’ indicates an encrypted communication channel, thus ensuring the privacy of your information.

Additionally, when shopping online it is best to use a credit card, as opposed to your debit card. A one-time use credit card would be ideal, but credit cards have better protections built in as well as a strict federally-regulated limit on consumer liability for fraudulent charges. Read more here about differences in credit and debit safety.

http://eon.businesswire.com/news/eon/20111110006172/en/cyber-monday/IdentityHawk/ITRC
http://www.msnbc.msn.com/id/40451449/ns/business-holiday_retail/t/cyber-monday-sales-top-billion-first-time/
http://www.forbes.com/sites/ciocentral/2011/11/11/the-grinch-goes-digital-why-cyber-monday-is-hacker-heaven/
http://www.comscoredatamine.com/2010/11/cyber-monday-e-commerce-sales-2005-2009/
http://www.pcworld.com/article/154458/a_cyber_monday_tech_shopping_primer.html

While the healthcare industry is currently in the middle of investing billions of dollars into EHR (Electronic Health Record) systems, the alarmingly high number of data breaches associated with Healthcare IT has become a growing industry concern in regards to patient privacy and trust. According to virtual security watchdog, Privacy Rights Clearinghouse, since 2010 there have been “355 medical data related breaches,” compromising more than 10 million health records. In fact just last week, a Sutter Medical Foundation desktop computer was stolen resulting in the compromise of the PII (Personally Identifiable Information) of nearly 4 million patients. Perhaps the most unfortunate aspect of this particular incident is the fact that they were in the middle of an encryption roll out when the hardware was stolen.

This instance, however unfortunate, perfectly illustrates two common misconceptions associated with data security. First, while hacking incidents are more flashy news stories, often times data breaches are simply the result of physically stolen information. This is important to note because, in regards to your privacy, while physical and electronic health records can both just as easily be stolen, only electronic health records can be encrypted. Secondly, it is a far too common of a misconception that encryption ‘rolllouts’ must be pricey and exhausting endeavors. While encryption has emerged as sufficiently acceptable means to meet HIPAA compliance standards, only Gazzang provides you with a no-hardware, no-performance –loss, downloadable encryption solution that has your private data secured in a few hours as opposed to a few days or even weeks. In short, as the industry rapidly adopts Electronic Health Records, we urge you to make sure that you take the necessary steps to protect your patient’s privacy by making them Gazzang Encrypted Health Records – learn more here.

SEO: EHR (Electronic Health Records), Data Breach, HIPAA, HealthcareIT

On Tuesday, NextGov.com reported that 40 different rural healthcare networks across the nation will receive nearly $12 million in federal funding to assist in covering the costs associated with the acquisition of more advanced healthcare IT and electronic health record systems. Department of Health and Human Services Secretary Kathleen Sebelius stressed the importance of this funding in order to “bring our healthcare system into the 21st century,” and furthermore that the procurement of state-of-the-art healthcare IT would help to “ensure the delivery of quality care to some of the most remote areas of our country.”

But yesterday, a more alarming report from the same news source, NextGov.com, raised some extremely disconcerting questions regarding the very real and ever-present threat of cybercrime and data breaches in the healthcare industry. This article illustrated the main findings of a report also from the Department of Health and Human Services where they found, in a study of a recent 15-month period that “more than 7.8 million people had their medical information compromised by 252 major security breaches.” These numbers are alarmingly high and further highlight the need for healthcare organizations to secure private client data.

While $12 million may sound like a fairly large amount of funding, it is unfortunate, but extremely likely, that it will stretch rather thin due to the high costs of advanced medical equipment. Once you factor in the average costs of protecting private patient information from such risks as found in the HHS report, the challenge to make significant improvements in IT infrastructure becomes even greater. In order for these healthcare networks to extend real benefits of their federal grant funding, it is imperative for them to adequately secure their sensitive patient information by complying with HIPAA regulations, all the while keeping security costs low.

There is an answer to this challenge. Gazzang ezNcrypt enables healthcare organizations that leverage any application, database or files running on a Linux operating system to encrypt, decrypt and access their data in real time. Out of the box, this platform-as-a-service product leverages transparent data encryption and a patent-pending key storage system which meets all of the requirements for HIPAA compliance. Additionally, ezNcrypt requires no expensive changes to existing applications or databases and can be up and running in a day (no consulting costs).

There are many data security products on the market today and it’s difficult to know who is real and transparent and who is going to leave you in a lurch – cleaning up a data breach mess. For this reason, we offer a demo of ezNcrypt to show you how it's done. Check it out here.

To read more on the Healthcare funding:
http://healthitupdate.nextgov.com/2011/09/forty_rural_health_networks_nationwide.php

OR, to read more on the health care data breaches:
http://healthitupdate.nextgov.com/2011/09/protected_medical_information_including_patient.php