Home » The Art of Data Protection
2016 marks the 25th anniversary of RSA Conference. This year’s conference theme “Connect to Protect” is very appropriate as the RSA Conference continues to bring thousands of cybersecurity professionals together to learn about new approaches to info security, discover the latest technology and interact with top security leaders and pioneers.
With mega breaches such as Anthem, the IRS, and Sony littering the headlines in 2015, it is vital for today’s IT security professionals to stay up to date on security trends and what better way to stay up to date then attending the largest cybersecurity conference in North America.
If you will be at the RSA Conference at the Moscone Center in San Francisco, CA from February 29th – March 4th, make sure to stop by the Gemalto booth, #4108, in North Hall to learn about how we can help your organization Secure the Breach in three steps – encrypting your sensitive data, managing your encryption keys, and regulating access to your data and applications.
Also at the booth, make sure to see live presentations and demos of our industry leading data protection solutions! Security solutions were not always as cutting edge as they are today. Here about the evolution of encryption technologies and take a photo with one of the original enigma machines used in the early to mid-twentieth century to protect communications.
We’ll also be announcing an RSA Conference photo contest to win prizes including conference t-shirts, phone chargers, and American Express gift cards, so keep your eyes out for a follow-up blog post with all the details.
Rather attend a session? Gemalto’s Vice President of Business Development, David Etue will be presenting on Tuesday, March 1st from 11:10 – 11:40 a.m. in the North Hall briefing center to “Explore the Security of IoT: Trust Comes First”. Make sure you add it your personal agenda.
We hope to see you in San Francisco! Until then, connect with us @GemaltoSecurity on Twitter.
SECURE THE BREACH INTRO:
I checked my inbox history today to see how many help desk tickets I’ve opened in the last year. It came out to be 14 tickets which I suspect to be a pretty low number. You see, I am not the typical end user. Relying on my technical background and obviously Google to guide me in the right direction, I try to resolve technical challenges by myself. Only when faced with restrictions such as account permissions, is when I reluctantly default to a help desk ticket.
The wait period from when I get the email stating my request has been received till the oh so anticipated “your service request has been closed” email, can sometimes feel like “forever”. All I want is that the issue will be resolved so I can get on with my work. I suspect I am not alone on that one.
If we examine the IT perspective for a minute, one can only imagine that the team is facing copious amounts of help desk tickets on a daily basis. With “Mobile Everything” trending and BYOD becoming a standard, it seems common help desk issues have to do with access restrictions i.e. “authentication denied” or “login failed”. The causes for these failures can vary from strong authentication password complexity constraints, proliferation of passwords and end users’ struggle to use the assigned authentication token properly.
Here are three suggestions to help resolve common help desk issues:
- Self Service Everything – Having a self-service portal can empower end users to be self-sufficient and resolve their own access restriction issues. Operations such as resetting passwords and/or token pins, reporting lost tokens as well as token activation will eliminate those unnecessary help desk tickets.
- Automate Now! – Complementing the self-service point made above, IT can reduce the operational daily management tasks associated with many of those help desk tickets and reduce the time it takes to close a ticket. The way to do that is to leverage policy based automation workflows when possible. For example: New employees joined the company? Welcome! Why wait for the new employees to reach out to IT and open a help desk ticket for requesting a token? With the right automation policy in place, all it takes is to add those users in active directory and the workflow will do the heavy lifting from that point forward. The result, added users receive an email containing a link to activate their newly (automatically) provisioned token by themselves.
- KISS (Keep It Simple Stupid) – There is always a fine line between improving security measures to ease of use. Sure, IT can provide Fort Knox like measures but what good will it do if the end users can’t access those resources? This is why IT should think of their end users and try to keep things as simple as possible while still achieving the right assurance level. One way is to provide easy to use and friendly authentication options such as leveraging end-users’ personal mobile devices or pattern based authentication options. Another technique is to offer easy to follow training options covering the security measures in place and how to work with them. Short illustrated user guides or training videos are proven to be very useful.
To learn more on how Gemalto can help you manage help desk workflow and relieve end user frustration in the process, visit http://www2.gemalto.com/sas/
Jennifer DeanJanuary 14, 2016, 10:00 am EST
As we settle into the New Year, many of us have already broken some of those resolutions we promised to keep in 2016. But if you’re one of Facebook’s 1.55 million users, here’s a resolution you should heed if you want to keep yourself and your friends safe: Be less gullible. As, we learned, Mark Zuckerberg is not giving away part of his fortune to “people like you and me,” nor is Netflix giving away a free year for simply clicking a link. In fact, you’re more likely to get a virus than be rewarded for clicking through to any of these so-called offers.
I had no less than 20 friends post the Zuckerberg hoax, looking for their share of the $45 billion in Facebook stock. Fortunately, the Zuckerberg post was not designed to try and scam people out of money or phish them onto an alternate site, but there have been many scams that are not as benign. One particular nasty hoax invited users to get the much anticipated “dislike” feature (Facebook has announced plans to release this feature in the future). The post was titled “Get newly introduced Facebook dislike button on your profile.” Clicking through took users to a malicious website where they would be prompted to enter personal and account information.
It’s not uncommon for these types of hoaxes to show up in the workplace. The online activities of employees can introduce malware which would not only threaten the individual, but the entire organization. Security savvy organizations use two-factor authentication to protect their networks, validate employee logins and secure corporate data. This ensures activity forbidden by company policy can’t be performed while on the network.
With so many fake news stories, too good to be true offers, and bogus charities floating around on social media, it’s understandable that some of your friends may fall prey to a hoax. So how can you stay safe out there? Here are a few tips to spot a scam from a million miles away.
Take a close look at post itself—is the post in all capital letters? Is the grammar poor? Are there misspellings? If so, that’s a red flag and should be avoided.
Mind the source—this is especially true for questionable news stories and posts asking for charitable contributions. Take a look at the link to the source. Does it lead to a reputable, trustworthy site? If you’re questioning the validity of a news story, Google it. If it’s true, reputable news sources will show.
Beware the share—hoax posts will often ask you to share before you can complete the task, such as viewing a video or entering the contest. Hackers know your friends are more likely to also fall for the scam if the post came from a friend.
Stay with the pack—as with the case of the pre-release dislike button, offers that promise you can do things differently (like change the color) in Facebook are false. These posts usually prompt users to download an app, which will lead to an increase in your spam or possibly worse.
There are security sites, such as Facecrooks.com and ThatsNonsense.com that are dedicated to warning you about Facebook scams. The Snopes Facebook page will keep you up-to-date with the latest hoaxes. Like their page to be the first to know.
As for your gullible friends, there is not much you can do to change their trusting nature, but you can try to prevent them from falling for future hoaxes. If your friend shares or posts something you know to be untrue, politely let them know it’s a hoax and provide a link to a reputable source with the proof.
Failure to secure corporate data leads to data breaches. Read more on how they impact consumer trust: Customer Loyalty, Trust and Data Breaches. http://www.safenet-inc.com/resources/data-protection/customer-loyalty-data-breaches-infographic/
Mor AhuviaJanuary 7, 2016, 10:00 am EST
On December 15, 2015, the 28 EU Member states finalized the language of the new General Data Protection Regulation, meaning that a single set of information security rules will be enforced in the EU starting around 2018—providing organizations a two-year period to become compliant.
The new law will apply to both organizations based within the EU, as well as organizations based outside the continent that offer services to EU users.
So what good tidings does the new regulation bring to the New Year? Here are several:
Uniform EU-wide enforcement
Whereas the regulation’s predecessor, the EU General Data Protection Directive, served as a legal basis that was individually interpreted and enforced by each member state, the newly completed Regulation will be uniformly interpreted and enforced, eliminating ambiguity and diverse levels of enforcement.
Privacy by design
Data protection and data privacy solutions, procedures and processes must be built into business products. At any given time, a company will be required to have visibility into the data it processes and stores, and be able to answer the five W’s (the Who/Where/What/When/Why) of personal data under its control to ensure that appropriate mitigation measures have been implemented.
Hefty fines for non-compliance
Significant fines will be imposed on companies for non-compliance, the upper limit of which will be the higher sum among €20 million or 4% of global revenue.
Compulsory data breach notification
In the event of a data breach, companies will be obliged to notify affected users without undue delay. Exceptions include instances where the risk associated with the leaked data is inconsequential, as well as cases in which the compromised data is rendered unintelligible for hackers. For example, data scrambled through the use of encryption or tokenization solutions would be rendered useless to hackers, and leaked passwords would be equally unusable if coupled with multi-factor authentication (e.g. strong authentication that leverages PKI security or OTP authentication).
Mandatory Data Protection Officer
Organizations that are public authorities or publicly traded companies will be required to appoint an independent Data Protection Officer, providing a single point person accountable for the implementation of the regulation.
With Gemalto being a global publicly-traded company incorporated in the EU, my colleagues will undoubtedly provide further insights into the new law as the year unfolds.
Wishing all a safe and secure 2016!
Is your data safe and secure? Protect your data, start by exploring Gemalto’s Data Compliance Solutions.
Jean-Francois SchreiberDecember 21, 2015, 12:00 pm EST
It’s becoming more obvious that companies are losing the battle to protect their customers’ data from theft. In fact, this year data breaches got much more personal than previous years with more than 53% of data breaches being the theft of personal identities and information.
With ever increasing reports of data and identity theft, consumers are getting increasingly skeptical of the ability of corporations to protect their information. According to a recent global study by Gemalto, 75% of consumers believe that companies do not take the protection and security of customer data very seriously. That’s up from 50% last year. The study also found that 64% of consumers said they were unlikely to do business with a company where their financial or sensitive data was stolen. Half said they would not do business again with a company were non-sensitive information was stolen. These are figures that companies need to take notice of.
So, what is at stake here? Trust. It is one of the fundamental bonds between customers and the brands they do business with. Trust takes on many forms in the buyer-seller relationship. Trust can mean the customer believes in the ability of a company to deliver a high quality and reliable product, all the time. It also can also mean the product does what it was marketed to do and meets the consumer’s needs very well, all the time. First and foremost, trust is built over time by consistently meeting customer expectations. The advantage for brands that can deliver on trust means customers keep coming back despite the emergence of other choices.
As our world becomes more digital, brand loyalty will also come to mean trust in the security of customers’ digital data. In fact, over time it may come to be the number one thing consumers value most in choosing who they do business with. However, there are several challenges business will face that will only exacerbate the data security and trust problem if certain changes do not take place.
First, as consumers, we are all sharing more and more of our information about ourselves in order to take advantage of more and more digital services, from online banking and social media to the cloud-based services where we store and share our documents and photos. Consider this number. Some studies suggest that for 24-34-years olds, there are 40 online accounts per person on average.
Second, we are exposing ourselves to more points of attack by cyber criminals because we are accessing digital services from our phones, televisions, watches, cars and the other connected devices in our homes. One study found that the average British household has 7.4 Internet connected devices. This is only the beginning as we are on the verge of an explosion of consumer IoT devices. According to Gartner, consumers will account for the greatest number of connected things and projects that by 2020 that there will be 13.5 billion Internet of Things devices in use by consumers.
The implication of all of this is that in order to be digital citizens, we have to surrender our identities and information in order to enjoy the full benefits of digital services that allow us to be connected and have ubiquitous access to information anytime, anywhere. As a result, the cloud connected and mobile nature of our digital lives means the security of our information is dependent on the security (or lack thereof) of these devices, services and the companies that offer them.
The digital world has deconstructed traditional notions of data security. For the past two decades, companies have protected data by securing it in only one place – in the data center behind a firewall with some intrusion detection, AV and SIEM technology. Basically, security has amounted to building a perimeter around the data and maintaining some watchful guards to see who is trying to compromise the perimeter. This mindset no longer works in a world where the cloud and mobility have totally destroyed traditional notions of data residency and accessibility. Data is now fluid, living everywhere and accessed from anywhere.
The cloud, mobility and the Internet of Things have serious implications for the security of information. However, companies, governments and other organizations continue to fight cyber criminals and attempt to secure the digital world with defensive strategies that have proven to be ineffective. The simple truth is that breach prevention is dead.
There is nothing wrong with perimeter security. In fact, it is still important, but it can no longer be counted on as the only means of defense. Companies should assume they and the products they make will be breached. In a world where the defensive front line has moved from the corporate network and data center to the users and devices who access the information and the data itself, security must now move to these battle fronts as well. This adds more complexity because it means there are more end points and data environments to defend. To adapt to this new reality, it requires an entirely new data security mindset. Companies need to accept that data breaches are inevitable and develop strategies to Secure the Breach when perimeter defenses fail.
So, why is this relationship between trust and data security so important? As brands increasingly become digital brands, the relationship between trust and strong data security will increasingly become more important to the C-Suite and boards of directors of companies. This year we saw two senior leaders leave their organizations as a result of data breaches. The first was the Director of U.S. Office of Personnel Management and the second was the CEO of Avid Life Media, the parent company of Ashley Madison. In fact, Forrester is predicting that two to three CEOs will be forced out of their positions as a result of data breaches in 2016. We are also now seeing for the first time companies taking serious financial hits from data breaches.
As companies and devices collect ever-increasing amounts customer information and as consumers’ online digital activities become more diverse and prolific, more data about what they do, who they are and what they like is at risk to be stolen from the companies that store their data. Until now, consumers may not have been concerned about having their credit card numbers stolen, because there are built-in protections for them. However, if their entire personal data is being coopted so thieves can rob their houses, compromise their cars, or steal their identities again and again, the calculus will change. In the very near future, trust in digital security will matter most. That is because in this digital world it can be lost so quickly.
To learn how Gemalto can help you secure your customer’s data. View Secure the Breach: Protect Your Data, Not the Perimeter
Jennifer Dean January 14, 2016, 10:00 am UTC
Mor Ahuvia January 7, 2016, 10:00 am UTC
Cheryl Barto Shoults March 19, 2012, 10:05 am UTC
Jennifer Dean January 14, 2016, 10:00 am UTC
Andrew Young November 20, 2013, 11:41 am UTC
Cheryl Barto Shoults January 24, 2012, 08:30 am UTC
Motty Alon June 6, 2013, 01:21 pm UTC