The process of making sure your business is prepared to protect its data from ransomware and other disasters depends largely on the characteristics of your specific computing environment, such as the type of data you have and how it is stored. To begin the process of implementing or optimizing a data protection plan, you need to gain a full understanding of how data is used within your organization and what needs to be protected the most. Start by asking yourself these four questions: 1. What data do I have? The first thing…

With the upcoming onset of the GDPR, many companies are seeking to leverage their cloud services for GDPR compliance. The Microsoft Office Modern Workplace episode, ‘GDPR: What You Need to Know’, outlines how to make this process painless. Companies want to ensure that the cloud services they use are compliant. The GDPR places a higher burden on companies storing data on Europeans, and for many businesses, this data resides in the cloud. Some important GDPR compliance considerations include building support for the consent requirement, rights to erasure and data portability,…

The General Data Protection Regulation (GDPR) is the latest in a host of rules designed to protect privacy. It is significant because it affects companies that do business in Europe or collect data on Europeans. GDPR’s wide-ranging scope ranks it right at the top of significant regulations, sitting beside well-known requirements such as HIPAA and PCI. Your business may be doing quite a few things required by GDPR already because GDPR has similar goals to other regulations. While HIPAA is designed to protect patient information in covered entities and business…

Bring your own device (BYOD) policies are commonplace in many organizations today. Employees bring in their personal cell phones, laptops, tablets and other mobile devices and use them to connect to corporate networks. Additionally, employees regularly use personal computers and other devices not owned by the organization to work at home or on the road. Unfortunately, BYOD can be risky for organizations that do not implement adequate security controls. Personal devices that aren’t properly managed by the company often have inconsistent security controls implemented on them. For example, one device…

Security spending could be compared to the stock market. It increases and decreases depending on intangibles such as how “at-risk” the organization feels rather than on objective measures such as the number of cyberattacks, vulnerabilities or data breaches. An organization may put technical controls in place, educate employees and establish new policies immediately following a breach, but over time the technology becomes outdated and no longer protects the organization as it should. Memory of the breach fades, causing exceptions to be made to the firm's policies and leading to forgetfulness…

As an organization becomes more conscious and engaged in protecting information, it progresses along a path of security maturity. I like to describe this path in five stages, starting with ad hoc and ending with leading organizations (see the figure below). This model is helpful because it demonstrates how security is refined in an organization. Most importantly, it shows that security maturity takes time to become established in an organization, and how an organization can transform from viewing security as a cost to viewing it as an investment. Let's see how it…

The Electronic Frontier Foundation issued a report on 18 web and technology companies that routinely handle data. The study looked at the following six security policy and practice areas related to how the company responds to requests for user information. Does the company require a warrant before releasing information? Does the company inform users of requests for data? Are statistics published on how often data is provided to requesting agencies? Does the company have a policy outlining how they respond to information requests? Does the company stand firm when information…

The Florida Department of Juvenile Justice (DJJ) had a mobile device containing 100,000 youth and employee records stolen on January 2, 2013. The device was unencrypted and not password protected, despite a DJJ policy requiring both encryption and password protection on mobile devices. This latest breach further demonstrates the importance of encrypting mobile devices, but more importantly, it shows that a policy alone is not enough. Organizations and government agencies need to make sure that employees are aware of and adhere to their policies. Without this, such policies are…

President Obama signed an executive order on February 12, 2013, that requires federal agencies to share information on cyber threats with each other and with private companies. This will include unclassified information on the activities of known criminals and terrorists and on cyber-attacks, as well as some classified information for owners of critical infrastructure. The order does not require private companies to share data with the government, which alleviates some of the privacy concerns present in the Cyber Intelligence Sharing and Protection Act (CISPA). Information will be collected and shared through two national critical infrastructure…