Archive for category Data Security

Are Insurance Companies Managing Their Risk of Data Breach?

Posted by on Wednesday, 9 May, 2012

An injury that doesn’t happen needs no treatment. An emergency that doesn’t occur requires no response. An illness that doesn’t develop demands no remedy. The best way to stay safe … is to avoid getting into trouble in the first place. That requires planning, training, leadership, good judgment, and accepting responsibility—in short, risk management.  

– Boy Scout Field Book

Insurance companies are the experts at analyzing and managing risk. They identify, quantify and set pricing based on the calculated costs of risk. Naturally, the higher the perceived risk, the higher the cost to mitigate the potential losses.

Yet here is the irony.  While those in the insurance industry excel at evaluating risk management for their clients, they often neglect risk mitigation within their own operation.

Exposed data is serious risk

The insurance industry collects and analyzes overwhelming amounts of data. This often sensitive and confidential information becomes the basis upon which many critical decisions are made, and which produces the competitive advantage to provide better policies, prices, and solutions to the market.

All of this data, both historical and current, is the lifeblood of the insurance industry. The management and protection of that data are therefore the arteries and veins that carry it to every part of the company that depends on it.

In addition, this sensitive and private information is disseminated to various internal and external associates, customers, partners and collaborators usually via the Internet, which exposes this data to compromise.

And yet, despite their expertise in risk analysis, many in the insurance industry fail to ask these questions:

  • Given how much data we’re exchanging with clients, partners, financial institutions, healthcare organizations, etc., what is our risk of a data breach?
  • What is our liability if we suffer a data breach?
  • What can be done to mitigate potential losses?

When examined this way, any underwriter would agree that failure to adequately protect the sensitive data continually in transit in an insurance company’s daily workflow presents an extremely high risk.

Insurance industry, heal thyself

If data really is the lifeblood of the insurance business, and the data center is at the heart of the company, then the arteries and veins are the methods of moving that data to and from your departments, clients, business partners, and others.

While adding layers of physical security to the data center is a top priority for insurance IT professionals, securing the pathways in and out of that data center tends to be overlooked, despite media coverage of data breaches at companies worldwide. This lack of action underestimates both the extent of the public’s concern that their private data may be compromised and the state and federal efforts to more strictly regulate data storage and transfer.

Effectively managing file transfers is essential to mitigating the risk of data loss. The cost of implementing a managed file transfer solution is small relative to that risk, and such a solution gives the flexibility needed to meet the requirements of trading partners and compliance regulations.

As the insurance industry knows better than anyone, the best approach is to mitigate risk with a cost efficient solution.  In this case, taking direct action to protect data transfers is the obvious prescription for any organization — especially one based on risk management.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.


Is Your Company Letting Data Slip Through the Cracks?

Posted by on Monday, 16 April, 2012

Many Americans have spent the last few days frantically searching for receipts and other documentation to finish their taxes before Tuesday, April 17. No doubt some of those people thought they knew exactly where to find what they needed, and were dismayed to discover that their confidence, as well as their data, had been misplaced.

How about your confidence regarding your organization’s sensitive data? As managers, are you aware of all of the transactions going in and out of the company network? Who is sending and pulling files, and why? What’s the best way to manage all of these data exchanges? Isn’t there a more user-friendly solution than prohibiting all FTP communications except from specified computers or user profiles?

Efficient workflow requires efficient data flow

No doubt data security is critical.  So is the ability to exchange information to accomplish daily business goals.  Almost every department needs to exchange files with trading partners, customers, vendors, remote employees, and more.

Here are just a few examples of data your company may be exchanging every day:

Finance/Accounting/HR

  • Tax documents
  • Annual, quarterly, and monthly reports to shareholders, investors, banks, financial partners
  • Personnel reporting

Marketing/Sales

  • Art files to/from artists, printers, marketing partners
  • Video and other content for web, publishers, printers
  • PDF brochures, proposals, whitepapers to prospects, partners, customers

Information Technologies

  • Data files to/from system integration partners
  • Database exchanges with business networks
  • System updates
  • EDI file transaction exchanges
  • Updates to HA and offsite systems

Customer Service

  • Customer update documents
  • Client reporting documents
  • Receipt of supporting documents

Production/Warehousing

  • Supplier data exchange
  • Customer data exchange
  • Inventory reporting

Research & Development

  • Product specifications to/from manufacturing partners
  • Large CAD/engineering data to/from development partners

How do you control the data flow?

Educate your employees

Each organization has developed rules and codes of conduct to maintain productivity, positive morale, and customer confidence. Ideally, these policies are documented and part of employee training. It’s imperative that the rules governing data management are also included in the documented policies, and all employees, regardless of their roles, need to demonstrate their understanding of them. Clear directives regarding management’s expectations are the first line of defense against a data breach.

Implement the appropriate technology solution

The right technology tools can also be a valuable part of the data control approach. Most data exchanges can be performed over secure email, secure file transfer (SFTP or FTPS rather than plain FTP) and other network channels. Combining the firewall with a managed file transfer solution lets IT secure those channels and allocate them to each department’s needs.

Firewalls not only protect the company network from outside intruders, but can also help manage internal traffic. A managed file transfer (MFT) system permits only the transfers allowed by a user’s permissions or by defined events, so the inbound/outbound flow of data can be managed and monitored. An MFT system automatically keeps an audit log of each data exchange, and files and emails can be encrypted so that they remain protected even if they are sent to the wrong people.
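The control point described above, as an added example that is not code from the original post or from GoAnywhere: every transfer request is checked against a per-user policy (direction, trading partner, protocol, size) before it is allowed, and every decision, allowed or denied, is appended as one JSON line to an audit log carrying a hash of the bytes involved. The policy table, user names and partner names are constructed for the example.

```python
"""Policy-gated file transfer with an append-only audit trail.

Added example, not code from the original post or from GoAnywhere. The
policy table, users, partners and payloads are constructed for the demo.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Protocols that encrypt the connection. Plain FTP is deliberately absent,
# so a request to use it is denied even for an otherwise authorised user.
SECURE_PROTOCOLS = {"sftp", "ftps", "https"}


@dataclass(frozen=True)
class Policy:
    directions: frozenset        # subset of {"inbound", "outbound"}
    partners: frozenset          # trading partners this user may exchange with
    max_bytes: int               # largest file this user may move


# Constructed policy table keyed by internal user name.
POLICIES: Dict[str, Policy] = {
    "finance.batch": Policy(frozenset({"outbound"}), frozenset({"bank-acme"}), 50_000_000),
    "edi.partner":   Policy(frozenset({"inbound", "outbound"}), frozenset({"supplier-x"}), 5_000_000),
}


@dataclass
class TransferRequest:
    user: str
    direction: str     # "inbound" or "outbound"
    partner: str
    protocol: str
    filename: str
    payload: bytes


def authorize(req: TransferRequest) -> Optional[str]:
    """Return None if the transfer is allowed, otherwise the denial reason.
    Checks are ordered so the log records the first failing control."""
    policy = POLICIES.get(req.user)
    if policy is None:
        return "unknown user"
    if req.protocol.lower() not in SECURE_PROTOCOLS:
        return f"protocol {req.protocol} does not encrypt the connection"
    if req.direction not in policy.directions:
        return f"{req.direction} transfers not permitted for {req.user}"
    if req.partner not in policy.partners:
        return f"partner {req.partner} not in {req.user}'s allow-list"
    if len(req.payload) > policy.max_bytes:
        return f"file exceeds {policy.max_bytes} bytes"
    return None


def transfer(req: TransferRequest, audit_log: List[str]) -> bool:
    """Apply the policy and append one JSON audit record either way.
    The record carries a SHA-256 of the payload so a later investigation can
    tie the log entry to the exact bytes that moved (or were refused)."""
    reason = authorize(req)
    record = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "user": req.user,
        "direction": req.direction,
        "partner": req.partner,
        "protocol": req.protocol,
        "file": req.filename,
        "bytes": len(req.payload),
        "sha256": hashlib.sha256(req.payload).hexdigest(),
        "result": "allowed" if reason is None else "denied",
        "reason": reason,
    }
    audit_log.append(json.dumps(record, sort_keys=True))
    return reason is None


def demo() -> List[str]:
    """Run four constructed requests and return the audit log lines:
    one allowed, then plain FTP, wrong direction and wrong partner denied."""
    log: List[str] = []
    payroll = b"emp,amount\n1001,2500\n"
    transfer(TransferRequest("finance.batch", "outbound", "bank-acme", "sftp", "payroll.csv", payroll), log)
    transfer(TransferRequest("finance.batch", "outbound", "bank-acme", "ftp", "payroll.csv", payroll), log)
    transfer(TransferRequest("finance.batch", "inbound", "bank-acme", "sftp", "ack.txt", b"ok"), log)
    transfer(TransferRequest("edi.partner", "outbound", "bank-acme", "ftps", "850.edi", b"ISA*00*"), log)
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The denial reasons are deliberately specific in the log and deliberately absent from what a requesting partner would see; the log exists for the auditors and incident responders the post mentions, not for the counterparty.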

The bottom line

Given the multitude of data files that need to be moved in and out of your organization, and the need to create efficient workflows that allow employees to do their jobs while maintaining strict vigilance about data security, few facets of your business are more important than controlling your data flow.  Getting information in the right hands and keeping sensitive data shielded from non-authorized access is an ongoing challenge, but education and the right tools are the keys to success.

Daniel Cheney



Data Breach Remains a Hot Topic for Media

Posted by on Monday, 19 March, 2012

During the past few years, the media has highlighted a variety of examples of the loss of private information by large companies either by theft or misuse.

One of the reasons for the increased media attention is the renewed focus on establishing and enforcing data breach notification laws which apply to companies that own, lease or store private, personally identifiable information. If that data is exposed to unauthorized use either by accident, cyber attack, employee misconduct, or other causes, most states require companies responsible for protecting that data to announce the data breach and individually notify everyone affected. Some states require that credit agencies are also notified.

For clarification, private data means any information that can be used to identify an individual, including sensitive information such as a credit card number, social security number, or health related data.

There are a few exceptions to having to report a data breach. If the compromised files were encrypted, whether in transit across the Internet or at rest on stolen backup tapes, and the encryption key was not exposed along with them, it is unlikely that the files could be decrypted, so the individuals’ privacy is not considered compromised. That last condition matters: encryption offers no safe harbor if the attacker also obtained the key or a credential that can decrypt the data.

A company that finds itself dealing with a data breach learns quickly that the process is not just embarrassing and costly (sending notifications, providing free credit reports, etc.), it can also damage the company’s hard-earned reputation resulting in the loss of customers. The point is that companies are responsible – and legally liable — for the information that is in their hands.

Securing File Transfers

Most companies use FTP (file transfer protocol) to send data files back and forth to their trading partners, vendors, remote employees, etc. Most often, FTP is used to send files that are too large to email.

However, plain FTP sends both the login credentials and the file contents in cleartext, so anyone positioned on the network path can read or alter them. File transfers like these are exposed to data thieves on the Internet every day unless security procedures have been put into place to safeguard the files’ data.

Companies need to implement procedures that secure both an in-motion process (files in transit over the Internet) and an at-rest process (files stored on servers or backup tapes). SFTP and FTPS both protect the file while in motion by encrypting the connection between the two systems for the duration of the transfer; once the file lands on the receiving system it is stored exactly as it was sent. PGP encrypts the file itself, so it stays protected while at rest on the server or on backup tapes and is readable only by the holder of the corresponding private key.
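A practical check that follows from the in-motion versus at-rest distinction above, as an added example that is not code from the original post or from GoAnywhere: before a received file is allowed to rest on a server or backup set, verify that it actually is an OpenPGP-encrypted message rather than cleartext that merely arrived over SFTP or FTPS. The check parses the packet framing from RFC 4880 section 4.2: an encrypted message begins with one or more session-key packets (tag 1 public-key, tag 3 symmetric-key) followed by an encrypted-data packet (tag 9 or 18). The sample files at the bottom are constructed; their packet bodies are filler, not real ciphertext.

```python
"""Check that a file at rest is actually OpenPGP-encrypted.

Added example, not code from the original post or from GoAnywhere. Parses
the OpenPGP packet headers of RFC 4880 section 4.2 and accepts only the
session-key-packet(s) followed by encrypted-data-packet structure that an
encrypted message has. Sample inputs are constructed.
"""
from typing import List, Optional, Tuple

PKESK, SKESK, SED, SEIPD = 1, 3, 9, 18          # packet tags from RFC 4880 section 4.3
SESSION_KEY_TAGS = {PKESK, SKESK}
ENCRYPTED_DATA_TAGS = {SED, SEIPD}
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def read_packet_header(buf: bytes, pos: int) -> Optional[Tuple[int, int, int]]:
    """Parse one packet header at buf[pos]. Returns (tag, body_offset, body_len)
    or None if the bytes are not a valid header. Partial-length new-format
    packets are rejected here rather than guessed at."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if not first & 0x80:          # bit 7 must be set on every packet header
        return None
    if first & 0x40:              # new format: tag in the low six bits
        tag = first & 0x3F
        if pos + 1 >= len(buf):
            return None
        b1 = buf[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            if pos + 2 >= len(buf):
                return None
            return tag, pos + 3, ((b1 - 192) << 8) + buf[pos + 2] + 192
        if b1 == 255:
            if pos + 5 >= len(buf):
                return None
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return None               # 224..254: partial body length, not handled
    tag = (first >> 2) & 0x0F     # old format: tag in bits 5..2
    length_type = first & 0x03
    if length_type == 3:          # indeterminate length: body runs to end of file
        return tag, pos + 1, len(buf) - pos - 1
    n = 1 << length_type          # 1, 2 or 4 length octets
    if pos + 1 + n > len(buf):
        return None
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def packet_tags(buf: bytes) -> List[int]:
    """Walk the packet sequence and return the tags seen, stopping at the
    first malformed header or truncated body."""
    tags, pos = [], 0
    while pos < len(buf):
        hdr = read_packet_header(buf, pos)
        if hdr is None:
            break
        tag, body, length = hdr
        if body + length > len(buf):
            break
        tags.append(tag)
        pos = body + length
    return tags


def is_pgp_encrypted(data: bytes) -> bool:
    """True only for a binary OpenPGP message whose packet sequence is
    session-key packet(s) followed by an encrypted-data packet. ASCII-armored
    messages are recognised by their header line but not parsed further."""
    if data.startswith(ARMOR_HEADER):
        return True
    tags = packet_tags(data)
    if not tags or tags[0] not in SESSION_KEY_TAGS:
        return False
    i = 0
    while i < len(tags) and tags[i] in SESSION_KEY_TAGS:
        i += 1
    return i < len(tags) and tags[i] in ENCRYPTED_DATA_TAGS


# Constructed samples. The first mimics the shape of `gpg -e` output: an
# old-format PKESK (0x84 = tag 1, one-octet length) then a new-format SEIPD
# (0xD2 = tag 18). The bodies are filler, not ciphertext.
ENCRYPTED_SAMPLE = bytes([0x84, 4]) + b"\x03\x00\x00\x00" + bytes([0xD2, 6]) + b"\x01ABCDE"
# A CSV that arrived over SFTP: protected on the wire, cleartext on disk.
CLEARTEXT_SAMPLE = b"member_id,dob,diagnosis\n1001,1970-01-01,J45\n"
# A lone literal-data packet (0xCB = tag 11): well-formed OpenPGP, but not encrypted.
LITERAL_ONLY_SAMPLE = bytes([0xCB, 3]) + b"b\x00\x00"

if __name__ == "__main__":
    for name, blob in [("gpg-style", ENCRYPTED_SAMPLE), ("csv", CLEARTEXT_SAMPLE),
                       ("literal-only", LITERAL_ONLY_SAMPLE)]:
        print(f"{name}: encrypted={is_pgp_encrypted(blob)} tags={packet_tags(blob)}")
```

The check proves only that the file has the framing of an encrypted message, not that it was encrypted to the right key; it is a gate against cleartext landing on the server, and a complement to, not a substitute for, managing who holds the private keys.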

When addressing the challenge of sending ad-hoc files that are too big to email, finding a managed file transfer solution that includes a secure mail feature can mean the difference between an accidental data breach and a successfully delivered file.

Implementing these security procedures is a significant step organizations can take to greatly reduce their risk of data breach, and therefore their exposure to the financial liability and the loss of confidence of their customers and trading partners.


Daniel Cheney



Ad-Hoc File Transfers Present Challenges, Vulnerabilities

Posted by on Thursday, 1 March, 2012

Regardless of industry or job title, most employees who sit at a computer screen all day have, at one time or another, needed to email a file that was too big to send.  For most people outside of IT, that posed a significant obstacle.

Take Betsy, for example. How could Betsy in Marketing send the CEO’s requests for changes to the annual report back to the ad agency if the file was too large to attach to an email?   Fax it, maybe?  So old school!

Betsy is eager to do a good job and meet expectations, and hates depending on someone else to help her do something she perceives should be relatively easy to do, like sending a file as an email attachment. Therefore, because her boyfriend told her something about FTP-something, she uses a search engine and finds a host of FTP tools she can download for free that promise to solve her problem quickly and easily. Score!

Free FTP tools, browser apps, and cloud-based storage, oh my!

This scenario is replicated in thousands of companies every day. Employees download FTP tools or use FTP features that “come with” their browser, and rejoice, believing that their file transfer problems are solved. Others create accounts on cloud-based file storage systems, upload files there, and then send the recipient an invitation to download the file using a specific link.

Unfortunately, while a free FTP tool downloaded from the Internet might solve an immediate need, it often creates a host of other problems, and many of them go unnoticed because IT administrators are unaware that this is happening.

Here are just a few of the challenges for the IT staff:

  • Who has what tool installed on which machine?
  • Who provides support for these tools if there’s a problem with a file transfer?
  • How are the file transfers secured to prevent data breach?
  • Who is monitoring what data is being transferred, by whom, to which recipients, and for what purpose?
  • How is the receipt of the documents confirmed?
  • How will compliance auditors view this approach to ad-hoc file transfers?

There’s no easy solution — or is there?

Company policies could dictate a variety of solutions.  They could block the download of any apps to individual desktops at work, and/or require people who need to do ad-hoc file transfers to register the tool and the relevant login data with the IT department for approval.  They could require that anyone who needed to send a large file make a formal request to the IT department and wait for someone there to send it via the company’s official FTP software or managed file transfer solution. They could require all staff to sit through mandatory training to deter them from continuing this practice.

A more effective approach might be implementing a secure mail tool.  A trustworthy secure mail system will keep the files that need to be transferred stored securely within the organization’s network, and will allow authorized users to email a unique link to a trading partner that they would use to access and download the files via an HTTPS secure channel.

Most of the cloud-based file storage systems provide a similar approach, allowing users to store their files and then invite others to view or download them using a link.

There are critical differences, though, between a secure mail system and the cloud-based apps.  Most importantly, secure mail gives control back to an organization’s IT administrators so they can track file transfers and maintain audit logs, both of which are required by most compliance regulations such as HIPAA, PCI DSS, SOX and GLBA.  A secure mail system that is controlled by the IT staff can ensure that file transfer policies are followed, and can include additional security features such as requiring additional password protection, applying link expiration dates, and other features.
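The server-side bookkeeping behind the unique links, password protection and expiration dates described in the last two paragraphs, as an added example that is not code from the original post or from GoAnywhere’s Secure Mail module: the file never leaves the internal store, the recipient receives only an unguessable token, and each redemption is checked for expiry, an optional recipient password and a download limit, with every decision recorded. Storage is an in-memory dictionary and the file contents, addresses and password are constructed for the example; a real deployment would persist the table and serve the bytes over HTTPS.

```python
"""Expiring, optionally password-protected download links for ad-hoc transfer.

Added example, not code from the original post or from GoAnywhere. The
store is in memory and the sample file, addresses and password are
constructed; a deployment would persist the table and serve over HTTPS.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000


@dataclass
class Link:
    token_hash: str              # sha256 of the token: a leaked table yields no usable links
    file_id: str
    sender: str
    recipient: str
    expires_at: float
    downloads_left: int
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None
    audit: List[Tuple[str, str]] = field(default_factory=list)


class SecureMailStore:
    def __init__(self, now=time.time):
        self.files: Dict[str, bytes] = {}
        self.links: Dict[str, Link] = {}     # keyed by token hash, never by the token
        self.now = now                       # injectable clock so expiry can be tested

    @staticmethod
    def _hash_token(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create_link(self, file_id: str, content: bytes, sender: str, recipient: str,
                    ttl_seconds: int, max_downloads: int = 1,
                    password: Optional[str] = None) -> str:
        """Keep the file inside the store and return the one secret the recipient needs."""
        self.files[file_id] = content
        token = secrets.token_urlsafe(32)    # 256 random bits: not guessable or enumerable
        link = Link(self._hash_token(token), file_id, sender, recipient,
                    self.now() + ttl_seconds, max_downloads)
        if password:
            link.pw_salt = secrets.token_bytes(16)
            link.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), link.pw_salt, PBKDF2_ROUNDS)
        self.links[link.token_hash] = link
        return token

    def redeem(self, token: str, password: Optional[str] = None) -> Optional[bytes]:
        """Return the file bytes, or None with the refusal reason recorded on the link.
        Unknown tokens are refused without revealing whether they ever existed."""
        link = self.links.get(self._hash_token(token))
        if link is None:
            return None
        if self.now() > link.expires_at:
            link.audit.append(("denied", "expired"))
            return None
        if link.downloads_left <= 0:
            link.audit.append(("denied", "download limit reached"))
            return None
        if link.pw_hash is not None:
            supplied = hashlib.pbkdf2_hmac("sha256", (password or "").encode(),
                                           link.pw_salt, PBKDF2_ROUNDS)
            if not hmac.compare_digest(supplied, link.pw_hash):   # constant-time comparison
                link.audit.append(("denied", "bad password"))
                return None
        link.downloads_left -= 1
        link.audit.append(("allowed", link.recipient))
        return self.files[link.file_id]

    def audit_for(self, token: str) -> List[Tuple[str, str]]:
        link = self.links.get(self._hash_token(token))
        return list(link.audit) if link else []


if __name__ == "__main__":
    store = SecureMailStore()
    t = store.create_link("annual-report-v3", b"%PDF-1.4 ...", "betsy@example.test",
                          "agency@example.test", ttl_seconds=3600, password="spring-2012")
    print("wrong password ->", store.redeem(t, "guess"))
    print("right password ->", store.redeem(t, "spring-2012") is not None)
    print("second download ->", store.redeem(t, "spring-2012"))
    print(store.audit_for(t))
```

Two design points worth noting: the table stores only a hash of the token, so a dump of the link table does not hand an attacker working download links, and the password check uses a salted PBKDF2 hash compared in constant time rather than the plaintext the sender typed.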

Bottom line

Most organizations want efficient workflows, employees who feel empowered to do what it takes to meet expectations, and assurances that the data they store and transfer is insulated from external threats.  A secure mail ad-hoc file transfer solution seems like a smart way to accomplish all of those goals.

GoAnywhere Services just released a new Secure Mail module, so check it out.

Susan Baird

Susan is the Marketing Manager at Linoma Software, helping promote our secure file transfer and encryption solutions. Her specialty is content creation and social media marketing.


Silence the Nagging By Securing Your Data

Posted by on Monday, 6 February, 2012

Compliance issues and the ever-growing list of compliance regulation acronyms (HIPAA, PCI, SOX, etc.) are persistently nagging IT folks who must meet tough mandates and overly complicated rules.

Of course, the real reason we must now pay so much attention to compliance is others’ irresponsible abuse. Somewhere along the data-strewn path, a few malicious malcontents succumbed to the voice of greed and abused their technological skill sets. All IT professionals’ jobs are tougher thanks to those who, through hacking, sniffing, or lifting data sources, chose to steal and sell inadequately secured information.

The truth is, though, that “data” really is sensitive information, and we live in a paranoid modern world where dastardly damage is done with just a little twist of the facts. So in response to the cries of outrage among our citizens, politicians have wrung their bureaucratic hands and passed plenty of legislation designed to protect our data.

Because IT is responsible for the company’s data, we need to stay abreast of the laws that apply to it. We also need to fully understand and implement the three types of data protection: physical, transitional, and procedural.

Physical

Physical protection is probably the easiest. We secure the data on our servers, backup tapes and offsite facilities with technologies such as passwords, drive encryption, backup encryption, data center surveillance, physical locks, etc. We spare no expense in securing the physical because we can see it and believe it is secured. Or so we think.

Transitional

Transitional protection is a little more difficult. Any data files that leave our networks should be moved with a managed file transfer solution that encrypts the connection (SFTP, FTPS, HTTPS) and, where the data will sit on the far side, the files themselves (PGP), since channel encryption ends the moment the file lands on the other system. Firewalls are set up to control what can leave or enter our data domain. DMZ gateways are set up to keep the data itself inside the internal network while still allowing designated external users to reach it.

Procedural

Procedural security is the type of data protection that is least understood and least implemented. A clear and understandable security policy needs to be communicated to end users so they become familiar with how sensitive data is secured, and what consequences may loom if procedures aren’t followed.

The majority of us in IT are protective about who has access to our own sensitive data, so we can understand the reason for protecting everyone else, too.  Yes, it’s a lot of work, but it’s part of the new normal.

Daniel Cheney

