Posts Tagged Data Breach

Are Insurance Companies Managing Their Risk of Data Breach?

Posted by on Wednesday, 9 May, 2012

An injury that doesn’t happen needs no treatment. An emergency that doesn’t occur requires no response. An illness that doesn’t develop demands no remedy. The best way to stay safe … is to avoid getting into trouble in the first place. That requires planning, training, leadership, good judgment, and accepting responsibility—in short, risk management.  

– Boy Scout Field Book

Insurance companies are the experts at analyzing and managing risk. They identify, quantify and set pricing based on the calculated costs of risk. Naturally, the higher the perceived risk, the higher the cost to mitigate the potential losses.

Yet here is the irony.  While those in the insurance industry excel at evaluating risk management for their clients, they often neglect risk mitigation within their own operation.

Exposed data is serious risk

The insurance industry collects and analyzes overwhelming amounts of data. This often sensitive and confidential information becomes the basis upon which many critical decisions are made, and which produces the competitive advantage to provide better policies, prices, and solutions to the market.

All of this data, both historical and cutting-edge, is truly the lifeblood of the insurance industry. Therefore, the astute management and protection of this data is the infrastructure of arteries and veins delivering this lifeblood to all of the appendages of the company that need the results of this data compilation.

In addition, this sensitive and private information is disseminated to various internal and external associates, customers, partners and collaborators usually via the Internet, which exposes this data to compromise.

And yet, despite their expertise in risk analysis, many in the insurance industry fail to ask these questions:

  • Given how much data we’re exchanging with clients, partners, financial institutions, healthcare organizations, etc., what is our risk of a data breach?
  • What is our liability if we suffer a data breach?
  • What can be done to mitigate potential losses?

When examined this way, any underwriter would agree that failure to adequately protect the sensitive data continually in transit in an insurance company’s daily workflow presents an extremely high risk.

Insurance industry, heal thyself

If data really is the lifeblood of the insurance business, and the data center is at the heart of the company, then the arteries and veins are the methods of moving that data to and from your departments, clients, business partners, and others.

While adding layers of physical security to the data center is a top priority for insurance IT professionals, securing the pathways in and out of that data center tends to be overlooked, despite media coverage of data breaches at companies worldwide.   This lack of action underestimates the extent of the public’s concern that their private data may be compromised, and state and federal efforts to more strictly regulate data storage and transfer policies.

Effectively managing FTP transactions is essential to mitigating the risks of data loss.  The costs of implementing managed file transfer solutions are minimal and provide tremendous flexibility when striving to meet the requirements of trading partners and compliance regulations.

As the insurance industry knows better than anyone, the best approach is to mitigate risk with a cost efficient solution.  In this case, taking direct action to protect data transfers is the obvious prescription for any organization — especially one based on risk management.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

FTP May Be Easy, But That May Be the Problem

Posted by on Monday, 23 April, 2012

It happens in your office every day:  someone on your team hits a roadblock when they realize that email just won’t handle the huge file they need to send – immediately. Or another coworker starts to send an account number or password via email and realizes that perhaps, email isn’t all that secure.

FTP alternative, managed file transferThat’s when the tech savvy gal in the corner suggests the obvious solution: just send that file or sensitive personal information via FTP!  She lists a variety of “free” tools that can be downloaded easily, as well as a couple cloud solutions, and in desperation (and often ignorance), your coworker takes her advice and a new FTPer is born.

FTP, or “file transfer protocol,” is a solution that’s been available for more than 30 years.  Within the last decade, so many free or inexpensive FTP tools have become available that many of us assume that FTP must be a reliable solution, or why would so many people be using it?

As we know with many of society’s ills, just because something is easy to find and popular to use doesn’t mean it’s a smart or effective idea.

The downside of FTP

While FTP may be able to send large files, standard FTP – like email — is not secure, and is therefore vulnerable to hackers.

Rogue FTP tools, like those free tools sprinkled on employees’ PCs, start to become a liability to the company, both financially and to its reputation and credibility.

To begin with, multiple employees with multiple FTP tools mean that no one has a master view of the flow of data in and out of your company. It’s impossible to know who is sending what to whom, and who is receiving files from where.

State and Federal laws require that data which contains personally identifiable information must be encrypted and secured. This also applies to most of the financial data that we collect and create. How can you keep tabs on all of this with a lot of FTP processes running on various PCs throughout the office?

Second, because FTP is not secure, the company increases its risk for a data breach.  Costs to notify those affected when a data breach occurs, combined with the fines that can be assessed, can be in the millions of dollars, not to mention the damage to the company’s brand.

If not FTP, then what?

One approach to control FTP traffic is to set up restrictions on the corporate firewall, essentially prohibiting access for all but specifically authorized personnel to the ports required for FTP processes to work.

Chances are, though, that the same tech savvy employee who suggested FTP in the first place also knows how to bypass this restriction by finding different ports or switching to online FTP services. For determined FTPers, even our cell phones are equipped to send and receive files.

So, if it’s hard to stop it, the next best option is to educate your employees, and to develop and promote clear expectations and consequences regarding sending files and sensitive data from work. Many employees want to do the right thing, but don’t understand the implications of sending sensitive data through the easiest – though not necessarily the safest – means.

Another option that is rapidly growing in popularity is the implementation of a managed FTP solution that can be configured to allow users to send and receive large files  and sensitive information within their daily workflow, but with the addition of administrative control and much greater security.

A managed file transfer solution such as Linoma Software’s GoAnywhere Suite, in combination with setting up appropriate firewall rules and educating all employees of corporate policy and procedures,  will keep your employees – tech savvy or not – productive and happy, and give your IT department peace of mind knowing that the company data is secure.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

Is Your Company Letting Data Slipping Through the Cracks?

Posted by on Monday, 16 April, 2012

Many Americans have spent the last few days frantically searching for receipts and other documentation to finish their taxes before Tuesday, April 17.  No doubt some of those people thought they knew exactly where to find what they needed, and were dismayed to discover that their confidence — as well as their data — had been misplaced.data breach, managed file transfer

How about your confidence regarding your organization’s sensitive data? As managers, are you aware of all of the transactions going in and out of the company network? Who is sending and pulling files, and why? What’s the best way to manage all of these data exchanges? Isn’t there a more user-friendly solution than prohibiting all FTP communications except from specified computers or user profiles?

Efficient workflow requires efficient data flow

No doubt data security is critical.  So is the ability to exchange information to accomplish daily business goals.  Almost every department needs to exchange files with trading partners, customers, vendors, remote employees, and more.

Here are just a few examples of data your company may be exchanging every day:

Finance/Accounting/HR

  • Tax documents
  • Annual, quarterly monthly reports to shareholders, investors, banks, financial partners
  • Personnel reporting

Marketing/Sales

  • Art files to/from artists, printers, marketing partners
  • Video and other content for web, publishers, printers
  • PDF brochures, proposals, whitepapers to prospects, partners, customers

Information Technologies

  • Data files to/from system integration partners
  • Database exchanges with business networks
  • System updates
  • EDI file transaction exchanges
  • Update to HA and offsite systems

Customer Service

  • Customer update documents
  • Client reporting documents
  • Receipt of supporting documents

Production/Warehousing

  • Supplier data exchange
  • Customer data exchange
  • Inventory reporting

Research & Development

  • Product specifications to/from manufacturing partners
  • Large CAD/engineering data to/from development partners

How do you control the data flow?

Educate your employees

Each organization has developed rules and codes of conduct to maintain productivity, positive morale, and customer confidence.  Ideally, these policies are documented and part of employee training. It’s imperative that the rules governing data management are also included in the documented policies, and all employees regardless of their roles need to demonstrate their understanding of the data management policies. Clear directives regarding management’s expectations is the first line of defense against data breach.

Implement the appropriate technology solution

The right technology tools can also be a valuable part of the data control approach.  Most data exchanges can be performed through secure email, FTP and network communications. A combined implementation of firewall and managed FTP solutions will help secure and distribute the resource requirements as appropriate for every department’s needs.

Firewalls not only protect the company network from outside intruders, but can also help manage internal traffic.  A managed file transfer (MFT) system allows specific types of transfers based on users’ permissions or specified events so the inbound/outbound flow of data can be better managed and monitored. With an MFT system, audit logs are automatically kept of each data exchange, and files and emails can be encrypted and secured to ease worries that they might be sent to the wrong people.

The bottom line

Given the multitude of data files that need to be moved in and out of your organization, and the need to create efficient workflows that allow employees to do their jobs while maintaining strict vigilance about data security, few facets of your business are more important than controlling your data flow.  Getting information in the right hands and keeping sensitive data shielded from non-authorized access is an ongoing challenge, but education and the right tools are the keys to success.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

Data Breach Remains a Hot Topic for Media

Posted by on Monday, 19 March, 2012

During the past few years, the media has highlighted a variety of examples of the loss of private information by large companies either by theft or misuse.

One of the reasons for the increased media attention is the renewed focus on establishing and enforcing data breach notification laws which apply to companies that own, lease or store private, personally identifiable information. If that data is exposed to unauthorized use either by accident, cyber attack, employee misconduct, or other causes, most states require companies responsible for protecting that data to announce the data breach and individually notify everyone affected. Some states require that credit agencies are also notified.

data breach, managed file transferFor clarification, private data means any information that can be used to identify an individual, including sensitive information such as a credit card number, social security number, or health related data.

There are a few exceptions to having to report the data breach. If the compromised files were encrypted while in transit across the Internet or stored on stolen backup tapes, for example, it is unlikely that the files could be unencrypted, so the individuals’ privacy isn’t as likely to be compromised.

A company that finds itself dealing with a data breach learns quickly that the process is not just embarrassing and costly (sending notifications, providing free credit reports, etc.), it can also damage the company’s hard-earned reputation resulting in the loss of customers. The point is that companies are responsible – and legally liable — for the information that is in their hands.

Securing File Transfers

Most companies use FTP (file transfer protocol) to send data files back and forth to their trading partners, vendors, remote employees, etc. Most often, FTP is used to send files that are too large to email.

However, file transfers like these are captured and compromised by data thieves on the Internet every day — unless security procedures have been put into place to safeguard the files’ data.

Companies need to implement procedures that secure both an in-motion process (files in transit over the Internet) and an at-rest process (files stored on servers or backup tapes). SFTP and FTPS protocols both secure the file while in motion by encrypting the communication link between two systems during the file transfer. PGP encrypts the file itself, protecting it while at rest on the server or backup tapes.

When addressing the challenge of sending ad-hoc files that are too big to email, finding a managed file transfer solution that includes a secure mail feature can mean the difference between an accidental data breach and a successfully delivered file.

Implementing these security procedures is a significant step organizations can take to greatly reduce their risk of data breach, and therefore their exposure to the financial liability and the loss of confidence of their customers and trading partners.

 

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

Citigroup Breach Triggers Congressional Response

Posted by on Monday, 11 July, 2011

The data breach at Citigroup in May – a breach which reportedly exposed an estimated 200,000 customer accounts – has motivated members of the U.S. Congress to re-introduce legislation to penalize the very organizations that have been victimized by hackers.  What are the next steps your company should take?

New bills to protect consumers’ personal dataLinoma Software Managed File Transfer Solutions

Two bills are proposed by both House and Senate legislators.

First, Sen. Patrick Leahy (D-Vt.) has introduced the Personal Data Privacy and Security Act of 2011.  The new bill provides:

  • Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data;
  • A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security; and
  • A requirement that the government ensure sensitive data is protected when the government hires  third-party contractors.

This act would also require, under threat of fine or imprisonment, that businesses and agencies notify affected individuals of a security breach by mail, telephone or email  “without unreasonable delay.” Media notices would be required for breaches involving 5,000 or more people.  The FBI and the Secret Service would need to be notified if the breach affects 10,000 or more people, compromises databases containing the information of one million or more people, or impacts federal databases or law enforcement.

But that’s not the only security bill that has businesses concerned.

In the House, Rep. Mary Bono Mack (R-Ca) is holding hearings in preparation of a bill she’s named The SAFE (Secure and Fortify) Data Act that would also require “reasonable security policies and procedures” to protect consumers and enable disclosures to victims and the Federal Trade Commission within 48 hours of a data breach.

Companies no longer viewed as the victims

All this sounds good from the consumer’s point of view. But what about the expense – and potential Linoma Software GoAnywhere Managed File Transfer Solutionpenalties – suffered by the “owners” of the data: the businesses themselves?

While these bills may address the public’s interest for notification — and indeed they would bring some semblance of a national standard – they also represent an interesting shift in the liabilities that companies will face.  How is that?

Though we currently have no federal data breach notification law, federal policies now view the companies that experience a data breach as the victims of crime. However, under the proposed legislative bills, companies that do not act quickly to appropriately secure the personal data of customers – or fail to report a data breach in a reasonable amount of time – would not only suffer the theft of data, but also be held liable for its loss.

This is a significant shift. Companies are now being viewed not as the owners of consumer data, but merely guardians and trustees whose job it is to protect that data or face criminal penalties. And the message is clear: if companies won’t take adequate precautions to secure the sensitive data of our customers, they’ll pay a hefty price.

Where does your company stand?

In a world in which diligent hackers have the power break into seemingly secure networks and systems, what can your company do?

The challenge is first to determine exactly what qualifies as adequate precautions.

GoAnywhere Secure Managed File Transfer A review of the HIPAA HITECH security provisions that took effect last year provides some insight about what the government considers adequate protection.

HITECH strongly recommends the use of encryption technology. Encryption is a good place for your company to start, especially when dealing with the data your company stores on its servers.  If sensitive data itself is kept securely encrypted, a data breach doesn’t expose the content of the information itself.

Secure managed file transfer protocols – which send data using encryption – is the second place to focus attention.

If data is encrypted when it is being securely transmitted between business partners, the value of that data should it be breached – through hacking, theft, or other malicious actions – is worthless.  Encryption and secure managed file transfers can dramatically minimize the holes of technical breaches, significantly reducing an organization’s liability.

Preventing exposure

The Citigroup data breach has rekindled the momentum for a nationwide, cross-industry data breach reporting standard. This standard will not to eliminate the physical breaches themselves. What’s needed is legislation to encourage companies secure the underlying data that is the target of the hackers.

Isn’t it time for your company to take a serious look at its liabilities and to investigate how encryption and managed file transfers can close these important security holes?

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website