
Should I Upload Personally Sensitive Information on Cloud

We asked 34 experts what the biggest mistakes companies make with data security are. Here's what they had to say.

Keeping sensitive information secure from theft and vulnerability in today's digital world isn't as easy as putting a lock on the file cabinet - especially with the widespread adoption of cloud computing. Even if you take every precaution with your online accounts and identifying information, there are many ways that information can land in another individual's or company's data management systems, where it can then somehow be made vulnerable to data theft or data leakage.

At Digital Guardian we specialize in helping businesses manage and secure various types of company data. Our top priority is helping our customers keep their sensitive data where it belongs and as secure as possible. To get a better picture of the current state of enterprise data protection and data loss prevention we interviewed data security experts on what matters most when securing sensitive data.

To do this, we asked 34 data security experts to answer this question:

"What's the #1 biggest mistake companies make when it comes to securing sensitive data?"

We've collected and compiled their expert advice into this comprehensive guide to effectively securing your company's sensitive data. See what our experts said below.


Meet our Panel of Data Security Experts

  • Jonathan Gossels
  • Chuck Davis
  • Steve Marsh
  • Amit Pamecha
  • Dr. Scott Nelson
  • Jack Wilson
  • Colin Lobley
  • Michael Fimin
  • Joe Moriarty
  • David Arnoux
  • Alan Baker
  • Stelios Valavanis
  • Eric Jeffery
  • Jeremy Ames
  • Michael Howard
  • Dave Oder
  • Ivo Vachkov
  • Andrew Bagrin
  • David Mohajer
  • John Dancu
  • Christopher Stark
  • HK Bain
  • Amit Bareket
  • Patrick Oliver Graf
  • Paul Ferguson
  • Liam Fallen
  • Paul Banco
  • Drew Farnsworth
  • Rich Reybok
  • Aaron Ross
  • Ryan Satterfield
  • Kevin D. Murray
  • Mark Nicholas
  • Matthew Turner

Jonathan Gossels

The biggest mistake companies make when it comes to securing sensitive data is…

The lack of understanding where their sensitive data resides because they have not set policies to systematically and consistently categorize their data, and consequently, they don't have controls in place to ensure that all categories of data are handled accordingly.

For example, if a company has a policy that says any data set that contains personally identifying information is considered to be "sensitive" and has to be encrypted both in transit across a network and at rest, and the company has implemented technical controls to enforce that policy, it is very likely that the data set is safe.

There is also a user education dimension to this problem - users need to understand the sensitivity of the data they work with and their role in keeping it safe. In many cases, this involves educating users about what not to do.

For example, access to payroll information is usually restricted to those employees that process the payroll and those that review it. This is usually done within a payroll application that has built-in security and access controls. Payroll data and similar data sets should NEVER be downloaded onto an unsecure laptop, thereby undermining all the required controls. As in a very public data breach that occurred a few years ago, when this laptop was lost, millions found themselves at risk for identity theft.

The best way to secure sensitive data is to do the basics well (like blocking and tackling in football). Understand what is sensitive in your data, set rules for handling it, implement technical controls to ensure it is actually handled properly, and educate your users about their role in keeping it safe.

Jonathan Gossels is the President of SystemExperts, a network security consulting firm specializing in IT security and compliance.


Chuck Davis

The biggest mistake companies make when securing sensitive data is…

Not properly classifying it and protecting it against current threats.

There are three essential parts to proper protection of sensitive data.

  1. Data Classification - Companies must understand what data needs to be protected and create a Data Classification Policy to classify data based on sensitivity. At a minimum three levels of data classification are needed.
    • Restricted: This is the most sensitive data that could cause great risk if compromised. Access is on a need-to-know basis only.
    • Confidential or Private: This is moderately sensitive data that would cause a moderate risk to the company if compromised. Access is internal to the company or department that owns the data.
    • Public: This is non-sensitive data that would cause little or no risk to the company if accessed. Access is loosely, or not, controlled.
  2. Encryption - Encryption is a very generic term and there are many ways to encrypt data. Companies need to implement and manage encryption correctly. The key to a good encryption strategy is using strong encryption and proper key management. Encrypt sensitive data before it is shared over untrusted networks (ex. Encrypted Email, Encrypted file storage).
  3. Cloud Misuse - Storing data in the Cloud equates to storing your data on someone else's computer. Once it's there, you no longer have control over it. If that data is Classified or sensitive, encrypt it BEFORE uploading to the Cloud. If you will be sharing keys with the Cloud provider, make sure you understand the Cloud provider's policies. (ex. What is their backup policy? Who has access to your data? What's their data breach communication policy?)

By understanding what you're trying to protect, and creating a strategy to protect each level of data appropriately, companies can fairly secure data against the threats of today.

Chuck Davis, MSIA, CISSP-ISSAP is an Author, Professor and Senior Security Architect. He teaches Ethical Hacking and Computer Forensics classes for Harrisburg University and is a Senior Security Architect at a Fortune 500 Company, having previously worked as a Security Operations Manager for IBM. He holds the CISSP and ISSAP certifications from (ISC)2. He also co-authored 2 books on the subject of security, holds four patents and has four published invention disclosures. He has been a speaker at numerous security conferences and was a featured guest speaker at the Hacker Halted Conference in Mexico City and Atlanta, GA.
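As an added illustration of the points made by Jonathan Gossels (classify, then enforce with technical controls) and Chuck Davis (three-tier classification, encrypt BEFORE uploading, keep key management in your own hands), the Go program below is example code written for this guide, not from either expert or from Digital Guardian. It labels records with the Public / Confidential / Restricted scheme and encrypts anything above Public with AES-256-GCM under a locally held key before the blob is handed to a storage provider; binding the record name and level as authenticated metadata is an assumption of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Level is the three-tier classification from the policy described above.
type Level int

const (
	Public Level = iota
	Confidential
	Restricted
)

func (l Level) String() string {
	return [...]string{"Public", "Confidential", "Restricted"}[l]
}

// Record is a labelled piece of data bound for cloud storage.
type Record struct {
	Name  string
	Level Level
	Body  []byte
}

// Blob is what actually leaves the building. For Public data Payload is the
// plaintext; for anything higher it is AES-256-GCM ciphertext plus tag.
type Blob struct {
	Name      string
	Level     Level
	Encrypted bool
	Nonce     []byte
	Payload   []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes (AES-256), got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PrepareForUpload applies the policy: Confidential and Restricted records are
// encrypted client-side under the organisation's own key, so the provider only
// ever holds ciphertext. Public data passes through unchanged.
func PrepareForUpload(key []byte, r Record) (Blob, error) {
	if r.Level == Public {
		return Blob{Name: r.Name, Level: r.Level, Payload: r.Body}, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Blob{}, err
	}
	// Name and level are bound as additional authenticated data, so a blob
	// that is renamed or relabelled after upload fails to decrypt.
	aad := []byte(r.Name + "|" + r.Level.String())
	ct := gcm.Seal(nil, nonce, r.Body, aad)
	return Blob{Name: r.Name, Level: r.Level, Encrypted: true, Nonce: nonce, Payload: ct}, nil
}

// Open reverses PrepareForUpload on the owner's side with the same local key.
func Open(key []byte, b Blob) ([]byte, error) {
	if !b.Encrypted {
		return b.Payload, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	aad := []byte(b.Name + "|" + b.Level.String())
	return gcm.Open(nil, b.Nonce, b.Payload, aad)
}

func main() {
	// Constructed sample key and record; a real key comes from the owner's key
	// management system, never from the cloud provider.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec := Record{"payroll-2014.csv", Restricted, []byte("alice,123-45-6789,85000")}
	b, err := PrepareForUpload(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s [%s] encrypted=%v bytes=%d\n", b.Name, b.Level, b.Encrypted, len(b.Payload))
}
```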


Steve Marsh

The greatest security mistake organizations make is…

Failing to protect their networks and data from internal threats.

"Snowden" has become the buzzword for every kind of security breach. But the Snowden leak was an inside job.

The leak was the result of a SharePoint-related issue – not with the SharePoint platform, but with governance decisions (i.e., who has access to what data), monitoring and oversight. In Snowden's case, he copied gigabytes of data to thumb drives with little challenge. Snowden was given access to sensitive content that he shouldn't have had access to for the purpose of carrying out his tasks. He was already inside the fortress.

Somewhere along the line, the security and governance protocols broke down within the NSA and Snowden was able to access and take sensitive data. The NSA may still not be entirely sure what content was copied. Pro-actively addressing the insider threat with appropriate security and controls would have made it easier to properly assess the damage. The problem will only grow if government agencies and businesses apply the same security and governance protocols as they go to the cloud or use a hybrid (cloud and on premises) model.

The challenge for government and business is to use the tools that SharePoint and other vendors provide to pro-actively establish, monitor and enforce security protocols and to limit internal access to sensitive content.

Steve Marsh is the Director of Product Marketing for Metalogix, providers of industry-recognized management tools for mission-critical collaboration platforms. For over a decade, Metalogix has developed the industry's best and most trusted management tools for SharePoint, Exchange, and Office 365, backed by our globally acknowledged live 24x7 support. Over 14,000 clients rely on Metalogix Tools every minute of every day to monitor, migrate, store, synchronize, archive, secure, and backup their collaboration platforms.


Amit Pamecha

Staying ahead of data security threats is hard enough, as seen in high-profile hacks of credit card numbers from Target and Home Depot the past few months. In my company's opinion, brands need to get away from the business of having to store and manage credit card data and put it into the hands of experts. A business owner should be a business owner, not also a tech expert on top of that. That said, these are some tips companies should keep in mind when addressing their data security…

  1. Train and staff up appropriately
    The training of a brand's people is crucial to data security. You need to educate every member of your organization about the significance of information like that, and you have to have a compliance officer involved in business decisions.

    When we work with very IT-savvy organizations, every decision they make, they ask, 'How does this affect PCI compliance or HIPAA?' Having somebody, an expert, assigned to that compliance helps.

  2. Embrace new NFC methods
    More retail brands have developed their own smartphone apps with features like mobile pay and mobile loyalty, and they have taken major steps to make those apps more secure. Brands like Your Pie, Starbucks Coffee and Protein Bar, for instance, use branded apps that let smartphones communicate with special near-field communication readers attached to the cash register. When users enter their payment information into the app one time, it produces a special QR code the user can use to pay by holding it to the NFC reader rather than using a credit card.

    Apple's announcement of Apple Pay, an NFC system on the iPhone 6 that lets consumers pay with the wave of a smartphone, is most beneficial for retailers from the standpoint of its data security. Like other apps, Apple Pay lets consumers link their bank accounts to their phones by entering or scanning a credit or debit card. Importantly, however, the app does not save that account or card number and instead produces a unique code that a user may give to a merchant to draw money from the account.

    Transactions remain secure if the person using the account-linked phone is the rightful owner of the smartphone. Apple's security would go further by requiring the user to activate the TouchID, which verifies rightful ownership of the phone by scanning a person's fingerprint.

    Here, Apple is trying to remove personal info and get more to person-based authentication, which is the right way to be going. For franchise retail brands, it's something they should look at supporting as soon as possible, so that they don't have sensitive numbers stored in their infrastructure.

  3. Work with payment processors
    Though they do not have the same flash and cool factor as NFC from Apple Pay or QR codes, a major innovation coming soon to safeguard payment information is debit and credit cards with embedded "EMV" chips that authenticate users' identities and prevent fraud.

    Major payment processors like American Express have begun to roll out these smart cards as well, but there's been some foot-dragging on the retailer side investing in the technology needed to support them.

    It's not quite cool enough a tech leap to be on board with EMV chips right now, but if processors are asking you to do additional things, like require ZIP codes for purchases or support EMV, they often offer better terms on their transaction fees, so there are incentives to move that way.

Amit Pamecha is the CEO of FranConnect, a global franchise operating systems provider that helps franchisors sell franchises, manage franchise operations and franchisees' local marketing. Services to businesses include franchisee royalty management, training, operations, marketing and e-commerce & POS solutions.


Dr. Scott Nelson

The single biggest mistake an organization can make in securing sensitive data is…

To trust its technology.

No matter how sophisticated, you can never trust your technology. In "The Code Book" by Simon Singh one of the best examples of this was during WWI when the Germans believed that they had impenetrable encryption and Foreign Minister Arthur Zimmerman sent the properly encrypted telegram that the British intercepted and then used to bring the US into the War.

Nothing is secure indefinitely and you are most vulnerable when you trust your technology unequivocally. Singh meticulously documented that anything that can be made secure will eventually be hacked.

So if you can't trust technology, who do you trust? The short answer is yourself.

First, you must have a team that not only checks compliance with your security approach, but continuously monitors the actions of the hackers and constantly upgrades your approach to securing sensitive data. But this is only the first part of the solution. Your MarComm organization must also be ready when the inevitable happens.

When iCloud was recently hacked, Steve Cook did not come out with a message that focused on a new technology approach to iCloud security. He quickly assured people that the hole was fixed and then spent the majority of his time stressing the company values toward the concern of Apple's customers: privacy. You must have a planned response to address what matters to your customers. In Apple's case this was privacy. In the case of a bank it is limitation of financial liability. In the case of home automation it will be assurance of safety. Don't make the mistake of trusting your security technology unequivocally. Be technically prepared and diligent, but know that it will fail and be prepared to protect the brand and maintain customer trust.

So start with the assumption that a motivated party will get access to your data. Now what do you do? Updates. Change in operational processes. Minimizing footprint and signature. Never let guard down, updates, patches, research. Partner and collaborate.

Dr. Scott Nelson is the CTO and Executive Vice President at Logic PD. In his leadership role, Dr. Nelson is responsible for leveraging Logic PD's technology expertise and offerings across a wide range of markets with a focus on connected solutions and the Internet of Things (IoT). Scott has nearly 25 years of experience leading technology and product development.


Jack Wilson

The biggest mistake companies make when securing sensitive data is to…

Underestimate the necessity of managing their software vulnerabilities!

The lack of endpoint security is among the biggest corporate security threats. And vulnerable software on these endpoints is one of the most popular attack vectors with hackers - an attack vector that is likely to get more and more used.

Gartner predicts that in 2015 80% of successful hacks will succeed using known exploits. These attacks can be deflected if the organization ensures that the applications on their network are patched and up to date, and that every vulnerability is remediated or mitigated. It is essential that companies take preventative action against vulnerabilities, which can impact both hardware and software on the network.

Essentially, business and private endpoints are very rewarding targets for cybercriminals. This is because, being extremely dynamic environments with numerous programs and plug-ins installed, they are very difficult to secure. Together with unpredictable usage patterns, this makes them formidable targets that are difficult to defend.

Endpoints are where the most valuable data is found to be the least protected. By definition, endpoints have access to all data needed to conduct an organization's business, and every endpoint represents a valuable target for cybercriminals, even if no sensitive data is present. The endpoint's computing power and bandwidth provide valuable resources, for example as an infection point, proxy, or for distributed password cracking services.

To protect endpoints that are connected to the corporate IT infrastructure from vulnerabilities, it is essential to identify the vulnerable software, prioritize it and when possible patch it. A patch remediates the root cause of the problem, and thereby eliminates a large number of attacks. Where a patch is not available, other mitigation methods must be applied.

To summarize: the complete visibility of an organization's infrastructure - and receiving verified vulnerability intelligence - is essential to securing sensitive data. By constantly monitoring the corporate environment, companies are able to pinpoint where the dangers lie and tactically prioritize their remediation efforts.

Jack Wilson is Vice President and General Manager of North America for Secunia, a provider of optimal security and vulnerability management for enterprise customers and home users, where he drives the company's North American sales strategy, execution and expansion.


Colin Lobley

The #1 biggest mistake companies make when it comes to securing sensitive data is…

Not valuing the data to enable risk-based investment.

When faced with data security, most businesses reach for a cyber-/IT-security standard and look to the IT security manager / CISO / CTO to implement this. This has the potential for businesses doing too much or too little when it comes to securing their data - security standards are a one-size-fits-all approach but individual businesses are anything but standard. Their operating environment, the threats they face and their risk appetite will all be different.

To be able to accurately invest the right amount in the right areas to secure data in a way that enables risks to be managed in line with appetite, businesses need to be able to undertake a robust risk assessment and in turn develop a robust business case for targeted investment.

Best practice suggests that organizational objectives (KPIs), risk appetite and risks should all bear the same unit of measure - typically £/$/other currency in a commercial organization. Assessing the business impact from the threats to sensitive data in these terms is not a common exercise. In the traditional 'reach for a standard' approach the important step of identifying the relative value of data and information in terms of its contribution to operational delivery, and ultimately strategic objectives, is not undertaken with the level of robustness needed to accurately assess the business risk and make a business case with clear ROI assessments.

A risk-based business case is typically: invest £/$ 'x' to minimize the risk by 'y'. If the data is not valued in financial terms, the risk cannot be assessed in financial terms, so 'y' cannot be assessed in financial terms and the ROI becomes unclear, leading to under- or over-investment.

Colin Lobley is a managing director at London-based strategy and risk consultancy Manigent, where he heads up the Data Risk Practice working with businesses to help them build competitive advantage from their information and cyber-resilience.


Michael Fimin

When it comes to securing sensitive data, the biggest pitfall hides in…

The false confidence that you know exactly what is going on across your IT systems.

If all IT pros know exactly what is going on in their IT infrastructures, then why do companies continue to experience security incidents that are discovered months after a breach occurred? The "2014 State of IT Changes Survey" found out that more than a half of IT professionals still make changes to their IT systems without documenting them. Obviously enough, this makes the detection of the data leak source a hard task, as there is a huge number of changes happening to data and system configurations.

When a user accesses the data, downloads or shares it - all these activities are tracked in the log files. When there is a decent amount of users working with sensitive data, monitoring those changes manually becomes an uphill task that will most likely lead to a disregarded malicious change that caused a security breach. Assuming that the data is under rigid control without any proof, unfortunately, you put sensitive data at risk. So a wise thing to consider will be establishing continuous auditing of the entire IT environment.

Change auditing solutions that give real-time information on unauthorized or malicious changes help you ensure complete visibility across your IT infrastructure, and prove that security policies in place really work and sensitive data is secured. This will not save you from security violations, but will help to detect a breach at early stages, assist during root-cause analysis, and therefore point to weaknesses that you can fix to strengthen security of your IT infrastructure.

Michael Fimin is the CEO and Co-Founder of Netwrix, #1 provider of change and configuration auditing solutions.


Joe Moriarty

The #1 biggest mistake companies make when it comes to securing sensitive data is…

Not adding security layers to data shared in the cloud.

The popularity and skyrocketing adoption of cloud-based file sharing and storage services have made it easy for businesses alike to collaborate and share content with multiple users. As businesses turn to cloud storage and sharing platforms such as Google Drive, Dropbox and others, data leaks become an increasing concern. These services lack the security controls required to mandate and track with whom, how and when files and content are shared.

By adding content controls, protection, tracking and deep analytics to files, companies can plug security and workflow holes. Content controls enable companies to address security concerns by adding watermarks to files and videos; limits on file viewing, printing and forwarding; engagement and activity analytics; and more - preventing unauthorized access to data, screenshot taking, credential sharing, and other data leakage risks.

Joe Moriarty is Co-founder of Content Raven, a cloud-based content control and analytics platform, and has a long history of motivating teams and delivering increased sales for various technology providers. He co-founded Content Raven in May 2011, previously working with Hybrivet Systems, where he was Vice President of sales and marketing. Joe holds a Bachelor of Science in Resource Economics from the University of Connecticut.


David Arnoux

The #1 biggest mistake companies make when it comes to securing sensitive data is…

They simply don't take the time to secure devices and data that are physically "leaving the building".

Nowadays many companies distribute laptops, tablets and smartphones enabling employees to work any time, any place. Instead of coming to work to work on fixed desktops, the employee is taking work and company data everywhere (physically).

This once secure data leaves the secure company building and can be:

  • exposed to theft or loss
  • used by others (children or spouse)
  • used at home for online shopping etc.

David Arnoux is head of growth at Twoodo, a team collaboration tool for the #hashtag generation. Building SaaS products and meeting with CTOs weekly has made him an expert in understanding customer security requirements.


Alan Baker

In my opinion, the biggest mistake companies make when it comes to securing sensitive data is that…

They minimize or ignore the human dimension of security; there is a cultural aspect to security that must become part of the DNA of the organization.

Organizations are willing to spend a lot of money developing the necessary standards, guidelines and procedures required by a comprehensive security plan, and they are willing to spend even more on the technology required. Where organizations tend to drop the ball is the human element; staff needs to be acutely aware of the security policies, trained in the proper application of the policies and understand (and accept) their personal responsibilities and accountabilities. There needs to be a training regimen for both new and existing staff, as well as periodic refreshers. Security responsibilities should be built into their role descriptions and their personal objectives.

It's also necessary that security be deployed in a manner that will allow staff to fulfill the responsibilities of their job while fully complying with the requirements of the program. The information security program cannot be a roadblock; its application must be proportional to the risks identified and it must support (and not inhibit) the ability of the organization (and its staff) to conduct its business.

And a second mistake: Organizations implement a security program and think they're done. They're not. Security programs need to continuously adapt in order to meet new threats and environmental changes. The security landscape is always evolving, both on the side of threats and on the side of regulators; organizations need to ensure that their security programs change in response.

Alan Baker is the Owner, President and Chief Consultant at Spitfire Innovations, a boutique consulting firm based in Toronto, Canada, that helps organizations envision, prepare for and implement change. The business specialties include financial services, particularly life insurance, and customer relationship management. Prior to his leadership role at Spitfire Innovations, Alan was an IT AVP at a medium size life insurance company where part of his portfolio was IT security, and where he was responsible for the creation and maintenance of the organization's security program.


Stelios Valavanis

There are lots of things companies neglect when securing their data. The biggest one is…

A lack of monitoring (IDS) and reporting to a tight control matrix.

Without it they never know if their policies are even being adhered to. On top of that the process has to feed back findings into the IDS signatures. These internal policies and their measurement are the biggest security exposure.

Stelios Valavanis is the Founder and President of onShore Networks. He currently serves on the boards of the ACLU of Illinois and We the People Media, and advisory committees for several other organizations. He has appeared as a guest lecturer and panelist for local colleges, non-profits, and various industry events. Stelios graduated from the University of Chicago in 1988 with a Bachelor's degree in Physics. Prior to founding onShore, Stel held a number of technical positions at the University of Chicago.


Eric Jeffery

When it comes to the biggest mistake companies make when it comes to securing sensitive data, there's a very simple answer…

They don't!

Businesses "believe" they are securing data; however, sadly, they are not. There's a huge discrepancy between what IT says/thinks they are doing versus what leadership understands. Usually through ignorance, sometimes through negligence.

This lack of securing data occurs through failure to back up active systems to failing to verify if the backups are viable. They don't understand the difference between data in transit versus data at rest and the fact there's a need to handle each in separate fashion.

I had a hospital client that had not backed up their financial system for seven years. I had a global SAN storage company that almost burned down two years in a row and all of their data was in the same room on 2 different storage devices. I had another hospital client that backed up their critical systems to tape and stored the tapes in the same room as the server. These all go to a complete lack of securing the data. Not to mention none of the backups, on tape, that's transportable, were encrypted.

Eric Jeffery is Founder and CEO of Gungon Consulting, a firm with focus on small and medium sized business. Our services provide assistance in the critical areas of cyber security, system availability, off-site infrastructure solutions as well as operational efficiencies and productivity enhancements for our clients. Eric has over 15 years' security experience including work for the DOD, healthcare industry, aerospace, and numerous technology companies.


Jeremy Ames

The #1 biggest mistake companies make when it comes to securing sensitive data is…

Differing standards of data security.

More specifically, in most companies, executives are held to a lower standard of data security than the rest of the employee base. They're allowed more leniency in terms of BYOD and in general they operate more freely outside the corporate firewall, which is a huge mistake.

The reality is that if a group is out there trying to plan a cyber attack, they're most likely to target a member of the C-Suite, particularly the CEO, because they know he or she is going to be the holder of the most sensitive information.

That means that executives need to be even more diligent than the rest of the employee base, because if data is compromised it could have damaging financial and legal ramifications. That being said, most companies neglect the three-pronged defense necessary to protect executives:

  1. additional focus by IT
  2. continued education by HR and
  3. personal responsibility by the executive

Jeremy Ames is President of Hive Tech HR, a technology consultancy that helps companies find, implement and enhance their HR systems. He is a member of the 2014 SHRM HR Management and Technology expertise panel, and former CFO of IHRIM, an association for Human Resources Information Management. Jeremy has been quoted in many articles dealing with the securing of HR data, including a SHRM article entitled "Prevent CEOs, C-Suite Executives from Getting Hacked" and a recent article about the Backoff virus.


Michael Howard

In the past year, 92% of Forbes Global 2000 companies reported data breaches with an average cost of $136 per record compromised and $5.4M overall. With an evolving technology landscape that is increasingly connected, maintaining a secure IT environment is more important now than ever before.

The most common pieces of technology that companies secure include PCs and network servers. However, the biggest mistake companies make when it comes to securing sensitive data is…

Not securing their printing fleet.

Nearly 90% of enterprise businesses have suffered at least one data loss through unsecured printing. Luckily, there are preventative steps that business owners and IT managers can take to ensure that their workplace doesn't experience the same security issues.

  • Audit your print environment: Companies should consider conducting an audit of their print environment utilizing rigorous standards from the National Institute of Standards and Technology. This reduces network security risks and improves compliance without adding to IT overhead.
  • Install proper security software: There are a variety of differentiated software solutions that can help secure your technology. A risk monitoring solution, for example, could help companies identify and highlight potential risks, making it easier for IT to manage. This not only keeps data and devices secure, it also helps slash printing costs.
  • Secure your mobile workforce: By allowing companies to print securely via a simple touch of their smartphone or tablet directly to the printer, IT managers can ensure data printed through a secure mobile print environment cannot be compromised.
  • Protect your company paper trail: The most common printing security breach is the theft of a printed document resting in an output tray. By implementing a secure pull print solution, you can help your company decrease your risk of a data breach while also reducing printer waste.

Michael Howard is the Worldwide Security Practice Lead at Hewlett-Packard Company. In his leadership role, Michael Howard is responsible for evolving the strategy for security solutions and services in Managed Services. He works with the HP security business unit and labs to ensure HP's leadership role in security, and also educates customers on the importance of security policies and procedures for imaging and printing. His principal area of focus has been around solutions for security, document management, core content management and output management.


Dave Oder

Credit card data is one common type of shared sensitive data for many companies that affects businesses and consumers. Virtually every major attack against credit card data in the past few years has exploited a single, glaring vulnerability in the current payment industry infrastructure…

The fact that merchants are still permitted to handle actual credit card data in their systems. The industry security standards (PCI DSS) and even the card brands' best practices have failed to protect merchants from these types of attacks. It doesn't have to be this way.

The current mindset of most payment security "experts" is fundamentally flawed. They are focused on rules and regulations to protect data that merchants shouldn't have in the first place. These payments industry regulators want businesses to pay to dig deeper moats and build higher walls around their castles in order to protect the princess (the sensitive data) inside. Wouldn't it be simpler (and more cost effective) to remove the princess from the castle and move that vulnerable data to a location purpose-built to protect sensitive information?

This is exactly what happens when merchants properly combine point-to-point encryption and tokenization technologies. With encryption occurring as soon as the card information is swiped (or keyed in), the business never handles actual card data as the transaction is processed through the merchant environment. And with only a secure token returned to the merchant along with the authorization, there is no more risk of storing vulnerable cardholder data because the onsite database only holds tokens that are meaningless and valueless to thieves.

As an added bonus, this approach of combining point-to-point encryption and tokenization drastically reduces the amount of vulnerable data in the merchant's environment, which in turn reduces the scope of their annual PCI assessments - saving time and money.

Dave Oder is the President/CEO of Shift4 Corporation, the world's largest independent payment gateway. A relentless advocate for merchants, Dave introduced tokenization to the industry in 2005 and released the technology without patent so that other vendors could also leverage it to secure their merchant customers' data. Dave earned a Bachelor's in Business/Accounting, a Master's in Computer Science, and an MBA - all from University of California, Los Angeles.
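To make the tokenization model Dave describes concrete, here is a small added example written for this guide (it is not Shift4's code and not part of the original answer). It assumes a hypothetical gateway-side vault that is the only component ever holding the card number, and a merchant-side database that records nothing but a random token and the display-safe last four digits. The point-to-point encryption step between the card reader and the gateway is left out; what the example shows is the consequence of it, namely that the merchant's own store never contains a PAN and can still run follow-on transactions such as refunds by token alone.

```python
import secrets

# Constructed sample PAN for illustration: the standard Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here only to reject obviously malformed input before tokenizing."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class GatewayVault:
    """Stands in for the payment gateway (hypothetical): the one place a real PAN is kept."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("malformed card number")
        # 128 bits of randomness: the token reveals nothing about the PAN and cannot be guessed.
        token = secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount: float) -> bool:
        """Authorize a follow-on transaction (refund, recurring bill) by token alone."""
        return token in self._pan_by_token and amount > 0


class MerchantDatabase:
    """What the merchant keeps on-site: tokens and last-four digits, never the PAN."""

    def __init__(self):
        self.orders = []

    def record_sale(self, order_id: str, token: str, last4: str, amount: float) -> None:
        self.orders.append({"order_id": order_id, "token": token, "last4": last4, "amount": amount})

    def token_for_order(self, order_id: str):
        return next((o["token"] for o in self.orders if o["order_id"] == order_id), None)

    def contains_pan(self, pan: str) -> bool:
        """Audit helper: would a full card number be found anywhere in this store?"""
        return any(pan in str(list(order.values())) for order in self.orders)


def process_sale(gateway: GatewayVault, db: MerchantDatabase, order_id: str, pan: str, amount: float) -> str:
    """Card data goes to the gateway first; the merchant records only what comes back."""
    token = gateway.tokenize(pan)
    db.record_sale(order_id, token, pan[-4:], amount)
    return token


def refund(gateway: GatewayVault, db: MerchantDatabase, order_id: str, amount: float) -> bool:
    """The merchant never needs the PAN back: the stored token is enough."""
    token = db.token_for_order(order_id)
    return token is not None and gateway.charge(token, amount)


if __name__ == "__main__":
    gw, db = GatewayVault(), MerchantDatabase()
    process_sale(gw, db, "order-1", SAMPLE_PAN, 42.0)
    print("merchant store holds a PAN:", db.contains_pan(SAMPLE_PAN))
    print("refund by token succeeded:", refund(gw, db, "order-1", 10.0))
```

The `contains_pan` audit is the check worth keeping: if it ever returns true on a real merchant store, card data has leaked into a system that was supposed to be out of PCI scope.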


Ivo Vachkov

In my experience the #1 security mistake companies make is…

Relying on obsolete security models in complex IT environments.

Many companies would just keep using their well established systems with no concern for the changing security landscape, following the well known "Don't fix it if it ain't broken" concept. And that complacency is usually the reason for the downfall.

Increasing IT complexity in combination with obsolete technologies is a dangerous mix. Avoid it if possible, or adapt if not. This is where IT security personnel should add value to your organization.

In many cases different security models cannot even co-exist. Due to time pressure engineers will follow the "least resistance" path, choosing to lower the security requirements instead of reworking the whole component, thus introducing security flaws in the product in the implementation phase.

There are cases where this situation looks unavoidable (old IT infrastructure supports only obsolete crypto technologies and you still need to work with it). It is usually not. One can always use security in depth, different forms of perimeter protection, service isolation and compartmentalization techniques to "upgrade" to a modern security level.

In any case, be aware that increasing IT complexity, natural human complacency and the "least resistance" path are serious enemies to data and system security.

Ivo Vachkov is DevOps Engineer at Eleven Group Ltd., where he deals with information security concerns on a daily basis. In the past he worked as Head of IT for the biggest prepaid MasterCard card issuer in Europe. He is also teaching "Programming Secure Code" and "Network Security" courses at New Bulgarian University in Sofia, Bulgaria.


Andrew Bagrin

I believe the #1 biggest mistake companies make when it comes to securing sensitive data is…

Relying on the big misconception that if your data is stored in the cloud, it is less secure than if it's not stored in the cloud.

Without looking at how much data was stolen from the cloud versus local computers and servers (because it's just too hard to track) we can look at it theoretically. If you store data on your computer or server and that computer is connected to the internet somehow, you are now part of "the cloud."

So the question becomes, do you feel that you can secure your data locally better than the experts at Google, Box, Dropbox etc.?

Do you know the ins and outs of stored data security?
Do you keep everything up to date, protected etc.?
Or should you rely on the experts?
Do you keep your valuables in a safety deposit box, or at home under your bed?

The news of Apple iCloud and Jennifer Lawrence makes us doubt the cloud; it's just that we don't hear about the hundreds of cases where data was stolen from local computers.

Andrew Bagrin is the CEO and Founder of My Digital Shield, a leading provider of Security-as-a-Service (SECaaS) for small businesses, and an IT security expert with more than 17 years of experience.


David Mohajer

The number one mistake that companies make when securing sensitive data is…

Not contemplating and reconciling the human element.

  1. What do you do in the case of corrupt employees? How do you know who it was that breached your information? We solved this by making the data unique to each person so we can figure out who disseminated what in the event of a follow-up to the breach.
  2. Lazy employees who may not understand how to handle the information properly (they need to understand what Protected A is vs. Protected B, etc.) or are too lazy to do so. You can solve this by training them and re-engineering the related systems (if viable) to make them more convenient to use for lazy users. A lazy employee might even be a manager who is assigning roles or privileges to their team - they need to understand that only specific things should be assigned. Example: Giving everyone administrator rights to a critical system when they just need to enter in work orders is opening the doors for trouble.
  3. Not having a procedure in place to detect problem employees, and problem vendors that have partial access to your systems. Example: Someone in your office sets up a man-in-the-middle attack (easy to mitigate/detect if you prepare for it) on your server, but you don't have a procedure in place to verify that traffic is routing properly. They can get away with a lot of sensitive data without anyone knowing until the damage is done.

David Mohajer is Chief Executive Officer and Co-Founder of XAHIVE, a Canadian social networking platform that facilitates mass communication between people within a 2-kilometre radius. In his leadership role, David has a clear vision for the future of XAHIVE, and has been implementing the plan with the help of the Chief Operating Officer (COO), Sem Ponnambalam, since September 2013. David has 15 years of experience working as an information technology consultant in the private and public sector, and an additional 5 years of experience working as a federal government employee.
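David's first point, making each person's copy of the data unique so a leak can be traced back, is easy to illustrate. The example below was written for this guide and is not XAHIVE's implementation: it assumes a hypothetical distribution key held only by the document owner and appends a keyed marker to each recipient's copy. The marker is an HMAC over the document body and the recipient name, so it cannot be forged, cannot be moved to a different document, and does not reveal the recipient's name in the clear. When a copy turns up where it should not, the owner recomputes the marker for every recipient and sees which one matches.

```python
import hashlib
import hmac

# Constructed sample document and recipient list (illustration only, not from the original page)
SAMPLE_DOCUMENT = "Q3 board pack: pricing changes effective 1 Nov; two acquisitions under review."
SAMPLE_RECIPIENTS = ["cfo", "vp-sales", "outside-counsel"]

MARKER_PREFIX = "[doc-ref "


def _marker(document: bytes, recipient: str, key: bytes) -> str:
    """Keyed marker bound to both the document and the recipient.
    Without the key nobody can forge a marker or transplant one between documents."""
    mac = hmac.new(key, document + b"\x00" + recipient.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def distribute(document: str, recipients, key: bytes) -> dict:
    """Produce one copy per recipient, each carrying its own marker as a trailing line."""
    body = document.encode("utf-8")
    return {r: f"{document}\n{MARKER_PREFIX}{_marker(body, r, key)}]" for r in recipients}


def attribute_leak(leaked_copy: str, recipients, key: bytes):
    """Name the recipient whose marker a leaked copy carries, or None if the marker
    is missing (stripped by the leaker) or does not verify under this key."""
    body, sep, tail = leaked_copy.rpartition("\n")
    if not sep or not tail.startswith(MARKER_PREFIX) or not tail.endswith("]"):
        return None
    found = tail[len(MARKER_PREFIX):-1]
    for r in recipients:
        # Constant-time comparison so timing does not leak which marker is close.
        if hmac.compare_digest(_marker(body.encode("utf-8"), r, key), found):
            return r
    return None


if __name__ == "__main__":
    key = b"\x11" * 32   # constructed demo key; use os.urandom(32) for real use
    copies = distribute(SAMPLE_DOCUMENT, SAMPLE_RECIPIENTS, key)
    print("leaked copy came from:", attribute_leak(copies["vp-sales"], SAMPLE_RECIPIENTS, key))
```

A visible trailing marker is the simplest form and a careful leaker can strip it, which is why `attribute_leak` returns `None` rather than guessing in that case; in practice the same keyed marker is hidden in less obvious places (wording variations, spacing, metadata) so that stripping it is not trivial, but the attribution logic stays the same.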


John Dancu

The #1 biggest mistake companies make when it comes to securing sensitive data is…

Not having a robust identity verification system in place when verifying someone in a customer-not-present environment.

John Dancu is the President and CEO of IDology, a provider of innovative technology solutions, where he has served since 2005. During this time, IDology has grown to be a leading provider of identity verification and fraud prevention solutions in the financial services, merchant processing, payments, retail, healthcare and other markets.


Christopher Stark

Accessibility to data anytime and anywhere makes the cloud an attractive option for companies looking for help with storing sensitive data. Before a company decides to store critical information in the cloud, there needs to be a level of trust with the cloud vendor it chooses. The biggest mistake companies make when deciding to store sensitive information in the cloud is…

Choosing the wrong vendor.

An error in judgment or shortening of the vetting process of prospective cloud vendors can leave a company vulnerable, because information thought to be secure could actually be accessed by hackers. Often times, companies face issues related to security and accessibility when they partner with a cloud vendor that does not confirm where the data will be stored. This could lead to increased retrieval time for information or data breaches in the most extreme cases.

The ideal vendor for a company is a solution provider that stores data off-site in a U.S.-based data center that is under lock and key, physically and logically. From the data center, the cloud vendor will have the capability to transmit sensitive data to a company's headquarters, satellite offices or to staff members working via the cloud using 256 bit encryption. The cloud vendor will have security protocols in place to ensure or restrict access to information as appropriate and the IT staff overseeing the data storage and retrieval processes will undergo thorough background checks.

When a company partners with a cloud vendor it trusts, it can rest assured that sensitive data is secure. Companies can save themselves from making the critical mistake of choosing the wrong vendor by simply doing their due diligence. This involves checking references, confirming with prospective vendors where data is stored and the lengths they will go to physically and philosophically protect relevant information.

Christopher Stark is the President and CEO of Cetrom Information Technology, Inc., an industry-leading provider of custom cloud solutions. A veteran of the IT industry with more than 25 years of experience in all facets of the IT industry, and holding some of the industry's most prestigious technical certifications, Stark founded Cetrom in 2001 based on the premise that there was a smarter, easier way to conduct business.


HK Bain

The biggest mistake we see businesses—especially SMBs—make when securing sensitive information is…

The hope strategy.

It goes something like this. We lock our filing room, have a password policy on employee computers, and use a firewall on our network. We hope that's enough to keep out the bad guys. Besides…why would anyone want to come after us?

Here are the facts. The number of incidents reported in the last 12 months rose 25%, and the average losses resulting from these breaches rose by more than 18% [1]. The hope strategy just isn't working. You have to think beyond just electronic data to also protecting confidential information stored on paper as well.

We encourage companies to take a look at Enterprise Content Management (ECM) systems like Digitech Systems, Kofax, and Hyland. These options are lower-cost, so they're within reach for companies of all sizes. ECM also includes better data security than many IT departments can offer. ECM converts paper to electronic images, which are stored in the same secure repository as electronic files. For those with permission, information is available using a simple keyword search. Everything is protected by multiple layers of protection like passwords, SSL, and encryption at rest and in transmission.

ECM is available as both traditional software to install on your corporate network or as a cloud-based service. To further boost your data security when choosing cloud ECM, ask for the SOC II audit report to verify the provider's system controls meet your needs.

ECM offers additional benefits beyond control. A study released this week from Nucleus Research indicates that every $1.00 invested in ECM technology will return $7.50 to your organization in value.

HK Bain is the President and CEO of Digitech Systems, providers of Enterprise Content Management Solutions Software, and oversees the management and overall vision of the company. Shortly after joining the company in 2000, he implemented the company's Foundation, which guides decisions, strategic planning and business growth based on organizational values and priorities. Standing firm on his priorities of God, family, and work, Mr. Bain attributes his success to maintaining a value-based company that weighs all activities against this strong set of guiding principles.


Amit Bareket

In response to the question of "what is the #1 biggest mistake companies make when it comes to securing sensitive data", I have a few words of advice…

First of all, many companies store their clients' passwords as plain text rather than hashed passwords. That is very risky since all their clients' data gets compromised in the case of a security breach. Since many people use the same login names and passwords for all their email and social media accounts, hackers then get instant access to all the users' accounts in such a leak.

Studies have shown that the average cost of a data breach is US$3.5 million, so it is obvious that companies must focus as much on securing their own data as they must safeguard their clients' information (source: 2014 Ponemon Cost of Data Breach: Global Analysis).

A second, yet related, mistake is that some companies don't use any kind of encryption when sending confidential data over public and non-secured networks. This means that a snooper on that hotspot can intercept all unencrypted transmitted data, including passwords. There is then a possibility that the snooper can use those intercepted credentials to log into the company's business systems, cloud storage or intranets.

To mitigate this risk, companies must ensure that all their employees always connect using a virtual private network (VPN) which encrypts the user's connection and prevents hackers from snooping into any transmitted data. On top of that, all devices should be secured with anti-malware software to prevent the spread of any virus or malware.

Amit Bareket is the CEO and Co-founder of SaferVPN, a VPN provider that helps thousands of individuals and dozens of enterprises worldwide safeguard their private data online. Amit has over 10 years of experience in cyber security, including the role as Team Leader at IBM, and has 7 patents pending in network technologies and file storage. SaferVPN works proactively to educate people on the importance of online security and privacy, making it easy and accessible to everyone, everywhere.
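Amit's first point, plain text versus hashed password storage, is worth seeing side by side. The example below is added for this guide (it is not SaferVPN's code) and uses only the Python standard library: PBKDF2-HMAC-SHA256 with a random per-user salt and the iteration count OWASP currently recommends for that construction, a self-describing record so the parameters can be raised later without breaking old accounts, and a constant-time comparison on verification. The `store_user_plaintext` function is there only to show the record the text warns about; `store_user_hashed` is the fix.

```python
import hashlib
import hmac
import os

# OWASP's current guidance for PBKDF2-HMAC-SHA256; raise it as hardware allows.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt means two users with the same password get different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        stored = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:          # malformed record: wrong field count, bad hex, bad int
        return False
    return hmac.compare_digest(candidate, stored)


def store_user_plaintext(store: dict, username: str, password: str) -> None:
    """The mistake described above: the password itself lands in the database,
    so a single dump of the table exposes every account (and every reused password)."""
    store[username] = password


def store_user_hashed(store: dict, username: str, password: str) -> None:
    """The fix: only a salted, slow hash is stored; a dump yields nothing directly usable."""
    store[username] = hash_password(password)


def login(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    return record is not None and verify_password(password, record)


if __name__ == "__main__":
    users = {}
    store_user_hashed(users, "alice", "correct horse battery staple")
    print(users["alice"])                                     # no password visible
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))                     # False
```

The slow hash is deliberate: at 600,000 iterations a login costs a fraction of a second on the server but makes offline guessing against a stolen table expensive. If the application's login latency budget allows it, a memory-hard function such as scrypt or Argon2 is the stronger choice; the record format above makes such a migration a matter of adding a second algorithm tag.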


Patrick Oliver Graf

The biggest mistake companies make when it comes to securing sensitive data is…

Failing to have a defense-in-depth strategy in place.

As user demand for BYOD and remote access increases, enterprises should look for a better approach - one that includes multiple lines of defense - to keep their sensitive data and networks secure.

Taking precautionary measures to mitigate the risks associated with corporate data, especially when being accessed remotely, should include a user-centric, centrally managed VPN. By using such a solution, enterprises can guarantee that sensitive data remains secure, while allowing employees access to the corporate network using any device.

Further, by focusing on employee education programs, creating common sense BYOD policies and implementing best-of-breed, interoperable solutions that help to secure corporate networks, BYOD can be supported while minimizing network security risks.

Patrick Oliver Graf is CEO of NCP Engineering, and an industry veteran with more than 19 years of experience in technology product management. His company sells its remote-access VPNs to government agencies and other organizations, providing technology for fast, secure access to their network resources and communication of sensitive information.


Paul Ferguson

Of course the biggest mistake any organization makes when storing sensitive information is one of two things…

Either (a) Not encrypting it at all, or
(b) Making some encryption implementation mistake that costs them dearly

Paul Ferguson ("Fergie") is Vice President of Threat Intelligence at IID. Paul leads IID's threat intelligence team that constantly collaborates with public and private enterprise to identify the latest malicious threats on the Internet. Ferguson has been widely recognized for decades as a security industry luminary and has been fighting malware since the days of the earliest attacks in 1987. Prior to IID, as Senior Threat Researcher at Trend Micro, Ferguson evaluated the entirety of the technology landscape for security vulnerabilities, as well as tracked and correlated criminal operations on the Internet, communicating the latest variants of malware targeting the world's largest businesses and federal agencies to law enforcement worldwide.


Liam Fallen

The biggest mistake companies make when it comes to securing sensitive data is:

Not paying enough attention to social engineering.

Social engineering nowadays is the best way to obtain sensitive data. There are no long passwords, no two-factor authentication, no firewall, no virus program, just people.

People can be hacked easier than security systems. I could send 100,000 emails to a company to try and break through their spam filter, or I could make one telephone call to the receptionist and use some good social engineering techniques and retrieve data and/or sensitive information.

Social engineering is definitely easier than trying to crack security. A polite phone call can get your desired results in a matter of minutes and social engineering is used more and more every day to obtain sensitive data.

Liam Fallen has previously successfully used social engineering techniques in a positive way to influence business leaders and to raise funds for various charity fundraising efforts.


Paul Banco

Fax is the most commonly forgotten, but most reliable and secure method of document transport, and in my experience, one of the biggest mistakes companies make when it comes to securing sensitive information is:

Not utilizing the method of faxing for securing sensitive data in their document transport.

Fax is still a much more secure delivery method than both email and cloud storage. This is critical not only for industries such as healthcare and finance, but for logistics, education, government and more. Viruses cannot infect your network from a fax, because they cannot be embedded anywhere. A faxing technology that operates in the cloud allows companies to easily cut down costs and scale their secure fax operations.

Paul Banco is CEO of etherFAX, a unique service that extends existing fax server solutions to the cloud. By eliminating the need for costly network fax systems, such as fax boards and recurring telephony fees, etherFAX leverages the Internet to manage all business-critical fax communications.


Drew Farnsworth

The biggest mistake companies make when it comes to securing sensitive data is…

Not updating their passwords and access.

I'm a data center infrastructure designer and consultant. When designing, building and commissioning data centers I have more than once been given access to the internal network of a company. Months later I have come back and the passwords were not changed. I have always asked that this access be restricted.

In the wake of Edward Snowden it has become increasingly obvious that contractors of all kinds are given access to valuable information systems for a longer duration than they should be. User management controls should be put into place in order to guard against outside contractors who (unlike me) might take advantage of the critical infrastructure that they either installed or maintained.

Drew Farnsworth is a Design Lead at Green Lane Design LLC, a firm that provides Data Center Design solutions, and has been working in the Architectural Design industry for over ten years. He has experience with uninterruptable power systems, N+N distribution and redundant generator systems and in the past six years he has undertaken numerous investigations into data center growth and reliability plans for Fortune 500 companies.
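The user management control Drew asks for is, at its simplest, a periodic access review that flags contractor accounts still enabled after the engagement ended and any account whose credential has outlived the rotation policy. The example below was written for this guide and is not Green Lane Design's tooling; it assumes a hypothetical account inventory of the kind a directory export or an access-review tool would produce, with a 90-day rotation policy as a constructed placeholder.

```python
from datetime import date, timedelta

# Constructed account inventory (illustration only): one row per account as exported
# from a directory or access-review tool. Dates are fictional.
SAMPLE_ACCOUNTS = [
    {"user": "acme-dc-build",  "type": "contractor", "engagement_end": date(2014, 6, 30),
     "last_password_change": date(2014, 3, 1),  "enabled": True},
    {"user": "j.doe",          "type": "employee",   "engagement_end": None,
     "last_password_change": date(2014, 9, 15), "enabled": True},
    {"user": "hvac-vendor",    "type": "contractor", "engagement_end": date(2015, 1, 31),
     "last_password_change": date(2014, 8, 1),  "enabled": True},
    {"user": "old-integrator", "type": "contractor", "engagement_end": date(2013, 12, 31),
     "last_password_change": date(2013, 10, 1), "enabled": False},
]

MAX_CREDENTIAL_AGE = timedelta(days=90)      # constructed policy value
REVIEW_DATE = date(2014, 10, 1)              # constructed "today" for the sample
LATER_REVIEW_DATE = date(2015, 2, 15)


def review_access(accounts, today, max_age=MAX_CREDENTIAL_AGE):
    """Return (user, reason) findings for enabled accounts that violate the policy.
    Disabled accounts are skipped: they have already been dealt with."""
    findings = []
    for account in accounts:
        if not account["enabled"]:
            continue
        end = account["engagement_end"]
        if account["type"] == "contractor" and end is not None and end < today:
            findings.append((account["user"], "contractor engagement ended but account still enabled"))
        if today - account["last_password_change"] > max_age:
            findings.append((account["user"], "credential older than rotation policy"))
    return findings


def review_sample(today=REVIEW_DATE):
    """Run the review over the constructed inventory."""
    return review_access(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for user, reason in review_sample():
        print(f"{user}: {reason}")
```

Run on a schedule, the findings list is the work queue: disable or re-authorize each flagged contractor account and force rotation on the stale credentials. Note that a contractor whose engagement is still open (`hvac-vendor` at the first review date) is not flagged, which is the intended behaviour; it is the missing end date, or the end date nobody acts on, that the review is designed to catch.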


Rich Reybok

From my perspective, it's not that organizations are using the wrong technologies, perhaps the wrong key management or approach to encryption, or even the wrong approach to classification of their data. The biggest problem that I see organizations make with securing sensitive information is…

Not being able to even answer the question of what the lifecycle of their data is.

They don't know if all of their data is actually protected in the first place, as they may not even know where it all is and what routes are available to access the data.

As we transition to the so-called "third platform" based on cloud, mobile, and social, it's increasingly impossible to track all the data through its lifecycle. Do organizations have an inventory of all their repositories that is kept up to date? Do organizations know where all their log data is stored and who can manage it? If they know where the data is stored, do they have an accurate picture of all the people and services that are able to access the data? Do they have all the proper policies and procedures in place to access the data?

The problem is it just takes a single instance of something not following the best practice for data security to break down. Attacks are often about escalating knowledge. If sensitive information about how the data is stored or accessed can be gleaned from a mobile app by reviewing the log stream over my USB port, then the whole model falls apart. The threat actor takes what he learns from the app log and uses it to escalate to your endpoint API or your data services, looking for the next leak that gets them closer to the repository. Failure to know where all the data is stored and its touch points can lead to a disastrous chain of events.

Rich Reybok is the CTO and SVP of Engineering of Vorstack.


Aaron Ross

The biggest mistake companies make when it comes to securing sensitive information is…

Not doing the proper research.

Every company requires a different solution to secure its data. A hardware company needs a cloud solution that lets them track mainly inventory online, whereas a small pharmacy needs to be able to communicate with their customers privately through a secure cloud portal. Each company needs a different data solution and it would be a tremendous mistake to choose a company without doing intensive research.

Ultimately, choosing a payment provider makes all the difference when it comes to dealing with sensitive data, customer or company. With the Home Depot data breach, their mistake was not having a separate company monitor the credit card software. Instead of having Symantec monitor their information, they left that endpoint setting off, resulting in the breach.

However, a smaller company would not need to institute such heavy protocols. Sanjiv Beri, President of Priority Payments Systems in the Northeast explains, "Having highly encrypted information using a reputable gateway is key to keeping customers' information secure." Signing up your small business for credit card payments through an unknown online company not only can put your company and customers at risk, it'll cost you more as well!

What it comes down to is: understanding what information you need protected. Once you have that settled, you can make a decision of what company can best help you keep this data secure. Get references, find out if this company has ever had a software breach, and make your educated decision. A little research now can save you a lot of heartache later.

Aaron Ross is an Internet Security Expert and Owner of the cloud site RossBackup.com. You can often see Ross talking about internet security on Fox News, CW & ABC, among other places.


Ryan Satterfield

The biggest mistake companies make when securing sensitive data is…

Not understanding what their own code truly does and how other code in their system actually works. It's one thing to write code, but even the largest companies underestimate how their program can be used by an attacker.

A good example is the bug in Bash that the public has been alerted to. Every company that updates their server to protect against remote attacks now believes their server is secure. This is not the case. The patch for the bash problems is easily bypassed, so all the so-called patched servers are still exploitable. We have exploit code for the latest version of bash that works, but don't believe it would be appropriate for it to be published at this point in time.

Non-security companies don't fix bugs that they don't understand even when they have a major impact or when they make the mistake of believing a bug is minor. Under-estimating bugs is a key mistake that even the largest companies make. A bug can seem small, but attackers know how to make "minor bugs" have a major impact and use that to steal user information.

I can sum up companies and security with one word: underestimation – that is the underestimation of what their code can really do in the hands of an attacker.

Ryan Satterfield is the Owner and Founder of Planet Zuda, LLC., a security company that has assisted Google, Ebay, Inc., Godaddy, and several other recognized technology companies. Ryan has personally been working with online security since the mid 90's and has worked in the field of Internet security professionally since 2007.


Kevin D. Murray

This is a great question and my advice comes from almost 40 years of experience. The #1 biggest mistake companies make when it comes to securing sensitive information is…

Tunnel vision focus on IT security.

All pre-computer era information theft tactics still work, and are still used. And, most "computerized" information is available elsewhere before it is reduced to data.

Effective information security requires a holistic protection program. IT security is an important part of this plan, but it is only one door to your house of information.

Here is The Holistic Approach to Information Security

  1. Begin by protecting information while it is being generated (discussions, audio and video communications, strategy development).
    Conduct Technical Surveillance Countermeasures (TSCM) inspections of offices and conference rooms on a scheduled basis. Ford Motors found voice recorders hidden in 7 of their conference rooms this summer.
  2. Protect how the information is transmitted (phone, teleconference, Board meetings, off-site conferences).
    Remember, wiretapping and infiltration are all still very effective tools. Check for wiretaps on a scheduled basis, or encrypt the transmissions. Conduct pre-meeting TSCM inspections. Never let presenters use old technology FM wireless microphones. They broadcast further than you think.
  3. Protect how information is stored.
    Unlocked offices, desks and file cabinets are a treasure trove of the freshest information. Print centers store a copy of all print jobs. Limit written distribution of sensitive data. Crosscut shred sensitive waste paper. All these vulnerabilities and more should be covered during the security survey portion of your TSCM inspection.
  4. Educate the people to whom sensitive information is entrusted.
    Security briefings don't have to be long and tedious. Establish basic rules and procedures. Explain the importance of information security in terms they can understand. "Information is business blood. If it stays healthy and in the system, your job, and chances for advancement, stay healthy."

Kevin D. Murray, CPP, CISM, is a TSCM specialist providing electronic/optical surveillance detection and counterespionage consulting for business and government. New York area headquarters, with services available worldwide. Learn more about Kevin and his work at www.counterespionage.com.


Mark Nicholas

As an attorney who has practiced law in the financial, data and tech fields for more than 2 decades, and now as the founder of a company dedicated to securing people's data, it is my opinion that the core risk to securing sensitive data is…

In the control over admin passwords as well as in the manner in which customers address their affairs.

More breaches are caused by simple password intrusion than any other method and it can be a nightmare convincing customers to accept even the most basic self-protections. On the admin side, the ability to log in with access to the overall records of the company is likely the most significant cause of major breaches that exist; all could be easily prevented.

Mark Nicholas is the President and CEO of Family Archival Solutions, Inc., a company committed to offering a variety of state-of-the-art services to help prepare for, prevent, and address the most important issues facing your family, primarily by protecting personal legacies, family assets, and important documents.


Matthew Turner

One of the most dangerous aspects to how many management systems or individual organizations approach the management of secure data is…

The simple use of (and reliance on) network drives.

It may seem easy to store your documents, PDFs and other files on a network drive because it is easy to set up file sharing. But all you're actually doing is replacing paper file cabinets with electronic file cabinets, and you still face all of the issues you faced before with security, hours spent searching through folders, managing issues with former employees and audits.

As a specific example of how this can affect a company, if documents can be altered on a network drive they are no longer legally admissible. Regardless of your industry or the regulatory landscape you face, every organization faces legal threats. Any civil action or lawsuit proceeding you might face in the United States is subject to the Federal Rules of Civil Procedure (FRCP). FRCP requires that every company involved in a lawsuit or federal litigation must safeguard and access electronic documents and email messages as part of the discovery process.

That means all documents archived on your servers are subject to legal discovery. You must preserve those documents in an unalterable form as evidence, including correspondence outside of your management system. The risks of noncompliance include steep fines and even criminal penalties.

Matthew Turner is Chief Marketing Officer of PaperWise, a workflow automation and enterprise document management solutions provider focused on adaptable and scalable solutions to clients ranging from small firms to Fortune 500 companies. Matthew is also the Founder of a corporate strategy and marketing firm, Boston Turner Group, and has worked with dozens of hyper-growth companies ranging in size from $20M to $12B in annual revenue helping to set up corporate marketing strategies that develop, build, and advance value capture in differentiated markets for sustained growth.
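The point above about preserving archived documents in an unalterable form is one that a plain network share cannot enforce on its own. The following is an added example, not code from PaperWise, Matthew Turner or this article: it builds a SHA-256 manifest of an archive folder, protects the manifest itself with an HMAC (the key is assumed to be kept somewhere the share's users cannot write to), and later reports which files were altered, removed or added. The documents and the key in the demo are constructed for illustration.

```python
"""Tamper-evidence check for an archived document set.

Added example, not part of the original article or of any vendor's product.
A signed SHA-256 manifest lets you show later that archived files are the
same bytes they were when archived. The HMAC key is assumed to live off the
share (e.g. with the records custodian), so editing files on the share
cannot also fix up the manifest.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in 64 KiB chunks so large archives are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Serialize the manifest canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}).encode()


def load_signed_manifest(blob: bytes, key: bytes) -> dict:
    """Return the manifest only if its tag verifies; raise if it was edited."""
    obj = json.loads(blob)
    body = json.dumps(obj["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj["hmac"]):
        raise ValueError("manifest signature mismatch: the manifest itself was tampered with")
    return obj["manifest"]


def verify_archive(root: Path, manifest: dict) -> dict:
    """Compare the folder's current state against a trusted manifest."""
    current = build_manifest(root)
    altered = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {
        "altered": altered,
        "missing": missing,
        "added": added,
        "clean": not (altered or missing or added),
    }


def demo() -> dict:
    """Constructed scenario: archive three documents, then one is edited,
    one is deleted and a new file appears on the share."""
    key = b"constructed-demo-key-keep-this-off-the-share"  # placeholder key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "contracts").mkdir()
        (root / "contracts" / "msa-2015.txt").write_text("Master services agreement v1\n")
        (root / "board-minutes-q3.txt").write_text("Q3 board minutes\n")
        (root / "email-export.txt").write_text("From: cfo\nSubject: forecast\n")

        signed = sign_manifest(build_manifest(root), key)  # stored off the share

        # Later: changes made directly on the network drive.
        (root / "contracts" / "msa-2015.txt").write_text("Master services agreement v1 (revised)\n")
        (root / "email-export.txt").unlink()
        (root / "note.txt").write_text("new file dropped in\n")

        manifest = load_signed_manifest(signed, key)
        return verify_archive(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it reports the contract as altered, the e-mail export as missing and `note.txt` as added. The manifest has to be produced at archive time and kept, with its key, outside the writable share; otherwise anyone who can edit a document can regenerate the manifest to match, which is the same weakness the passage describes.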

Tags: Data Protection


Source: https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data
