Archive for ‘Compliance’

GDPR makes employee data security education essential

Friday, February 9th, 2018


by Doug Snow

The compliance regulation du jour is the EU’s General Data Protection Regulation (GDPR). But many companies aren’t ready for the May 25th deadline and many don’t even know they need to pay attention. Of course, knowing whether your organization is subject to GDPR is only the beginning. You have to take steps to ensure you comply.

As more and more compliance regulations come into effect, it’s creating a lot of work for businesses as they shift, evolve or completely overhaul business processes and deploy tools to meet the requirements. The effort is worth it, though: This is an opportunity to show your customers how committed you are to building a solid relationship of trust – starting with protecting their data. And you can avoid massive fines at the same time.

Of course, no tool or process will ever be effective if people aren’t on board. A security education program can help you build that solid foundation with people to encourage shared ownership of data security across your organization. That classic annual security training video everyone watches for half an hour (to pass a quiz that proves they recalled the information for five minutes) is no longer enough.

Every employee in the world signs an employment agreement that obligates them to follow corporate information handling policies. Even an accidental leak/disclosure can result in termination of employment but what tools do we give them to be compliant?

Today, the consequences are far-reaching, and people have long memories (and search engines). The fines levied and goodwill lost can lead to the failure of the business and countless lost jobs. That’s why it’s imperative to help employees be part of the solution.

So, how do you get people to use effective, secure data handling practices? Here are three ways you can focus your efforts to build a program that will win them over.

1) Build awareness of the data and data protection policies of the organization

This doesn’t mean you need to give everyone an in-depth overview of GDPR or any other compliance legislation. Instead, they need to know the kinds of data that need to be protected across the organization – even when it’s not part of their job.

As they learn about the types of data, they need to know what level of sensitivity should be applied and why. When people understand the policies and reasoning, it’s easier to make decisions about what to do with the data their handling.

The education shouldn’t end as people leave the training, though. You’ll want to keep promoting awareness in various ways:

  • Posters with reminders throughout your facilities
  • Ongoing training sessions to keep people sharp
  • Sharing stories about how people are mindful of security

Without a foundation of awareness, people won’t be able to take the next step of being mindful of information sensitivity as they go about their day-to-day work.

2) Encourage mindfulness about data security

When awareness resonates in a lasting way, it can lead to a more intentional focus on protecting the data they’re handling. With GDPR looming, that’s an important goal! Your organization will benefit from people who go through their workday mindful of data that’s being passed around. They become your first line of defense against data breaches.

Your awareness efforts can help bolster mindfulness by providing reminders to consider the sensitivity of data.

Having mindful people makes the use of technology for data protection more effective. Introducing tools that apply markings and trigger data protection policies can serve as one more way to build mindfulness right into the workflow. When every document has the sensitivity level clearly marked, it’s easier for employees to see at a glance how the material should be handled.

The technology takes this a step further by preventing inadvertent data breaches, disclosures or losses by blocking the most sensitive documents from being sent to unauthorized recipients.

How many times have you been rushing to the next meeting or trying to leave at the end of the day? You fire off an email and realize it went to the wrong person or group right after you hit send. There’s no calling it back, so having a tool that prevents those errors is invaluable.

3) Empower people to take appropriate action and be accountable

Knowledge is power. Putting knowledge into action reinforces what they’ve learned. When there’s only a handful of people in your entire organization who have the responsibility to train, monitor, audit, and maintain all data security efforts, they’ll be more successful if they can build an army of champions for good data security practices.

When awareness and mindfulness lead to reputation-saving preventative action, reward those instances and share the stories to continue the cycle.

Education is key to building a culture of security

The result of all this work is a culture of security where security mindfulness is the status quo of your organization. And when you have the whole company working together to protect sensitive data across your organization, it doesn’t matter what the next data protection regulation is – your entire organization will be ready, willing and able to meet it head on together.

Doug Snow is vice president, Customer Success at TITUS, where his 30 years of IT industry experience and project management expertise make him ideal to lead the team that ensures our customers’ needs are taken care of every step of the way.

 

 

CUI Compliance – What You Need To Know (Part 2)

Friday, October 6th, 2017

Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program defines a uniform policy for the treatment of unclassified information that requires safeguarding or dissemination controls. As of December 31, 2017, all federal contracts will require contractors to comply with the Federal CUI Rule (32 CFR Part 2002) that governs the treatment of CUI.

In the second installment of this two-part blog series, Patricia Hammar, founder of PKH Enterprises and a recognized expert in the areas of government policy and privacy, answers some additional questions on Controlled Unclassified Information (CUI) compliance.

(more…)

 

 

CUI Compliance – What You Need To Know

Monday, October 2nd, 2017

Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program defines a uniform policy for the treatment of unclassified information that requires safeguarding or dissemination controls. This framework standardizes practices around the sharing of controlled unclassified information, with the goal of improving the sharing of information across Federal executive branch agencies.

In this two-part blog series, Patricia Hammar, founder of PKH Enterprises and a recognized expert in the areas of government policy and privacy, answers some key questions on CUI compliance.

  (more…)

 

 

The First Step Toward GDPR Compliance

Thursday, May 11th, 2017

Last week my colleague Mark Cassetta described how data categorization could be used as a means to simplify information classification and protection. This week I would like to expand on this concept to show how categorization can be put into practice. The European General Data Protection Regulation (GDPR) only 12 months away. Yet, only 10 percent of organizations impacted by the GDPR report that they are “completely ready” to comply with the regulation (Osterman Research), it seems like this would be a great example for highlighting the use of categorization.

The key goal of the GDPR is to ensure that any organization that controls or processes sensitive personal information about EU residents also properly protects the data. In fact, organizations must show that data protection is a fundamental design aspect to their data workflow and processes.

So, where does an organization start?


(more…)

 

 

Data Categorization or Data Classification?

Wednesday, May 3rd, 2017

In the last few years there has been a dramatic shift from data classification being “nice to have” to becoming a “need to have”. Behind this momentum, private companies and organizations are implementing data classification using “traditional” taxonomies and schemas that worked for governments and militaries, but don’t necessarily translate well into the workflow or culture of commercial enterprises.

When TITUS started over a decade ago, many of our first customers were large government and military organizations who were familiar with the concept of classification. We all  remember the “secret” and “top secret” rubber stamp with red ink used to classify paper documents and files before the dawn of digital productivity tools. As a result, when government and military customers began to deploy classification, their users were already well educated on the meanings and appropriate use of their classification taxonomies. As classification has moved into commercial enterprises, the template for classification has remained unchanged. As a result, many enterprises have struggled to find a way to align classification labels and policies to meet their own unique needs.


(more…)

 

 

Turn Your Users Around

Wednesday, March 29th, 2017

It’s been a long time coming, but the mandatory breach notification laws will be in force in Australia next February (Privacy Amendment (Notifiable Data Breaches) Act 2017). Having seen similar regulations in effect in North America, and with the knowledge that they’re also coming to Europe next year in the form of the EU GDPR, it is impossible for any business to ignore the issue of data security. Organizational change is necessary across the globe.

I was recently in Australia, and the new legislation was a very hot topic in meetings with both existing partners and new customers, bringing up a multitude of questions. From a general perspective, it’s fantastic that more and more organizations are wising up to security (and there are countless surveys to back this up), but from our experience, most seem to be struggling with the myriad of different ways to protect their data and the persistent threat of breaches.


(more…)

 

 

TITUS to Provide Solutions to NATO Agencies around the World

Tuesday, February 28th, 2017

TITUS and the NATO Communications and Information Agency (NCIA) recently signed a joint Master Service Agreement (MSA) that enables TITUS to supply our solutions to NCI Agency, NATO Member Nations and other NATO entities.

Cybersecurity is a major area of concern for NATO, and is considered the fourth domain of operations after air, land and water. NATO and its member agencies know that they need to be prepared to defend networks and operations against the increasingly sophisticated cyber threats and attacks.


(more…)

 

 

Protecting Information in a Multi-Cloud World

Wednesday, January 11th, 2017

bergen_wilde-ns

Around our office there is a lot of talk about “hybrid Cloud” as we help our customers create strategies to safely migrate from on-premise to cloud storage and applications. A hybrid cloud strategy provides both flexibility and peace of mind, enabling organizations to ease into utilizing the Cloud at their pace. The actual challenge however is not finding the right balance between on-premise and the Cloud, but coping with the multitude of cloud options.

titus-cloud-blog
(more…)

 

 

Introducing Classification for Mac, offering the broadest Outlook coverage on the market

Wednesday, September 14th, 2016

libby_robinson-ns

TITUS is excited to announce the addition of Outlook for Mac to our Classification for Outlook offering!

Email is everywhere.  It’s across various platforms and devices, even within a single organization.  While the majority of users may still be on Windows based computers, more and more are beginning to choose Macs.

According to Aberdeen Research, 20% of organizations have enterprise email installations that include both Windows and Mac. In isolation, this number may not seem particularly large, but often these Mac deployments are on desktops where the most sensitive information resides – primarily executive offices, as well as designers and developers.

If your efforts to secure the information transmitted via email is limited only to certain members of your organization, you are risking breaches of either your own intellectual property (IP), or of PII, PCI or PHI.  You don’t want to spill your secret sauce, or face the possibility of loss of consumer trust, market share, or substantial fines.
(more…)

 

 

The TITUS Experience

Friday, August 26th, 2016

bergen_wilde-ns

During a recent TITUS event, I had the opportunity to listen to a conversation between a deployed customer and another still in the planning phase that highlighted the classification challenges many organizations are facing. The questions being asked of the deployed customer weren’t technical ones, but focused on business transformation, such as:

  • How did you train your users on the meaning of the classification levels?
  • Would you recommend a full-fledged, single phase implementation or break it into several smaller phases?
  • How much did you choose to involve the workers in the application of classification at first?

meeting-blog

(more…)