Archive for ‘DLP’
On 25 May 2018, the European Union (EU) General Data Protection Regulation (GDPR) becomes enforceable, bringing substantial fines and far-reaching obligations. The primary goal of GDPR is to harmonize the protection of personal data across all EU member states. It will have an impact in the EU and around the world, affecting any organization that handles the personal data of EU residents. Don’t let that seemingly distant date delay you from starting to prepare.
As a Brit who thinks our country is great, but also a European who spends a large part of his time travelling around the continent, I was shocked to find that the UK electorate voted to leave the European Union! If I’m honest with myself, I didn’t see it coming. My general impression of the British public is that, on the whole, we are conservative with a small “c” and typically vote to maintain the status quo; the grass is very rarely greener…
I think that I communicate with my colleagues almost as much via email as through verbal communications – even those I share an office with. In fact, probably about a third of the verbal communications are social interaction rather than direct business discussion. In email, however, most of the communication with my colleagues contains business information, sometimes including large attachments containing sensitive strategic plans. And unlike a verbal conversation which is lost to the ether, email endures. So, while talking about business plans outside the office where someone might overhear has some risk to the company, sending an email to the wrong recipient can be significantly more damaging. Yet, organizations are still not protecting themselves from these accidental breaches.
As a case in point I offer you this example from the National Football League (NFL). It is reported that on July 1st, the New Orleans Saints intended to send an email to the NFL head office regarding their plans to pick up a player who was just put on waivers (released) by the Cleveland Browns. The email, however, was accidentally addressed to the entire league. In other words, they broadcast their plan to all of their competition.
LEGO is slippery. I know that statement doesn’t sound like it makes sense and you are probably saying to yourself: “Surely he knows that LEGO blocks interlock and stick together!”
That is true. But, if you have ever used LEGO to build on a hard surface you know that, as you add more bricks to the building you are making, your construction can easily slip around. Unless you are building on a LEGO surface, you can’t always be sure the pieces you are adding won’t cause the structure to slip or tip. The foundation that you build upon makes all the difference to the stability of what you are building.
Each year, International Privacy Day reminds us how important it is to question where sensitive data resides, who has access to it, and how to best value and protect private information. As large enterprises hire the next generation of social media savvy employees, it is also a good time to question whether these millennials understand the value of data. Do they know what information should stay private vs. what can be shared?
Working with a generation that readily connects, collaborates and shares information online, companies are faced with educating employees on balancing the need to share with the need to protect. In an era of digital business, company brand and customer loyalty and retention depend on it.
This will be the rarest of posts. I am going to begin my post about why Data Classification is important to a content and context aware security program by telling you all of the reasons why I was originally skeptical of its value. I do so in hopes that people who share the same concerns I did will have an opportunity to experience the magic of the Titus approach vicariously through me. I am also going to do something that few people in my position are willing to do, while simultaneously doing something no author should ever do. I am going to admit I was wrong and I am going to quote myself.
“I was wrong” – Me
We put a lot of resources into data loss prevention, information classification and cyber security projects in an effort to ensure our information is safe. We have developed sophisticated methods of detecting sensitive information and stopping it from being copied over the network, uploaded to the cloud, copied to USB sticks and even burned to DVDs. But there is still one (low tech) leak that seems unstoppable: paper. What is to prevent someone from printing out sensitive information and then taking it out the door or losing control of it in some other way?
At first glance it may seem there is nothing we can do, but there are steps that can be taken.
Last week my colleague Libby Robinson wrote about the enhanced automated classification capabilities of the new TITUS Classification Suite 4.4. While TITUS can automate classification better than ever, Libby nonetheless concluded that: “it is best practice to deploy a combination of user-driven, system suggested and automated classification.” If you read the TITUS blog regularly, I’m sure you are familiar with user-driven classification and its importance to the organization. But what is “system suggested classification” and when would an organization use it?
With “system suggested classification,” the TITUS policy engine runs the same evaluation policies that automated classification runs (based on content, context, the user, the recipient, etc.). The key difference is that the user is prompted to confirm the result before it is applied, and can quickly adjust the classification if they judge the automated result incorrect. That confirmation step is what makes the mode useful: the engine catches what the user would miss, and the user catches the cases the rules get wrong.
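To make the distinction concrete, here is a small policy engine written for this page; it is an added illustration, not TITUS code, and the labels, content rules, executive-group convention and sample message are all hypothetical. The same evaluate_policy() function serves both modes; the only difference is whether its result is applied directly (automated) or handed to a confirmation callback that may adjust it (system suggested).

```python
import re
from dataclasses import dataclass, field

# Ordered from least to most sensitive. Hypothetical labels for this example.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Content rules: a pattern and the minimum label it demands. Constructed for
# the example; a real policy set would be far larger.
CONTENT_RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Restricted"),                  # SSN-style number
    (re.compile(r"\b(?:strategic plan|acquisition)\b", re.I), "Confidential"),
    (re.compile(r"\bdraft\b", re.I), "Internal"),
]

@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: list = field(default_factory=list)   # attachment file names

@dataclass
class Classification:
    engine_label: str   # what the policy engine decided
    final_label: str    # what was actually applied
    overridden: bool    # True if the user changed the engine's result
    reasons: list       # why the engine chose its label

def _rank(label):
    return LEVELS.index(label)

def evaluate_policy(msg, org_domain="example.com"):
    """Run the policy rules once; used unchanged by both modes.
    Returns (label, reasons); the highest demanded level wins."""
    label, reasons = "Public", []
    text = msg.body + " " + " ".join(msg.attachments)
    for pattern, demanded in CONTENT_RULES:                        # content
        if pattern.search(text):
            reasons.append(f"content matched /{pattern.pattern}/ -> {demanded}")
            if _rank(demanded) > _rank(label):
                label = demanded
    if msg.sender.split("@")[0].startswith("exec-"):               # user (hypothetical convention)
        reasons.append("sender in executive group -> at least Internal")
        if _rank("Internal") > _rank(label):
            label = "Internal"
    external = [r for r in msg.recipients if not r.endswith("@" + org_domain)]
    if external and _rank(label) >= _rank("Confidential"):         # recipient
        reasons.append(f"{label} content addressed to external recipients: {external}")
    return label, reasons

def classify(msg, mode, confirm=None):
    """mode='automated': apply the engine's label with no user interaction.
    mode='suggested': run the same evaluation, then let confirm(label, reasons)
    return the label the user accepts (unchanged or adjusted)."""
    engine_label, reasons = evaluate_policy(msg)
    if mode == "automated":
        return Classification(engine_label, engine_label, False, reasons)
    if mode == "suggested":
        if confirm is None:
            raise ValueError("suggested mode needs a confirmation callback")
        chosen = confirm(engine_label, reasons)
        if chosen not in LEVELS:
            raise ValueError(f"unknown label {chosen!r}")
        return Classification(engine_label, chosen, chosen != engine_label, reasons)
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample message (not a real email).
SAMPLE = Message(
    sender="alice@example.com",
    recipients=["bob@example.com", "partner@other.org"],
    body="Attached is the draft strategic plan for next year.",
    attachments=["plan-2019.docx"],
)

if __name__ == "__main__":
    auto = classify(SAMPLE, "automated")
    print("automated:", auto.final_label, auto.reasons)
    # Simulated user prompt: the user downgrades the suggestion to Internal.
    sugg = classify(SAMPLE, "suggested", confirm=lambda label, why: "Internal")
    print("suggested:", sugg.engine_label, "->", sugg.final_label, "overridden:", sugg.overridden)
```

The overridden flag is worth keeping in a real deployment: a stream of users downgrading the same rule's result is the signal that the rule, not the users, needs tuning.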
While they offer incredible advantages, cloud sync and share services like Box and Dropbox also come with risks. As usual, one of the top risks isn’t from the technology itself, but from the user. What guarantees do you have that your users are safely sharing information in the cloud? Unlike folders on the network, cloud folders are easily shared with users outside of your organization, and it is not always easy to tell which folder was created for sensitive content and which was not. As a result, users are more likely to make a mistake and overshare information.
While you can drill down to see with whom a folder is shared or examine the content of the folder to determine its sensitivity, this is time consuming and slows the speed of business. This inevitably means some users will fail to take those extra steps. It is also easy for a user to simply create a new folder on the run, forget the access details over time, and assume it is safe to use for another document at a later date. Folder names rarely convey the sensitivity or collaborative nature of the folder. So, when users share via the cloud do they know if the folder is shared externally? Can they easily tell if the folder is meant for public or internally facing documents? And, are your users always going to double check to make sure they know the answers before they upload a file? Unfortunately, when it comes to using a cloud service mobile app, ease of sharing information often takes priority over security. TITUS Classification for Mobile considers user experience, ease of use, and data protection all as equally important.
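The questions above (is the folder shared externally, is it meant for public or internal documents) can be answered by software at the moment of upload rather than left to the user's memory. The following is an added example, not TITUS code or any vendor's API: it takes a folder's sharing metadata as a sync-and-share service would report it, summarizes who can reach the folder, and compares that scope against the document's classification. The labels, the scope policy and the sample folders are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Hypothetical classification labels, least to most sensitive.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Reach of a folder, least to most exposed.
SCOPE_ORDER = ["private", "internal", "external", "public"]

# Most exposed scope each label may be placed in (hypothetical policy).
MAX_SCOPE = {
    "Public": "public",
    "Internal": "internal",
    "Confidential": "internal",
    "Restricted": "private",
}

@dataclass
class Folder:
    name: str
    owner: str
    # Collaborator addresses, or the marker "anyone-with-link" for an open link.
    # Constructed here; a real service exposes this through its sharing API.
    shared_with: list = field(default_factory=list)

def folder_scope(folder, org_domain):
    """Summarize who can reach a folder: private, internal, external or public."""
    if "anyone-with-link" in folder.shared_with:
        return "public"
    if not folder.shared_with:
        return "private"
    if all(addr.endswith("@" + org_domain) for addr in folder.shared_with):
        return "internal"
    return "external"

def check_upload(doc_label, folder, org_domain="example.com"):
    """Decide whether a document with doc_label may go into folder.
    Returns (decision, message); decision is 'allow', 'warn' or 'block'."""
    if doc_label not in LEVELS:
        raise ValueError(f"unknown label {doc_label!r}")
    scope = folder_scope(folder, org_domain)
    if SCOPE_ORDER.index(scope) <= SCOPE_ORDER.index(MAX_SCOPE[doc_label]):
        return "allow", f"'{folder.name}' is {scope}; {doc_label} content may be placed here"
    if scope == "public":
        who = "anyone with the link"
    else:
        who = ", ".join(a for a in folder.shared_with if not a.endswith("@" + org_domain))
    msg = f"'{folder.name}' is {scope} (reachable by {who}); not suitable for {doc_label} content"
    # Internal-only material in an over-shared folder gets a prompt the user can
    # confirm; anything Confidential or above is refused outright.
    if doc_label == "Internal":
        return "warn", msg
    return "block", msg

# Constructed sample folders: an internal collaboration, a folder a user
# shared with a supplier months ago, and a marketing folder with an open link.
BOARD = Folder("Board papers", "alice@example.com", ["cfo@example.com"])
VENDOR = Folder("Vendor RFP", "alice@example.com", ["bob@example.com", "sales@supplier.test"])
MARKETING = Folder("Marketing assets", "carol@example.com", ["anyone-with-link"])

if __name__ == "__main__":
    for label, folder in [("Confidential", BOARD), ("Confidential", VENDOR),
                          ("Internal", VENDOR), ("Public", MARKETING),
                          ("Restricted", BOARD)]:
        decision, why = check_upload(label, folder)
        print(f"{decision:5} {label:12} -> {why}")
```

The decision is made from the folder's current sharing list, not its name, which is exactly the information the user has usually forgotten by the time they reuse the folder.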