GDPR isn’t a checkbox exercise, it’s an opportunity to differentiate

April 12th, 2018


by Tim Upton

The ramifications and awareness of corporations getting access to and using personal data came to the forefront recently with the news that personal data of 50 million Facebook users was used to influence various political processes in the UK and US.

No doubt the leaders at Facebook wish they took a different approach to protecting data. At the same time, users likely wish they took more caution and control with the information they shared.

The reality is most regulations come about as a result of some unanticipated consequence. We have tools that allow us to easily collect, distill, and use data to inform our business practices. But awareness of these tactics has built up among consumers and they’re understandably concerned about how their personal information and data about their habits and activities are being used.

According to PwC’s 2017 Consumer Intelligence Series report, 25% of consumers believe most companies handle their sensitive personal data responsibly. What’s worse is that only 10% of consumers feel like they have complete control over their personal information. This awareness and concern have only grown as the size and frequency of data breaches increase.

So, how do you protect data?

Organizations are accustomed to using data without prescriptive rules, but new regulations are forcing them to make changes. While it’s not the first compliance regulation out there, the EU’s General Data Protection Regulation (GDPR) is the one that’s forcing organizations to wake up to how they’re handling data. After all, with potential fines of up to the larger of €20 million or 4% of the previous fiscal year’s worldwide turnover, there’s a lot at stake for businesses.

Some organizations are looking at GDPR as a checkbox exercise, making sure they meet the requirements and then going back to regularly scheduled activities. It’s good to know you’ve done what’s required to be compliant, but what if there was a better way?

Treat GDPR as an opportunity to differentiate your business

We all know GDPR isn’t the last word on data compliance. It’s only a matter of time before a new compliance regulation comes along in a new country with even more restrictive rules. Can any organization really afford to stay in a position of constantly catching up?

Instead, why not build a security mindset in your organization by educating employees, helping them stay vigilant about the data around them, and the need to protect it? Doing this distributes the responsibility and accountability for keeping data secure across your entire organization, making it easier to be successful. It makes the security of all types of data – physical and digital – part of everyday work.

After all, if business leaders can get ahead of compliance regulations, it’s an opportunity to build lasting trust with customers by targeting a higher standard for data protection.

Data protection: People and tools are the drivers

Establishing a culture of security empowers individuals at all levels. When they understand the kinds of data being used throughout the organization and the expectations for how each type of data should be handled, they can help identify data properly.

Data classification tools make identifying data easier by applying markings and triggering policies for how data can be accessed by internal and external users.

The best part of these tools? They make it easier to know what data you have. Because you can’t adequately protect data if you don’t know you have it.

Don’t just check the boxes on GDPR compliance

Technological advancements have accelerated our ability to generate, collect and use large amounts of data. And lawmakers are taking action in response to the demands of consumers. Regulations like GDPR make protecting that data essential, just like you lock up the office at the end of the day to secure equipment and other physical assets. Data is a significant asset for organizations. It’s time to start acting like it, because there’s a lot more than fines at stake.

Tim Upton is the CEO and one of the founders of TITUS. Tim has an extensive background as a technology consultant in the security and large infrastructure spaces that helps inform company direction.


You Had Me at Hackathon: How one TITUS employee builds his skills

April 5th, 2018


by Farhan Ahmed

Ever since I can remember, I’ve been curious about the impact technology has on people. And I’ve always wondered, “What’s next?” This curiosity and interest inspired me to pursue a degree in computer engineering at Western University. I realized something else during the course of my studies: I want to help others see what’s possible with technology. For example, I developed a computer science curriculum for kids aged 9-15. I taught HTML, Scratch, Python and we worked with Lego MINDSTORM Robots.

Learning at the drop of a hack

I’ve also been encouraged to step outside my comfort zone to push the boundaries of my own learning. So, I started attending hackathons. And let me tell you, I’ve gained so much experience from these events that have helped my studies and my time as a co-op student at TITUS. I was asked to share my experience with hackathons here on the TITUS blog, so I want to take this opportunity to pass along some key lessons I’ve learned.

Get a view of the big picture

When you’re working on an idea during a hackathon, you get a glimpse of the full product cycle. You pitch the idea knowing the importance and value it adds to solving a problem and how it’s going to be used. As developers, we need to see things through the eyes of actual users because that perspective helps us understand how our solutions work.

I honestly can’t describe the feeling of pride and the sense of accomplishment when you get to see the final product of your hack. You get to reflect on what you’re capable of learning and the boundaries you’ve surpassed.

Approach problems from new angles and learn new skills

I recently attended a hackathon in London, Ontario, which was hosted by Major League Hacking. The challenge my team wanted to solve was to provide better photodynamic light therapy for skin cancer patients. Currently, photodynamic light therapy uses one standardized wavelength. Our approach was to feed the machine learning algorithm information about each individual’s physiology so the wavelength delivered would be more effective for the treatment. I was initially worried about my lack of experience with databases. But I was quickly able to overcome that fear by collaborating with my team members.

That’s what it’s about – people working together on a solution that will help others.

The hackathon mindset at work

I joined TITUS in September 2017. Since then, I’ve been working with the machine learning team to help our customers combine user-driven and automatic classification of their data. Machine learning is a hot topic in information security these days, so you can imagine my surprise when I learned about our own internal hackathon at TITUS. The goal of my first hackathon at TITUS was to come up with new ways to visualize the results that come from our policy engine. It was a lot of fun being an entrepreneur and seeing real business implications from the solutions you work on.

Hackathons are an important part of the high-performance culture we embrace at TITUS. With new technology comes innovation and new possibilities. Seeing how hackathon ideas are integrated into our products allows us to understand the end-user experience and truly appreciate the value of our efforts.

Get out of your comfort zone

By definition, lifelong learning is, “the ongoing, voluntary, and self-motivated pursuit of knowledge.” Growing as a person involves learning and stepping outside your comfort zone. A hackathon is designed to promote this kind of learning. We’re challenged to learn and implement skills within a short period of time. I strongly encourage everyone to attend a hackathon and stretch your boundaries to learn!

Farhan Ahmed is a co-op student at TITUS, specializing in machine learning. He’s responsible for delighting customers by making it easier to classify data.


Protect sensitive data in the cloud with Netskope and TITUS

March 22nd, 2018

By Corey Markell

The amount of information created these days is staggering. We’re doubling the volume of data every two years. That’s a lot for organizations to filter through to protect sensitive data. Not only is the amount of data increasing, but the way people work and share information is changing, too.

Companies aren’t confined to strict physical locations anymore. And collaboration with remote full-time employees, contractors, and contingent workers is the new normal. But that means the traditional corporate network perimeter is gone.

Build data protection into the workflow – everywhere

We can’t roll back the clock to a time when data stayed inside a carefully contained perimeter. Besides, we all know employees will scale those walls or punch a hole right through them to get their work done. Since productivity is the main driver behind the use of shadow IT, organizations need to address the needs of workers so they can continue to get their work done as easily as possible. That’s where cloud sharing and storage apps come into play.

They’re essential to business operations, but they’re changing the urgency and need for tools that protect sensitive data beyond the traditional firewall because of the amount of data that now moves in and out of the cloud. Not to mention the pressure that’s coming from compliance regulations, such as GDPR.

Reduce the risks of data loss, breaches or leaks with controlled cloud usage

The biggest challenge with cloud apps is the ease with which large amounts of data can be shared – even from mobile devices. IT departments and CISOs have limited visibility into what information is being uploaded, downloaded and shared. This makes it easy for users to inadvertently share sensitive data or use unsanctioned applications. Establishing sanctioned apps with Netskope and ongoing coaching on appropriate use is a critical step in protecting data in the cloud.

Establish shared responsibility and accountability for data security

Take the time to create an awareness and education program that covers the basics so you can protect sensitive data at all levels of your organization. When people know how to handle data and the implications of a data breach, they’ll be the best first defense for securing information. After all, it’s in the best interests of the entire organization to keep data secure.

Use the right tools to protect sensitive data – everywhere

Data classification is the foundation of data security – within the corporate firewall and in the cloud. Because you can’t protect data you don’t know you have. TITUS Classification provides automated, system-suggested, and user-driven classification to clearly identify to people and technology how information should be secured. And Netskope cloud enablement solutions enable enterprises to embrace the cloud while ensuring sensitive information is not at risk.

By clearly identifying data, TITUS Classification empowers Netskope to make dynamic, fine-grained policy decisions before information is uploaded to the cloud. Together, TITUS and Netskope provide organizations with the confidence to embrace the cloud.

Want to learn more about how TITUS and Netskope work together to keep your data secure in the cloud? Check out our Netskope technology partner page.

Corey Markell is the strategic partner manager for TITUS. He’s responsible for creating and maintaining meaningful technology partnerships that create new opportunities and value for TITUS customers.


Want to boost your GDPR compliance effort? Get your people involved.

March 15th, 2018


With the GDPR compliance deadline right around the corner, many organizations are working through various stages of preparation. According to Forrester Research’s report, The State of GDPR Readiness, about 30% of companies globally are fully GDPR compliant.

However, the report also notes that only a fraction of these organizations include data classification and data discovery as part of their preparation for GDPR. Instead, many have focused their efforts on IT to meet compliance requirements.

But is this the right move?

GDPR compliance is everyone’s responsibility

We partnered with SC Magazine to host a webcast on March 20th at 2:00 p.m. ET with our VP of Customer Success, Doug Snow, and featured guest Enza Iannopollo, a research analyst with Forrester. Doug and Enza will discuss why collaboration across the organization is important to achieve GDPR compliance.

We sat down with Doug to get some insight on what GDPR compliance means for organizations today and to learn what role employees must play.

It seems like GDPR is putting a microscope on the way personal information from customers and employees is treated. What’s your take on that?

Doug: GDPR outlines some important information about security process and data protection by design and by default. The last two words really stand out to me – by design and by default.

Organizations don’t always know what data they have and where it came from, but with GDPR they will have to take a close look at all the ways they gather, classify, protect, and share information across the business.

What do you think will change the most when it comes to data protection “by design and by default”?

Doug: I think we’ll see security and risk professionals familiarize themselves with the design processes and systems in marketing, finance, legal, consulting services, HR, and any other group that handles personal information.

The first step is for people to come together and provide insight into the type of information they deal with on a regular basis. Transparency helps people adopt a culture of security that values collaboration across the business to properly protect information.

You mentioned the potential need for security and risk professionals to get involved in process design from the beginning. What else is on their to-do list for GDPR at this point?

Doug: I’ve spoken with quite a few S&R pros lately and they’ve all mentioned a few things. First, they’ve been working with people from across the organization to understand what kind of data they have and where it is.

Second, they’re working through a risk assessment that specifically talks about information ownership. I think educating employees about information security and data protection is very much part of the prep work for GDPR because the way we create and share information is constantly changing. It’s good for employees to stop, think, and consider the business value of the information they are creating and handling.

Finally, they’re making sure reporting capabilities are in top shape because data breaches must be reported to the proper supervisory authorities within 72 hours.

What do you think GDPR means moving forward?

Doug: GDPR is a great opportunity for organizations to demonstrate the thoroughness and care they take in handling personal data. It’s about being a responsible organization, through and through.

Because, at the end of the day, we’re all responsible for information security. So, I look at it as an opportunity for people within an organization to mature their secure information handling practices – all to earn new business, improve customer retention, and boost employee engagement around information security.

GDPR compliance takes a village

Want to know how a culture of security can help you meet GDPR compliance? Tune in to our webcast with SC Magazine and Forrester Research, “GDPR Takes A Village: Practical Advice to Help You Achieve Compliance.” Click here to watch!


GDPR makes employee data security education essential

February 9th, 2018


by Doug Snow

The compliance regulation du jour is the EU’s General Data Protection Regulation (GDPR). But many companies aren’t ready for the May 25th deadline and many don’t even know they need to pay attention. Of course, knowing whether your organization is subject to GDPR is only the beginning. You have to take steps to ensure you comply.

As more and more compliance regulations come into effect, it’s creating a lot of work for businesses as they shift, evolve or completely overhaul business processes and deploy tools to meet the requirements. The effort is worth it, though: This is an opportunity to show your customers how committed you are to building a solid relationship of trust – starting with protecting their data. And you can avoid massive fines at the same time.

Of course, no tool or process will ever be effective if people aren’t on board. A security education program can help you build that solid foundation with people to encourage shared ownership of data security across your organization. That classic annual security training video everyone watches for half an hour (to pass a quiz that proves they recalled the information for five minutes) is no longer enough.

Every employee in the world signs an employment agreement that obligates them to follow corporate information handling policies. Even an accidental leak or disclosure can result in termination of employment, but what tools do we give them to be compliant?

Today, the consequences are far-reaching, and people have long memories (and search engines). The fines levied and goodwill lost can lead to the failure of the business and countless lost jobs. That’s why it’s imperative to help employees be part of the solution.

So, how do you get people to use effective, secure data handling practices? Here are three ways you can focus your efforts to build a program that will win them over.

1) Build awareness of the data and data protection policies of the organization

This doesn’t mean you need to give everyone an in-depth overview of GDPR or any other compliance legislation. Instead, they need to know the kinds of data that need to be protected across the organization – even when it’s not part of their job.

As they learn about the types of data, they need to know what level of sensitivity should be applied and why. When people understand the policies and the reasoning behind them, it’s easier to make decisions about what to do with the data they’re handling.

The education shouldn’t end as people leave the training, though. You’ll want to keep promoting awareness in various ways:

  • Posters with reminders throughout your facilities
  • Ongoing training sessions to keep people sharp
  • Sharing stories about how people are mindful of security

Without a foundation of awareness, people won’t be able to take the next step of being mindful of information sensitivity as they go about their day-to-day work.

2) Encourage mindfulness about data security

When awareness resonates in a lasting way, it can lead to a more intentional focus on protecting the data they’re handling. With GDPR looming, that’s an important goal! Your organization will benefit from people who go through their workday mindful of data that’s being passed around. They become your first line of defense against data breaches.

Your awareness efforts can help bolster mindfulness by providing reminders to consider the sensitivity of data.

Having mindful people makes the use of technology for data protection more effective. Introducing tools that apply markings and trigger data protection policies can serve as one more way to build mindfulness right into the workflow. When every document has the sensitivity level clearly marked, it’s easier for employees to see at a glance how the material should be handled.

The technology takes this a step further by preventing inadvertent data breaches, disclosures or losses by blocking the most sensitive documents from being sent to unauthorized recipients.

How many times have you been rushing to the next meeting or trying to leave at the end of the day? You fire off an email and realize it went to the wrong person or group right after you hit send. There’s no calling it back, so having a tool that prevents those errors is invaluable.
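The marking-driven block described above, as an added, constructed example that is not TITUS code: a document carries a sensitivity marking line, and a send check maps that marking to the recipient domains it may reach before the message leaves. The label names, the domain policy and the "unmarked means classify first" rule are assumptions chosen for illustration.

```python
"""Classification-driven send check (constructed example, not a vendor product).
A marking line in the document drives an allow/block decision per recipient."""
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Constructed label set, least to most sensitive.
LEVELS = ("public", "internal", "confidential", "restricted")

# A marking line such as "Classification: Confidential" anywhere in the document.
MARKING_RE = re.compile(r"^\s*classification:\s*(?P<label>[a-z]+)\s*$",
                        re.IGNORECASE | re.MULTILINE)


def extract_label(document_text: str) -> Optional[str]:
    """Return the document's marking in lower case, or None if missing or unknown."""
    match = MARKING_RE.search(document_text)
    if match is None:
        return None
    label = match.group("label").lower()
    return label if label in LEVELS else None


def recipient_domain(address: str) -> Optional[str]:
    """Domain part of an email address, or None if the address is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


@dataclass
class Decision:
    action: str                      # "allow", "block" or "require_classification"
    blocked: list = field(default_factory=list)
    reason: str = ""


def evaluate_send(document_text: str, recipients: Iterable[str],
                  internal_domain: str, partner_domains: Iterable[str] = ()) -> Decision:
    """Decide whether the marked document may go to every listed recipient."""
    label = extract_label(document_text)
    if label is None:
        # An unmarked or mis-marked document is not silently treated as public:
        # the sender has to classify it before the message can leave.
        return Decision("require_classification", reason="no valid marking found")

    internal = internal_domain.lower()
    partners = {d.lower() for d in partner_domains}
    # Constructed policy: which recipient domains each label may reach.
    if label == "public":
        permitted = None                   # no domain restriction
    elif label == "internal":
        permitted = {internal} | partners  # staff and approved partners
    elif label == "confidential":
        permitted = {internal}             # staff only
    else:  # restricted: never leaves by email, regardless of recipient
        return Decision("block", blocked=list(recipients),
                        reason="restricted documents may not be sent by email")

    blocked = []
    for addr in recipients:
        domain = recipient_domain(addr)
        if domain is None or (permitted is not None and domain not in permitted):
            blocked.append(addr)
    if blocked:
        return Decision("block", blocked=blocked,
                        reason=f"{label} document addressed outside permitted domains")
    return Decision("allow", reason=f"{label} document, all recipients permitted")


if __name__ == "__main__":
    # Constructed sample: a confidential forecast addressed to a partner by mistake.
    sample = "Classification: Confidential\nQ3 forecast (constructed sample)\n"
    print(evaluate_send(sample, ["alice@corp.example", "bob@partner.example"],
                        "corp.example", ["partner.example"]))
```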

3) Empower people to take appropriate action and be accountable

Knowledge is power. Putting knowledge into action reinforces what people have learned. When only a handful of people in your entire organization have the responsibility to train, monitor, audit, and maintain all data security efforts, they’ll be more successful if they can build an army of champions for good data security practices.

When awareness and mindfulness lead to reputation-saving preventative action, reward those instances and share the stories to continue the cycle.

Education is key to building a culture of security

The result of all this work is a culture of security where security mindfulness is the status quo of your organization. And when you have the whole company working together to protect sensitive data across your organization, it doesn’t matter what the next data protection regulation is – your entire organization will be ready, willing and able to meet it head on together.

Doug Snow is vice president, Customer Success at TITUS, where his 30 years of IT industry experience and project management expertise make him ideal to lead the team that ensures our customers’ needs are taken care of every step of the way.


Protect private data by building a culture of security

January 25th, 2018

By Steph Charbonneau

This Sunday, January 28th is Data Privacy Day. The recognition of this day by governments and other organizations has been a reason for people and businesses to talk about data privacy and security. But first, we have to talk about what those words mean.

What is data privacy?

Countries around the world have passed legislation acknowledging that individuals have a right to privacy, meaning we should have the ability to control when and to whom access is given to our personal information. This type of legislation is more important than ever as technological advances have increased the amount of data we share.

Why should businesses care about data privacy?

Because it’s good for business. After all, we need consumers to trust us. Today’s businesses and many other organizations rely on data assets to support, sustain and fuel operations. When you look at the large-scale data breaches that have made the news, it’s clear that organizations have to step it up when it comes to protecting the data that keeps them going.

It’s easy and even instinctual to try to fix breaches by building a technological fortress, but that’s not a true long-term solution. Technology is only as strong as the weakest user password or passcode on a lost device. And let’s not forget the surge of shadow IT that circumvents the fortress. The connected nature of our world combined with the human nature of people means technology is an incomplete solution.

Organizations need to build a culture of security

When you actively seek to make security a part of the culture in your organization, you make education, awareness, and accountability an integral part of day-to-day work. It becomes habitual to look for and notify management about vulnerabilities.

  • The door that doesn’t quite close all the way
  • Visitors being admitted without signing in
  • Confidential information left in public areas
  • Badges branded with the company logo
  • Laptops not secured to desks

These examples don’t necessarily relate to technology but ensuring the protection of data means addressing every access point – both physical and virtual.

How do you build a culture of security?

The responsibility for security can’t be shouldered by one person or even one department. And changing culture and behaviors isn’t easy, but the investment will pay off in protecting your business and the data you collect and generate. Here are some steps you can take to get started.

1) Educate employees about data

The security policy new hires sign during orientation isn’t enough. Make ongoing education about data and data handling a priority. People need to understand what data is sensitive so they know to take appropriate steps to protect it. But you can’t guarantee that people will just know your policies and practices. Only when people know how to identify and handle data appropriately can they be accountable for doing so.

2) Promote ongoing awareness

Establishing a shared responsibility for security only works when people are aware. Make awareness an ongoing effort. Hang posters that grab attention and share tips. Send emails with stories and examples of people raising concerns. Make it a community effort and encourage peer recognition. Get help from security advocates or champions who speak up and help the cause.

3) Use technology to enhance and enable security

A tight culture of security is the first and best line of defense against data breaches. But mistakes happen and vulnerabilities get exposed. Providing tools that help users identify the type of data they’re using so they use, share, store, and dispose of it appropriately makes it easier to prevent and/or contain breaches. These tools are like a seatbelt for your data: Once you’re in the habit of using them, you don’t feel as safe handling data without them.

Data privacy is an ongoing concern

The conversations about data that start around Data Privacy Day each year are important to have, but just like the ongoing effort of building a culture of security, we have to keep the conversation going throughout the year.

Steph Charbonneau is one of the founders and chief technology officer for TITUS. His background as an IT security architect helps bridge the gap between customer requirements and TITUS products.


Honoring Those Who Serve and Sacrifice

November 10th, 2017

I’m moving too fast. We probably all are.

As the weather begins to cool, I realize that the day we honor soldiers who have served faithfully and dutifully is nearly here. And then I wonder if I’ve taken enough time to reflect. To show my appreciation. Have I – at the very least – donated enough money to veterans associations to help ensure that our veterans and their families are properly supported when they need it?

The answer is usually, embarrassingly, no.




“Keep This Between Us” and Other Classifications

October 12th, 2017

The recent data breach at Equifax was apparently the result of a failure to apply a software patch that was made available several months ago. I’m not writing this blog to continue piling on the situation and bash the information security team while they’re down. What I do want to focus on is the need for immediate action. In the world of data security, five months is an eternity.

What we believe here at TITUS (along with many others in the industry) is that most breaches can be avoided if we change how users – you, me, and all our colleagues – think about data. We need to adjust the user’s mindset and bring the thought of security into the daily routine.




CUI Compliance – What You Need To Know (Part 2)

October 6th, 2017

Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program defines a uniform policy for the treatment of unclassified information that requires safeguarding or dissemination controls. As of December 31, 2017, all federal contracts will require contractors to comply with the Federal CUI Rule (32 CFR Part 2002) that governs the treatment of CUI.

In the second installment of this two-part blog series, Patricia Hammar, founder of PKH Enterprises and a recognized expert in the areas of government policy and privacy, answers some additional questions on Controlled Unclassified Information (CUI) compliance.



CUI Compliance – What You Need To Know

October 2nd, 2017

Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program defines a uniform policy for the treatment of unclassified information that requires safeguarding or dissemination controls. This framework standardizes practices around the sharing of controlled unclassified information, with the goal of improving the sharing of information across Federal executive branch agencies.

In this two-part blog series, Patricia Hammar, founder of PKH Enterprises and a recognized expert in the areas of government policy and privacy, answers some key questions on CUI compliance.
