One way that OU would be able to be certain that student information was not compromised is if the data stored on the laptop, or on servers the laptop has access to was encrypted. I am not sure why these incidents seem to occur almost exclusively at medical establishments and educational institutions, but simply investing in the proper security controls up front can save time, money, and embarrassment for the organization, as well as protecting the personal and sensitive information the organization has been entrusted with.

Examining the issue of data encryption in the cloud, the article states “Several providers of cloud-based backup storage install appliances at the customer site to accommodate encryption, but Flushing was not interested in that setup.”

It also explains “At Flushing Bank in New York, CIO Allen Brewer turned to the cloud for data backup after getting fed up with on-site tape backup. Using Zserver from Zecurion, Flushing is now sending files over the Internet to be stored for backup.”

 Read the white paper Protecting Data in the Cloud to learn more about encrypting and protecting data in the cloud with Zecurion’s Zserver.

Following on the heels of the recent botnet compromise at Penn State University, Tufts University has discovered that “several computers were recently exposed to an unknown virus or malicious software program.” As a result, roughly 7000 alumnus may have had their student ID numbers exposed–and like Penn State University the breached data is legacy data from a time when the university used the student’s Social Security number as their student ID number.

Universities, including both Penn State University and Tufts University, have abandoned that practice, but apparently have not found the time to go back through archive data and old databases to purge legacy information from the servers. While that is still a good idea, and a project that these universities should be pursuing, having sufficient data protection controls in place, such as encrypting the stored data, would ensure that it would not be exposed even in the event of a malware compromise or breach of the server itself.

A small investment in proactive security measures goes a long way and saves the organization from the lost reputation, time, and money involved in responding to a data breach incident.

Penn State has not used SSNs as a student identifier for 5 years, however an archived copy of a legacy database apparently still existed on the compromised server.

A Penn State spokesperson explained that “We have, of course, standard defenses: site-licensed antivirus, unit firewalls, patching, vulnerability scanning, web application scanning, intrusion detection and blocking of confirmed hostile sites or frequently probed ports. When a machine is compromised, it must be re-installed from known ‘good’ media before it’s allowed back on the network, since it’s not possible to truly clean a machine that’s been fully compromised.”

All of those are excellent security controls and fit nicely with established security best practices. However, the data itself should be encrypted so that if and when an attacker figures out how to circumvent those defenses the data itself will still be impervious to unauthorized access.

In a perfect world, simply stating that data should only be stored on approved USB devices, and that all data on portable storage media must be encrypted would be good enough. In the real world, though, simply stating it is not good enough. Stating a policy–without any means of monitoring or enforcing compliance with it–is simply paying lip service to data protection and gambling that a data breach incident will never occur.

West Berkshire Council lost that gamble when an unencrypted USB memory stick containing sensitive information relating to the ethnicity, and mental and physical health of children was lost. The report also contains this quote “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.”

The best option to ensure correct safeguards are in place is Zlock. Zlock allows IT administrators to restrict users from writing to data to unapproved portable storage media. Access can be locked down to devices from a particular manufacturer, or of a particular type. A specific USB memory stick can be associated with each individual user, and all other memory sticks can be blocked.

In the case of West Berkshire Council, Zlock would have been instrumental in ensuring  that users relied on the encrypted USB memory sticks they were issued four years ago, rather than storing data on the now lost unencrypted USB memory stick.

While some email programs have a feature that allows for a message to be recalled, that functionality usually relies on two things- 1) the recipient must be on the same mail server–in other words someone in your same organization, and 2) the recipient must not have already received and opened the errant email message. Typically, what happens is that someone tries to recall a message and the errant recipient receives a notification that the sender would like to recall the email message, which just piques the recipient’s curiosity and draws attention to the fact that there is some reason the sender does not want you to see the message. Its not a very good system.

All of that is a long way of getting around to a recent data breach incident that occurred in Ireland. An error occurred in merging account data into emails which resulted in the wrong account information being sent to various parties and compromising the data. Since the account data merging was an automated process, it seems fair to assume that the sender did not actually have an opportunity to review and approve each email prior to transmission. It seems that the Tralee Town Council was not aware of the problem until it was too late.

One way to ensure that sensitive or confidential data isn’t accidentally emailed out–and maybe prevent that “oops” feeling one gets when realizing sensitive information was emailed to the wrong party–is with Zgate. Zgate analyzes the contents of all fields in the email, including the body and file attachments, ensuring that sensitive information remains secure.

Just in the past couple weeks there have been two incidents of laptops from medical centers being lost or stolen. One from the Oconee Physician Practices contained name, date of birth, gender, height and weight, blood pressure and some other medical data connected with the EKG from more than 600 patients. Another laptop from Loma Linda University Medical Center had patient’s name, medical record number, diagnosis, surgery date, and the type of procedure for more than 500 patients.

How many laptops have to be lost or stolen before IT administrators and executive management realize that data has to be proactively encrypted and protected? The investment in the right tools to do the job–like Zecurion Zserver Suite–is significantly less than the cost–financially and to the company’s reputation–from being responsible for compromising the sensitive and confidential data of customers or employees.

Since HHS began tracking and posting these breaches in late September of 2009, there have been 77 such incidents, impacting a total of 2.4 million individuals. That is an average of more than 30,000 breached records containing personal information for each incident. A 2009 study by the Ponemon Institute found that the average cost of a data breach in the United States is $208 per compromised record, making the average cost of these 77 data breaches over $6.5 million.

Some of the data breaches were the result of physical data–forms and paperwork–being thrown into a dumpster. But, nearly 75 percent of the incidents involved unencrypted data stored on servers, backup tapes, or portable storage media.

Applying the averages–here is the bottom line: 56 out of 77 incidents could have been prevented if those organizations used Zecurion Zserver Suite to encrypt and protect data. That means that nearly 1.8 million of the 2.4 million affected individuals would not have had their personal data compromised, and that thesr organizations could have avoided a combined $364 million in costs to clean up after the breach.

The investment in proactively protecting data is significantly less than the cost of reacting to a data breach incident, and it doesn’t have the long-term negative impact to the organization’s credibility and reputation.

Since 1997, Minnesota-based Cyber Advisors (CA) has been providing information technology, e-business services, and solutions that work and grow with their clients. Consistently ranked one of the fastest growing companies by CRN and Inc., CA takes a true 360-degree view of technology and business, applying their knowledge and expertise to build, support, and use technology that enriches their clients and enhances performance. Key practice areas include security, storage, virtualization, DR/backup, Microsoft consulting, and outsourced managed services.

“Auditing and compliance used to be issues specific to the financial and healthcare sectors, but lately they have been spilling over into other industries,” says Cyber Advisors president and CEO Shane Vinup. “There are many security products on the market, but they don’t give companies the control they need. Zecurion is the only single-bullet security solution that fits in terms of price, and allows users to work when and where they want while maintaining corporate control over the data.”

“We’ve been aggressive in terms of creating a security solution that blocks, controls, and encrypts sensitive information, and we’ve been equally aggressive at creating a partner program that will attract high caliber partners like Cyber Advisors,” says Zecurion CEO Alexey Raevsky. “We’re pleased that Cyber Advisors selected Zecurion to be their security partner.”

You can learn more about Zecurion and Cyber Advisors at the Secure360 conference today and tomorrow in St. Paul, MN.

Moltzen begins by explaining the issue faced by organizations “Even well-meaning and well-trained employees can put data at risk on a network, and even heightened network firewalls can’t keep all data from walking out the door. Having data on a network means it could become available for download onto DVDs, floppy drives or thumb drives. Sensitive data could even be errantly left on a printer’s hard drive or cache–allowing anyone with the know-how to steal it.”

The conclusion Moltzen arrives at after seeing Zlock in action: “That’s why we think the approach taken by emerging security vendor Zecurion makes so much sense. Zecurion’s Zlock application provides a straightforward approach to securing and managing a network’s potential open doors and breaches, and it’s an approach that it makes too much sense to ignore.”

Moltzen adds “We think Zecurion could be on the way to becoming one of the stronger players in the data security space, and the company is a strong alternative for VARs to consider when looking at solutions for small or midsize businesses or workgroups.”

Read the complete article for more from ChannelWeb. To learn more about Zlock, click here.