So, what sorts of things should your data protection policy cover?

• A designated role responsible for maintaining the policy
• A system for defining the classification of data based on its sensitivity or criticality
• Provisions for conducting a risk analysis to identify where sensitive data is stored, how it is used, and where it travels to
• Established guidelines for data handling and protection procedures for employees
• Defined disciplinary measures for violations of the policy
• Restrictions on physical access to the servers that store and process sensitive data
• A plan for backing up critical and sensitive data, and ensuring that the backup data is secure
• A system for monitoring and periodically reviewing data access to ensure it is safe
• Define data breach incident reporting requirements and incident handling procedures
• Establish a periodic review of the data protection policy to modify or update it as needed

This is just a baseline, but it’s a start. If you don’t have a written data protection policy that your employees are aware of you can’t expect them to follow it. Develop an effective data protection policy, then support and enforce that policy with the award-winning tools from Zecurion.

Zecurion is offering special discount pricing on our award-winning data loss prevention and encryption products through the end of the year. Is your data adequately protected? Do you have the right tools in place to enable you to exercise some control over how and where your sensitive data goes without getting in the way of productivity?

You simply purchase the one-year support agreement, and we’ll throw in the product license for free. It is an 80 percent savings off the normal price. You owe it to yourself — and the employees, customers, vendors, and others that trust you with sensitive data — to take advantage of this offer before the ball drops at midnight on December 31.

Your 2012 will be much happier if you have the peace of mind that comes with knowing your data is protected. Happy New Year!

Security vendor Sophos recently bought a number of USB thumb drives at auction that were left behind on trains. Sophos found that two-thirds of the USB thumb drives contained malware–possibly suggesting they were intentionally “left” behind to be found and used by an unsuspecting victim. But, the 50 USB drives comprised nearly 140GB of potential lost data.

None of the USB keys was encrypted, and none of the USB keys contained any encrypted data. None. Sophos found all kinds of interesting data on the USB keys, including lists of tax deductions, minutes of an activists’ meeting, school and University assignments, autoCAD drawings of work projects, photo albums of family and friends, a CV and job application, and software and web source code.

Don’t let that be your data. Make sure you have policies and security controls in place to control what data is allowed to be stored and transported on portable storage media, and make sure your data is encrypted so it is protected even if that media is lost or stolen.

There are, of course, attackers out there with low moral character, a lack of ethics, and too much time on their hands who will not hesitate to exploit holes and expose data if possible. However, if you review the data breaches large and small that occur on a daily basis, the vast majority have nothing to do with any attack at all. Sensitive, personal information is compromised and exposed because the authorized users entrusted with that information are often clueless–or at least careless–in how they handle it. There are school principals accidentally uploading sensitive information, employees tossing files with personal information into public trash bins, and many employees with unencrypted data on laptops, tablets, and smartphones that are easily lost or stolen. The hackers often don’t have to work very hard.

Organizations should do more to educate users and increase awareness about sensitive data, data protection policies, and proper data handling procedures. Beyond that, though, organizations should have tools in place on the endpoint systems, monitoring the flow of network traffic, and protecting data at rest on servers to ensure that a lapse in judgment doesn’t lead to a data breach.

Because protecting data is not a black and white issue, the solution needs to be more flexible than simply blocking or allowing access. Zecurion’s Zlock gives IT admins the ability to apply fine-tuned controls that prevent the unauthorized copying and storing of data without impeding legitimate, authorized use of removable media at the same time. Just as one person may have no business opening a file that another person needs to do their job, one person may have no legitimate business purpose for storing data on removable media, while the next person may need that capability to perform their job function. A solution that simply locks down USB ports is like killing a housefly with a hand grenade, and applies too broadly to provide functional data protection.

Zlock takes it a step farther, though. Jim may have a business need to store sensitive data on a removable drive, but you don’t need to grant blanket permission to Jim. You can still set up controls in Zlock that let Jim store data on a USB flash drive, but only if the data is encrypted. In fact, IT admins can configure Zlock to only allow Jim to store data on a specific brand of company-issued flash drives, or even a specific hardware ID of an individual USB flash drive issued to Jim. That way, data is protected, and the flow of sensitive data is controlled, but Jim is still able to do his job without having to jump through any additional hurdles.

Now, through the end of 2011, you can get Zecurion Zlock for 80% off.

Michael Pattison, the head of Allens Arthur Robinson’s technology law group is quoted saying, “Ultimately you trust people that you employ, so it’s depressing to find at times that the trust is breached.”

When employees leave a company–whether through firing or of their own accord–they often take proprietary and sensitive data with them out the door. Computershare is learning that lesson the hard way. An employee resigned and the company is accusing her of having stolen internal documents, emails, and possibly personal data and financial records of millions of shareholders that rely on Computershare’s global share registry.

A certain measure of trust is expected between employees and employers. If either party can’t trust the other to some extent, it creates a paranoid, hostile work environment. But, trust is a poor policy for data protection, and companies need to have tools in place to secure sensitive data even from the employees it is entrusted to.

The compromised data includes names, ID numbers, addresses, birth dates, and other sensitive data such as relationships between individuals for 9 million Israeli citizens. The information was illegally distributed in a program called Agron 2006 which enables users to query the database and drill down through the data to identify demographic sectors of society, and trace the relationships between key individuals. In the wrong hands, this information could be used to target certain groups or individuals, and put their extended families and friends at risk as well.

The Justice Ministry investigation has been ongoing for five years, and just recently resulted in the arrest of six individuals. Bringing responsible parties to justice is important, but the proverbial horse has already escaped the barn. Hopefully the Israeli government has implemented better data encyrption and data loss prevention tools to prevent such incidents from occurring in the first place in the future.

In this particular case, though, Anonymous Austria insists that it didn’t have to do any fancy hacking to get the data–it just “found it”. TGKK agrees because it is adamant that its network and servers were not breached.

A TGKK official stressed that no hackers have penetrated the insurer’s double firewall. But, if personal information on 600,000 customers has been exposed or compromised in any way, the double firewall and extensive security measures in place internally on TGKK servers offers little solace.

The fact remains that data entrusted to TGKK–that TGKK is obligated to protect and securely maintain–is now in the hands of someone else. In fact, it is actually a larger issue that the information was just “discovered” online somewhere. It would be better if Anonymous Austria had to demonstrate some degree of hacking prowess to acquire the data.

The question for TGKK is “what good is a double firewall and formidable server protection if you transmit or share unencrypted and unprotected data across the Internet?”

TGKK should be using tools to ensure that sensitive data doesn’t leave the network in the first place. If the data transmission is authorized and legitimate, TGKK should have a record of exactly who sent the data and where it went, and the data should be encrypted so it can’t be intercepted and accessed by unauthorized users.

I think we’ve all been pretty tolerant of data breaches up to now. Perhaps too tolerant.

We always give the benefit of the doubt to companies and their employees: “They didn’t mean to expose my Social Security number”, or “I’m sure it was an accident that the medical center posted my health record on the Web”, or “Well, it’s not my bank’s fault that the postal system lost the disc with my data on it.”

But, those excuses won’t fly any more. Companies and employees do know better. It is a simple matter of having solid data handling and data protection policies, and the tools in place to enforce them. That worker probably didn’t intend to expose your Social Security number, but a data loss prevention (DLP) tool could have prevented the inadvertent exposure. It probably was an accident that your medical records were posted online, but a DLP gateway would prevent that information from leaving the network. Your bank can’t guarantee that the post office won’t lose a disc in transit, but they can have tools in place to automatically encrypt data so that it is protected from unauthorized access.

In the past, we could forgive these things. But, data breaches are in the news almost daily. There are multiple industry, state, and federal mandates in place governing the effective protection of personal and sensitive data. No company or employee can claim ignorance at this point.

No. Now it’s a matter of willful neglect. Employees know what they’re supposed to do, but they’d rather take shortcuts and ignore data protection policies. Companies know what they’re supposed to do, but they’d rather save a buck and gamble with your personal data instead. 

DLP tools are not expensive–especially in relation to a data breach. There is no excuse.

However, you will still have authorized users who have access to confidential company data, and sensitive employee or customer information. The point of a tool like Zlock is to enforce data policies and prevent data leaks without impeding the day to day productivity of those with a legitimate need to work with that data. So, what happens when an authorized employee decides to willfully violate policy, or if the USB thumb drive of an authorized user is lost or stolen?

Thankfully, Zlock’s Shadow Copy enables you to monitor and inspect files accessed and moved/copied from the network. Shadow Copy provides a silent or shadow copy of all data along with other auditable information. This reinforces personal accountability and prevents unnoticed data leaks.

Zlock copies all documents written to an external device to a secure log on the local machine and transfers the log data to network when the local machine is connected to the network. Zlock’s Shadow Copy can track specific information about the file and its contents–date and time of the event, user’s credentials, type of device used and other useful data–providing you all the necessary facts to investigate any security incident or breach. The information can be tracked and grouped by specific users, user groups, types of media and other criteria, enabling you to compile the precise data needed to meet audit requirements or conduct forensic investigations after a data loss incident.

In addition to preventing unauthorized movement and copying of electronic files, Zlock Shadow Copy also provides the same audit trail capabilities for printed materials, giving the organization ultimate control over all network endpoints, both inside and outside the network perimeter.

When you use tools like Zlock and Zgate, you can prevent virtually all data leaks. For those instances where an authorized user becomes the attacker, or when an authorized user has data lost or stolen, the Shadow Copy feature is a life saver.