» 

Blog

Get the Guide: Meeting GDPR Requirements with GoAnywhere MFT

GDPR and GoAnywhere data sheet

The General Data Protection Regulation is set to replace the Data Protection Directive in the EU on May 25, 2018. At this time, and long afterward, organizations that aren’t found compliant with its requirements will face hefty fines and penalties.

Are you ready for the GDPR? Is your organization at risk of being found noncompliant, or worse, facing a potential data breach of sensitive personal data? Many companies meet these questions with unease.

But don’t worry. GoAnywhere is here to help.

The General Data Protection Regulation aims to give EU citizens control of their personal data. What is personal data? According to this press release from the European Commission, it’s defined as “any information relating to an individual whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

For organizations to protect and secure this personal data, the GDPR requires them to meet eight different rights. They are:

  • The right to be informed*
  • The right to access
  • The right to rectification
  • The right to erasure
  • The right to restriction of processing
  • The right to data portability
  • The right to object processing
  • The right to not be subject to automated decision making

GoAnywhere MFT is an all-in-one managed file transfer solution that can help organizations meet the GDPR’s eight rights (excluding the one marked with an asterisk) through a variety of key features. These include encrypted data transfers, key management that stays in the company’s control, secure emails, auditing/logging capabilities, and more.

If you’re looking for a comprehensive way to address GDPR requirements, we’ve put together a guide that demonstrates which key features in GoAnywhere MFT will help you fulfill specific GDPR standards.

Download the guide to learn more about how GoAnywhere makes GDPR compliance easy.

 


Should You Really Change Your Password Every 90 Days?

 90 day password policies

If you’ve worked a job that requires you to have login credentials, you’re probably familiar with the common “90 day rule” for passwords. The rule being: change your password every 90 days (or 45 days, depending on the workplace). It’s a security best practice that will keep your accounts—and your organization—secure from hackers and nosy coworkers.

The “90 day rule” has been around for years, and no matter how each individual company decides to enforce it (some are encouraged to change it around the three month mark; others receive emails or warnings that count down the days until the current password expires), the outcome remains the same. Employees around the world stop what they’re doing, think up a new, hopefully strong password, and apply it as quickly as possible so they can get back to work.

This is the way it’s always been done. Changing your password makes the network secure and thwarts evildoers, right? And the good outweighs the inconvenience. Why fix what isn’t broken?

Unless it is broken.

Emerging studies from University of North Carolina at Chapel Hill and Carleton University report that requiring password changes every 90 days may not actually be the best way to protect your company data and user accounts. In fact, some big organizations are actively starting to question this practice: in 2016, the National Institute of Standards and Technology (NIST) put out new guidelines that recommend removing routine password change requirements.

So, should you really change your password every 90 days? There’s no absolute consensus in the IT industry yet, but there are good arguments on both sides. To help keep you informed, we compiled information about each perspective. Here’s what we found:

The “No” Camp

On one side of the ring, we have the “no” camp, the organizations and thought leaders that are talking about how outdated mandatory password rotation policies are. The main theory for the 90 day naysayers? Requiring frequent changes causes users to create weak passwords—or simply slightly modify their current one.

Lorrie Cranor, computer science professor at Carnegie Mellon University, spent a year with the U.S. Federal Trade Commission as a Chief Technologist. During this time, she wrote on the FTC blog: “There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can easily guess.”

Think about the passwords you create. In the frustration of the moment, have you ever created a new password similar to your last one, just with different punctuation or capitals? A majority of users probably have at least once. According to a study by University of North Carolina, Cranor writers, the people whose credentials they had access to “tended to create passwords that followed predictable patterns … such as incrementing a number, changing a letter to a similar-looking symbol…, adding or deleting a special character…, or switching the order of digits or special characters.”

Troy Hunt, author at Pluralsight and Microsoft Regional Director, also addressed the “90 day rule” in our recent project, Cybersecurity Myths Debunked. His thoughts? The myth about password rotation is “really interesting because we have this mix of opinions at the moment where most organizations say ‘you must rotate your password every 90 days in order to keep it secure’ and on the other side you have The National Cyber Security Centre of the British government and NIST saying ‘don't do this because it makes it worse!’ And I love the rationale that they use, it's just so pragmatic: If someone gets your password, they're not going to wait 90 days to use it, they're going to use it now!”

Hunt’s point is an important one. If a hacker has access to your password, changing it to something different is unlikely to be effective.  Chances are, they’ve already peered into your account, maybe even installed a keylogger to cull your future credentials. The fix to a compromised account isn’t to update your password; the fix is to create a unique password for each account, then tighten your security through measures like multi-factor authentication and slow hashing (a hashing algorithm that slows, if not completely thwarts, brute-force attacks against hashed passwords. Many people use Bcrypt for this).

The “Yes” Camp

On the other side of the ring, we have the “yes” camp, the organizations and thought leaders that are talking about how important the “90 day rule” is for IT security. The main theory for the 90 day hype? If you change your password every three months, a hacker that has access to an old password (say through a data breach) won’t be able to use it forever, and won’t be able to use it across your accounts.

Many data breaches have happened over the years. In May 2017, 560 million email credentials were leaked, which included “a collection of data from previous breaches at LinkedIn, Dropbox, LastFM, MySpace, Adobe, Neopets, Tumblr and others,” reports this article from LifeHacker. If you change your passwords frequently and use strong/unique passwords that aren’t similar to your previous ones, your data is likely safe. But if you rarely change your password, have an account with an organization affected by a leak, or use the same password across multiple accounts? Well, you may be out of luck.

As an aside: You can check to see if any of your accounts were leaked in the breach using Have I Been Pwned, a tool created by Troy Hunt that scans for your email account in a list of data that’s been publically released. The results may surprise you, and inspire you to update your account security.

No matter which camp you personally fall in, it’s critical to use almost-impossible-to-crack passwords and enable multi-factor authentication, especially for accounts you have with financial institutions, medical institutions, and email providers. To ease this burden, many thought leaders recommend using a password manager, like LastPass or 1Password, that allows you to create original passwords for your accounts without having to remember them all … or inevitably stick a colorful post-it note under your keyboard (hint: don’t do that).

Do you subscribe to the 90 day rule? Share your thoughts in the comments below.

 


4 Understated Tool Categories for Cloud App Security

how to protect your cloud applications

As more and more organizations migrate their data to the cloud, IT teams discover a new world of useful cloud apps, from cloud-supporting hardware to new software and services that promise to make business processes easy and efficient. However, every cloud app you add to your arsenal needs its own protection, even if the data itself is locked up tight.

Cloud migration also introduces another concern: shadow IT. Moving to the cloud can inspire employees or departments to use software and services that aren’t always approved by the usual channels beforehand. Employees can also use personal technology at work “or niche technology that meets the unique needs of a particular business division and is supposed by a third-party service provider or in-house groups, instead of by corporate IT,” according to TechTarget’s definition of shadow IT. Once these tools (including Dropbox, Google Docs, or instant messaging services) are implemented, it’s not always easy to root them out—but it doesn’t have to be hard to secure them, either.

Whether you’re using IT approved apps or have shadow apps hiding in the corners, always make sure they’re protected. Not sure where to start? Here are four understated tool categories you should use for cloud app security, as well as a few matching products or services that address each one.

DDoS Protection Tools

A DDoS (Distributed Denial of Service) attack happens when a malicious user or group floods a service with traffic from multiple sources, intending to cripple the business and make it unusable for an extended period of time. When the service goes down, people can’t access it. The situation becomes a complete nightmare for everyone involved.

DDoS attacks can be devastating to an organization’s bottom line. A single successful attack can cost upwards of $2.5 million, and DDoS disruption alone can cost around $100,000 an hour in lost revenue. What’s worse, the number of DDoS attacks per year only continues to rise, with Neustar reporting that a whopping 84% of companies have experienced an attack in the last year, compared to 73% in 2016.

It’s imperative for businesses to take DDoS attacks seriously and implement tools that will thwart their efforts. Here are a couple DDoS protection tools you can use to secure your cloud apps:

AWS Shield

Amazon Web Services offers AWS Shield, “a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS.” AWS Shield works with Elastic Load Balancing, Amazon CloudFront, and Amazon Route 53 to detect DDoS attacks and provide automatic mitigation whenever needed.

Do you currently use AWS as your cloud services platform? According to their website, “all AWS customers benefit from the automatic protections of AWS Shield Standard,” which protects your applications from network and transport layer attacks.

aiProtect

Microsoft Azure offers aiProtect Denial of Service Protection, a service that “automates the identification and mitigation of Denial of Service (DoS & DDOS) attacks, while providing detailed reporting necessary to end the attack.” aiProtect can protect your cloud applications by reviewing incoming traffic requests and blocking ones that are suspicious, giving you time to act before the attack takes down your network.

Cloud Access Security Broker (CASB) Tools

CASB tools give you the power to retain control of your cloud apps while simultaneously monitoring them for threats and vulnerabilities. TechTarget’s definition of CASB states, “CASBs use auto-discovery to identify cloud applications in use and identify high-risk applications, high risk users and other key risk factors,” which is a great asset for organizations that have shadow apps.

Cloud Access Security Broker services act between an organization and the cloud to make sure all network traffic abides by set security policies. They can provide valuable insights into where data is going, what cloud apps the business uses, what actions users and accounts are taking in their daily work environment, what threats exist in the infrastructure, and more.

Knowing what apps your business uses and what threats they may pose is also an important part of protecting your data, and your cloud processes. Here are a couple CASB tools you can use to secure your cloud apps:

CipherCloud

CipherCloud is a CASB solution that helps “monitor and rate over 15,000 cloud applications, and [the] intuitive drill-down dashboard lets you identify all clouds and block risky apps.” With a tool like CipherCloud implemented, you can assess business risks and vulnerabilities, then address them using available policy actions (notify, quarantine, user self-remediation, etc) without interrupting regular business processes.

Skyhigh

Skyhigh is another popular CASB platform you can implement on a single cross-cloud platform to “gain visibility into cloud usage and risks, meet compliance requirements, enforce security policies, and detect and respond to potential threats.” It offers a variety of key features for governance, threat protection, compliance, and security throughout their solutions and products.

Data Loss Prevention Tools

Are you worried about losing control of your data? Most people are. When you move your data to the cloud instead of having it in your internal network, it’s hard to imagine letting go of your assets—which is why we suggest using a data loss prevention tool. A DLP tool helps you keep control of your data during migration, protects it while it’s at rest in the cloud, and can alert you to any data placed in the cloud that shouldn’t be there.

Knowing exactly where your data is and if it’s vulnerable or not can give back some of the control you need and let you rest easy at night. Here are a couple DLP tools you can use to secure your cloud apps:

McAfee

McAfee Total Protection for Data Loss Prevention “safeguards intellectual property and ensures compliance by protecting sensitive data wherever it lives.” It gives you a detailed look at where your data is being used, allows you to pinpoint and address any leaked data you might have, and uses “flexible file tagging to set up time-saving data security policies based on location and application types.”

Digital Guardian

Digital Guardian’s Data Loss Prevention solution works to protect your assets by tagging sensitive data as classified whenever a user requests it. If the user then attempts to send the data outside of the network or to the cloud, the solution blocks the transmission. Digital Guardian for Data Loss Prevention also automates classification of sensitive data and stops leaks without affecting employee productivity.

Cloud Backup Tools

Backing up company data is often listed as a security best practice, and it’s very true: you should have a plan in place for creating frequent cloud backups. But are you storing your backups off-site, or is everything kept in one place or accessible from the same account?

Code Spaces, a company that once offered source code management tools to developers, met a dismal end at the hands of a hacker, in part because their backups were controlled from the same control panel as their data. “An attacker gained access to the company’s AWS control panel and demanded money in exchange for releasing control back to Code Spaces,” writes Paul Venezia, Senior Contributing Editor at InfoWorld. “Code Spaces had replicated services and backups but those were all apparently controllable from the same panel and, thus, were summarily destroyed [when they tried to take back control].”

Implementing a tool that places your cloud backups off-site is a simple way to save your organization a lot of potential heartache. It may cost time and resources to put every piece in place, but you’ll be two steps ahead of any security disasters you face in the future, as your data will be protected.

Sadly, Code Spaces didn’t have a chance without off-site backups. But you can. Here are a couple backup tools you can use to secure your cloud apps:

Azure Backup

Microsoft Azure’s BaaS solution, Azure Backup, protects your data wherever it’s at rest (the cloud, your data center, your office locations) by providing six offsite backup targets of your applications stored in two different Azure datacenters. Azure Backup can also integrate with Azure Site Recovery, which orchestrates protection and recovery of private clouds.

Asigra Cloud Backup

Asigra Cloud Backup is a cloud-to-cloud backup and recovery service that can help you control the data you’ve entrusted to SaaS and PaaS providers. It “enables you to manage the recoverability of cloud-based application data in multiple ways,” including backing up your cloud environment to the data centers of your choosing, deploying backup policies to cloud app users for consistent protection, and scheduling backup activities from a single interface.

These four tool categories can absolutely kickstart your cloud app protection, but they’re not exhaustive. Is there a tool you use that we missed in this post? Leave it in the comments below!

 


8 Essential Resources to Help You Understand GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR) will be fully enforceable in the European Union (EU). This new regulation succeeds the Data Protection Directive, a two-decade old directive that’s languished in recent years due to the growth of available online information.

Once it’s officially required, the GDPR will apply to every member state of the EU and address the protection and movement of personal data. What does the EU consider personal data? According to this press release from the European Commission, it’s defined as “any information relating to an individual whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

Are you prepared for GDPR compliance? This regulation will change the way data is handled and threaten companies with strict consequences if they fail to cooperate, so it’s vitally important that European businesses—and even international businesses that handle the data of EU residents—are aware of what’s coming and address needs now to satisfy upcoming legal and customer requirements.

If you don’t have a clear grasp on what GDPR entails, don’t panic. This helpful list of resources will tell you everything you need to know.

 

1. A Primer on the GDPR: What You Need to Know [Article]

This quick seven-minute read from Proskauer, a privacy and cybersecurity practice group, covers basic information behind the what and why of the GDPR.

Why it’s helpful:

Not only does this article discuss why the Data Protection Directive needs to be replaced, it compares the two regulations and gives readers insight into the potential business implications that will follow the change, such as increased violation fines.

 

2. GDPR Compliance in 5 Minutes [Video]

Are you involved in marketing? Do you have marketers in your company? If you answer yes to either of these questions, check out this video from Gated Content for a summary of how the GDPR will affect marketing methods. Tips on making your web forms regulation compliant are also included at the end.

Why it’s helpful:

Marketers are especially poised to be affected by the GDPR, as they frequently handle personal data through the use of web forms and opt-in consent. This video deconstructs GDPR compliance for marketers into simple ideas and easy-to-understand graphics.

 

3. The EU General Data Protection Regulation Website

The EU General Data Protection Regulation website is a central space for GDPR education. Have a burning question about the GDPR? Check their FAQ, or follow their quick links to key regulation changes and a full regulation timeline.

Why it’s helpful:

Most resources on the internet cover the what, why, and when of the GDPR, but few tackle a FAQ quite as well as this website does. Learn about the difference between a regulation and a directive or read up on how the GDPR affects data breach policies. It’s all right here.

 

4. Preparing for EU GDPR [SlideShare]

If presentations are more your thing, this SlideShare from IT Governance in the UK is a great way to start learning about the GDPR. It’ll walk you through each article of the regulation, then leave you with nine steps you can take to meet GDPR compliance.

Why it’s helpful:

Each slide is packed with the knowledge you need to get a decent overview of the GDPR. We particularly love the explanations of what “natural person” (#7) and “personal data breach” (#9) mean. IT Governance also includes an hour-long video (#32) at the end, providing more context to the entire presentation if you need it.

 

5. EU GDPR: A Pocket Guide [Book]

Available in paperback and Kindle, this 56-page resource is promoted as “a clear, concise primer on the EU GDPR,” great for reading on your morning commute or over lunch hour.

Why it’s helpful:

If you need portable, pocket-sized information on the GDPR, we highly suggest this book. It covers the history of data protection, runs through a list of regulation terms and definitions, and describes what is expected of your organization during (and after) this important transition.

 

6. GDPR Simply Explained in 3 Minutes [Video]

Time is valuable. We know what it’s like to need information delivered quickly, without the additional fluff.

If you’re looking for something plain and concise, this video may be a beneficial resource in your arsenal. It explains the GDPR and its requirements in only 3 minutes, leaving you more time to focus on your business (and enjoy that morning cuppa).

Why it’s helpful:

If you’re a visual learner, this video’s strengths lie in its clean layout and helpful discussion on key regulation buzzwords. We also deeply appreciated its explanation of the GDPR requirements businesses must follow as soon as this regulation is enforced (May 2018).

 

7. 10 Ways to Prepare Your Organization for GDPR [Article]

Feel like you have a handle on the GDPR but aren’t sure what to do next? No problem. This article lists 10 ways you can prepare your company for GDPR compliance by May 2018.

Why it’s helpful:

Step-by-step instructions make it easy to plan ahead, and we love this resource because it does exactly that: give you the details you need to make informed decisions in your organization. Suggestions like “take a hard look at your current processes” and “educate your employees on updated consent requirements” help get you in the mindset of the new regulation—and bring you closer to full compliance.

 

GDPR Infographic8. What Does the GDPR Mean for Global Data Protection? [Infographic]

Infographics are great tools for education, and this one is no exception. In fact, all of all the resources we’ve shared, this is our favorite. It’s straight-forward and dressed with the information you need to move forward with GDPR compliance.

Why it’s helpful:

The chart is glued together with incredible statistics, a thorough timeline of the GDPR’s history, visual explanations of what this new regulation means for businesses that handle European data, and more. It’s easy to read and even easier to share, making it an authoritative resource to distribute across any organization.

 

 

 

Love resource lists? So do we! For information on another important area of business compliance, PCI DSS, check out our 7 essential resources on PCI DSS security.

Have a resource you’ve used that isn’t accounted for here? Share it with your fellow professionals by submitting it in a comment below.

 


7 Cloud Security Best Practices for Amazon Web Services

AWS cloud security best practices

Temporary and permanent storage of data in the cloud has grown in popularity over the years. Companies like Land O’Lakes and Boeing moved their information to the cloud last year to simplify the technology they used. Video-streaming behemoth Netflix finished their journey to the cloud in early 2016 after seven years of moving systems and customer services to Amazon Web Services (AWS).

What inspired this change from on-premises storage to the cloud? Ease of use and implementation, the cost-effectiveness of the cloud over having to maintain physical servers, and worldwide access to cloud storage without being dependent on a single network or location are just a few of the positives that encourage companies to migrate. Some cloud providers, like AWS, can even scale in either direction to support growing business needs—meaning you only pay for what you use.

This transition to the cloud brings a new set of security risks to the table, though. According to Digital Guardian, you lose some control over sensitive company data once you put it in the cloud, since that data is transferred to the cloud provider, versus stored on-premises. To prevent interception of data while stored or transferred within the cloud, companies should ensure they are encrypting files during storage and transit using a managed file transfer solution like GoAnywhere MFT. The cloud also allows personal devices to connect to and interact with data, and this has its own positives (flexibility in cloud use) and negatives (compromised information if a connected device is stolen or hacked).

Amazon Web Services markets itself as a “secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.” As companies move to AWS for their cloud storage needs, they’ll have the opportunity to increase their productivity and reliability as long as they maintain best practices for cloud security.

If you’re getting ready to move your data to Amazon Web Services or already have, here are seven best practices for AWS we recommend to get the most out of your cloud security.

1. Document your AWS processes and procedures, then keep them updated

Imagine you have a very specific file structure set up in the cloud, complete with categorical folders that are protected by different levels of permission. You know that all company sales data should go in a specific folder, but a coworker, though meaning well, doesn’t know and decides to transfer sales data to a different, unprotected folder. Chaos ensues.

To avoid this type of confusion, create consistent cloud practices everyone can follow. Document your AWS processes and procedures. Store them in a common space that the organization can access, like a shared drive on the internal network. And update the document every time something changes in your cloud approach to help coworkers, stakeholders, third party vendors, and trading partners remain on the same page.

2. Use AWS CloudTrail to track your AWS usage

Understanding what actions users take in the cloud is an important step toward keeping your data secure and in the hands of those you trust. Use an AWS service like Amazon CloudTrail to anticipate and prevent security vulnerabilities in the cloud through “governance, compliance, operational auditing, and risk auditing of your AWS account”.

AWS CloudTrail can do the following tasks, and more:

  • Create API call history logs
  • Record when objects or data are created, read, or modified
  • Calculate and give you risk reports on your cloud storage account
  • Determine who makes changes to your cloud storage infrastructure
  • Track who logs in to your accounts (including successful and failed login attempts)

3. Complete risk assessments as often as possible

Even though the cloud is run by Amazon Web Services, both AWS and your organization are responsible for making sure nothing falls through the cracks. This includes maintaining “adequate governance over the entire IT control environment regardless of how IT is deployed” and having “an understanding of required compliance objectives and requirements,” among other things.

AWS completes and publishes risk assessments for their services, and you should do the same for the data you’ve stored in the cloud. Each time you give a new key player (including third party vendors and trading partners) access to your AWS cloud storage, walk through the following steps:

  1. Review the risks you currently know about and ensure they’re still being addressed
  2. Identify and add new risk scenarios to your list. Plan for how to tackle them
  3. Identify the key players who have access to AWS and ensure they’re following standard security hygiene
  4. Assess your AWS account. Make sure your settings, policies, and security are still relevant
  5. Consider the steps you should take next to manage your data and prevent future risk

Remember, risk assessment is an ongoing process that allows you to find and address security concerns in your infrastructure. Since storing data in the cloud takes away some of your control over sensitive company information by not being on-premises, it’s vital you complete assessments often to keep on top of potential security gaps and vulnerabilities.

4. Follow standard security hygiene for host and guest systems

Practicing standard security hygiene is one of the easiest ways to keep your data protected. These habits should become second nature, just like washing your hands or brushing your teeth, and will benefit you immensely without requiring much time or resources.

Enable multi-factor authentication for all accounts

Amazon Web Service’s MFA requires a user to provide two pieces of information to prove they’re authentic. The first piece is knowledge (something you know, your login credentials), the second is possession (something you have, an authentication code sent to an AWS MFA enabled device). Just enable multi-factor authentication for your AWS accounts to get an immediate boost in security.

Remove privileges from defunct accounts

When an employee, trading partner, or third party vendor leaves the relationship, clean out their account and delete any privileges they were given. This removes the temptation for a renegade player—or a hacker guessing at passwords and emails—to return at a later date and compromise sensitive company information.

Disable password-only access for guests

Even guest accounts should use multi-factor authentication wherever possible, even if they have limited authorities and privileges.

5. Manage and review AWS accounts, users, groups, and roles

Every so often, we recommend you review your AWS accounts, users, groups, and roles to gain a proper overview of the privileges and permissions they have. Are any of these stagnant or similar to other setups? Consider combining them. Are any of them no longer necessary? Limit the clutter. The less overlap there is, the better.

Administrators of Amazon Web Services accounts should pay special attention to the permissions listed for their S3 buckets. Several different types of access can be given to users, including list, upload, delete, view, and edit. A bucket can also be set to viewable for AWS account holders or anonymous users, which may cause high risk depending on the files in the bucket, so make sure to review your S3 buckets and permissions to avoid potential security pitfalls.

The bottom line? Provide your accounts, users, groups, and roles with the least amount of privileges they need to function. If someone needs temporary access, it’s better to add them in as they’re required and remove them right after to avoid information falling into the wrong hands.

6. Protect your access and encryption keys

If you’re using AWS to store your data in the cloud, you’re bound to have access keys and encryption keys. Access keys help AWS verify your identity against your login attempt and give you access to the resources you’ve been given. Users with different access keys may not be able to see the same things you do, so it’s imperative you keep your keys safe.

Similarly, encryption keys are used to encrypt and decrypt data. Since they unlock sensitive information, keep them separate from your data. This best practice is especially important for companies who need to comply with regulations like HIPAA, FISMA, and PCI DSS. “Essentially, the compliance requirements all say the same thing,” writes Luke Probasco for Pantheon, “encryption keys should never reside in the same environment or server as the encrypted data. This is a technical way of saying, don’t leave your key under the doormat a hacker walks in over.”

Here are just a few ways to keep your access and encryption keys safe:

  • Periodically delete any unused keys
  • Use temporary access keys instead of permanent ones wherever possible. This way, if an attacker compromises an account or discovers a user’s credentials, their access will be time-sensitive
  • Watch the encryption key life cycle and make sure new ones are properly saved and secured
  • Create procedures for worst case scenarios in the event a key is lost or tampered with

An easy way to protect your keys is to use AWS Key Management Services, the service Amazon offers that “makes it easy for you to create and control the encryption keys used to encrypt your data.” AWS KMS even integrates with AWS CloudTrail, Amazon’s log auditing service, so you can view logs of your key usage.

7. Secure your data at rest and in transit

When moving data between your network and the cloud, always encrypt your files and protect your communication using SFTP, FTPS, or SCP. Furthermore, keep them encrypted even when they’re at rest, sitting in an AWS S3 bucket or on a server. You can choose to encrypt single files or entire folders depending on your needs.

A managed file transfer solution can encrypt your files both ways using modern encryption methods. Good MFT software will help you stay up-to-date as encryption standards change over time, while also making sure your data transfers are easy to manage and audit.

GoAnywhere MFT, our managed file transfer solution, integrates with Amazon Web Services in a variety of ways. To learn how GoAnywhere MFT can meet your cloud needs, check out our Amazon EC2 platform page or request a demo.

 


Can HIPAA Certified Solutions Really Guarantee Compliance?

achieving HIPAA compliance

When searching for a new healthcare solution to meet your organization’s needs, it’s easy to see the labels “HIPAA Certified” or “HIPAA Compliant” and believe your bases are covered. After all, “HIPAA Certified” means the product or application follows HIPAA’s privacy rules and has everything in place to protect your health and patient information, right?

Unfortunately, no. While such a certification could be useful for organizations in the future, giving them peace of mind during the stressful process of shopping for new solutions, the U.S. Department of Health and Human Resources (HSS) “does not contemplate certification of HIPAA compliance, nor does it authorize any third party to provide an “official” certification,” reports this recent article from HealthData Management. This means businesses that tout their products as compliant or certified can do so—but can’t enforce the claim as legally true.

If you see a solution that’s labeled “HIPAA Certified,” you can still consider it as a viable option, just do so carefully. Businesses often use these terms as a simple way to say “we meet all of HIPAA’s rules and regulations in our given field, and we can help you take steps toward full compliance.” But they can’t guarantee their product will make you compliant, and ultimately the responsibility to become and remain compliant rests on you and your organization.

Rob Reinhardt, owner of Tame Your Practice, a company that provides consulting to mental health and wellness professionals, says this of “HIPAA Certified” solutions: “You cannot maintain HIPAA compliance by simply “only purchasing HIPAA compliant stuff.” Only Covered Entities and Business Associates can be compliant. They do so by following all of the requirements of HIPAA and HITECH, which are extensive.” Covered Entities are health care providers, like doctors and psychologists, health plans, like health insurance companies or government plans, or health care clearinghouses. Business Associates are people or businesses that help Covered Entities carry out their daily functions.

Are you shopping for a solution that will support your business processes and bring you one step closer to full HIPAA compliance? To make the search less painful, here are a couple tips we recommend following when vetting potential companies.

1. Read the Fine Print

When you come across a product that is labeled certified or compliant, read the fine print to see exactly what they’re offering you. Make sure they clearly list what they’ll do to help your organization achieve HIPAA compliance, and be wary of  any company that hides this information or won’t give it to you. We also recommend you think carefully before purchasing software from a business that’s been declared HIPAA compliant by a third party. Just because someone else says they’re compliant doesn’t mean they are.

2. Ask the Right Questions

Go into the conversation or demo with a list of questions you need answered. Here are a few we recommend to get you started:

  • Do you have a clear outline of how your product will help me become HIPAA compliant?
  • Do you have a HIPAA compliance checklist I can see?
  • How does the product encrypt sensitive data?
  • Can it run audit reports of data access and movement?
  • What level of expertise does your business have with HIPAA and HITECH?
  • Do you have a HIPAA specialist on staff that I could talk to?

In the end, finding a solution that matches your needs shouldn’t be difficult. It should be easy. Just remember: the right solution will help you in your journey to HIPAA compliance, not guarantee it. Only you can do that—by making sure your organization meets all HIPAA regulations.

Looking for a managed file transfer solution that can help your organization meet several key HIPAA and HITECH requirements via a managed, centralized, and auditable environment? Our solution, GoAnywhere MFT, may be right for you.

To learn more, download our white paper, How Managed File Transfer Addresses HIPAA Requirements for ePHI, or view our HIPAA and HITECH solutions brief.

 


Why You Should Implement a Third Party Vendor Assessment Program

  third party vendor assessment program

Third party vendors are incredibly useful. They allow businesses to automate certain processes they can’t do themselves, like implement payroll services to compensate employees, and bridge gaps in their technology. But while the money, time, and brainpower freed up by outsourcing tasks is a huge positive, third party vendors have their downsides. There must be a mutual agreement between all parties involved regarding security best practices. And sadly, that’s rarely a main focus, causing high risk to creep in where you least expect it.

As security concerns skyrocket, with data breaches happening to organizations of all sizes in all industries, IT and security teams are searching for ways to be proactive in their cybersecurity plans. Security awareness programs and carefully documented policies are a good start. But there’s no better way to prevent future security vulnerabilities than by starting with one of the biggest risks a company can have: careless outside players.

READ MORE: The Benefit of Empowered Employees: Why a Good Security Awareness Program Matters

“Security breaches attributed to third-party partners are increasing,” explains Paul Dusini, Information Assurance Manager at business management consulting company NuHarbor Security. “The number of data breaches attributed to third-party vendors increased by 22% since 2015.” And such frequency only continues to rise.

“Security breaches attributed to third-party partners are increasing. The number of data breaches attributed to third-party vendors increased by 22% since 2015.”

In fact, one of the biggest data breaches of this decade, Target Corporation in 2013, was thanks to unsecure third party vendors. A recent news report from American Banker states that “hackers first breached one of the retailers’ heating and air conditioning vendors, and from there, through a billing system, broke into Target’s servers to steal data on 40 million credit and debit cards and personally identifiable information of 70 million shoppers.”

Why aren’t third party vendors reviewed more often to prevent these kind of breaches? Shockingly, third party vendors are often considered an afterthought, since they provide services to an organization without being a part of their daily business goals. “Only 52% of companies have security standards for third-parties,” NuHarbor Security writes, yet an average of 90 vendors touch company data on a weekly basis. That’s a large number of players and access points a hacker could use to steal information—and part of the reason why third party vendors should be taken more seriously.

The good news is, organizations don’t have to quit third party vendors all together, a feat that’s likely impossible in this day and age anyway. Even better, data breaches and other vulnerabilities through third party vendors can be avoided.

Third Party Vendor Assessment Programs

Kathryn Anderson of Backbone Consultants has worked alongside many businesses, giving her the unique ability to observe how their IT teams practice data security and obtain valuable insight into where they regularly have security gaps. One of the best ways to close these gaps, she urges, is to start with third party vendors … and implement a third party vendor assessment program to minimize risk.

READ MORE: Introducing Kathryn Anderson of Backbone Consultants

I have helped grow 3rd party risk programs at multiple organizations across different industries,” Anderson explained in an interview with us. “From a compliance standpoint, third party (and fourth party) risk is becoming a key area for auditors. The reason why is that it’s high risk having third parties, parties that are under different cultures and employee policies, allowed access to your information by providing you with services. So it’s understanding and vetting those third parties that’s blowing up right now—for a very good reason.”

Implementing a third party vendor assessment program is an important step toward properly addressing third party risk and keeping it the way it should be: low and under control. Part of the work, Anderson said, could include creating a questionnaire for vendors based on the services they’re providing, using IT governance and risk management frameworks, discussing the value of the program with your organization, and sitting in on any approval meetings departments have for the new applications or cloud-based services they want to use.

Unfortunately, while these programs have a plethora of benefits that lessen the possibility of security vulnerabilities, they aren’t always easy to get off the ground. But the time and resources it takes to look at an organization and “figure out what you should really care about, what matters, and what are the triggers that say ‘this is a high risk vendor,’” she said, come with incredible benefits. And it can be done with a culture shift and proper stakeholder buy-in.

“The program is not about people sitting in the back corner looking at logs to identify anomalous activity in your environment, it’s being part of the business. Because security is a business risk. It’s not an IT risk,” Anderson explained, discussing how important it is get key players to want to work with you and your program. A vendor assessment program enables security to integrate with the rest of the organization and help it (rather than hinder it) achieve business goals in a safe and positive manner.

“The program is not about people sitting in the back corner looking at logs to identify anomalous activity in your environment, it’s being part of the business. Because security is a business risk. It’s not an IT risk."

“Security shouldn’t be a ‘no’ group. It should be a proactive partner. If the company has some sort of business need, it’s not up to security to say no,” she continued. “They can offer suggestions on how a desired vendor can improve their controls, identify gaps, or point out vendors that have better security controls, but IT and security should not be a ‘no’ group.”

In fact, Anderson said, a third party vendor assessment program is an ally in the quest for company success, not an obstacle to be overcome. “IT and security are like the security on a race car. The business is going super fast around the track, and it’s our job to make sure the airbags work and that they have a parachute. If anything, we put the security in place so they can go faster. We should be an enabler, not a road block.”

How to Implement a Third Party Assessment Program

If you’re ready to implement a third party assessment program in your organization, here are four steps you can take to get started.

#1. Identify Your Third Party Vendors

Organizations often don’t have a firm understanding of every third party vendor they use. Different departments use different vendors to get their work done. For example, Marketing uses an application to streamline their design goals or Development uses a web service to track project hours. Identifying these vendors and making a list of who you’re using pieces together the big picture, and leads to step 2.

#2. Review Your Current Third Party Vendors

Once you have a list of the third party vendors you’re using, review them to make sure they are up to standard. Do they have good cybersecurity practices? Are they accessing internal networks, and are those access points secure and monitored? How strict is their access; are they only allowed into the areas they need? Is the way they handle your data secure? Have there been odd discrepancies in the way they’ve worked with your organization, such as delays, inconsistent staffing, or spotty communication?

These areas of review can help you determine what level of risk your company currently faces. Then, you can make informed decisions on whether to keep these vendors, terminate the relationship, or discuss ways they should improve their controls.

#3. Create a Questionnaire for Potential Vendors

As Anderson suggested, using a questionnaire that addresses the specific services offered by a vendor (so asking a point-of-sale vendor retail-related questions) gives you insight into areas of weakness or concern before you create a relationship with them.

Ask questions like:

  • What sort of information will you need access to?
  • Do you have updated security policies and procedures in place?
  • Are you compliant with privacy laws/regulations regarding confidentiality and customer data? If so, which ones?
  • How often do you update your OS security?
  • What sort of controls do you have in place to secure your data?
  • What security software do you use to scan for viruses?

You can find several example third party vendor questionnaires online and use them to create your own.

#4. Assess which Meetings You Should Attend (then Attend Them)

With the beginnings of a third party vendor assessment program in place, you should start to anticipate the third party vendors that are added to your organization. If certain departments hold review meetings to discuss which vendors they should add to their arsenal, ask to sit in on them and speak up if you detect any problems or red flags that might cause high risk.

Just remember, security should be a proactive partner, not a nay sayer. The point of a third party vendor assessment program is to close vulnerability gaps and work with the organization to meet business goals and needs, not police what they can and cannot use.

These four steps serve as great starting points in creating a preliminary vendor assessment program, but they’re not all-inclusive. If you want to take your planning further, consider contacting a certified cybersecurity consultant. They’ll work with you to produce a detailed risk assessment for your organization, including reviews of your overall third party risk, reviews of proposed and existing contracts, and execution of a dynamic risk assessment questionnaire. Contact Backbone Consultants for more information on how they can help you implement a third party vendor assessment and decrease your security risk.

Want to hear more from Kathryn Anderson? Watch our on-demand webinar, Lessons from the Field: 7 Steps to Proactive Cybersecurity. It should interest those who want to learn how to implement a third party vendor assessment program or manage resources in their organization.

 


6 Experts Debunk Common Cybersecurity Myths

Cybersecurity warrior protecting dataThe life of a cybersecurity professional looks a lot like the plot of a Greek mythology action movie. We spend years preparing for an attack by an unknown creature, basing our strategy on tales passed down from cybersecurity warriors before us. DDoS attacks are waged by the mythical Hydra with multiple heads attacking from every angle; phishing emails are released, disguised as alluring calls from beautiful Sirens.

Along with these aggressions come the myths of how best to defend against such attacks. Which is why HelpSystems set out to debunk some of the most popular cybersecurity myths that exist today.

We asked six uniquely-qualified security experts from around the world to debunk their favorite IT security myths.

Read their intriguing answers in Cybersecurity Myths Debunked.

cybersecurity experts

 

Cybersecurity Myths Busted eBook


The Benefits of Empowered Employees: Why a Good Security Awareness Program Matters

 employee security awareness program

Every organization dreams of how they’d like to implement cybersecurity. It’s perfect in its execution: requirements would be met or exceeded, employees would be fully educated on security risks, and data would never be threatened by renegade phishing scams or careless user errors. But sadly, faced with time and resource constraints, it can be difficult for busy organizations to do more than just check the “high importance” boxes (like creating a data breach response plan and solid networking practices). Especially if today’s ever-changing security needs are hard to keep up with as it is.

Kathryn Anderson of Backbone Consultants argues that this struggle to maintain and surmount cybersecurity needs is exactly why businesses should find time to implement a security awareness program. As a security advocate with over a decade of industry experience, Anderson is passionate about risk and governance. And through her experience, she gained powerful insights on how to inspire awareness, responsibility, and empowerment in an entire organization.

READ MORE: Introducing Kathryn Anderson of Backbone Consultants

Anderson started pushing for employee awareness in her Senior Information Security Specialist role at a Fortune 500 consumer food company. Her manager had already put some groundwork in place, but she was fully responsible for developing a security awareness program that would impact new employees, near-retirees, and everyone in between.

Why spend so much time on employee education? “It’s a way to get people to care,” Anderson said during a recent interview with us, “and to be empowered.” She believes that security should be a part of employee job responsibilities from the moment they start their first day of work. But more importantly, it should be part of their responsibilities in everyday life—not just when they’re on the clock.

So Anderson used her security awareness program to shift the culture at the consumer food company, starting with a focus on modern cybersecurity risks and scams. “I brought in an email phishing tool. Based on the type of security events we were seeing and the questions I received, it was clear that the opportunity at our company and our highest risk area was phishing emails for employees,” Anderson explained. “What was super cool about the anti-phishing program I created was that it actually empowered our employees. Security became part of their job responsibilities and not just something that a bunch of nerds in the back were working on to keep them safe.”

“Security became part of their job responsibilities and not just something that a bunch of nerds in the back were working on to keep them safe.”

Several great program initiatives kept the momentum going. A fake phishing email sent internally encouraged coworker-to-coworker discussion that filled marketing meetings, finance meetings, and office spaces with excited security chatter. Employees started asking how they could help protect company data during their daily routine and discussing their role in the overall success of the company. It was a huge, and exciting, change from the initial belief that only IT and security were expected to be proactive in keeping data safe.

While Anderson’s work inspired employees to own their part in the consumer food company’s security practices, she also made it a point to talk about the importance of following the same rules at home. “Through the security program, we really focused on how you can help protect your family and keep your personal information safe,” she said. “So one tool that companies can also use is understanding that your employees are holistic beings; they’re not just people who are in the office from 9 to 5.”

The call for organizations to cultivate a vested interest in employee safety is not new. Brad Beatty, Lead Security Engineer at Enterprise Holdings, shared his thoughts on LinkedIn, writing “I had a vested interest in the success of those around me and the company I worked for because I was treated like family. I propose that by empowering employees … those employees will arise to the occasion and not only become your strongest business asset, but your strongest cyber security defense.”

Likewise, Darran Rolls, CTO and CISO at SailPoint, also wrote about employee empowerment: “[Cybersecurity pitfalls don’t] stop with employees. Friends and family are also targets. Because of this, it’s important that employees emphasize the importance of cybersecurity awareness with those closest to them and follow best practices outside of the workplace.”

So, what did the Fortune 500 consumer foods company do? With Anderson leading the initiative, they started having frequent conversations with their employees on how to protect data outside of work. They talked about how to stay protected during tax season, even though it had nothing to do with company data. And by putting time and effort into their employees’ personal lives, employees responded by practicing good security ethics everywhere they went—which ultimately helped lessen the opportunity for user error, both inside and outside of the workplace.

“There’s a lot of synergies between security and personal security. It’s an opportunity for people in my field to reach out and have conversations with everyday people they encounter, like at the library, or at parties. When you start talking about dual authentication at parties, everyone loves you and you’re always welcome back,” Anderson said. “You might even get a second dessert!” she added, laughing.

Are you focused on building a cybersecurity culture for your employees? If not, now is the time. The resources you’ll expend to create a strong security awareness program for your organization will be more than worth the good that follows.

Want to hear more from Kathryn Anderson? Watch our on-demand webinar, Lessons from the Field: 7 Steps to Proactive Cybersecurity. It should interest those who want to learn how to implement a security awareness program or manage resources in their organization.