In this week’s Friday Five, catch up on the latest warnings from CISA, the Biden Administration’s new cybersecurity strategy, the actions of Chinese-backed hackers, and much more.

In this digital era, data has become the most important currency around which e-commerce and business revolve. Data-centric security highlights this by providing greater emphasis on the data itself rather than the technologies, and infrastructure, surrounding it. What Is Data-Centric Security? Data-centric security revolves around the actual data, focusing on core attributes like its lifecycle and dependability rather than the risks associated with inadequate security infrastructure protecting it. As a result, it involves protecting data wherever it is, whether at rest, in motion, or in use. This makes sense since most of the data an organization generates rarely stays within the confines of its corporate network. Instead, it is shared with third parties, advertisers, and other outside collaborators. Data-centric security represents a paradigm shift from the traditional security route organizations follow to protect data, which mainly consists of beefing up their digital infrastructure. While technology is still involved in data-centric security, its solutions are more geared towards providing layers of governance, policies, and best practices to protect data. This focus on data extends to how it is stored, where it is located, and how it is accessed. What Are The Advantages of Data-Centric Security? As data becomes increasingly valuable as a competitive advantage, organizations have increased spending on their cybersecurity apparatus. Yet, this hasn’t truly mitigated cyber attacks, hacking, and other security breaches from occurring. Lowering the Compliance Cost of Data By focusing on the data itself, data-centric security ultimately reduces the incidence of data security breaches. It also lowers the cost of maintaining compliance, often requiring constantly updating equipment, systems, and their underlying technology. Improved Handling of a Remote Workforce Technological changes and the Covid pandemic accelerated the adoption of a remote workforce. However, the proliferation of remote endpoints outside corporate infrastructure and networks drastically increased security risks posed to data. Adopting a data-centric solution that protects data wherever it goes reduces the risks highlighted by remote work. Guaranteeing File-Level Security Data-centric security involves more than a pivot from the traditional infrastructure-focused approach. It applies more granularity to data security by leaning more heavily on file-level security. This, in turn, makes it easier to track, store, and safeguard your data. In addition, file-level security facilitates the implementation of robust encryption mechanisms, along with strong access controls and policy enforcement. Without this document security, you can more reliably control what and when users can access resources. Creating Data Security Independent of Device or System Data-centric security relieves organizations of the burden of being beholden to any system or device. By building strong cybersecurity regardless of platform, they have more leeway for data management, especially with their supply chains. This is vital because while security infrastructure can fortify a system, it often results in presenting or providing security as an end in itself instead of the means to an end – which is protecting an organization’s data crown jewels. Moreover, data security independent of a system mitigates the risk or possibility of an attack on the organization’s data. Data-centric solutions also reduce the incidences of data silos and harm when a systemic failure occurs. How to Create a Data-Centric Security Model Creating a genuine data-centric security model brings security down to the data level. Defense-in-depth Defense-in-depth is the most salient feature of a data-centric security model. It entails adopting a military strategy that encloses data in successive layers of security. These concentric rings of security may start with the desktop as the outer layer, then move to network access and operating system controls before presenting authentication. Defense-in-depth provides sufficient redundancies that act as barricades of increasing complexity from one layer of security to the next. Data Discovery, Identification, and Classification The first step in building a meaningful data-centric model is auditing and taking inventory of your organization’s data across its intranet, databases, cloud systems, and various platforms. Before an organization can keep its data secure, it needs to know where it is located and how it is stored. The next step is properly classifying and labeling the data because you cannot accurately deploy protection until you know the value of the data you are dealing with. Once data classification has been achieved, possibly with the means of automation, infosec teams can prioritize the level of protection each category of data deserves. For instance, intellectual property information like patents and company secrets might need to be protected differently from, say, credit card details. Identity and Access Management (IAM) Identity and access management is a critical part of data-centric security. IAM ensures that only authorized users can access an organization’s data. Coupled with the principle of least privilege (PoLP), it provides the necessary controls so that users are exposed to only the data required to perform their duties. Governance and Compliance To be truly effective, data-centric security must adhere to industry-specific and governmental regulations, including federal and international mandates. One of the most all-encompassing is the General Data Protection Regulation (GDPR) of the European Union (EU). If your organization operates in the healthcare industry, then HIPAA laws cover the storage, handling, and overall confidentiality of patient information. As a result of data regulations, organizations adopting data-centric solutions must periodically conduct risk management audits to ensure they are maintaining compliance with data governance rules. Data Loss Prevention (DLP) One of the best ways to approach data-centric security is to incorporate a data loss prevention solution. DLP excels in preventing data from entering into the wrong hands or being exposed to unauthorized access. It detects and prevents data loss from data breaches, data leakages, and data exfiltration. DLP uses encryption and data masking to obfuscate and protect the data from unauthorized access and illegal tampering. How can Digital Guardian Secure Collaboration help you with Data-Centric Security? Digital Guardian Secure Collaboration possesses the correct tools to aid organizations in their data-centric security journey. With secure file collaboration technology, like digital rights management (DRM) and information rights management (IRM), Digital Guardian Secure Collaboration can help complement your DLP solution and extend your data protection strategy across your enterprise. Digital Guardian Secure Collaboration solutions provide data security that travels with your digital crown jewels wherever they go. Moreover, our solution works independently of the platforms, applications, and databases you use. To learn more about data loss prevention and how we integrate with DLP solutions, like Digital Guardian, here.

The dark web isn’t what it once was with Hydra, but cybercriminals are staying busy with ransomware, targeted attacks against developers, and more. Catch up on all these stories and more in this week’s Friday Five!

Data loss prevention software protects and secures your data from going where it shouldn’t go. What Are the 3 Types of Data Loss Prevention? Data Loss Prevention emerged to address the proliferation of data and is used to help organizations protect sensitive data, such as intellectual property and other business-critical data, from loss, damage, theft, and malicious abuse. The three types of data loss prevention are: Network DLP: This consists of security software and practices that monitor, track, and analyze activity across a network. Through network security, it tries to detect and prevent critical, confidential, or sensitive data from being exfiltrated through network traffic. In addition to inspecting network protocols, network DLP can discover sensitive information across various local and remote repositories (ex. Network share and MS Sharepoint Online), including databases. Endpoint DLP: Endpoint DLP extends monitoring for data loss to endpoints such as mobile devices, IoT devices, laptops, desktops, and servers. Endpoint DLP is predominantly concerned with protecting data in use and data at rest. Cloud DLP: Because the cloud is a storage location, cloud DLP is used to protect data at rest. In addition to the public cloud, this DLP can also protect data inside a private cloud run on a virtual server. How Does DLP Work? DLP has to engage with many attack vectors and access points in its task of data loss prevention. In addition to leveraging encryption and user access control, here are the processes involved in making DLP work. Classifying data: Data classification is an important prerequisite for DLP. This includes labeling data in an organization’s possession into, say, public, sensitive, or internal classification levels. Because classification can be labor intensive, most DLP solutions provide automated data discovery and classification services. This technology can scan your data repositories to classify new data entering the organization’s infrastructure. Establishing confidentiality levels: While DLP solutions provide classification features by default, you shouldn’t totally outsource this function. IT departments should assign data classification labels that make sense within the context of their data security. Typical classification examples could range from credit confidential, card information, sensitive, top secret, private, and internal. Linking protection to the right context: Because data in the enterprise can occupy several states (at rest, in motion, or in use), DLP has to account for the susceptibility of data loss at each stage and with each loss vector. Developing DLP policy: Configuring a DLP system’s behavior by creating data rules and policies. These encompass how the DLP system should react to data events. These may include revoking user access when someone is in violation of policy, issuing alert notifications when confidentiality markers are triggered, and so on. Monitoring and investigation: With the visibility provided by DLP, security experts can easily detect data leak security incidents through anomalous behavior, and subsequently reduce the chance of data loss and reputational harm. In summary, DLP requires discovering sensitive data, accurately classifying it, and taking remediation actions such as denying access or removing duplicates and inaccuracies. General DLP Use Cases When a data breach occurs, it exposes organizations to significant reputational, financial, and regulatory risks. A data breach or incident can manifest in several forms, such as insider threat, data leakage, data exfiltration, or data loss. Data loss generally encompasses any action or event that renders data usable through destruction, damage, or corruption. Insider threats are caused by authorized users who either maliciously or unintentionally cause data loss or abuse. Data leakage occurs due to the unauthorized but unintentional transfer of confidential or sensitive data. Data exfiltration is, on the other hand, the unauthorized and intentional transfer of confidential or sensitive data. Fortunately, DLP is designed to address these concerns in a concerted manner. Preventing Data-Related Incidences DLP solutions are primarily tasked with preventing data loss and data leakage. These are the ways DLP helps to achieve this objective. Providing Data Visibility Data visibility is a prerequisite for data security. You can’t monitor your data without knowing where it resides, its movement flow, and its chain of custody. Comprehensive DLP solutions typically provide insight into data at the three stages of the data lifecycle. Protecting IP and Competitive Advantage Business battles are increasingly waged on eCommerce front stores through digital products and the power of digital brand awareness. Data is increasingly the bedrock of building intellectual property, trade secrets, and product designs that drive corporate profits. Without DLP standing as a bulwark, the proprietary information, and the data that comprise it can be easily lost through theft and corporate espionage. Ensuring Regulatory Compliance Is Maintained The sensitivity of data and the risk it poses to people’s privacy have compelled governments around the world to enact legislation to protect personally identifiable information (PII), including health and financial records. Some popular ones include GDPR, HIPAA, PCI DSS, SOX, and CCPA. Complying with all these cybersecurity laws can be challenging for businesses. DLP software provides a mechanism to monitor data and ensure the right policies and data frameworks are applied. What are the similarities and differences between endpoint vs. network vs. cloud DLP? Although they each have different objectives, both network, cloud, and endpoint DLP are necessary to fortify an organization’s data security posture. Together, they ensure that all the bases are covered with regard to data protection, namely, monitoring movement and activity surrounding critical data, protecting in all phases of the data lifecycle, and controlling who and how it is accessed. Network DLP protects data traveling across the network. As a subset of network DLP, cloud DLP extends protection to cloud repositories for organizations that leverage cloud computing resources. In addition to protecting data in motion, endpoint and cloud DLP prevents data loss when it is being processed and in general use. Also, the common denominator across these three DLP processes is encryption. It is used to protect data, whether it is at rest, in motion, or in use. Network DLP vs. Endpoint DLP As its name implies, network DLP secures data transmitted across a network. It also protects data on web apps like email and other file transfer processes from being exfiltrated. These operate at the network periphery and act as agents of network transmission. Unlike network DLP, which is equipped to protect data in motion and data at rest, endpoint DLP protects data in all three data cycle phases: data in use, in motion, and at rest. Endpoint DLP mainly achieves this through the installation of agents. The prominent use case of endpoint DLP is protecting intellectual property and ensuring compliance to data policies are adhered to. Learn How Digital Guardian Secure Collaboration Helps to Extend Security in DLP Products (like Digital Guardian) to Safeguard Your Data Digital Guardian Secure Collaboration's ability to extend security in DLP solutions allows you to combine the best of breed data protection to include network and endpoint DLP along with digital rights management (DRM), and information rights management (IRM). These measures ensure your data is protected regardless of where, how, or who accesses it. To learn more about data loss prevention and how to bulletproof your endpoints, read about how we work with DLP solutions here.

This week saw the takedown of a cybercrime messaging platform, sanctions imposed on TrickBot members, the release of a recovery script for ransomware victims, and more. Catch up on the latest news in this week's Friday Five!

To help defenders close the gaps, we asked more than 30 experts what the most overlooked element of preventing cyberattacks is.

Aiming to be the next California, Virginia, or Colorado, Indiana has already introduced two new bills in 2023 to shore up how organizations treat and secure consumer data.

In this era of heightened data privacy, organizations, especially those in highly regulated industries, need to maintain a PII compliance checklist to protect private data in their possession. What is PII compliance? PII refers to personally identifiable information. Unlike other personal data, PII can be used to identify an individual uniquely. As its name suggests, PII compliance involves the standards organizations must maintain to fulfill PII regulations. Since PII is at the center of PII compliance, it is essential to understand what constitutes PII. First, not all PII is created equal. PII can be split into sensitive and non-sensitive PII. Understanding Sensitive and Non-sensitive PII Examples Sensitive PII, such as someone’s full legal name, social security number, or driver’s license, can pinpoint an individual accurately. It also includes data that can be traced to an individual, like medical records, passports, credit cards, and bank account information. With non-sensitive PII, a person’s identity can be inferred. Non-sensitive PII examples include a person’s information liable to be found in the public domain, like their birthday or business phone number. Other examples of non-sensitive PII are email addresses, IP addresses, residential addresses, ethnicity, gender, and your mother’s maiden name. However, non-sensitive PII can be combined with other relevant information to expose someone’s identity. PII Compliance Standards The pace and breadth of PII regulation is genuinely remarkable. Gartner reports that by 2025, as much as 65% of the global population will have their PII data covered by regulations. One of the significant differences between PII and other sensitive private data like protected health information (PHI) is the broad array of regulations targeted at PII. On the other hand, HIPAA, which is a prime example of industry data protection standards, is exclusively regulated by PHI. Data Privacy Regulations in the United States Because of its sensitivity, many countries and government agencies protect PII data with legislation. One of the earliest data laws in the US was the Privacy Act of 1974. This law codified how federal agencies can collect, manage, and use personal information. Apart from the Privacy Act of 1974, the US lacks an all-encompassing federal law that governs data privacy. The Federal Trade Commission Act (FTC Act) allows the government agency to prevent deceptive trade with broad jurisdiction over commercial entities. However, it does have some role in enforcing privacy laws by imposing sanctions on companies for violating consumer data and failing to maintain appropriate data security measures. Here are some of the other data privacy laws in the US: The Health Insurance Portability and Accounting Act (HIPAA) The Children's Online Privacy Protection Act (COPPA) California Consumer Privacy Act (CCPA) California Privacy Rights Act (CPRA) New York SHIELD Act Data Privacy Regulations in Europe While the GDPR emanates from Europe, it is the most far-reaching and toughest data privacy law today. The power of GDPR is that its penalty violations are high, and it is written in such a way that it applies to you even if you’re not in the EU. PII Compliance Checklists to Follow To adhere to the growing number of data privacy laws, companies need to maintain a list of the PII requirements they need to satisfy under various data regulations. Here are some points to consider when creating a PII compliance checklist 1. Identify PII and Determine Where It Is Stored This is the first step in ensuring PII is adequately safeguarded. By locating and identifying its PII, an organization can determine whether the type and quantity of private data it collects are necessary or justified in the first place. Once you accurately identify the PII that needs protection, the next step is establishing its storage location. The challenge here is magnitude - with mobile and cloud computing, data can be stored in multiple files, file formats, devices, and endpoints. However, without the ability to maintain visibility into private data, sensitive PII is bound to fall through the cracks, resulting in inadvertent data leakage. After the location has been established, it is necessary to assess the risk to the PII due to where it is stored. One of the ways to mitigate these risks is by implementing the principle of least privilege. This grants only the minimal required access to the data needed to execute jobs. This is implemented with role-based access control measures that ensure access to data is only granted to required users. In addition to its storage location, identifying the states or lifecycle phase (data at rest, in use, or data in motion) in which the data exists is paramount to auditing its security protocols. 2. Classify and Categorize PII After discovering the presence of PII, the next stage is to create a system to classify it. This categorization requires a taxonomy system to organize the data into relevant types of PII. Most often than not, the best way to classify data is to qualify them based on the most harm and damage done if it is compromised or illegally exposed. The typical PII classification used are the following: Public: This is the broadest and least restrictive category because it primarily consists of non-sensitive data already in the public domain. Private: This is a notch higher than public data. Private data is more sensitive, and organizations require only their employees to view and process it. Restricted: Utmost discretion is required with restricted data because of the potential damage caused if it is leaked or falls into the wrong hands. 3. Creating compliance-based policies This phase involves the policies you must create to ensure PII compliance is followed. Organizations also need this framework for governance and risk mitigation strategies. There are many issues regarding proper data governance, but there are straightforward ways to start. One of these is to create a data map that enables DevSecOp engineers and infosec staff to track data flow through the organization. Most data privacy regulations have severe mandates concerning breach notification, so organizations must have reporting policies enacted. Periodically conduct vulnerability assessments and penetration tests to identify and plug security holes. Nevertheless, some of the best compliance can be created just by following GDPR practices:

To learn more about how to curb intellectual property theft, we reached out to a panel of intellectual property experts and business leaders for their best tips.

Getting personally identifiable information (PII) classification right is one of the first steps to having an effective data protection strategy. We break down four best practices in this blog.

As organizations continue to rely on third-party technologies, third-party breaches have become common. One of the key ways to prevent third-party vendor breaches is to monitor your attack surface continuously. What Is a Third-Party Breach? As the name suggests, third-party data breaches are security violations caused by third-party contractors, vendors, and other businesses affiliated with an organization. In attacks like this, while the compromise comes from a third party’s computer system or processes, it’s the sensitive data from your organization that is exposed. As a result, your organization can suffer guilt — and damage — just by association with a third-party breach. The maxim of being as strong as your weakest link couldn’t be more accurate regarding third-party violations. This is because all it takes is just one application, device, firmware, or software component from a third party to get compromised for an attacker to get a foothold in your enterprise supply or value chain. What Kind of Attacks or Vulnerabilities Can Come From Third Parties? A third-party breach, oftentimes through a vulnerability in vendor software, can create a backdoor for hackers to access the host system. These underlying vulnerabilities are no different from general cybersecurity threats that can arise from cloud misconfiguration, the principle of least privilege not being implemented, poor coding practices, poor antivirus defenses, etc. These are just a few of the cybersecurity attacks that can result from third-party risks: Spear phishing Intellectual property theft Unauthorized network intrusion Data exfiltration Advanced persistent threats (APT) Login credential theft Ransomware attacks Malware and virus propagation Third-party breaches can create procurement and value-chain risks as well as lead to a supply-chain attack. What Is a Supply Chain Attack? A supply chain is a distributed system that provides the materials, resources, expertise, and technologies — typically through an array of vendor companies — required to create a product. Supply chains are necessary because no business is 100% self-sufficient. This is especially the case with software products and the constantly evolving complexity of modern software infrastructure. Many software developers typically use open-source components, including resources from third parties, which can open an organization to risk. A supply chain attack undermines an organization by targeting the vulnerabilities in poorly secured supply chain elements. As a result, hackers launch supply chain attacks by weaponizing the weaknesses in third-party vendor components to infiltrate a company. Simply being part of a supply chain can increase your attack surface, something that can unfortunately make it challenging to detect and prevent attacks involving them. As an example, in cybersecurity circles, although SolarWinds is a US information technology firm, it is now associated with something more pernicious. The SolarWinds hack, in which hackers infiltrated a backdoor in SolarWinds software and launched a malware attack, is already regarded as one of the most significant cybersecurity breaches of the 21st century. Attackers did this by compromising “Orion,” a widely used SolarWinds application. This consequently meant any company that used SolarWinds was automatically at risk. It’s estimated that about 18,000 SolarWinds customers were eventually exposed to the breach. The hack highlighted how devastating a supply chain attack can be now that global supply chains have become more complicated than ever. Supply Chain Regulations Supply chain attacks can disrupt and hinder businesses. In the aftermath of the SolarWinds cyber attack, policymakers have stepped up to provide more oversight. As a result, legislation and regulations have been crafted to provide adequate supply chain management. On February 24th, 2021, the Biden Administration issued an Executive Order to make America’s supply chains more secure and resilient. It tasked the heads of appropriate agencies to assess vulnerabilities and issue reports on critical supply chains for the US economy's vital industrial sectors and subsectors. On the first anniversary of the executive order, on February 24th, 2022, the White House issued The Biden-Harris Plan to Revitalize American Manufacturing and Secure Critical Supply Chains in 2022. Along with the capstone report, it emphasized the need to evaluate supply chain vulnerabilities across key product areas such as large-capacity batteries, semiconductors, critical materials, and minerals, along with pharmaceutical ingredients. In March 2022, the US Securities and Exchange Commission (SEC) unveiled proposed amendments to cybersecurity governance and risk management strategies. These were rules meant to enhance cybersecurity public disclosures, especially incident reporting by public companies. Supply Chain Compliance Standards These regulations compel organizations to adhere to specific compliance standards to maintain cybersecurity resilience. Some of these compliance standards and practices include: Maintaining up-to-date patch management. Clear audit and reporting procedures for transparency. Conducting third-party risk assessment and due diligence. Creation of standard operating procedures and policies for cyber incidents. Running penetration tests to evaluate the rigor of systems and their defenses. How to Respond to a Third-Party Breach Your organization needs to take steps in the event of a third-party breach. Preserve Evidence Having documented evidence is vital when it’s time to report the data breach to the relevant authorities accurately. Cybercriminals and malware have grown stealthier, making their activity more difficult to detect. Organizations may need to use forensic investigators to help uncover evidence depending on the scope. Respond Promptly Time is of the essence. The longer you take to respond to a security breach, the more time hackers have to burrow deeper into the corporate network and cause damage. Implement a Contingency and Incident Response Plan Develop threat models and contingency plans. In addition to enabling you to visualize potential threats, it gives you the latitude to respond nimbly when your supply chain is jeopardized. Provide Full Disclosure Data protection regulations like HIPAA and GDPR have reporting mandates to be upheld in a data breach. Ensure you have a notification toolkit that covers all the ground you need to cover in responding to policyholders, perhaps incorporating a data breach notification analysis. Security Best Practices To Prevent Third-Party Breaches Organizations must adopt a holistic approach to combat third-party breaches. A comprehensive third-party and supply chain management should include the following best practices:

To gain some insight into recent ransomware attacks, we look at 50 different attacks from December 2021 to December 2022.

The Protecting American Intellectual Property Act, signed into law last week, authorizes sanctions for organizations and individuals who carry out trade secret theft that harms the United States.

26 Intellectual Property Experts & Business Leaders Reveal the Biggest Misconceptions Companies Have About Insider IP Theft

Your organization is likely required to disclose data breaches to the proper authorities in your state, but sometimes going one step further is just as important.

Phishing simulation training? Audits? Incentivizing training? We talked to 18 infosec leaders and asked them what the best tools and techniques for employee security awareness training are.

Panama’s data protection law, similar to the European Union's GDPR, regulates the processing of personal data in the country and requires data be kept confidential, in a secure database.

Trying to find the right DLP solution for your organization? Learn how to get started with the latest tips for evaluating providers in this blog.