Resources

Blog

The Data Breaches That Weren't

Minecraft is the latest company to be wrongfully accused of losing control of customer data. The real culprit: users themselves.

Enterprise Data Security Breaches: Experts on How Companies Can Protect Themselves From Big Data Breaches

Most businesses today are well aware of the need to have a comprehensive data security strategy to protect themselves, their employees and their customers from various security threats. And fortunately for many small to medium-sized businesses, due to their size and simpler business structures, a standard data security plan will be enough to meet their data security needs.

The Art of Stealing Terabytes

How did hackers manage to extract terabytes of data from the network of Sony Pictures without direct, physical access? It may have been easier than you would think.

Five Devastating Hacks That Predate Sony

Sony Pictures Entertainment is the most recent and, perhaps, the highest-profile victim of what might be considered a “Category 5” hack. But it’s hardly the only company to get digitally pants’d by hackers. Here is a list of some other notable victims and details of how they got hacked.

51 Useful Data Protection Resources: Blogs, Videos, Guides, Infographics, Tools & More

51 of our Favorite Data Protection Resources

Businesses and organizations are creating and using data at unprecedented rates. With this boom in big data comes challenges and problems in information and data protection. Previously, enterprises emphasized perimeter security over things like endpoint protection, data-centric security and data loss prevention. Now, the rise of mobility and ever-expanding security perimeters make it necessary for companies to find data protection solutions that secure data from both internal and external threats, placing the focus on sensitive data as it travels within and outside of enterprise networks.

The ever-changing landscape of data protection has resulted in a tremendous amount of knowledge sharing and thought leadership from technology experts, industry analysts, consulting firms, privacy lawyers, and others with a vested interest in data security and protection. These experts share their knowledge and advice in a wide range of formats, including blogs, white papers, videos, webinars, guides, and other online resources.

With the sheer quantity of information and resources available online today, it can be difficult to sort through it all to find the most trusted and experienced sources that provide accurate insights and educated perspectives on relevant data protection challenges facing modern enterprises. So, we've compiled a list of 51 useful data protection resources to help you secure your data and feel more at ease about your company's valuable information. Our list includes reports from leading industry analysts, surveys, data protection blogs, white papers, videos, and more.

The following 51 resources aren't listed in any particular order, other than by category. This list is not intended to imply that the resources included here are the best or only resources on the topic; rather, these are 51 data protection resources we think are worth a look, from analyst reports worth reading (or re-reading) to resource portals worth adding to your bookmarks. If there's something great that's not on the list, let us know in the comments!

Table of Contents:
Blogs
White Papers, Studies, and Reports
Slide Shows and Videos
Infographics
Handbooks, Tutorials, Guides, and Publications

Blogs

1. ICO Blog @ICOnews

The Information Commissioner's Office (ICO) upholds information rights that are in the public interest and promotes openness by public bodies but strives for individuals' data privacy. The ICO Blog focuses on those information rights issues, and especially data protection.

Three posts we like from ICO Blog:
Changing your name and gender: the data protection implications
A CCTV code fit for 2014 and beyond
NHS Trust visits show positive results

2. Chronicle of Data Protection @HLPrivacy

The blog of Hogan Lovells, privacy attorneys and data security lawyers, Chronicle of Data Protection includes posts about consumer and financial privacy, cybersecurity and data breaches, and other topics of relevance to data protection. With the latest information on security news and trends, Chronicle of Data Protection is a useful read for those who need the most up-to-date data protection regulations and news.

Three posts we like from Chronicle of Data Protection:
German Data Protection Authorities Issue Resolution on Connected Cars
FTC Reminds Broadband Providers of their Data Privacy and Security Obligations
NIH Issues Rules on Genomic Data Sharing

3. datonomy, the data protection blog @Datonomy

datonomy boasts a team of home, international, and guest bloggers to make it a well-researched data protection blog. Posts typically discuss data protection law and practice, as well as the problems and challenges associated with data protection.

Three posts we like from datonomy:
Draft EU proposals on cyber and data breach notification: where are we now?
New ISO Code of Practice for Public Cloud Service Providers Processing Personal Data
First of its kind CNIL sanction against a telecoms operator for data breach: wider lessons for the supply chain?

4. Data Protection Technology Blog @guardiantech

The Data Protection Technology Blog is provided by the Guardian, which covers American and international news for its global online audience. Data Protection Technology Blog is frequently updated with the latest news and information about worldwide data protection issues and is a trustworthy resource.

Three posts we like from Data Protection Technology Blog:
Court sets legal precedent with evidence from Fitbit health tracker
Four arrested in UK RATs anti-spyware raid against webcam malware
US Senator Al Franken pushes Uber for answers on privacy fiasco

5. Privacy Matters @DLA_Piper

Privacy Matters is written and maintained by DLA Piper's Data Protection and Privacy practice. Posts update readers about legal matters and regulations regarding data protection, plus include analysis of data protection happenings around the world.

6. IT Security Expert Blog @SecurityExpert

The expert behind the IT Security Expert Blog is Dave Whitelegg, a UK-based information security expert. Whitelegg makes his blog accessible to people at all levels of technology knowledge and provides his views on IT security, privacy, and data protection.

Three posts we like from IT Security Expert Blog:

Data Breach Experts Share The Most Important Next Step You Should Take After A Data Breach

The majority of successful companies of today are well aware of common data security issues and put a great deal of trust into their own efforts towards preventing a data security breach. However, as demonstrated by recent security breaches of several large, tech-savvy companies such as Target, LivingSocial, Facebook, Gmail, and Twitter, no set of security measures is completely infallible to a breach. What businesses of today have to then consider is: what is your plan of action after a data breach when your security and data loss prevention measures have failed?

We set out to get some pro tips from data security experts on what they would consider to be the best practices for after a data breach has already occurred. To do this, we asked 30 data security experts to answer this question:

"What's the most important next step you should take following a data breach?"

We've collected and compiled their expert advice into this comprehensive guide on what to do after a data breach. See what our experts said below:

Meet Our Panel of Data Security Experts:

Oleksandr Maidaniuk, Jay Botelho, Andrew Avanessian, Jason Maloni, Stephen Ward, Robert Ellis Smith, Eran Sinai, Arnie Bellini, Nasir N. Pasha, Scott Dujmovich, Jibey Asthappan, Darren Guccione, Andrea Eldridge, Reg Harnish, Johnny Lee, Engin Kirda, Michael Fimin, Alan Baker, Greg Kelley, Fred Menge, Adam Roth, Matt Malone, Jason Nielsen, Ashish Mohindroo, Lee McKnight, Anne P. Mitchell, Edsard Ravelli, Bill Rosenthal, J. Wylie Donald, Jon Schildt

Oleksandr Maidaniuk

Oleksandr Maidaniuk is the Head of Quality Assurance Solutions of Ciklum Interactive Solutions with rich experience of dealing with various types of software solutions including client-server enterprise applications, real-time systems and educational desktop software. He has a strong background in such testing methodologies as Agile model and V-model and is especially capable in analysis of business requirements and test planning. His expertise is in applying a wide range of software testing methods and test design techniques (static and dynamic: structure-, experience-, specification-based).

The key step to manage the data breach if it already took place is...

COMMUNICATION: both internal (inform employees and involve everyone able to help, i.e. tech specialist, client service managers, PR & communication team, etc.) and external (direct mailing to the clients, official media release - and, if necessary, also interview to the profile press).

Basic rules in this case are:

Be open and sincere. Admit if the fault was on the company's side and accept responsibility.
Provide details. Explain why the situation took place.
Mitigate. Make conclusions out of the disaster and describe solutions for affected users. If possible, prepare a special offer for the affected audience.
Educate. Explain how to prevent similar issues in the future.
Invite to dialogue. Involve your clients, industry experts, analysts, media people and general public to the broader discussion about the source of the problem.

Usually, such an approach will allow you not only to minimize the negative impact of an IT security accident, but (when implemented correctly) will show your company as the reliable and transparent partner, which is able to operate correctly even during the crisis situation.

Jay Botelho @wildpackets

Jay Botelho is the Director of Product Management at WildPackets, a leading network analysis solutions provider for networks of all sizes and topologies, and has been with the company for more than nine years. His key areas of expertise include wireless networking, handheld devices, database software and applications, embedded software and network management software.

The most important step to take after a data breach is...

To understand the root of the issue. Engineers can use forensics to analyze traffic and instantly determine the root cause of an event, entirely removing guesswork and problem reproduction from the equation. Effective forensics provide these four key capabilities:

Data Capture: Capture all traffic, 24x7, on even the fastest links
Network Recording: Store all packets for post-incident, or forensic analysis
Search and Inspection: Enable administrators to comb through archived traffic for anomalies and signs of problems
Reporting: Through data capture and analysis, results of investigations are logged and network vulnerabilities are reviewed and analyzed post-mortem.

Perhaps most importantly, forensics solutions capture data 24/7 and automatically analyze all data collected in real time, which means all the data you need for analysis is available at a moment's notice. Whether the problem with your mission-critical app is across the room or across the world, forensics gives you immediate access to the most detailed analytics available to get to the root cause of an issue.

Andrew Avanessian

Andrew Avanessian is the Executive Vice President of Consultancy and Technology of Avecto, a security software company that sees security as an enabler.

Nearly half of security leaders believe a major security breach will happen in the future, yet the post-breach plan that IT decision makers have in mind is fundamentally flawed. Why? These plans are reactive when they should be proactive...

I recommend spending less time trying to close the door after the horse has bolted and instead move to a proactive security model. While it might seem like a complex and arduous process, it can actually be quite simple. Many organizations fail to meet even the very basic security steps recommended by the SANS 'First Five' or the Australian Department of Defense, which highlight tactics that create a more defense-in-depth approach to security.

For instance, while perimeter technologies like firewalls can protect against certain types of external attack, they cannot block malware that has already found its way onto endpoints within an organization. Organizations should instead create a multi-layered strategy that incorporates solutions like patching, application whitelisting and privilege management, which will help limit the pathways for malware to obtain sensitive data.

Implementing these proactive technologies is crucial, but organizations must ensure they do not come at the expense of worker productivity. It's a difficult balance to strike - the Internet ultimately creates a gateway for malware to enter organizations, yet users require constant connectivity to do their jobs. Here is where solutions like sandboxing come into play, isolating Web browser threats behind the scenes, while employees are able to work freely and without compromising the organization.