Resources

Blog

The Data Breaches That Weren't

Minecraft is the latest company to be wrongfully accused of losing control of customer data. The real culprit: users, themselves.

Enterprise Data Security Breaches: Experts on How Companies Can Protect Themselves From Big Data Breaches

Most businesses today are well aware of the need to have a comprehensive data security strategy to protect themselves, their employees and their customers from various security threats. Fortunately for many small to medium-sized businesses, due to their size and simpler business structures, a standard data security plan will be enough to meet their data security needs. However, the same cannot necessarily be said about enterprise-level organizations, which tend to have much more complex business structures. Enterprise-level organizations often face structural challenges that smaller businesses usually do not encounter, such as a widely diverse clientele, multiple products and services offered across geographical locations, discrete internal departments or organizational units, and most importantly, significantly more business data. Since Digital Guardian provides data security solutions for organizations with complex business needs, we wanted to focus this post on big data security for enterprise-level businesses. We wanted to hear what data security experts from across the industry consider to be the best big data security breach protection strategy for enterprise-level organizations. To do this, we asked 24 data security experts to answer this question: "What's the #1 way an enterprise-level organization can protect itself from a big data security breach?" We've collected and compiled their expert advice into this comprehensive guide on enterprise-level big data security protection. See what our experts said below:

Meet Our Panel of Data Security Experts:
- Gunter Ollman
- Russell Glass
- Steve Durbin
- Mark Shelhart
- Darren Guccione
- Rick Moy
- Mark Bower
- Fatih Karatash
- David Lewison
- Chris Rouland
- Michael Ricotta
- Patrick Oliver Graf
- Greg Kleiman
- Michael Fimin
- Robert W. Twitchell, Jr.
- Jeff Frankel
- Jeff Harvey
- Engin Kirda
- William C. Klusovsky
- Matt Carbonara
- Adam Roth
- Benjamin Caudill
- John Ottman
- Michael Pesochinsky

Gunter Ollman @gollmann

Gunter Ollman is the CTO of NCC Group's Domain Services and has almost three decades of experience in information security. During that time, Gunter has worked for a number of companies including IBM Internet Security Systems and IOActive, in a variety of cyber security consultancy and research roles in areas such as semiconductor security, hardware reverse engineering and hacking devices in the Internet of Things.

Unfortunately there is no single thing an organization can do to protect themselves and their customers' data from a breach. There are, however, a number of things that, when combined, work together in limiting the value of the data that could be stolen:
- Trace each step and process within the organization that collects, views, and manipulates personal and confidential data, and ensure that it is encrypted at each point (preferably at the source).
- Any sensitive data that must be stored or is "at rest" needs to be encrypted, and the keys can't be stored at the same location as the data.
- All access and manipulation of data must be logged. These logs must be audited regularly (on a weekly or less period), and ideally the logs should be automatically monitored by anomaly detection systems for inappropriate usage and unexpected patterns.
- Use automated scanning technology to constantly monitor the network and applications for vulnerabilities and malware.
- Monitor network egress for anomalies in traffic (in particular large files going to poor reputation or unverified IP addresses).
- Create a number of "false flag" data repositories or seed your data storage systems with records that will automatically alert your security team if they are accessed by anyone or any system within the organization, and utilize web search engines to frequently query the unique seed data to identify public leaks.
Russell Glass @glassruss

Russell Glass is the Head of Marketing Products for LinkedIn. A seasoned technology entrepreneur, Russ founded and then served as president and CEO of Bizo, a B2B audience marketing and data platform, which was acquired for $175 million by LinkedIn in 2014. Russ has also founded or held senior positions at four venture-backed technology companies. He is a big believer that great cultures equal great companies, and has integrated this philosophy into all of his roles.

Despite data security breaches potentially costing tens of millions of dollars - not to mention the public relations cost - far too many businesses are lackadaisical in their data security practices. The number one way that corporations can protect themselves from data security breaches is to...

Acknowledge the seriousness of the issue and redouble their commitment to protecting the consumer information in their databases. Corporations have sensitive data on consumers: credit card numbers, Social Security numbers, healthcare histories. There is a social contract between consumers and the companies they do business with that this personal data will be secure. Too often, this is not the case. A study by Verizon and the U.S. Secret Service Agency found that almost 90 percent of the companies that experienced a data breach in 2010 were not in compliance with the Payment Card Industry Data Security Standard. Companies need to commit to mastering the basics to protect the data consumers have entrusted them with: businesses must patch and secure the databases, give only select employees access, and place the databases behind firewalls. They also need to encrypt and tokenize the individual data behind the firewall. Corporations must commit to constantly improving and refining security efforts, because the cybercriminals are constantly honing their skills in this computer security arms race.

As part of their elevated commitment to security, businesses should also join together to ask for legislation to help ensure improved data security. This legislation should make the penalties tougher for companies that don't meet data security standards. It should also raise the penalties for cybercriminals. As Todd Davis, CEO of Lifelock, has pointed out, cybercriminals receive mild sentences compared with bank robbers, for committing essentially the same crime. "That's crazy," Davis said. "We don't have the right deterrents in place."

Steve Durbin @stevedurbin

Steve Durbin is the Managing Director of the Information Security Forum. Mr. Durbin's main areas of focus include the emerging security threat landscape, cyber security, BYOD, big data, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

The Art of Stealing Terabytes

How did hackers manage to extract terabytes of data from the network of Sony Pictures without direct, physical access? It may have been easier than you would think.

Five Devastating Hacks That Predate Sony

Sony Pictures Entertainment is the most recent and, perhaps, the highest-profile victim of what might be considered a “Category 5” hack. But it’s hardly the only company to get digitally pants’d by hackers. Here is a list of some other notable victims and details of how they got hacked.

51 Useful Data Protection Resources: Blogs, Videos, Guides, Infographics, Tools & More

51 of our Favorite Data Protection Resources

Businesses and organizations are creating and using data at unprecedented rates. With this boom in big data come challenges and problems in information and data protection. Previously, enterprises emphasized perimeter security over things like endpoint protection, data-centric security and data loss prevention. Now, the rise of mobility and ever-expanding security perimeters make it necessary for companies to find data protection solutions that secure data from both internal and external threats, placing the focus on sensitive data as it travels within and outside of enterprise networks. The ever-changing landscape of data protection has resulted in a tremendous amount of knowledge sharing and thought leadership from technology experts, industry analysts, consulting firms, privacy lawyers, and others with a vested interest in data security and protection. These experts share their knowledge and advice in a wide range of formats, including blogs, white papers, videos, webinars, guides, and other online resources. With the sheer quantity of information and resources available online today, it can be difficult to sort through it all to find the most trusted and experienced sources that provide accurate insights and educated perspectives on relevant data protection challenges facing modern enterprises. So, we've compiled a list of 51 useful data protection resources to help you secure your data and feel more at ease about your company's valuable information. Our list includes reports from leading industry analysts, surveys, data protection blogs, white papers, videos, and more. The following 51 resources aren't listed in any particular order, other than by category.

This list is not intended to imply that the resources included here are the best or only resources on the topic; rather, these are 51 data protection resources we think are worth a look, from analyst reports worth reading (or re-reading) to resource portals worth adding to your bookmarks. If there's something great that's not on the list, let us know in the comments!

Table of Contents:
- Blogs
- White Papers, Studies, and Reports
- Slide Shows and Videos
- Infographics
- Handbooks, Tutorials, Guides, and Publications

Blogs

1. ICO Blog @ICOnews

The Information Commissioner's Office (ICO) upholds information rights that are in the public interest and promotes openness by public bodies while striving for individuals' data privacy. The ICO Blog focuses on those information rights issues, and especially data protection.

Three posts we like from ICO Blog:
- Changing your name and gender: the data protection implications
- A CCTV code fit for 2014 and beyond
- NHS Trust visits show positive results

2. Chronicle of Data Protection @HLPrivacy

The blog of Hogan Lovells, privacy attorneys and data security lawyers, Chronicle of Data Protection includes posts about consumer and financial privacy, cybersecurity and data breaches, and other topics of relevance to data protection. With the latest information on security news and trends, Chronicle of Data Protection is a useful read for those who need the most up-to-date data protection regulations and news.

Three posts we like from Chronicle of Data Protection:
- German Data Protection Authorities Issue Resolution on Connected Cars
- FTC Reminds Broadband Providers of their Data Privacy and Security Obligations
- NIH Issues Rules on Genomic Data Sharing

3. datonomy, the data protection blog @Datonomy

datonomy boasts a team of home, international, and guest bloggers, making it a well-researched data protection blog. Posts typically discuss data protection law and practice, as well as the problems and challenges associated with data protection.

Three posts we like from datonomy:
- Draft EU proposals on cyber and data breach notification: where are we now?
- New ISO Code of Practice for Public Cloud Service Providers Processing Personal Data
- First of its kind CNIL sanction against a telecoms operator for data breach: wider lessons for the supply chain?

4. Data Protection Technology Blog @guardiantech

The Data Protection Technology Blog is provided by the Guardian, which covers American and international news for its global online audience. Data Protection Technology Blog is frequently updated with the latest news and information about worldwide data protection issues and is a trustworthy resource.

Three posts we like from Data Protection Technology Blog:
- Court sets legal precedent with evidence from Fitbit health tracker
- Four arrested in UK RATs anti-spyware raid against webcam malware
- US Senator Al Franken pushes Uber for answers on privacy fiasco

5. Privacy Matters @DLA_Piper

Privacy Matters is written and maintained by DLA Piper's Data Protection and Privacy practice. Posts update readers about legal matters and regulations regarding data protection, and include analysis of data protection happenings around the world.

6. IT Security Expert Blog @SecurityExpert

The expert behind the IT Security Expert Blog is Dave Whitelegg, a UK-based information security expert. Whitelegg makes his blog accessible to people at all levels of technology knowledge and provides his views on IT security, privacy, and data protection.

Three posts we like from IT Security Expert Blog:

Data Breach Experts Share The Most Important Next Step You Should Take After A Data Breach

The majority of successful companies today are well aware of common data security issues and put a great deal of trust in their own efforts to prevent a data security breach. However, as demonstrated by recent security breaches at several large, tech-savvy companies such as Target, LivingSocial, Facebook, Gmail, and Twitter, no set of security measures is completely immune to a breach. What businesses today then have to consider is: what is your plan of action after a data breach, when your security and data loss prevention measures have failed? We set out to get some pro tips from data security experts on what they consider to be the best practices for after a data breach has already occurred. To do this, we asked 30 data security experts to answer this question: "What's the most important next step you should take following a data breach?" We've collected and compiled their expert advice into this comprehensive guide on what to do after a data breach. See what our experts said below:

Meet Our Panel of Data Security Experts:
- Oleksandr Maidaniuk
- Jay Botelho
- Andrew Avanessian
- Jason Maloni
- Stephen Ward
- Robert Ellis Smith
- Eran Sinai
- Arnie Bellini
- Nasir N. Pasha
- Scott Dujmovich
- Jibey Asthappan
- Darren Guccione
- Andrea Eldridge
- Reg Harnish
- Johnny Lee
- Engin Kirda
- Michael Fimin
- Alan Baker
- Greg Kelley
- Fred Menge
- Adam Roth
- Matt Malone
- Jason Nielsen
- Ashish Mohindroo
- Lee McKnight
- Anne P. Mitchell
- Edsard Ravelli
- Bill Rosenthal
- J. Wylie Donald
- Jon Schildt

Oleksandr Maidaniuk

Oleksandr Maidaniuk is the Head of Quality Assurance Solutions of Ciklum Interactive Solutions with rich experience of dealing with various types of software solutions including client-server enterprise applications, real-time systems and educational desktop software. He has a strong background in such testing methodologies as the Agile model and V-model and is especially capable in analysis of business requirements and test planning. His expertise is in applying a wide range of software testing methods and test design techniques (static and dynamic: structure-, experience-, specification-based).

The key step to manage the data breach if it already took place is...

COMMUNICATION: both internal (inform employees and involve everyone able to help, i.e. tech specialists, client service managers, PR & communication team, etc.) and external (direct mailing to the clients, official media release - and, if necessary, also an interview with the profile press). Basic rules in this case are:
- Be open and sincere. Admit if the fault was on the company's side and accept responsibility.
- Provide details. Explain why the situation took place.
- Mitigate. Make conclusions out of the disaster and describe solutions for affected users. If possible, prepare a special offer for the affected audience.
- Educate. Explain how to prevent similar issues in the future.
- Invite to dialogue. Involve your clients, industry experts, analysts, media people and the general public in the broader discussion about the source of the problem.

Usually, such an approach will allow you not only to minimize the negative impact of an IT security accident, but (when implemented correctly) will show your company as a reliable and transparent partner, which is able to operate correctly even during a crisis situation.

Jay Botelho @wildpackets

Jay Botelho is the Director of Product Management at WildPackets, a leading network analysis solutions provider for networks of all sizes and topologies, and has been with the company for more than nine years. His key areas of expertise include wireless networking, handheld devices, database software and applications, embedded software and network management software.

The most important step to take after a data breach is...

To understand the root of the issue. Engineers can use forensics to analyze traffic and instantly determine the root cause of an event, entirely removing guesswork and problem reproduction from the equation. Effective forensics provide these four key capabilities:
- Data Capture: Capture all traffic, 24x7, on even the fastest links
- Network Recording: Store all packets for post-incident, or forensic, analysis
- Search and Inspection: Enable administrators to comb through archived traffic for anomalies and signs of problems
- Reporting: Through data capture and analysis, results of investigations are logged and network vulnerabilities are reviewed and analyzed post-mortem.

Perhaps most importantly, forensics solutions capture data 24/7 and automatically analyze all data collected in real time, which means all the data you need for analysis is available at a moment's notice. Whether the problem with your mission-critical app is across the room or across the world, forensics gives you immediate access to the most detailed analytics available to get to the root cause of an issue.

Andrew Avanessian

Andrew Avanessian is the Executive Vice President of Consultancy and Technology of Avecto, a security software company that sees security as an enabler.

Nearly half of security leaders believe a major security breach will happen in the future, yet the post-breach plan that IT decision makers have in mind is fundamentally flawed. Why? These plans are reactive when they should be proactive...

I recommend spending less time trying to close the door after the horse has bolted and instead moving to a proactive security model. While it might seem like a complex and arduous process, it can actually be quite simple. Many organizations fail to meet even the very basic security steps recommended by the SANS 'First Five' or the Australian Department of Defense, which highlight tactics that create a more defense-in-depth approach to security.

For instance, while perimeter technologies like firewalls can protect against certain types of external attack, they cannot block malware that has already found its way onto endpoints within an organization. Organizations should instead create a multi-layered strategy that incorporates solutions like patching, application whitelisting and privilege management, which will help limit the pathways for malware to obtain sensitive data. Implementing these proactive technologies is crucial, but organizations must ensure they do not come at the expense of worker productivity. It's a difficult balance to strike - the Internet ultimately creates a gateway for malware to enter organizations, yet users require constant connectivity to do their jobs. Here is where solutions like sandboxing come into play, isolating Web browser threats behind the scenes, while employees are able to work freely and without compromising the organization.