Author Archive

Data Breaches Threaten Companies Worldwide

Posted by on Monday, 15 July, 2013

As technology staffs contend with ongoing changes to the data distribution landscape, it is important to keep abreast of data security risks and to understand the significant importance of properly managing customer’s private data.

data breachThe Ponemon Institute recently released its annual data breach report which provides stats on data security issues and trends.  With more than 277 companies involved and 1400 individuals interviewed, this report provides a current and unique perspective of potential security risks associated with even the smallest data breach.

Below are highlights of the report which indicates data breaches remain a difficult challenge.

  • The report identifies three key causes of data breaches worldwide:
    • Malicious Attacks – 37%
    • Negligence – 35%
    • System Errors – 29%
  • The average per capita costs of a data breach increased to $136 per capita over the $130 per capita from the previous year.
  • The US had the highest total per incident cost of $5,403,644.
  • In 2013 the average number of breached records was 23,647
  • Healthcare, Financial and Pharmaceutical industries continue to be the top industries with the highest per capita costs incurred.

Ironically, the report noted that organizations that notified victims too soon following a data breach actually incurred higher costs. This is an indication that an incident management plan should be in place to properly mitigate the data breach event.

It’s clear, based on the data in this report, that companies need to look beyond technology solutions that secure systems and communications.  It is important that the human factors are considered like employee training and creating an incident management plan to provide a full proof data security strategy.

Take a look at the full 2013 Ponemon Institute Data Breach report for more information on the top reasons that data breaches occurred and ways to decrease the risks and costs associated with them.

For information on how your company can build a better strategy to avoid data breaches, download our free white paper “Defending Against Data Breach: Developing The Right Strategy for Data Encryption.”

 

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a freelance writer for various technical and social media projects.

More Posts - Website

Simplify Field Encryption on IBM i

Posted by on Monday, 5 November, 2012

Now that corporate applications are easier to access via remote and mobile channels, it’s even more important to determine which sensitive data is accessible and where possible breaches may occur. Unfortunately, legions of hackers with Wi-Fi and mobile hacking tools make it imperative that organizations prepare for and defend against potential attacks with even more pervasive security procedures.

One step in creating a stronger defense is to employ field or column-level encryption to protect sensitive data at rest.

Implementing a custom field encryption project on IBM i used to be a notoriously long and painful process.  Programming code changes for field level encryption required a steep learning curve, costly programming resources, and even more time in testing, validating and updating the changed application source code. Most companies simply could not justify the additional strain on their budgets for this level of project development requirements.

In response to this challenge, IBM released its OS version 7.1 with DB2 field procedure (FieldProcs) in April of 2010 that greatly simplified the field encryption process.  With the new FieldProcs technology, encryption projects can be streamlined because the field procedures are invoked at the database level, making it transparent to the applications. The FieldProcs can be coded to automatically encrypt the field on Inserts and Updates, and subsequently decrypt the field only for authorized users on Read operations.  Subsequently, FieldProcs have become very important to those businesses that have legacy applications and limited budgets.

FieldProcs are a great step for improving the viability of field level encryption projects. But even with this, many companies don’t have the resources to integrate and manage the FieldProcs which is why third-party software solutions, like Linoma Software’s Crypto Complete, are valuable.  Crypto Complete will generate and manage the FieldProcs on the fields within the files.

Crypto Complete also includes the key management, audit logs and access controls needed for PCI DSS and data privacy compliance. The value of using Crypto Complete for field encryption cannot be understated as it can greatly minimize the learning curve and reduce the implementation resource requirements from weeks to hours.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a freelance writer for various technical and social media projects.

More Posts - Website

Is Disk Encryption Really the Silver Bullet?

Posted by on Thursday, 24 May, 2012

Disk encryption was introduced as a solution for simplifying the encryption requirements that most companies face for protecting sensitive data.  Now that the IT industry has gained a few years of experience, however, many have discovered that disk encryption is not an all-encompassing security solution.

disk encryption for laptop computersLaptops are one of the most popular targets for disk encryption.

[Download our white paper Defending Against Data Breach for details about the risks laptops and tablets present for IT staffs.]

However, companies have discovered that it requires a lot of planning and time to implement laptop encryption properly.

First of all, disk drives must be in good condition with no disk errors, and experts recommend that they be de-fragmented before installing the encryption software.

Once the time-consuming de-fragmentation task is completed, encrypting the drive will take an additional 2- 4 hours depending on the size of the drive.  Employing disk encryption for a large number of laptops in the organization will therefore result in some significant downtime for their users.

Some companies are touting disk encryption as their “end all” for meeting compliance requirements.  But it is not a silver bullet.  For instance, once a laptop is placed on the network, the data on the encrypted disks could potentially be accessed by savvy online hackers.  Once access is gained, all information on the compromised laptop could then be easily downloaded from the laptop by the hacker.

For those companies that deal with credit cards, PCI DSS compliance standards involve a complex series of requirements that disk encryption cannot solve on its own. Here are just two items from the PCI checklist:

  • A user’s access to protected data must be managed separately from his or her access to the operating system that the data resides on.  Therefore, if the secure data is stored on an MS Windows server, access control to the sensitive data must be managed by an application other than in Active Directory.
  • Cryptographic keys and cardholder data must be encrypted wherever it may be stored, including removable media such as USB drives, CDs, DVDs, or tape backups.  However, disk encryption does not encrypt data if it’s moved to other devices.

IT professionals are discovering that the best way to meet PCI DSS and other similar regulations is to keep sensitive data off of laptops whenever possible. Sensitive data can be more easily secured and controlled by IT professionals within centralized corporate database systems. The data can then be encrypted at the field level within these database systems.  Along with effective key management and audit trails, an effective database encryption solution will provide a much higher level of protection for this sensitive data.

To maximize their time and resources, many companies are turning to third party vendors, such as Linoma Software’s Crypto Complete, which provide an effective solution for field encryption without the need to make programming or database changes.

Keeping data secure is a constant battle, and given the high cost of data breach, it could be one of the most critical tasks a company tackles.  As hackers get more creative, relying on encryption best practices may be the best defense IT has.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a freelance writer for various technical and social media projects.

More Posts - Website

Tokenization: A Powerful Weapon Against Cyber Attack

Posted by on Thursday, 19 April, 2012

Tokenization in the data security world is the process of moving sensitive data from a company network to a separate location or sever, and replacing and referencing that data on the company server with a unique token.

If hackers attempt to access sensitive information like credit card numbers from a server, they’ll instead encounter the token which prevents them from finding the original data without a specific encryption key or knowledge of the tokenization system.

Linoma Software GoAnywhere Managed File Transfer SolutionFor example, say a merchant acquires a credit card number by swiping a customer’s card with a card reader.  If the merchant has implemented tokenization, this card number information is immediately replaced in the merchant’s database by a token number while the actual card number is sent and stored (in encrypted form) at a different location, along with the reference from the token.

Because the actual card number is never stored in the merchant’s front-end system, hackers have a much more difficult time stealing it. Customers can therefore be assured that it is safe to let that merchant use their card information because the actual credit card numbers are not stored in an easily accessible location.

All organizations that capture credit card data are required by the PCI DSS government regulations to secure and protect this data.  Originally, this presented a challenge to the payment industry until Shift4 Corporation presented tokenization solutions at an industry Security Summit in 1995.  The adoption of tokenization became a popular solution to meet the PCI DSS compliance regulations.

>>Check out these white papers discussing PCI DSS compliance issues, and data breach threats

Other industries are beginning to adopt tokenization to protect confidential information such as banking transactions, medical records, criminal records, vehicle driver information, loan applications, stock trading and voter registration.

Finding the most efficient way to implement tokenization is challenging, but the growing threat of cyber attack and the expense of data breach have motivated IT shops to research options in earnest.

A variety of third-party software solutions, such as Linoma Software’s Crypto Complete, deliver tokenization tools as well as additional options for managing encryption keys, audit logs, message alerts; storing tokenized data; automatically assigning token identifiers; and providing a central management platform for the entire tokenization process.

When a greedy hacker in anticipation of scoring a cache of customer credit card data finds instead a series of tokens, companies win another battle in the war against cyber thieves.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a freelance writer for various technical and social media projects.

More Posts - Website

1.800.949.4696  |  sales@linomasoftware.com  |  privacy policy
Copyright ©1994 - 2012 Linoma Software  |  All rights reserved