Global workforce is heading towards Work From Home (WFH) as the new norm post COVID-19 Lockdown. Is your host data loss prevention strategy ready for it? Are you protected against:
- Data theft by a disgruntled employee
- Data breach by a long term employee
- Sensitive corporate data shared on public domain
- Sensitive corporate data shared with third parties
Why Host Data Loss Prevention Matters The Most Now
HDLP is the process of monitoring and blocking intentional and unintentional exfiltrating company’s data by employees or third parties through host systems. Every company holds on to sensitive and confidential data based on user role. If the data is logically or physically transferred from the organization, it might result in a substantial loss to the organization and eventually with-in a short period of time ends up with a breach and online disclosure.
With lockdowns in progress across the world, employees across the world are working from their home. This situation is rife with possibilities for potential data misuse. Possible scenarios of data can be:
- Employees sharing data via their personal email
- Employees sharing data via their personal drives like Google Drive and Dropbox
- Employees performing data transfers through SSH, FTP and RDP outside the organization’s purview
- Employees storing the confidential data such as customer details on USB drives
- Employees sharing the information like access credentials with third parties with malicious intents
- Employees deleting the data by accident
- Employees storing the details via Screenshots
- Employees sharing the details with third parties like freelancers and agencies without understanding security implications
- Employees giving their mail access to third party platform (like OAuth Logins)
- Employees using social media to share information with other parties
According to Information Age, accidental data leaks by staff are now a primary security weak point. Their research indicated that there is a decreasing trend in data lost due to security vulnerabilities, which currently stands at 20% of the participants in the survey. This is in line with the growing sensitivity towards security across the world. However, the same research sample indicated that the threat of staff accidentally leaking the data has been growing steadily and now stands as the primary security weak point. This currently stands at 22% of all the companies who were part of the survey.
Some of the types of data categories that can be leaked by employees are:
Intellectual property data
Protected health information
Personally identifiable information
Customer transaction data
- Price/Cost Lists
- Target Customer Lists
- New Designs
- Source Code
- Process Advantages
- Pending Patents
- Intellectual Property
- Unreleased Merger/ Acquistion Plans and Financial Reports
- Legal Documents
- Employee Personal Data
- Bank Payment
- B2B Orders
- Vendors Data
- Sales Volumes
- Purchase Power
- Revenue Potential
- Sales Projections
- Discount Ratios
Personally Identifiable Data
- Customer List
- Spending Habits
- Contact Details
- User Preferences
- Product Customer Profile
- Payment Status
- Contact History
- Account Balances
- Purchase/Tranaction History
- Payment/Contract Terms
- Full Name
- Birthday, Birthplace
- Biometric Data
- Genetic Information
- Credit Card Numbers
- National Identification Number, Passport Numbers
- Driving License Number, Vehicle Registration Number
- Associated Demographics Preferences
Approach to Solving the Challenges of Data Loss
Cloud4C encourages enterprises to adopt the following approach to secure their data even when most of their workforce is working out of home.
Policies and Standards
Identifications and Vulnerablities
Risk Assessment And Clasification
DLP Strategy and Information Security
Possible Vulnerabilities with Hosts
The first step to data loss prevention is to understand the leakages. Security teams need to have a control over the IT infrastructure that leads to these vulnerabilities. Some of the most popular ways a host can be exploited are:
- Email clients and personal email accounts
- FTP/RDP Servers
- Personal drives such as Google Drive and Dropbox
- CMS platforms like Wordpress, Joomla and Drupal (Free CMSs are highly vulnerable to such attacks)
- Social media platforms
- Removable media like USBs and CDs
How can Cloud4C help in Host Data Loss Prevention?
Cloud4C provides cutting edge HDLP solutions using the best products in the market. We bring our decades of understanding of providing enterprise security to help define, deploy and maintain these solutions.
- Control user’s capability to transfer sensitive data
- Control the user’s capability to send information to other domains via various communication tools including email
- Arrest data transfer to employee’s personal cloud drives like Google Drive and Dropbox
- Arrest data transfer through SSH, FTP and RDP outside the organization’s purview
- Continuous monitoring of user desktop through periodic screenshots
- Restrain user from accessing predefined category of websites like gambling and social media
CLOUD4C SECURITY EXPERTISE: A SNAPSHOT
For many companies, compliance to the guidelines is critical. If you are any of those industries, you will appreciate the gravity of the situation. For companies that are affected by various compliance guidelines, here is what you should know.
The General Data Protection Regulation is a regulation in European Union and European Economic Area. This act came into existence after calls for citizens’ privacy and is meant to protect the privacy of all the citizens of European Union. Every company that handles the data of the user/customer must adhere to the rules of GDPR. This includes companies that are located outside Europe but serve the citizens of European Union.
Companies that deal with such sensitive data must extend their security to providing Host DLP to adhere to GDPR. Companies need to deal with a whole host of vulnerabilities to successfully deploy the DLP in this case. Unlike HIPAA, GDPR covers all and every data of the citizen. This means every company that caters to the EU region in every industry falls into this gamut. These companies must deploy DLP to adhere to the GDPR compliance or risk paying hefty fines or even lawsuits.
Compliance to Health Care Insurance Portability and Accountability Act (HIPAA) helps protect the privacy and security of the patient information. This act is designed to protect patient information like social security number, medical ID numbers, drivers’ license numbers, home addresses phone numbers and other related information. This covers a whole array of companies that handle this data including IT companies, accounting firms, law firms, insurance firms and of course, hospitals.
Host DLP is vital for companies that handle this data. Violation of this compliance might lead to companies paying hefty fines. It is important that companies restrict the access of this information to employees who are working from home or outside the company’s purview. There are a comprehensive set of features that are needed to handle the host DLP requirements in this scenario.
While PCI has been around for quite some time now, most companies that comply with PCI still report data leaks. One primary reason for this is lack of comprehensive security to all the endpoints of the network.
Companies that adhere to PCI must make sure their employees do not misuse the customer's payment data. While companies enforce strong on-premise security, many companies simply do not enforce enough DLP solutions for their end employees. With the increase in card payments across the world, this has evolved into a global challenge.
Pre-met Global Compliance needs
Cloud4C is a compliance first company. Everything we do on a daily basis revolves around meeting security and compliance standards. We employ full-time Quality Management & Security Teams whose main responsibility is to ensure that our facilities are compliant with the many standards, certifications, and accreditations we adhere to and to ensure all our customer deployments are managed appropriately. Many compliance standards require different security and operational control sets, so we work with each of our clients to understand what’s needed to meet theirs specifically. Cloud4C’s managed compliance service includes continuous auditing, asset discovery and monitoring, reporting, and audit support.
By deploying Cloud4C HDLP solution, enterprises can rest assured that they instantly become compliant to all the global, regional and industry specific standards.
Productivity Monitoring with Cloud4C HDLP solutions
With work from home increasingly becoming the new norm, companies are concerned about employee productivity more than ever before. With work from home being the only option in certain scenarios, companies must brace for the impact of this on the employee productivity.
Cloud4C helps enterprises add a few tracking features to the HDLP solution and extend the functionality to achieve just that. With these features they can:
- Understand how many hours the laptop was in locked and unlocked state
- How productive the employee was during a given time period
- Know what time the employee logged in and logged out
- Know how much time was spent on a particular application
- Know how much time was spent on browser