One key step:
Stick with trusted IT vendors to implement encryption
Feb 27, 2017 | By Ed McCarthy
How safe is your data?
It’s a question that financial services regulators are asking advisors more
frequently, and it’s not just a compliance issue. If your clients’ data files
are breached, they could become identity theft victims, as could your
employees if their personnel records are hacked. A significant data theft can
damage your business’s reputation, as well.
An effective cybersecurity program requires constant diligence. Two steps
you should consider are encrypting your data, and managing user permissions
more actively. These actions can help improve your cybersecurity quickly and
inexpensively.
Cracking the code?
Many financial services firms use a hybrid data storage model in which data
are stored both in the cloud and on-site, depending on the application and the
data. Even with the growing shift to cloud-based storage and software as a
service (SaaS), however, it’s likely that some sensitive data still resides
locally in your office network. These records could include clients’ health
records, financial information or Social Security numbers, and you may be
storing employees’ personnel records locally as well. There is also other
confidential information about your business: financial and tax information,
client lists, correspondence and marketing plans, for instance.
Local data are at risk from internal sources — think disgruntled employee
who wants to start his own firm — and external sources who are trying to
penetrate your network. Encrypting your local data adds a layer of protection,
says Ryan Castle, executive vice president with Trace Security in Baton Rouge,
Louisiana. “Even if they are able to steal the data, they aren’t going to be
able to read it unless they can decrypt it.”
The mathematics behind encryption technology is complex, but the result is
straightforward. Encryption uses an algorithm and a secret key to scramble
(encrypt) data so they look like random characters. Unscrambling (decrypting)
the data requires the corresponding key; without it, unauthorized persons
can’t recover the underlying files. The protection therefore rests on keeping
the key out of reach, not on keeping the method secret, so how keys are stored
and who is allowed to use them matters as much as the encryption itself.
Encryption strategies
You can take multiple approaches to encryption. At the hard disk level
(full-disk encryption), the user must enter a password or key at start-up to
unlock the drive before the computer can use it. This method protects the
disk’s data if the drive or laptop is stolen while powered off, says Castle,
and he typically recommends it for organizations with laptops or other
take-home devices. David Damiani, CFA, chief financial officer with wealth
managers Balentine LLC in Atlanta, Georgia, says that his firm generally
avoids storing data locally. As a safeguard, though, the firm’s laptops use
BitLocker, the disk encryption built into the Pro and Enterprise editions of
Microsoft Windows 10.
Another protective measure is to additionally encrypt specific files
(file-level encryption; both it and disk encryption are forms of encryption at
rest), says Castle. This provides two layers of
protection: Users must first decrypt the hard disk when logging in and then
provide the file-specific password or key to open the file. “If you left your
computer on and unlocked and someone walked into your office and said, ‘I want
to open up this file that has customer information,’ it would prompt them for a
password or some way to have to decrypt it,” Castle explains. “Or if someone
was to hack your system and get remote access and the hard disk was unlocked,
they still couldn’t read that specific file.”
Running through the complicated mathematics to provide encryption does
decrease a computer’s performance, but the impact usually isn’t significant
with today’s processors, Castle notes; most current CPUs include dedicated AES
instructions that do the bulk of the work in hardware. Once an encrypted
laptop drive is unlocked, it functions as an unencrypted drive: every program
and user on the running machine reads it freely. That is the trade-off to keep
in mind, since disk encryption protects a powered-off device, not a system an
attacker reaches while it is running and unlocked.
Don’t get permissive
A second good practice is to actively track user permissions on your network.
This involves deciding which staff members should have access to which files,
and then monitoring and reviewing their usage. Castle recommends adopting the
principle of least privilege: when a user needs access to data or some other
elevated privilege, ask what the minimum level of privilege is that lets them
do the task, and for how long they will need it.
Castle cites the example of a network administrator or other IT staff member
who requires permissions to modify routers, firewalls or other networking equipment.
But that person probably doesn’t need the ability to install software on a
user’s workstation or access details in the human resources database, for
instance. Applying that approach to each staff member’s access permissions for
local and cloud-based data can help block attempts — both internal and external
— to steal sensitive data.
This approach integrates well with encryption. Even if an unauthorized user
gains access to sensitive data files at the system level, if the files are
encrypted, that access will be worthless unless the user also has the
decryption key. For example, network administrators may need the ability to
move files around the system, but they don’t need to decrypt those files.
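As an added example (not code from the article, Trace Security or Balentine), the following Go program shows the property described in the "Cracking the code?" section and in the paragraph above in working form: a record sealed with AES-256-GCM under a key derived from a passphrase can be copied, moved or backed up by anyone, but only the key holder gets the plaintext back, and a wrong key or a tampered file is rejected outright rather than yielding garbage. The sample record, passphrases and salt are constructed; the SHA-256 key derivation is a stand-in that keeps the example dependency-free, and a real tool would use a slow KDF such as PBKDF2, scrypt or Argon2 and store the salt beside the file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sampleRecord is a constructed stand-in for a client file (not real data).
var sampleRecord = []byte("client=J. Doe;ssn=000-00-0000;balance=125000.00")

// keyFromPassphrase turns a passphrase and salt into a 32-byte AES-256 key.
// Assumption for the example: a single SHA-256 pass. A production tool uses a
// slow KDF (PBKDF2, scrypt, Argon2) so that guessing passphrases is expensive.
func keyFromPassphrase(passphrase, salt []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write(passphrase)
	return h.Sum(nil)
}

// Encrypt seals plaintext with AES-256-GCM. The result is nonce||ciphertext||tag,
// so the file carries everything needed to decrypt it except the key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice it is given.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. Because GCM authenticates, it returns an error
// (not garbage) when the key is wrong or the sealed bytes were modified.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Demo walks through the scenario from the text and reports whether every
// step behaved: the sealed bytes reveal nothing, the right key recovers the
// record, a wrong key fails, and a single flipped bit is detected.
func Demo() bool {
	salt := []byte("example-salt-value") // constructed; store beside the file in practice
	good := keyFromPassphrase([]byte("correct horse battery staple"), salt)
	wrong := keyFromPassphrase([]byte("password123"), salt)

	sealed, err := Encrypt(good, sampleRecord)
	if err != nil {
		return false
	}
	// Whoever copies or moves the file sees only the sealed bytes.
	if bytes.Contains(sealed, []byte("J. Doe")) {
		return false
	}
	got, err := Decrypt(good, sealed)
	if err != nil || !bytes.Equal(got, sampleRecord) {
		return false
	}
	if _, err := Decrypt(wrong, sealed); err == nil {
		return false
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the authentication tag
	if _, err := Decrypt(good, tampered); err == nil {
		return false
	}
	return true
}

func main() {
	fmt.Println("all checks passed:", Demo())
}
```

What the example deliberately leaves out is the case the text warns about: a process running inside the user's own unlocked session already holds the key, and file encryption does nothing against it. That is where the permission controls in the next section take over.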
One school of thought on integrating encryption and permissions is to limit
privileged users’ access to only encrypted data. That tactic isn’t intended as
a judgement on the user’s integrity — it’s a recognition that hackers regularly
target privileged accounts because they are the golden ticket for undetected
network access. Should an unauthorized user gain access to a privileged user’s
account, an encrypted-file-only access policy can mitigate the breach damage.
The second part of permissions management is to regularly monitor and audit
user accounts to determine who is accessing privileged accounts and how they
are using them. If
an employee changes jobs within the organization, does she still need the same
level of permissions or can it be scaled back? Firms should regularly “conduct
these audits of these privileged accounts to make sure that not only are they
only providing the least amount of privilege necessary, but that they’re
actually assigned to people who actually have a need for that access,” says
Castle.
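One way to script the review described here, as an added example that is not the article's or any firm's own tooling: the Go program below takes an export of accounts (user, current role, group memberships, last use of each privileged group) and checks it against a role-to-group policy. It reports the two things Castle asks for, privilege beyond what the person's role needs and privileged access that nobody is actually exercising. The accounts, roles, groups, the policy and the 90-day staleness window are all constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Account is one row of an access export: who the login belongs to, the job
// role they hold today, the groups they are in, and the last time each
// privileged group was actually exercised. All values are constructed.
type Account struct {
	User     string
	Role     string
	Groups   []string
	LastUsed map[string]time.Time // privileged group -> last use
}

// rolePolicy is the assumed policy: the groups each role is entitled to.
var rolePolicy = map[string][]string{
	"advisor":  {"crm-users", "client-files-read"},
	"netadmin": {"network-admins", "vpn-users"},
	"hr":       {"hr-database", "crm-users"},
}

// privilegedGroups are the memberships that get the closest review (assumed).
var privilegedGroups = map[string]bool{
	"network-admins": true,
	"hr-database":    true,
	"domain-admins":  true,
}

// Finding is one line of the audit report.
type Finding struct {
	User, Group, Reason string
}

// Review applies two checks to every account. First, each group must be one
// the account's current role is entitled to; this catches privileges carried
// over from a previous job. Second, a privileged group not exercised within
// staleDays is flagged, because an unused privilege is pure attack surface.
func Review(accounts []Account, now time.Time, staleDays int) []Finding {
	var out []Finding
	for _, a := range accounts {
		allowed := map[string]bool{}
		for _, g := range rolePolicy[a.Role] {
			allowed[g] = true
		}
		for _, g := range a.Groups {
			if !allowed[g] {
				out = append(out, Finding{a.User, g, "not permitted for role " + a.Role})
				continue
			}
			if privilegedGroups[g] {
				last, seen := a.LastUsed[g]
				if !seen || now.Sub(last) > time.Duration(staleDays)*24*time.Hour {
					out = append(out, Finding{a.User, g, fmt.Sprintf("privileged group unused for over %d days", staleDays)})
				}
			}
		}
	}
	// Deterministic order so one audit's report diffs cleanly against the next.
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].Group < out[j].Group
	})
	return out
}

// auditDate is a fixed "today" so the sample output is reproducible.
var auditDate = time.Date(2017, 2, 27, 0, 0, 0, 0, time.UTC)

// sampleAccounts is a constructed export: bob moved from netadmin to advisor
// but kept network-admins; carol's hr-database access has sat idle for four months.
func sampleAccounts() []Account {
	days := func(n int) time.Time { return auditDate.AddDate(0, 0, -n) }
	return []Account{
		{User: "alice", Role: "advisor", Groups: []string{"crm-users", "client-files-read"}},
		{User: "bob", Role: "advisor", Groups: []string{"crm-users", "client-files-read", "network-admins"},
			LastUsed: map[string]time.Time{"network-admins": days(2)}},
		{User: "carol", Role: "hr", Groups: []string{"hr-database", "crm-users"},
			LastUsed: map[string]time.Time{"hr-database": days(120)}},
		{User: "dave", Role: "netadmin", Groups: []string{"network-admins", "vpn-users"},
			LastUsed: map[string]time.Time{"network-admins": days(3)}},
	}
}

func main() {
	for _, f := range Review(sampleAccounts(), auditDate, 90) {
		fmt.Printf("%-6s %-16s %s\n", f.User, f.Group, f.Reason)
	}
}
```

Feeding it a real directory export is a matter of filling the Account slice from whatever your identity system produces; the point is that the role policy is written down and the review is repeatable, rather than a one-off read through group membership screens.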
Balentine LLC implements the least privilege approach through
compartmentalization, says
Damiani. Employees’ network access is limited to what they need and the firm
uses software to monitor usage. If an employee downloads an amount of data
significantly greater than her normal volume, for instance, management receives
an automated alert.
If an employee “has been here three years and has never once downloaded more than six
megabytes of data in a given day to do her work, (and) all of a sudden there’s
17 gigs going out overnight, we’re going to be alerted… there’s an outlier,”
Damiani explains.
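The outlier alert Damiani describes, as an added example that is not Balentine's monitoring software: the Go program below reads a constructed daily-transfer log, builds a per-user baseline from each user's largest normal day, and flags a day that exceeds that baseline by more than a chosen factor. The log lines, user names, byte counts and the factor of 10 are assumptions. The per-user baseline is the part worth copying: a heavy but routine user must not mask a light user's spike.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleLog is a constructed daily outbound-transfer summary, one line per
// user per day in the form "YYYY-MM-DD user bytes". It is not real data. The
// 2017-02-27 line for jsmith is the outlier from the text: a user whose days
// never passed a few megabytes suddenly moves 17 GB.
const sampleLog = `2017-02-20 jsmith 4200000
2017-02-21 jsmith 5100000
2017-02-22 jsmith 3900000
2017-02-23 jsmith 6000000
2017-02-24 jsmith 4800000
2017-02-20 tlee 900000000
2017-02-21 tlee 1100000000
2017-02-22 tlee 950000000
2017-02-23 tlee 1200000000
2017-02-24 tlee 1000000000
2017-02-27 jsmith 17000000000
2017-02-27 tlee 1300000000`

// Alert is one flagged user-day.
type Alert struct {
	Date, User      string
	Bytes, Baseline int64
}

// Detect builds a per-user baseline (the largest single day before the day
// under review) and alerts when that day's total exceeds baseline*factor.
// The baseline is per user on purpose: tlee's routine 1.3 GB is normal for
// tlee, and pooling everyone's history would hide jsmith's spike behind it.
func Detect(data, reviewDate string, factor float64) ([]Alert, error) {
	baseline := map[string]int64{}
	today := map[string]int64{}
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue // tolerate blank or malformed lines
		}
		n, err := strconv.ParseInt(f[2], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad byte count in %q: %w", sc.Text(), err)
		}
		date, user := f[0], f[1]
		switch {
		case date < reviewDate: // ISO dates compare correctly as strings
			if n > baseline[user] {
				baseline[user] = n
			}
		case date == reviewDate:
			today[user] += n
		}
	}
	var alerts []Alert
	for user, n := range today {
		b := baseline[user]
		// No history at all means no basis for trust: alert on any traffic.
		if b == 0 || float64(n) > factor*float64(b) {
			alerts = append(alerts, Alert{reviewDate, user, n, b})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts, nil
}

func main() {
	alerts, err := Detect(sampleLog, "2017-02-27", 10)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s %s moved %d bytes, previous daily max %d\n", a.Date, a.User, a.Bytes, a.Baseline)
	}
}
```

A maximum-over-history baseline is deliberately forgiving so that ordinary busy days don't page anyone; a user who slowly ramps up their daily volume over weeks would slip under it, which is why the review of privileges above and this volume check belong together rather than either one alone.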
Doing it right
Castle shares two other suggestions for better encryption and privileged
account management.
The first is to ensure that all users, and especially privileged accounts,
maintain strong passwords and change them regularly. He also cautions against
do-it-yourself encryption programs, maintaining that it is “really hard to do
right.” Stick with trusted IT vendors to implement encryption, he suggests,
otherwise its use can convey a false sense of security.
Source: http://www.lifehealthpro.com/2017/02/27/how-to-protect-your-client-and-business-data?eNL=58b41416150ba0e67c8f9d29&utm_source=LHPro_NewsFlash&utm_medium=EMC-Email_editorial&utm_campaign=02272017&page_all=1