New Articles

How Can Organizations Ensure Data Security

The cyber-security scene is advancing at a fast pace and, concurrently, advances in technology are making it easier for cyber-criminals and hackers to take advantage of data security loopholes. The continuously growing scale of breaches and cyber-security attacks should be a major concern for all organizations. An example of such attacks is WannaCry, a massive malware attack that affected over 150 countries, including the UK, Germany, India, and Japan. Considering all the sensitive data that organizations store online, including financial documents and customers’ private details, it’s evident that one breach could have a huge negative impact on their businesses. Here are a few measures organizations can take to ensure data security.

1. Protect the IT Infrastructure

Organizations need a secure and established IT framework to build a solid foundation for a healthy data security plan. As such, they should keep an eye on every component, including devices and systems. They should ensure all the computers and smart devices are adequately protected against advanced cyber-attacks and malicious hacks.

The IT team must ensure all systems are updated with the most recent operating systems and reliable anti-virus solutions. They must also put a properly configured firewall in place to ward off external attacks and unauthorized access to the network. NordVPN can be a great data protection tool, especially when browsing the Internet. By encrypting data, this VPN establishes an additional layer of security that keeps your browsing activity, financial information, and emails invisible to hackers.

2. Perform Comprehensive and Regular Audits

Data security measures can never be complete without thorough and regular audits. A regular audit is a practical approach that enables businesses to identify vulnerabilities in the existing security plan. Auditing data collected after an attack gives an organization a clear understanding of the blunders that can result in similar breaches in the future.

This information can be instrumental in the creation of a more powerful data security strategy coupled with more reliable data security policies. So, businesses must perform comprehensive and regular audits to enhance compliance and get rid of potential risks.

3. Limit Data Access

Most companies give a few employees privileged access to their most valuable data. Consider who in the company has access to important customer information. Do you know everyone’s access rights? Knowing the details of every staff member who has privileged access to data, and their reasons for accessing it, can help you prevent data hacking, theft, and loss.

Organizations must limit data access. They should determine the kind of data that a staff member needs to access to carry out their work obligations effectively and make sure they have access to just what they require. In addition to safeguarding sensitive information from theft or loss, limiting access could ensure more efficient data management.

4. Remove Stale Information and Put Secure Backups in Place

Many companies in the healthcare, education, and finance sectors handle sensitive data as an important part of their businesses. Having the right data disposal strategies in place can prevent redundant data from being stashed away and lifted at a later date.

Regular data backup is a fundamental part of a complete IT security strategy. Organizations should have robust backups in place to ensure they still have access to their sensitive information even after accidental file removal or a full ransomware lockdown. They should store their backup data in a safe, remote location far from their main places of business.

5. Change Your Mindset

Many organizations don’t give data security the seriousness it deserves. They have poor passwords, unencrypted sensitive files, and misconfigured AWS servers. Due to this sloppy attitude, it’s estimated that more than 4 billion data records with valuable information were breached within the first six months of last year.

Companies must change their attitude. They must view data security as their top priority. Everyone in the company must understand the value of data security, not just the top executives. They should embrace security best practices such as authenticating the digital identities of all employees and customers as well as using up-to-date VPNs like NordVPN.

The Parting Note

With cyber-security threats increasing rapidly in today’s world, it has become important to be armed with the right security tools and privacy improvements that are required to protect the organization’s most valuable asset, that is, the data. Data security should be given utmost priority and all staff members trained accordingly.

Understanding Cyber Liability Insurance: Securing System Access to Secure Coverage

Organizations purchase cyber liability insurance as a way to mitigate the impact of data security incidents. However, as with any liability policy, cyber risk insurance incorporates a set of exclusions that allow insurance companies to deny coverage. While most policyholders and insurance professionals assume that external monitoring acts as the only way to ensure coverage and reduce the likelihood of costly coverage litigation, digital transformation has shifted the perimeter away from external controls such as firewalls towards a more focused approach on identity and access.

Understanding Cyber Insurance Exclusions

Everyone reads the Insuring Agreement, or the part of an insurance policy that provides coverage. Typically, this section lists out all of the events for which an organization can submit a claim. For example, many cyber insurance policies will cover unauthorized access to systems, networks, and software that leads to a data security event.

However, as in life, all promises come with conditions. In the insurance world, these conditions are called exclusions: the activities that allow an insurance company to deny coverage. Generally located at the end of a policy, these may seem logical. For example, in a cyber-risk policy, an insurer does not need to cover the loss if the policyholder failed to enforce reasonable security practices and systems maintenance procedures.

In other words, if a data security event is the result of failure to enforce best security practices, the insurance company can deny the claim.

Why Identity and Access Matter to Data Security

As evidenced by the recent Twitter breach, cybercriminals increasingly target users as a way to gain unauthorized access to privileged locations in an organization’s IT ecosystem. This tactic makes sense in many ways because privileged accounts traditionally have universal access to an organization’s most important services and data.

For example, to do their job, IT administrators need nearly unfettered access to an organization’s ecosystem. They need to create accounts and grant access to other users. However, that also makes them a high-risk user. They could conceivably create fake accounts and grant themselves privileged access then engage in malicious data theft or credential theft, moving around in the organization’s systems and networks without looking suspicious.

Similar to the Twitter breach, this type of activity is hard to recognize unless the organization is actively monitoring who has access, how they use their access, what they access, and why they need it.

Enforcing Identity and Access Controls as Data Security Best Practices

Data security best practices pose problems for organizations: no set definition exists, because cybercriminals continue to evolve their methodologies. With most organizations embracing remote workforces for the foreseeable future, on-premises security controls no longer provide the necessary protection. In order to secure data and protect privacy, companies should look to the Identity perimeter to limit access and monitor privileged access within their ecosystems.

Enable Zero Trust

Zero trust, aka “never trust, always verify,” is a cornerstone of enforcing identity. This is widely becoming not just best practice, but a table-stakes identity and access management strategy – especially for users with elevated privileges. In a business application landscape overrun by phishing and brute force attacks, there is little confidence in usernames and passwords being the primary driver for identity and access management. That’s not to say that usernames and passwords don’t have their seat at the table, but they can’t be sitting alone. Combining them with dynamic controls that evaluate the context of access to determine risk is critical. Trusting the same access privileges, no matter what the circumstances, will lead to security threats. IT leaders must assume that cybercrime can circumvent their perimeter identity controls and act accordingly.

Apply the Principle of Least Privilege (PoLP)

The first step to creating best Identity and Access Management (IAM) practices is to ensure all users have only the access they need to fulfill their job functions and nothing more. For example, someone in human resources (HR) might need access to an employee’s address, but that individual may not need all the banking information attached to the record if they are not in the payroll area.

Enabling PoLP Using Attribute-Based Access Controls

For legacy business applications, PoLP is a non-starter because access governance is dictated by static, role-based access controls (RBAC). For example, an HR manager needs a certain set of rights within the organization’s system. However, RBAC only limits access based on what the user does in the company (unless manually changed). With attribute-based access controls (ABAC), organizations can set additional contextual attributes such as geographical location, IP address, or time of day. This additional context allows the organization to limit access to high-risk resources on a more detailed level. With the explosion of remote work, ABAC provides a way to limit users’ access when the organization has determined that a location or time of day would be considered riskier. For example, someone using public WiFi is at a higher risk of a man-in-the-middle attack than someone using their home WiFi. If the organization sets trustworthy IP addresses, users cannot access sensitive information from public WiFi, reducing the attack surface.

Continuously Monitor Access

The same continuous monitoring mantra that exists at the network perimeter also holds true at the Identity perimeter. With user access monitoring, organizations can review the resources accessed to ensure they are appropriate to the users’ needs. Organizations need a way to detect suspicious access to sensitive information. For example, if an HR representative is accessing healthcare information at 2:00 AM, the organization needs to know whether that employee typically works late at night or whether this is an outlier signaling a potential data security incident. Without visibility into when and how users interact with data, organizations cannot prove that they enforced their access policies as a best practice.

Digital Transformation, Remote Work, and Securing Coverage

Digital transformation, accelerated by the rapid move to remote workforces, streamlines productivity but also increases risks. With more users connecting more devices from more places at less regular times, identity and access is an integral part of an organization’s data security.

Establishing and enforcing strict access policies is now more important than ever before. Malicious actors will continue to look for user accounts that act as back doors to organizations’ systems, networks, and software. In order to secure cyber liability coverage, companies need to be more actively engaged in monitoring access and mitigating potential threats arising from compromised accounts.

____________________________________________________________

Piyush Pandey, CEO at Appsian (www.appsian.com) is a technology executive with 19 years of global experience in strategy, sales, mergers & acquisitions, and operations within software companies. Over the last 10 years, he has worked with enterprise software companies including Oracle, Epicor, Concur, Citrix and Microsoft on various transactions. He has held various leadership positions at Procera, Deutsche Bank, Stifel, Wipro Technologies and a wireless startup.

Why the Keys to Maintaining Data Security in a Remote Environment are Control and Visibility

Remote workforces are nothing new to most organizations. According to Buffer’s 2019 State of Remote Work report, 44% of respondents noted that at least part of their team was “full-time remote,” and 31% said that everyone on the team works remotely. Further, at the time of the report, 30% of respondents said that their entire company worked remotely. However, the COVID-19 pandemic accelerated the work-from-home model. By March 31, 2020, the percent of users working remotely had increased 15 percentage points since the start of the COVID-19 outbreak. With that in mind, organizations are assessing how they can maintain granular levels of control and visibility when business data is being accessed remotely.

Adopting Contextual Controls to Protect Data

Most organizations already leverage role-based access controls. These controls, which align data access privileges and job function resources, provide a baseline for data governance. However, they often lead to excessive levels of data access and, in turn, produce additional risks. Contextual controls enable an organization to dynamically control access to data during varying contexts of access, often aligning to least privilege best practices. Migrations to cloud applications are largely due to contextual controls being a business requirement, simply because the interconnected applications required a more dynamic approach.

With the move to a remote workforce, organizations need to create more detailed and more dynamic access controls. With attribute-based access controls (ABAC), a company can incorporate additional context such as geolocation, time of day, and IP address to both ensure the appropriate user is accessing the resources and prevent users from having more access than they need. For example, if the organization knows that an employee should be working from Connecticut, ABAC can prevent access to resources if the user’s location is suddenly California – or a foreign country.
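The contextual checks described here and in the earlier PoLP and ABAC discussion (HR versus payroll fields, trusted IP addresses, expected location, time of day) can be sketched as a small policy evaluator. This is an added example, not code from the article or from any vendor product; the roles, field names, network range, regions and work-hours window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# All policy values below are constructed for illustration (assumptions).
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]   # e.g. a corporate VPN range
WORK_HOURS = (time(8, 0), time(18, 0))            # 8 AM to 6 PM, user-local time

# Static RBAC baseline: which record fields each role may read.
ROLE_FIELDS = {
    "hr": {"address", "phone"},
    "payroll": {"address", "phone", "bank_account"},
}
SENSITIVE_FIELDS = {"bank_account"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    record_field: str      # field of the employee record being read
    source_ip: str
    region: str            # region the request is geolocated to
    expected_region: str   # user attribute: where this user normally works
    when: datetime         # request time in the user's local time zone


def rbac_allows(req: AccessRequest) -> bool:
    """Role-only decision: context (where, when, from which network) is ignored."""
    return req.record_field in ROLE_FIELDS.get(req.role, set())


def abac_decide(req: AccessRequest):
    """Return (allowed, reasons). RBAC is the floor; context can only tighten it."""
    if not rbac_allows(req):
        return False, ["role lacks field"]
    reasons = []
    # Location attribute applies to every resource.
    if req.region != req.expected_region:
        reasons.append("unexpected location")
    # Network and time-of-day attributes gate only the high-risk fields.
    if req.record_field in SENSITIVE_FIELDS:
        src = ip_address(req.source_ip)
        if not any(src in net for net in TRUSTED_NETWORKS):
            reasons.append("untrusted network")
        if not (WORK_HOURS[0] <= req.when.time() < WORK_HOURS[1]):
            reasons.append("outside work hours")
    return (not reasons), reasons


def demo():
    """Evaluate constructed requests that differ from a baseline by one attribute."""
    base = dict(user="pat", role="payroll", record_field="bank_account",
                source_ip="10.20.5.7", region="CT", expected_region="CT",
                when=datetime(2020, 6, 15, 10, 0))
    cases = {
        "payroll, office network": {},
        "payroll, public wifi": {"source_ip": "198.51.100.23"},
        "payroll, wrong region": {"region": "CA"},
        "payroll, 2 AM": {"when": datetime(2020, 6, 15, 2, 0)},
        "hr, bank data": {"role": "hr"},
        "hr, address on public wifi": {"role": "hr", "record_field": "address",
                                       "source_ip": "198.51.100.23"},
    }
    return {name: abac_decide(AccessRequest(**{**base, **change}))
            for name, change in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name:28} {'ALLOW' if allowed else 'DENY':5} {', '.join(reasons)}")
```

Under RBAC alone, every payroll request above would be allowed; the contextual attributes are what separate the office request from the public-WiFi, out-of-region and 2 AM ones.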

Contextual controls provide both prevention of access policy violations and alignment between business requirements and security protocols. Because the organization can limit access according to the principle of least privilege, it reduces the risk of data leakage and financial fraud. Meanwhile, by creating more granular, data-centric access privileges, an organization can ensure that users get neither too much nor too little access – limiting the potential negative effects of restricting access excessively.

User Activity Monitoring for Security and Managing Productivity

Monitoring user access to resources and tracking how users interact with data provides an additional benefit for many organizations as their workforces move towards a remote model. Most organizations recognize the benefit of monitoring user access – but not just instances of logging in and logging out of applications. Understanding data access and usage is now a key requirement when maintaining visibility over business data. Organizations are turning to analytics platforms that include both granular access details and a visualization element (for example, SIEM). Data is only as useful as the insights it provides, and rapid aggregation and visualization of user access data is a crucial requirement for data security.

Using “Virtual” Work Hours

Looking at a common security use case, many organizations leverage “virtual” work hours to detect anomalies. For example, if an employee usually works between the hours of 8 AM and 6 PM, monitoring and alerting on activity around sensitive data at 3 AM can surface what may be unauthorized behavior. This uncharacteristic behavior may be an anomaly, but the organization needs to monitor the user activity more closely. If the user denies accessing the information at 3 AM, then the organization needs to focus its monitoring and have the employee change their password. If the organization detects additional unusual activity, then it may need to review the employee’s activities or investigate a potential data breach.
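The “virtual” work hours check above, combined with the earlier question of whether a 2:00 AM access is typical for that employee, can be expressed as a detector that compares each sensitive access against a per-user baseline. This is an added example, not taken from the article or any product; the log format, user names, resource names and the 5% threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

VIRTUAL_HOURS = range(8, 18)   # 08:00-17:59, the 8 AM to 6 PM window
MIN_SHARE = 0.05               # assumption: an hour is "typical" for a user if it
                               # holds at least 5% of that user's past accesses
SENSITIVE = {"health_records", "payroll_db"}

# Constructed history: alice works days, bob is on a night shift.
BASELINE_LOG = (
    [f"2020-06-{d:02d}T{h:02d}:15:00 alice hr_records"
     for d in range(1, 11) for h in (9, 11, 14, 16)]
    + [f"2020-06-{d:02d}T{h:02d}:40:00 bob health_records"
       for d in range(1, 11) for h in (1, 2, 3)]
)

# Constructed events to evaluate against that history.
NEW_EVENTS = [
    "2020-06-15T10:05:00 alice health_records",  # inside virtual hours
    "2020-06-15T03:02:00 alice health_records",  # off-hours, atypical for alice
    "2020-06-15T03:30:00 alice wiki",            # off-hours but not sensitive
    "2020-06-15T02:00:00 bob health_records",    # off-hours, typical for bob
    "2020-06-15T03:10:00 carol health_records",  # off-hours, no history at all
]


def parse(line):
    """Parse '<ISO timestamp> <user> <resource>' into (datetime, user, resource)."""
    ts, user, resource = line.split()
    return datetime.fromisoformat(ts), user, resource


def build_baseline(lines):
    """Count past accesses per user per hour of day."""
    hours = defaultdict(Counter)
    for line in lines:
        ts, user, _ = parse(line)
        hours[user][ts.hour] += 1
    return hours


def is_typical(baseline, user, hour):
    """True if this hour holds a meaningful share of the user's history."""
    counts = baseline.get(user)
    if not counts:
        return False            # unknown user: nothing to justify the access
    return counts[hour] / sum(counts.values()) >= MIN_SHARE


def flag_events(baseline, lines, sensitive=SENSITIVE):
    """Return (user, resource, timestamp) for sensitive off-hours outliers."""
    alerts = []
    for line in lines:
        ts, user, resource = parse(line)
        if resource not in sensitive:
            continue
        if ts.hour in VIRTUAL_HOURS:
            continue
        if is_typical(baseline, user, ts.hour):
            continue            # e.g. an employee who normally works nights
        alerts.append((user, resource, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in flag_events(build_baseline(BASELINE_LOG), NEW_EVENTS):
        print("REVIEW:", *alert)
```

An alert here is a prompt for the follow-up the text describes (confirm with the user, reset the password, watch for further activity), not proof of compromise.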

Monitoring User Productivity

From a workforce management perspective, organizations can leverage these insights to review employee productivity. Two use cases present themselves. First, many organizations have contracts that stipulate late payments incur a late fee. If the organization knows that employees should be processing payments ten days prior to the payment date, then they can leverage these reports to ensure that employees meet their timelines, even from a remote location. Additionally, by tracking resource usage data, organizations can monitor whether workforce members are appropriately prioritizing their workdays. If the employees are only accessing a business application at the end of the month, then they are likely waiting until the last minute to input payment information. Preventing these potential revenue losses or rush projects in other areas by speaking with the employee enables the organization to stay on top of its financials.

Enabling Visibility for Business Applications Has Never Been More Critical

Creating trust within and across distributed workforces ensures productivity. However, continued status update meetings across multiple time zones decrease workforce member efficiency. Organizations already monitor user access to their systems, networks, and applications. As part of a robust security posture, organizations should apply protections at the new perimeter – user identity. Rather than micromanaging employees via emails or chats, managers can gain valuable insight into how users are accessing resources and prioritizing work schedules by reviewing data and resource usage.

In an unprecedented time, companies need to find ways to enable their levels of control and visibility over business data. Whether a business application is on-premise or in the cloud, enhancing these solutions should be a mission-critical objective.

Risks against an organization are prevalent in a remote environment, whether those risks are security-related or employee-related by fraud, theft, and error. The keys to maintaining data security ultimately lie in your ability to provide oversight for your data, and the time to act is now.

_______________________________________________________________

Piyush Pandey, CEO at Appsian (www.appsian.com) is a technology executive with 18 years of global experience in strategy, sales, mergers & acquisitions, and operations within software companies. Over the last 10 years, he has worked with enterprise software companies including Oracle, Epicor, Concur, Citrix and Microsoft on various transactions. He has held various leadership positions at Procera, Deutsche Bank, Stifel, Wipro Technologies and a wireless startup.

Digital Collaboration: Get ahead, fast.

Recently at a conference for freight forwarders everyone jointly agreed: if you’re the fastest to quote, you win the customer. What astonished me was what I heard in a conversation afterwards! “We are working in shifts now, 16 hours per day, to make sure we can quote fast and win new deals,” said one of the present forwarders. I was surprised that putting in more hours to send emails back and forth is a better solution for shipping companies than digitizing collaboration and automating tasks. The banking system solved this issue years ago with the introduction of the SWIFT system: a standardized banking system that enables companies which had never worked with each other before to transfer money on a global scale at no risk. 

In shipping, we’re still way behind the curve. The newly formed Digital Container Shipping Association has taken the first timid steps to promote data standards in shipping because they believe in close collaboration between the different stakeholders. The underlying rationale for this collaboration is typically 2-fold: (a) Margins are still depressed due to overcapacity and (b) customers demand more and more streamlined services. Although costs for technology are consistently decreasing, our industry is generally considered to have been slow to adopt digital approaches. Of course, companies collaborate across company borders, mostly through emails and networks; but isn’t it extremely inefficient and unscalable, especially in times where this could be automated to be done within seconds instead of days? 

What holds SMEs back from digital collaboration? 

We have noticed that especially small and medium-sized companies are either stuck in their traditional mindset or simply don’t know how to start with digital collaboration. Why is that so and how do companies overcome this conundrum? 

Companies are afraid to share their data 

People have to overcome their traditional industry mindset first, as a highly competitive attitude makes collaboration with competitors exceedingly difficult. Most companies don’t want to share their data because they think it’s their secret and crucial for their business – but most “data” is non-sensitive. Consider container movements, position updates, forecasts and contact information of local agents. Of course, crucial information about, e.g., my commercial terms with my vendors should not be openly shared! However, sharing operational data means exchanging information that you can leverage to improve service offerings and internal processes and ultimately create quotations in less time.

Even if companies are willing to collaborate, they don’t know how to get started 

Lack of existing data standards, limited capacity or scary data security questions – the list of potential challenges of data sharing is long (as for every new project!) and only a limited number of people in logistics have “been there, done that”. 

However, in the end, it comes down to what you want to achieve/solve in the first place: How do you get your customers to love working with you? How do you create quotations in less time to win more business? We suggest defining your most important targets and metrics first, and reverse engineering a good solution from there.

Now: How can you get started? 

To get started with data sharing, finding out what you want in the first place is only the beginning of a long journey. To make it a little bit easier for you, try to answer the questions below for your own business (take a screenshot or copy into a word doc): 

- What are my main pain points?
- What is particularly crucial for my customers?
- What data describes the problem the best?
- How well is my data organized?
- What data is non-sensitive?
- What additional data do I need?
- Who has it? How can I get that data?
- Who (of my partners) would need my data to become better?
- Does it make sense to work with them?
- What integrations and/or technology would that require?

There is no one-size-fits-all solution, as you can see! It’s about you and your specific business model. Only after you’re able to answer these questions can you think about the next steps: design use-cases/MVPs (Minimum Viable Products), and test setups and data integrations.

With missing IT capabilities or resources, building integrations can oftentimes be hard because you need to manage numerous data standards and interfaces. In most cases, a 3rd party technology provider can help you as a connector in the industry. Such technology companies can not only translate different data formats into one language, but they also anonymize data to increase trust and reduce perceived risks for you: You still own your data and it is 100% up to you what part of your data you want to share to reach a certain goal. Moreover, working with 3rd party technology providers has another advantage for you: they help you develop a proof of concept at low costs! 

Of course, it requires a certain level of commitment, but working with a connector lets you test with a well-defined problem and a limited group of stakeholders to develop a workable solution. For freight forwarders, it could be the integration with a selected list of carriers to enable instant online quotes/ bookings for their customers. For equipment managers it could be integrating their equipment management system with a tracking provider to automatically receive container status updates such as pickups, drop-offs, delay warnings and ETAs. 

Once the proof of concept has been demonstrated, the collaboration could then be expanded by bringing in additional stakeholders or addressing related problems with similar approaches. Being able to create quotations faster is only one challenge – several other topics including internal organization, equipment management or communication with external stakeholders can also be targeted with an open mindset and the courage to test new things. We encourage you to start right now! 

________________________________________________________

Christian Roeloffs is the founder and CEO of Container xChange – an online platform that creates transparency on supply and demand in container logistics. More than 300 container users and owners such as Seaco and Kuehne+Nagel use the neutral online platform to find SOC containers in 2500 locations and identify partners to avoid empty container repositioning. 

10 Things to Look for in an IaaS Tool

Nearly 30 years after the emergence of its widespread use, the internet has evolved from a novel in-office communication tool to a sprawling information network that businesses can’t live without. We are practically swimming in data. Luckily, cloud computing – a technology service that offloads files to external servers located around the country – has stepped in to help ease the burden of terabytes of sensitive company data.

A new form of data management tech has also recently emerged onto the scene: Cloud Infrastructure as a Service, or IaaS. Compared to traditional cloud computing services, IaaS takes care of the nitty-gritty details normally located in your own office infrastructure, such as servers, software, data centers and security. To put things into perspective, traditional cloud computing is like having a big storage drive somewhere else in the country, while IaaS is the storage drive and your workplace’s nervous system safely stored miles away – but directly networked with your office nonetheless. This frees up your business to devote its resources to the tasks that matter while another company takes care of the heavy lifting.

Several major players have quickly taken up the IaaS mantle – namely, Microsoft Azure, Amazon Web Services and Google Cloud Platform. Choosing the right cloud IaaS for your business isn’t a clear-cut task. Once you’ve wrapped your head around how IaaS works, your brain will likely be swirling with a maelstrom of other questions: How can I guarantee that I’m getting the most storage out of what I’m paying? Should I invest in an IaaS provider that controls most of my data’s storage? How much do I want to customize my network?

These 10 tips will cover the key points to consider when choosing the cloud IaaS for you:

Public and Private Platforms

IaaS companies typically offer two different platforms for your business: public and private. Each offers its own distinct advantages for different types of businesses.

Public platforms give you and your team the opportunity to quickly access IT resources. This ease-of-use allows you to make changes to your work environment on the fly. Public platforms also come pre-configured, meaning that businesses with less IT experience or with teams that are already stretched thin might do better with this option.

Private platforms grant your business maximum security within your data center. These servers are also typically faster since they operate on a closed circuit. Moreover, private platforms allow you to customize your network and security features to a greater degree than public platforms. IT-savvy businesses can use a private IaaS platform for greater control over their data management.

Customization

Depending on how comfortable you are with IT, you’ll want your IaaS platform to have at least some degree of customizability. Your business might require multiple channels through which to exchange data, for example, or it might require the IaaS to act as a test server for a new website.

Other examples of customization features include website layout templates, user interface storage and the ability to upload your own HTML and CSS files, like those included with Microsoft Azure. The apps and operating systems that different IaaS platforms offer should play a role in determining how well they will serve your business.

User Friendliness

Above all, the IaaS you choose should be easy to understand for you, the end user, especially since third-party apps will take care of the hardest IT work for you. Responsive customer support is another factor to consider, as are transparent documentation and neatly organized client-side interfaces.

Relativity

Cloud computing may be a marvel of information management, but, for the time being, our networks are still bound to the physical limits of cable. Ensure that the IaaS you choose operates with an extensive infrastructure or at least manages servers located close to your business. This will ensure that you can easily and quickly transfer data to and from your IaaS servers.

Usage Charges

Ensuring that an IaaS will lower costs for your business is key. Though the prospect of placing your workplace’s vitals in the care of a trusted IaaS is attractive, keep in mind that each company offers different pricing models. An IaaS platform might require you to pay by the hour, week or month based on the number of gigabytes you use. Some charge only by data upload (hot storage), while others charge for data you aren’t currently using (cold storage). Still, others will charge you for each service you use. Be prepared to see many different entries for different services on your first IaaS bill.

Also consider scalability, or the IaaS’ ability to adapt to your changing data requirements, when deliberating on a company’s pricing model. Microsoft Azure, for example, forgoes an upfront charge for a pay-as-you-go model. Businesses that project rapid growth may wish to consider this pricing model.

Support

Even the best IaaS will pose problems at one point or another. Glitches, misaligned services or any number of issues may prevent you from fully managing your data. When researching IaaS providers, be sure that the services you choose offer friendly and responsive chat or call centers so that you can resolve issues quickly. Ask about what support is available as you get started with an IaaS and how you can resolve issues once you’ve started upscaling your use of the service.

Server Infrastructure

Similar to the relativity issue, an IaaS provider with many servers will also increase its computing power for quick data access. Make sure that the IaaS you choose can handle your data requirements. Also, keep in mind that you aren’t the only company using your IaaS’ servers – an even larger company than yours could require massive amounts of data use at any time, causing bottlenecks and slowdown for the entire service.

Data Security

At the end of the day, your IaaS of choice should be able to securely store your data. Remember that an IaaS server is your data center and your workplace’s nervous system; you wouldn’t hang either out in the open. Not only should it ensure that prying eyes can’t peek into your cloud-stored documents, but your IaaS should also have the capability to reliably back up your data in case of an outage. Microsoft Azure, for example, will migrate your virtual machine’s data to another physical machine if it detects a Microsoft software update or a malfunction in its original hardware through a service called Live Migration.

Service Levels 

Get to know your IaaS provider. Consider arranging to meet with a representative in person and aim to establish a strong rapport between your business and theirs. Doing so will allow you to familiarize yourself with the provider, determine their trustworthiness and receive more thorough support due to your established relationship.

Manageability

Every organization operates in its own unique way, but some require more niche infrastructures than others. Make sure that the IaaS you choose will be able to easily integrate with your workplace and that it addresses all of your unique needs. If you would like to tailor the IaaS to your specifications, ensure that the provider offers a great degree of flexibility. If not, ensure that the provider is willing to help you with every step of the integration process.

Choosing the Right IaaS For You

Once you’ve decided on an IaaS that you’d like to explore, the next step is finalizing your choice and integrating it with your workplace. With nearly 40 years of expertise in the computing industry, Ingram Micro is prepared to answer your questions and help you transition your business to cloud IaaS. For inquiries, please contact a representative at 800-705-7057 or uscloud@ingrammicro.com. To place an order or learn more, please visit our cloud marketplace here.

About the author

Jason has held sales, pre-sales engineering, business development, and sales leadership positions for resellers, professional services organizations, and distributors over the last 20+ years. Jason earned an undergraduate degree in International Finance and an MBA in pursuit of his educational goals. He has also earned many technical certifications including a Cisco Certified Network Associate (CCNA), Cisco Certified Network Design Professional (CCDP), Cisco Certified Network Professional (CCNP), and Citrix Certified Administrator (CCA) in addition to numerous sales and licensing focused certifications. In his current role, Jason is focused on developing sales enablement strategies designed to help channel sales professionals promote the adoption of Azure by focusing on the positive business outcomes unlocked by cloud computing.