Assuring data privacy has been a hot issue for years and the basic building blocks of a strong defense against cybercriminal data theft hasn't changed.
But how do we prevent these security breaches as they become increasingly more common? The five steps below were originally published by Neil Chesanow in an article for Medscape titled Why Your Patients' Data May Not Be Safe: 5 Steps to Protect.
Although written from a medical/healthcare point-of-view (I've substituted protected data for the original Electronic Health Records), the steps can be applied to help any business or organization think through some of the issues surrounding the protection of sensitive and confidential files and data. It applies to PCI (Payment Card Industry) data, Protected Health Information (PHI) and any type of Personally Identifiable Information (PII) your organization stores or processes.
A much overlooked attack vector for cybercriminals are the file transfer systems used to share data externally in the normal course of business. For banks it may be loan approval processing. For healthcare providers it is PHI data sent in the course of benefit eligibility determination and insurance claims processing. It could even be as simple as employee records.
Controlled access to protected data is of paramount importance. Access to sensitive files and data should only be granted to people that are required to use it as part of their job. Not every employee or external partner should have access to all company information.... And it’s easy enough to control and enforce access by applying simple rules and policies. Your file transfer system should integrate with internal authentication and directory servers to assure access control.
Collecting data transfer activities is key to assuring security and compliance with data protection regulations. The ability to see who accessed sensitive information, when and how many times they access it, whether they moved or sent it to another location or person, and if/how the transmission and file itself was secured and encrypted are important pieces of information from both an internal security policy as well as compliance perspective. You never want to find yourself with a request for an audit trail of a particular file or communication and not be able to provide it.
Encryption of data in transit should be obvious. It is way to easy for cybercriminals to intercept data traversing the public internet these days. Encryption makes the data worthless. But you should also be encrypting the data at rest in your file transfer servers and assuring that it is deleted.
Pay particular attention to your method of transfers. FTP servers are notoriously weak in security and provide an easy and valuable target for a cybercriminal. They provide a great command and control link to carry out their attack and transmit stolen data.
Kevin joined Ipswitch in 2015 and leads the company’s product and content marketing practices. He is widely recognized for his product marketing accomplishments in information technologies. He is a serial startup executive having played instrumental roles in the success of such companies as for Prelert, VKernel, Mazu Networks and Smarts, Inc. and has been instrumental to the success of these IT management technology companies. Kevin is also the co-host of the PICNIC Podcast live show (https://picnic-podcast.com/), sharing experiences and best practices, providing a voice of expertise, and educating IT professionals with the latest technology challenges.
Let our experts teach you how to use Sitefinity's best-in-class features to deliver compelling digital experiences.
Learn MoreSubscribe to get all the news, info and tutorials you need to build better business apps and sites