• The Severity of Cyber security Threats

    by Veriato | May 09, 2018

    Across every major news outlet, the topics of cyber security threats and data privacy are impossible to miss. From multinational companies being relieved of millions of credit card numbers, to foreign hacking, to the selling of user data via social media, digital security is clearly more important than ever. Threats are being realized by vulnerable organizations large and small. The fallout of these breaches has also been widespread and includes everything from lasting negative impact on stock prices to loss of customers and even complete loss of consumer trust. The threat of outside hacking is high, but organizations would be remiss not to make efforts to detect cyber security threats from insiders as well.

    Carelessness, negligence, or compromised credentials from inside an organization make up more than half of security threats when compared to malicious intent. In fact, the most common culprit, by far, of data breaches is accidental exposure by employees. Cyber security threat experts note that what’s known as “phishing” has become the largest vulnerability when it comes to an organization's digital security. Phishing attacks trick employees into sharing sensitive company information and can lead to catastrophic damages.

    Fallout, detection & prevention

    But how does one detect a cyber security threat from an insider exactly? It’s not an easy process — in fact, simply relying on human detection and intervention is archaic in today’s digital world. It’s far too easy for an employee to move information from an organization’s network to USB drives, cloud storage, or their own personal devices. It’s also possible that an employee simply forgot to log out, or logged into an unsecured network, or took any of a multitude of other seemingly innocuous actions that could bring an entire organization to its knees.

    In recent cases, organizations that have knowingly failed to take preventative action against cyber security threats have found themselves in severe legal troubles, leading to a multitude of damages both financial and of reputation.

    Luckily there are tools available to assist in the detection, some smart enough to preemptively identify higher threat risks before they become a problem. When searching, make sure to look for a security tool that offers actionable intelligence into the activities and behaviors of users. As more and more information finds itself in a digital format, it's imperative to find the right software to detect and prevent insider threats.

  • Best practices for securing your data when terminating an employee

    by Veriato | May 02, 2018

    When and where to start

    Best practices for securing your data when terminating an employee actually start with the initial onboarding process. Every established organization looking to scale should consult legal counsel after first having drafted an employee handbook. Once created, every employee should be provided an employee handbook outlining the acceptable use policy related to any and all corporate IT resources. It is also imperative (and often overlooked) to have the employee handbook updated periodically as technology and employee responsibilities advance.

    Establishing and tracking risk within each department is also a key factor in setting up best practices for data & intellectual property (IP) security within the context of employee conduct in our digital world — this framework also proves itself useful if and when it comes time for terminating an employee. Each position within the company should have an assigned insider threat risk level, with a sufficient amount of activity monitoring within reason. Certain job categories require more active review than others, and it’s up to the organization to determine its own best practices for data & IP security based on information sensitivity.

    What to watch out for

    While the act of securing your data when terminating an employee may seem fairly straightforward, challenges do exist. For example, some companies still operate with an Employment At Will policy. Essentially, Employment At Will refers to the employee’s right to terminate his or her own employment relationship with the organization at any time and for any reason that he or she sees fit. This also means, however, that the organization has the right to terminate the employment of any employee at any time for any lawful reason. The employment relationship between the organization and its employees is At Will (the exception being employment covered by a contract). Regardless of the reasons for departure, employers often find themselves with limited time to thoroughly secure valuable data and intellectual property.

    Whether an employee resigns, or employment is terminated for cause, Human Resources should be notified and a thorough exit interview should be conducted as soon as possible. Share feedback with employees to ensure you are on the same page so the employee will not be surprised. An organization does not want the employee feeling that they have been discriminated against or terminated without valid reason — this could lead to retaliatory actions by the employee and could potentially put your IP at risk.

    Emotional awareness during the exit interview process is key. Be mindful of cues that could signal larger issues within the company. An employee openly discussing their unhappiness with management or company policies can indicate a potential insider threat. Many employees have a sense of entitlement to company IP they helped to create, and recent surveys show as much as 42% of employees have taken an employer’s corporate information when switching jobs — proving just how important securing your data when terminating an employee truly is.

    Keeping your house in order

    It’s easier than ever for employees to move IP from a network to USB drives, cloud storage, or their own personal devices. Be exceedingly clear that employees are expected to return and destroy any copies of the organization’s intellectual property they may still have. Regardless of what gave rise to the employee’s departure, activity monitoring is a vital component of securing your data when terminating an employee to ensure the safeguarding of corporate intellectual property.


    Deployment of activity monitoring allows an organization to review digital goings-on for as long as necessary. If an employee tenders a resignation, deploying an active and intelligent monitoring tool allows for the collecting and archiving of digital activity. These tools can also help to analyze that activity. Additionally, consideration should be given to monitoring those associated with the departing employee for a period of time, recording their activity for potential insider threats.

    In the event that legal proceedings are necessary, properly recorded, organized, and cataloged digital evidence can help an attorney build a strong case. More than three quarters of cases that contain comprehensive digital evidence are settled faster and with far better results.

  • Employee Monitoring Ethics | Ethically Monitoring Employees

    by Larry Thompson - President, Veriato | Apr 19, 2018

    All employers want to create a workplace where employees feel safe, valued, and trusted. We know that work satisfaction breeds life satisfaction, and generates more productivity and engagement among employees.

    As leaders, we naturally question the ethicality of any system involving data and privacy, because we want to make sure our workforce feels protected and trusted. When it comes to employee monitoring, the practice can sound much more sinister than it actually is.

    Ethical vs. Legal

    First of all, ethicality is different than legality. Each state and country has different monitoring and privacy laws and regulations, which need to be observed. Talk with your legal team about considerations to keep in mind when it comes to instituting an information security policy.

    Right vs. Responsibility

    Organizations have a right to protect their data – and a right to use appropriate measures to do so. Beyond that, organizations have a responsibility to their employees, shareholders, and customers to keep that information secure. A secure system means employee information, customer records and data, and proprietary information are all safeguarded from threats. Additionally, this security protects an organization’s reputation and bottom line. To effectively provide a sufficient level of security, some level of employee monitoring is necessary in this digital day and age.

    Employee Monitoring Best Practices

    Monitoring employees should be done with clear parameters and accountability to maximize privacy. We suggest the following best practices for employee monitoring:

    • Transparency: Tell your employees they’re being monitored. Make it clear that what happens on corporate assets, including devices and networks, is subject to monitoring.
    • Keep it professional: Only monitor corporate data. Don’t monitor personal material such as social media or online banking access.
    • Minimize exposure: Don’t make data collected from monitoring widely available. Restrict that access to only those who need to review it.
    • Monitor broadly: Don’t single any person out. Monitor your whole employee base to make sure you cover all possible threats and avoid any discrimination or favoritism.
    • Use behavioral analytics: Behavioral analytics software takes human subjectivity out of the monitoring. It monitors and collects data and determines if there is a potential threat. If so, the technology alerts the security personnel that a review of information may be necessary. With this protocol, people are in contact with that data as little as possible, and only when it’s necessary for security reasons, which maximizes privacy.

    Employee monitoring is an effective way to protect your organization’s important data, which is a huge benefit to your employees. By following these suggested best practices, your organization can experience greater information security, ethically.

  • The Benefits of Starting A User Activity Monitoring System

    by Veriato | Apr 18, 2018

    Benefits of User Activity Monitoring

    If you’re on the fence about starting a user activity monitoring system across devices or networks, you’re probably wondering if it’s worth the investment, or if you should just be more trusting of your employees. After all, you don’t want them to feel like they’re being micro-managed or taint their opinion of management.

    The truth is, effective employee monitoring, or user activity monitoring (UAM), improves productivity and network security, provides an understanding of user behavior, allows for accurate billing, and brings issues to light.

    Make workers more productive

    Deploying UAM software can boost employee performance. Just knowing they are being monitored can positively affect your employees’ online activity. Maybe they’re not intentionally wasting time on non-work-related internet searches, and just being aware that someone can see their activity will make them think twice about their browsing activity.

    Additionally, it allows leadership to get an accurate picture of processes and make suggestions for improvement. UAM provides concrete data on user activity, rather than subjective opinion, to help with effective decision-making.

    Mitigate insider threats

    A strong firewall and secure network can keep hackers out – but what if they’re already in? UAM can help you detect insider threats to your sensitive data. The average organization experiences 4 insider leaks each year, costing $16.3 million annually – which is 12 times more than the cost of external attacks.

    With so much interaction (people, devices, systems) with sensitive data, your users are a huge liability. Though 87 percent of insider leaks are unintentional, such as clicking on a malware link or attaching the wrong file, the threat remains. User activity monitoring allows organizations to catch dangerous activity before a leak, or at least in time to minimize the damage.

    Establish a behavior baseline

    Nobody is completely productive 100% of the time at work. People take breaks, and most have some non-work matters to deal with occasionally during the workday. User activity monitoring lets employers establish a baseline of user behavior so they know what is reasonable to expect when it comes to their employees’ internet usage.

    With a baseline, leaders can approach those who are abusing internet usage and work to find a fix. On an individual basis, if a certain user’s behavior changes drastically, this could be a warning sign and UAM software can alert IT to investigate further.

    Plus, understanding what your employees do online helps you better understand them. You can communicate expectations, and even partner with HR to make sure benefits packages are in line with things that are important to workers.

    Accurate billing

    If you know conclusively where your employees’ time is being spent, you can bill your clients with improved accuracy. If a client questions the invoice, organizations will have data from a UAM system to support the bill. This ensures both parties are getting fair treatment – your organization isn’t accidentally under-billing, and the client is confident the charge is valid. It also protects your reputation and your bottom line.

    Spotlight issues

    Our research shows that user activity monitoring software can reveal serious problems within your organization. 20% of users surveyed said the UAM software they deployed revealed sexual harassment issues among employees, and 5% said drug abuse issues were brought to light. In these situations, monitoring actually protects employees, because an organization can quickly address the dangerous issues. Some issues may never surface to HR, but with user activity monitoring, the problems can be quickly resolved.

    Additionally, 11% of surveyed organizations said user activity monitoring made them aware of underutilized software. Knowledge like this can lead to a change in employee education to focus on program basics, or can lead to adjustments in software spending to help the bottom line.

    Boost your business

    With so much freedom network access brings and so much sensitive data at stake, employee monitoring is becoming a necessity for the modern business. You can protect your assets, improve your business, and understand your employees better by investing in user activity monitoring software.

  • GDPR Mandates Immediate Data Breach Reporting

    by Veriato | Apr 12, 2018

    GDPR Article 33: 72 Hours Is Not a Lot of Time

    According to the EU General Data Protection Regulation (GDPR) which goes into full effect May 2018, “...as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours…”. Failure to do so may result in severe financial penalty — not to mention potential damage to reputation. GDPR mandates that notification must be given when a breach is likely to “result in a risk for the rights and freedoms of individuals”. This means immediate data breach reporting to the proper authorities for any chance of a personal data breach within the allotted 72-hour time frame.

    Prepared for Immediate Data Breach Reporting?

    These new regulations apply to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. Time is of the essence when it comes to reporting any misuse or breach of personal data security.

    With the ever increasing speed of technology, it’s more important than ever to properly and swiftly identify and mitigate the risk of any data breach. Organisations must become adept in identifying the potential risk of a breach, detecting the actual breaches, and defining the nature of the breach, as well as providing activity detail should a breach occur. Discover how the right technology can help with breach detection, potential breach activity, as well as provide the activity detail your organization needs to stay GDPR compliant.

  • General Data Protection Regulation Compliance Objectives

    by Veriato | Apr 09, 2018

    May 25th 2018 is coming fast. Do you have the audit detail necessary to meet General Data Protection Regulation compliance objectives?

    The EU General Data Protection Regulation (GDPR) is the most significant regulation regarding data privacy in over 20 years. Starting May 2018, the new GDPR will be fully in effect and General Data Protection Regulation compliance will be strictly enforced for the good of all EU citizens. At its core, General Data Protection Regulation compliance is simply about protecting the personal data of EU citizens that it is necessary and appropriate to collect.

    Currently, EU privacy laws apply to organizations located within the EU; with the GDPR, they will now also apply to organizations located outside the EU. This is possibly the largest and most radical change when compared to the previous privacy regulations. All rules concerning General Data Protection Regulation compliance will now extend to organisations offering goods or services to, or monitoring the behaviour of, EU data subjects – meaning that the regulation applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Additionally, non-EU businesses processing the data of EU citizens may have to appoint a representative in the EU.

    Under the new GDPR rules, organisations in breach of General Data Protection Regulation compliance can be fined up to 4% of annual global turnover or €20 million (whichever is greater). It is important to note that these rules apply not only to controllers but to processors as well. This means that 'clouds' or cloud-based organisations are not exempt from GDPR rules or enforcement. Each Member State will have the same effective powers, including powers of investigation, corrective powers and sanctions, as well as advisory powers, particularly in cases involving complaints from citizens, and under Member State law, will also have the power to bring any and all GDPR infringements to the attention of the judicial authorities and engage in legal proceedings.

    How to Generate General Data Protection Regulation Compliance

    The right monitoring software should easily keep organizations of all sizes compliant with GDPR rules and obligations. It’s important to ensure safeguards are in place, demonstrate in real time that access to data is appropriate, and provide context should a breach occur.

    Learn more about the new changes and the best technology to ensure General Data Protection Regulation compliance.

  • The Growth of AI and Employee Monitoring In the Workplace

    by Mike Tierney | Apr 03, 2018

    Recently the Economist published two articles that discussed the increasing use of AI and employee monitoring in the workplace.

    Veriato is pleased that we were referenced in both of these articles. We feel they did a good job of presenting a balanced view of the benefits both AI and employee monitoring offer, as well as the potential downsides if they are not implemented and used wisely.

    In the case of AI, there is a great deal of hype at present, which can lead some to give in to the temptation to rush a deployment. Organizations should be very clear about their goals for any technology and be deliberate in ensuring that they are aligning its power to those goals.

    In the article published on 28 March, the author gives some great examples of how employing AI can enhance organizational capabilities in areas of hiring, productivity, worker safety, and management (yes, even management is getting AI’ed – it isn’t just the proverbial little guy).

    A key takeaway from all this is to remember that we are dealing with people. Humans have bad days, make mistakes, and sometimes complain. But, without a doubt, it is people that make great organizations great. We must keep the human element involved in interpreting data produced by AI, and in determining how to act on it.

    In the case of employee monitoring software, a more established technology, organizations should be transparent with their people about what data is being collected or generated and how it is used. Its benefits include increased productivity through improved investigations and the prevention of both insider and external theft of company assets. Here again, the goal should dictate how the technology is utilized.

    Transparency does not mean employers need to disclose exact methods. But going beyond the letter of the law and communicating intention is simply a best practice. Once again, we are talking about people.

    We should not seek to replace human decision making when it comes to employment offers, worker assessments, investigations, and the like. We can and should seek to present additional sources of information to enable better human decision making. In the same article referenced above, the author correctly points to Veriato as a firm that can capture, report, and alert on all activity occurring on an employee’s computer. We have been providing benefits to organizations through this capability for 20 years, in more than 100 countries around the world. And we consistently work to ensure our tools provide mechanisms to protect privacy, despite the seeming continuity our customers experience. The author suggests that as voice-enabled speakers become more commonplace, employee monitoring could extend to listen in on conversations occurring in the workplace. It is possible that some company may try and go down that path. Veriato won’t. And I believe that any organization that does move in this direction is in for some deservedly uncomfortable legal discussions.


  • Internet of Things security practices for your business

    by Patrick Knight | Mar 22, 2018

    Wearables, smart speakers, remote security systems, connected cars, inventory trackers, smart headphones: these are just a handful of the connected devices in modern workplaces. The Internet of Things (IoT), or internet-enabled devices that collect and act upon data, is becoming more popular with ever-increasing applications. Far beyond a smart coffee pot that automatically gets the brew going to start the workday, the Internet of Things is changing business security and vulnerability in a big way.

    So, what’s the problem?

    IoT improves productivity, enables employees to work more effectively from home… and causes serious security concerns. Gartner projects there will be 20.4 billion IoT devices in use by 2020. With so many connected devices, the network attack surface is much larger and harder to secure.

    Smart devices are designed to connect immediately, and were built with ease of use, not security, as the priority. When employees utilize smart devices via company networks or connect devices storing company data to other networks, that information is at risk. There’s not much regulation demanding security of IoT devices, and companies have a hard time establishing their own protocols fast enough to keep up with the adoption of connected tech.

    What can I do about it?

    First, you need to prioritize the establishment of some device security guidelines. If employees haven’t cleared all their devices they use for work with IT, start there. Then, determine which security measures you will require, and help your employees set them up across all devices. Make sure your employees know who owns the data on their tech. Set up standards for downloading and storing information. For example, you may want to restrict access to sensitive information by preventing offline access or only allowing access while connected to the secure corporate network.

    You also need to restrict permissions by user and by device. Determine who should be able to access which information and who should be able to manipulate it – and from which devices. Then set up network parameters accordingly.

    With so many access points across so many devices and networks, relying on your human capital to implement security measures is just not sufficient. As IoT expands, the need for security software increases. Investing in a security program(s) to monitor user activity and devices vastly improves a company’s cybersecurity. Businesses can rely on such software to enforce company network regulations, detect suspicious activity, and discover IT weak spots. Doing so will allow businesses to take full advantage of the possibilities that come with IoT without compromising data security.

  • 5 employee cyber security training questions you need to ask

    by Patrick Knight | Mar 15, 2018

    Chances are your organization already addresses cyber security to some extent in new employee onboarding. Whether that’s traditional training videos on cyber security that employees watch on their own time, presentations by IT, or brochures, most employees know that their companies have cyber security protocol and best practices. But how many of your employees actually know what the protocol and practices are?

    In 2016, the average cost of a data breach was $3.62 million. And according to a study by the Ponemon Institute, careless workers are the leading cause of data breaches in small and medium-sized businesses. If you want to improve your business’s cyber security, it’s time to get serious about employee education and cyber security training. You can start by asking these questions about your employees’ training:

    1. Is your information relevant?
      Everyone should be familiar with the basics of cyber security, but not all employees need a complete cyber security education. HR professionals, for example, generally have access to sensitive data such as social security numbers and bank numbers, so they will need special training on how to safely handle that information. But to a new marketing team member who can’t even access those SSNs – that security training wouldn’t be applicable. Tailoring your cyber security education to specific jobs will help your employees stay engaged throughout the training – and hopefully remember and implement what was covered.
    2. Is your information understandable?
      The cyber security world is chock-full of jargon. To the average employee the words “Ransomware,” “DDoS,” “patch” and “worm” just don’t have any context when it comes to their job. Not only will they not understand you if you launch into cyber-speak, they might feel unintelligent, and just tune you out. Speak their language, not yours. A Forbes article also suggests keeping your cyber security training short; try a few quick 10-minute sessions instead of an hour-long training. If you break the training up, it will be easier to digest and remember.
    3. Have you told them WHAT TO DO with this information?
      The basics of cyber security are great, but make sure you are sharing how to implement the security measures. Do you want employees to go change their passwords? Tell them some good rules of thumb for creating strong ones. Do you want everyone to update software? Tell them about auto-updates and show them how they can set it up. Giving employees action items turns cyber security from an abstract idea into a goal they can work to achieve.
    4. Do your employees understand why it’s important?
      You know how costly security breaches can be. You know the consequences of employee negligence. So tell your employees. If they see how simple steps to improve their security can impact business operations, they’re more likely to take those steps. All of us are more likely to do something if we understand why we are supposed to be doing it. It won’t bring about 100% compliance, but it will help your employees to know you aren’t making demands just to make their lives more complicated – you’re asking for help in making a real difference in the business.
    5. Have you covered the basics?
      Everybody could use a refresher on the fundamental rules of cyber security. Even if a few employees do roll their eyes, chances are some of them have been using the same password for years – so they really should be hearing it again. In an interview with Fortune, the CEO of the Computing Technology Industry Association said, “Behavior changes really only happen through repetition, follow-up, and emphasis. It takes a long time to instill new habits.”

    If we want to mitigate our employees’ risk, then we need to get serious about how we educate them about information security. If we honestly evaluate our cyber security training methods, we could probably all make some improvements. And that could make a real difference.

  • Why Zero Trust Is Not As Bad As It Sounds

    by Patrick Knight | Mar 01, 2018

    What is Zero Trust?

    “Zero Trust” refers to a network security strategy that calls for all users – internal and external – to be authenticated before gaining access to the network. Zero Trust means organizations never implicitly trust anyone with their sensitive data. Instead of using a blanket network perimeter, Zero Trust networks implement a series of micro-perimeters around data so only users with clearance to access certain data points can get to them.

    It essentially makes sure that users are given the least amount of access possible to still achieve what they need and are supposed to. Zero Trust also means logging all traffic, internal and external, to look for suspicious activity and weak points.

    Why are companies adopting Zero Trust?

    Security breaches are getting more common and more expensive – despite increased security budgets. Zero Trust is more than a software platform; it’s an attitude about users and data. Rather than trusting internal network users and focusing on external hackers, organizations are wising up to the reality of malicious insiders and the need to play it safe by protecting information from all users.

    Security strategies are becoming an important part of the business conversation, and new measures and attitudes are being introduced. In an interview with CSO, Chase Cunningham from the firm who coined the term “Zero Trust,” says that many companies are undergoing a digital transformation. As you move to the cloud, “there’s where you start your Zero Trust journey.”

    Zero Trust isn’t as harsh as it sounds

    The Zero Trust strategy isn’t saying, “no user is safe, ever.” Obviously companies can’t function with that mindset. Rather, it means that when it comes to sensitive data, people should have to prove they are authorized to see it before they’re granted access.

    60% of network attacks are by insiders – three-quarters of which are done with malicious intent. If the majority of network attacks are done by people who are traditionally trusted network users, why not start putting some restrictions on their access? That’s all Zero Trust says to do. It prioritizes privacy by making sure sensitive data is only accessed on a need-to-know basis.
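    The points this post makes about Zero Trust (authenticate everyone, micro-perimeters around each data set, least privilege, log all traffic) can be shown side by side with the blanket-perimeter model it replaces. The following is an added, constructed illustration, not Veriato's product or code from the original post; the users, resources and grants are hypothetical.

```python
"""Constructed Zero Trust access gateway next to a blanket-perimeter check.
Illustration only; not any vendor's product."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool   # did the caller present valid credentials?
    network: str          # "internal" or "external"; Zero Trust ignores this
    resource: str         # the data set being asked for
    action: str           # "read" or "write"


def perimeter_model_authorize(req: Request) -> bool:
    """The blanket-perimeter model the post contrasts with: anyone who is
    already inside the network is trusted, so an insider is never checked."""
    return req.network == "internal"


@dataclass
class ZeroTrustGateway:
    # One micro-perimeter per resource: resource -> {user: actions granted}.
    # Anything not listed here is denied (least privilege, deny by default).
    grants: Dict[str, Dict[str, Set[str]]]
    # Every request, internal or external, allowed or denied, is recorded.
    audit: List[Tuple[str, str, str, str, str]] = field(default_factory=list)

    def _decide(self, req: Request) -> Tuple[bool, str]:
        if not req.authenticated:
            return False, "unauthenticated"        # no identity, no access
        perimeter = self.grants.get(req.resource)
        if perimeter is None:
            return False, "unknown-resource"       # no perimeter defined
        if req.action not in perimeter.get(req.user, set()):
            return False, "no-grant"               # not on need-to-know list
        return True, ""

    def authorize(self, req: Request) -> bool:
        allowed, reason = self._decide(req)
        self.audit.append((req.user, req.network, req.resource, req.action,
                           "ALLOW" if allowed else "DENY:" + reason))
        return allowed

    def denied_requests(self) -> List[Tuple[str, str, str, str, str]]:
        """Audit entries worth a second look; the post's 'log all traffic'."""
        return [entry for entry in self.audit if entry[4] != "ALLOW"]


def demo() -> Tuple[List[Tuple[bool, bool]], ZeroTrustGateway]:
    """Run constructed requests through both models.
    Returns (perimeter_decision, zero_trust_decision) per request."""
    gw = ZeroTrustGateway(grants={
        "hr_records": {"alice": {"read", "write"}},
        "source_code": {"bob": {"read"}},
    })
    requests = [
        Request("alice", True, "internal", "hr_records", "read"),    # legit
        Request("bob", True, "internal", "hr_records", "read"),      # insider
        Request("bob", True, "external", "source_code", "read"),     # remote
        Request("bob", True, "internal", "source_code", "write"),    # overreach
        Request("mallory", False, "internal", "hr_records", "read"), # no creds
    ]
    return [(perimeter_model_authorize(r), gw.authorize(r)) for r in requests], gw


if __name__ == "__main__":
    decisions, gateway = demo()
    for d in decisions:
        print("perimeter:", d[0], " zero-trust:", d[1])
    for entry in gateway.denied_requests():
        print("audit:", entry)
```

    The second, fourth and fifth requests show the gap the post describes: the perimeter model waves through anyone on the internal network, while the Zero Trust gateway denies them and leaves an audit entry for each.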

  • 4 reasons why cyber security deserves a larger chunk of your hospital organization’s budget

    by Veriato | Feb 22, 2018

    In the medical community, the patient is paramount. There are countless methods employed to treat people and protect their health. But when it comes to their patients’ safety, most hospitals need a higher dosage of cyber security.

    Currently, health organizations are allocating less than half of what other industries budget for Information Security. This is no longer sufficient for a field with such high-value assets, and many factors play into the need for increased cyber security in the medical arena.

    1. Evolving healthcare technologies: Just in the last decade, health records have gone from mostly paper to totally electronic – and the digitization is continuing. Now employees access patient data via mobile devices and remote networks. Data sharing and cloud storage are necessities. Additionally, many medical devices themselves are now internet-enabled and some providers are embracing wearable tech for patients. Precision medicine, an emerging approach that customizes treatment based on patient-specific factors, also relies on the Internet of Things, and generates more sensitive data. As digital treatments, methods, and devices become more widespread, the opportunities for cyber attacks also increase. The AHA suggests that organizations put a scalable security plan in place now that can grow and adapt with the changing landscape.
    2. Increase in threats: With more online data, come more cyber threats. In 2015, around 100 million health care records were stolen. In 2016, organizations experienced on average one cyber attack per month. The value of EHRs has increased on the black market, enticing more cyber criminals. Organized crime rings target information systems to steal and sell specific information (social security numbers, billing info) or entire EHRs. Political groups and hacktivists seek to expose high-profile patient data to embarrass or discredit their enemies. Nation-state attackers try to seize groups of EHRs for mass exploitation of people. Even your own employees are security risks – from malicious insiders to those uneducated about cyber security best practices. The threats to patient data are diverse, dangerous, and escalating.
    3. Costly consequences: The Ponemon Institute reports that the average cost of a data breach for healthcare organizations is estimated to be more than $2.2 million. In another study, 37% of respondents reported a DDoS (distributed denial of service) attack that disrupted operations about every four months, totaling an average of $1.32 million in damage per year. In addition to huge monetary penalties, data breaches hurt organizations’ reputations, which can have ripple effects in business. Intellectual property such as research findings and clinical trial information can also be stolen and sold, negating years of work and monetary investment.
    4. Physical risk: A medical facility exists to help people heal. Even though cyber attacks are online, they can cause physical damage. In a Ponemon Institute study, 46% of respondents said their organization experienced an APT network attack that caused a need to halt services. This shutdown can seriously impact the treatment of patients. Additionally, attacks using ransomware are on the rise, in which hackers make a network inaccessible until the organization pays a ransom, usually in Bitcoin to make it untraceable. In the meantime, health care records can’t be accessed, meaning treatment may be delayed – resulting in health consequences or even death (and lawsuits). In this day and age, protecting patients means protecting your network. As Theresa Meadows, CIO of Cook Children’s Hospital, said in an interview for NPR: "The last thing anybody wants to happen in their organization is have all their heart monitors disabled or all of their IV pumps that provide medication to a patient disabled."

    Hospital organizations always put the patient first. An important – and undervalued – way to do that is to give cyber security the priority it deserves.

  • 3 ways cyber security is changing business operations

    by Veriato | Feb 15, 2018

    Businesses understand the importance of cyber security, and most are taking steps to ramp up their protection game. In fact, the International Data Corporation has projected worldwide spend on cyber security software, hardware, and services will reach $101.6 billion by 2020. That’s a 38% increase from the $73.7 billion spent in 2016.

    But cyber security is changing more than just budgets in the business world. Here are three ways companies are changing their business operations and models to improve cyber security.

    1. IT is taking a more prominent place in the core business. Gone are the days of a basement IT crowd whose main job was to tell you to try turning your computer off and back on again. With cyber security’s heightened priority, IT is taking a more prominent place in the core business. Hacks can stop business operations, harm corporate image, and of course, cost millions of dollars – proving cyber security is far more than an IT problem.

      IT departments are starting to align security spending with business objectives, proving that security isn’t a cost; it’s an investment. Savvy business leaders rope their tech team into operational planning, using the department as a business partnership to achieve goals. If a business is serious about succeeding, they’re getting serious about cyber security.
    2. Regulations are rising. The first compliance date for the New York Department of Financial Services’ cyber security regulation was last August. This legislation was the first of its kind in the nation, requiring financial institutions to report attempted data breaches, hire a CISO to handle employee cyber security, and require their third-party providers to improve security as well. Though not as extensive as the New York regulation, 42 states introduced 240+ cyber security bills or resolutions in 2017, according to the National Conference of State Legislatures.

      On a global scale, China and Singapore have similar regulations, and the EU adopted extensive regulation with the GDPR in 2016. Many of these bills impact not just native businesses, but companies who do business in that country. With the increase in regulation, businesses need to change structures, communications, and policies to stay compliant. Companies need to invest in a robust legal team that can handle managing the upcoming regulations that will affect their operations.
    3. Subscription software is the new norm. By 2020, more than 80% of software will be sold via subscription, rather than the traditional model of licenses and maintenance, according to Information Week. This drive makes sense from a bottom line perspective, but also from a cyber security perspective. The longer the same software is in use, the more time hackers have to expose and exploit its vulnerabilities. With a subscription model, the software is always current, making it more secure. 

      Thanks to the cost-saving benefits of subscription software, businesses can use the extra budget room to implement more cyber security measures or invest in new data protection services. IT is embracing the subscription software model, and it’s having rippling effects across the entire business.

    As cyber security becomes more of a concern, businesses are changing to prioritize it. Spending is adjusted, objectives are aligned, and services are adapted to keep businesses secure, and therefore more successful.

  • Technical safeguards for HIPAA at the administrative level.

    by Veriato | Jan 25, 2018

    This is the 3rd post in a 3-part series on HIPAA data security. Here we discuss ways Veriato can help organizations reduce the cost associated with HIPAA compliance reporting while increasing data security.

    Requirement 164.308

    Administrative Safeguards

    Veriato acts as a core part of your implementation and maintenance of security measures and administrative safeguards to protect patient data, specifically around monitoring and reviewing the conduct of your workforce in relation to the protection of patient data.

    Below are some examples of how Veriato can assist in addressing some of HIPAA’s Administrative Safeguards:

    • Risk Analysis (Required) § 164.308(a)(1)(ii)(A) – Veriato’s visibility into how users access, interact with, and use patient data can be utilized to assess the confidentiality, integrity, and availability of patient data, regardless of application used.
    • Information System Activity Review (Required) § 164.308(a)(1)(ii)(D) – By providing per-user activity detail and reporting, Veriato supplies the most comprehensive and contextual activity review possible, showing when patient data is accessed, as well as the actions performed before and after the access in question.
    • Log-in Monitoring (Addressable) § 164.308(a)(5)(ii)(C) – Veriato facilitates the monitoring of and reporting on log-ins which can be used to identify suspect activity.
    • Response and Reporting (Required) § 164.308(a)(6)(ii) – In cases where the suspected or known security incident involves a user’s application-based interaction with patient data, Veriato provides the activity detail necessary to document the security incident and outcome in almost.

    Requirement 164.312

    Technical Safeguards

    Veriato’s advanced user activity monitoring and behavior analysis technology can be leveraged to define advanced policies and procedures designed to ensure patient data remains protected, giving you HIPAA technical safeguards at the highest level.

    Below are some examples of how Veriato can assist in addressing some of HIPAA’s Technical Safeguards:

    • Audit Controls (Required) § 164.312(b) – Veriato not only empowers security teams to record and examine user activity within systems containing protected patient data, but also within any other application, providing unmatched visibility into actions taken around patient data access.
    • Mechanism to Authenticate Electronic Protected Health Information (Addressable) § 164.312(c)(2) – Because Veriato records and can playback all user activity involving protected patient data, it provides the ability to demonstrate that patient data has not been altered or destroyed in an unauthorized manner.

    Requirement 164.414

    Administrative Requirements & Burden of Proof

    In an organization’s time of need, when demonstrating either HIPAA compliance – or the lack thereof – is necessary, the determining factor will ultimately be the answer to the question “Was patient data improperly used?”. This will require an ability to review the exact actions taken by one or more users, both within and outside of an EHR application.

    Below are some examples of how Veriato can assist in addressing this HIPAA requirement:

    • Administrative Requirements § 164.414(a) – Veriato’s ability to record, playback, and report on detailed user activity can help demonstrate compliance with the Safeguards portion of the Administrative Requirements § 164.530(c).
    • Burden of Proof § 164.414(b) – In the event of a suspected breach, Veriato uniquely facilitates the playback of specific user activity to either demonstrate the lack of a breach, or to help define the scope of one.

    Requirement 160.308

    Compliance Reviews

    Whether as part of a suspected violation or other circumstances, compliance reviews of administrative provisions around appropriate access to, and usage of, patient data can be simplified by demonstrating enforcement of policies and procedures through Veriato’s activity reports and activity playback.

  • Security concerns and solutions for staying HIPAA compliant

    by Veriato | Jan 23, 2018

    HIPAA Security Challenges for Key Stakeholders

    While HIPAA itself isn’t broken out into separate objectives for each stakeholder in the organization, stakeholders each have different needs around the goal of adhering to HIPAA:

    • CEO – Needs a proactive approach leveraging people, processes, and technology that ensures adherence to HIPAA requirements around safeguarding patient data.
    • CFO – Can’t afford the cost of a breach in compliance. Would rather spend budget on preventative measures, than on responding to a breach.
    • CCO – Wants a plan in place of how to easily and quickly demonstrate
    • CSO – Desires for patient data to remain secure, and a way to know patient data isn’t being misused.
    • IT Manager – Needs to provide a means of visibility into exactly how patient data is used, regardless of application.

    What’s needed is a technology that cost-effectively addresses HIPAA security challenges and requirements directly by monitoring the access to patient data, aligning with established policy and processes, providing visibility into how patient data is used or misused, and providing context around either demonstrating compliance or determining the scope of a breach.

    How Veriato Helps Address HIPAA Security Challenges

    Veriato helps organizations of all kinds satisfy their HIPAA obligations by offering technical solutions through detailed, contextual, rich logging of all user activity – both inside an EHR as well as any other application – combined with robust screen recording and playback. This level of visibility into user interaction with patient data provides comprehensive evidence for compliance audits. Activity data is searchable, making it easy for an auditor, security teams, or IT to find suspect actions, with the ability to play back activity to see before, during, and after the activity in question. Reports can be produced in minutes – typically a fraction of the time otherwise needed – and don’t require pulling critical resources from other tasks.

    Veriato assists in meeting a number of specific requirements, leveraging its deep visibility into user activity to provide context around access to patient data, showing what was accessed and what was done with the data. 

    In our next blog post, the last of a three-part series, we will walk through a few of these requirements and illustrate how Veriato helps further address some of the HIPAA security challenges faced today.

  • Expert advice on HIPAA data security

    by Veriato | Jan 18, 2018

    The biggest challenge in ensuring HIPAA data security is people.

    At its core, HIPAA compliance is simply about maintaining patient privacy by ensuring the appropriate access to and use of patient data by your users. Electronic Health Record (EHR) solutions provide detail around when patient data is accessed, but without visibility into what users do with sensitive patient data after they access it, the risk of data breaches, compliance violations, and the investigations, fines, and reputational damage that come with them is significantly increased.

    Organizations seeking to meet HIPAA requirements for data security and technical compliance are expected to demonstrate proper use of patient data through appropriate administrative and technical safeguards. While most organizations focus their efforts on implementing safeguards that revolve around an EHR system already designed to be HIPAA compliant, today’s computing environments make it quick, easy, and convenient to repurpose accessed patient data in an unauthorized fashion. Webmail, cloud-based storage, USB storage, web-based collaboration tools, and even printing are just some of the ways users can improperly save, steal, and share patient data – making the watching of activity only within an EHR a shortsighted strategy, if the goal is to truly be able to demonstrate compliance.

    The penalties for a HIPAA data security breach are severe – ranging from hundreds of dollars per record, up to $1.5 million, depending on the tier of the infraction. Avoiding these penalties depends solely on an organization’s ability to ensure proper controls concerning HIPAA technical compliance are in place, and that access to patient data is properly secured.

    (Figure: HIPAA Tier)

    So, what’s needed is a means to have complete visibility into every action performed by a user with access to patient data – every application used, webpage visited, record copied, file saved, printscreen generated, and page printed. Only then will a covered entity truly know whether patient data has been appropriately accessed and used.

    But, compliance to HIPAA isn’t just a technical battle; it’s one filled with policies and procedures that, in conjunction with technology, ensure users are trained, access to patient data is correctly granted, use is appropriate, and compliance can be demonstrated.

    In the following 2 blog posts, we will discuss challenges to key stakeholders and ways that Veriato can help address HIPAA data security and technical compliance challenges.

  • Defense Against Enemies, Foreign and Domestic

    by Patrick Knight | Nov 09, 2017

    “I, _, do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same…”

    This is a portion of an oath I took many years ago when joining the United States Army and afterwards in government service. Its origins point to Article VI of the US Constitution, and it is codified in Article 5, US Code 3331 as an oath of federal service.

    Although I left government service nearly twenty years ago, I had never given the entirety of the wording of this oath much thought. It is easy for most people to visualize defending against foreign enemies. It is against external known and unknown threats where we devote most defense assets in nearly all aspects of life.

    The inclusion of defense against domestic threats in this oath points to our Civil War and the desire to keep intact something that is fragile and worth defending against internal attempts to break our union apart – to protect against insurrection or destruction from within.

    The service I gave willingly undeniably led to my career fighting against cyber threats. In fact, I have spent my entire adult career in a security profession in one manner or another and continue to do so to this day.

    This weekend our country will celebrate our veterans who served mainly to defend against foreign enemies but who stood ready and swore also to protect against domestic threats as well. It is my sincerest desire that we must defend against neither but that we are prepared to defend against both.

    I want to thank our veterans and those currently serving their country. In an uncertain and dangerous world, that service is something to be proud of and very much needed.

  • Malware Evading Some Antivirus Using Invalid Certificates?

    by Patrick Knight | Nov 03, 2017

    Many antivirus and endpoint security technologies fight a two-front battle. On the one hand, they must block malware threats from executing on the system. On the other hand, they need to avoid falsely detecting legitimate software so they don’t cripple the system or their users’ abilities to use valid software.

    One technique antivirus scanners may use to avoid blocking legitimate software is to trust files that are digitally signed by certificates that the security software trusts. For example, most executable files distributed as part of a Windows installation by Microsoft would be digitally signed by a Microsoft certificate. As new versions of software are released through updates or patches, the antivirus scanner might check the signature and skip the file, preventing false positives, as long as the file is validly signed by the trusted certificate.

    A study by University of Maryland Computer Science students, “Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI” observed that many unsigned ransomware files that were detected by major antivirus products were no longer detected once invalid digital certificates were appended to the files. The authors believe that “this is due to the fact that AVs take digital signatures into account when filter and prioritize the list of files to scan(sic)…”

    This may be correct. It implies that the antivirus scanner isn’t verifying the validity of the certificate on the file and is trusting the file merely because a certificate is present in it. The authors don’t state whether the resulting ransomware evasion was verified to be due to digital certificate trust in the PKI model.

    Another possibility is that certain malware detections are specific to exact file hashes (e.g. MD5, SHA256) and thus a modification to the file in the slightest bit – such as appending an invalid X.509 digital certificate to the file – alters the file’s hash and thus will also potentially break the detection.

    Either way, this does highlight an antivirus evasion technique. Files whose digital certificate is invalid, for whatever reason, are still allowed to run on a Windows system, and in most cases the user would be unaware. The one major exception would be native system drivers, which operate in kernel space and are required to have a valid and trusted digital certificate in order to execute.

    I altered a tool of my own (not malware) by copying a digital certificate from another valid file and setting the fields in the file header to recognize that certificate structure. A certificate validation check of the file resulted as invalid (TRUST_E_BAD_DIGEST) but the tool still executed with no errors.

    Had this been a detected piece of malware, it is possible that the malware would still execute but no longer be detected, unless the antivirus rule was more generic. Generic signatures against many modern malware families are difficult to create due to the sophistication of techniques used by malware authors to evade antivirus detection. Detections against many known variants of malware are often very specific. This is how ransomware and other malware often will still get through the strongest of endpoint defenses.

    This type of antivirus evasion is not new but does illustrate how modifying any piece of malware in a way that doesn’t affect its original operation can result in its undetected reuse, signed or not.

    If an antivirus product is trusting digitally-signed files with invalid certificates, this has additional ramifications. Malware could trivially append a Microsoft, Adobe or Oracle certificate and masquerade as legitimate software with impunity. For most antivirus products, the evasion or change in detection may only be the result of a change in the file’s hash after the modification and unrelated to digital certificates specifically.
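    As an added illustration of the hash-mismatch explanation above (not the post's or Veriato's code): a Python script that builds a constructed minimal PE, appends a bogus certificate table the way the post describes, and shows that a plain file hash changes while a hash taken in Authenticode order over the signed regions does not. The sample bytes, the function names and the simplified hashing (sections assumed in file order, certificate table assumed last) are all assumptions of this example.

```python
import hashlib
import struct

# Offsets inside a PE32+ optional header (PE32 differs only in where the
# data directories start: 96 instead of 112).
OPT_HDR_SIZE = 240          # PE32+ optional header including 16 data directories
CHECKSUM_OFF = 64           # CheckSum field
SECURITY_DIR_INDEX = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY

# Constructed sample inputs (not real code, not a real certificate).
SAMPLE_TEXT = b"constructed .text section contents".ljust(64, b"\xcc")
FAKE_CERT_BLOB = b"constructed placeholder for a PKCS#7 blob copied from elsewhere"


def build_sample_pe(section_data: bytes) -> bytes:
    """Build a minimal, non-loadable PE32+ image with one section so the
    hashing logic below has real headers to parse (constructed fixture)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header at 64
    # "PE\0\0", Machine=x64, 1 section, timestamp, symtab, nsyms, opt size, flags
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x8664, 1, 0, 0, 0, OPT_HDR_SIZE, 0x22)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)              # Magic: PE32+
    struct.pack_into("<I", opt, 60, 512)               # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), 512, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + sect).ljust(512, b"\0")
    return bytes(headers) + section_data


def _pe_offsets(pe: bytes):
    """Parse the headers; return (checksum_off, secdir_off, cert_off, cert_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dirs_off = 112 if magic == 0x20B else 96
    secdir_off = opt_off + dirs_off + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    return opt_off + CHECKSUM_OFF, secdir_off, cert_off, cert_size


def has_certificate_table(pe: bytes) -> bool:
    """True when a security directory entry is present. Presence says nothing
    about validity; a scanner must still verify the signature."""
    _, _, cert_off, cert_size = _pe_offsets(pe)
    return cert_off != 0 and cert_size != 0


def file_hash(pe: bytes) -> str:
    """Plain SHA-256 of the whole file, as used by hash-only detections."""
    return hashlib.sha256(pe).hexdigest()


def authenticode_hash(pe: bytes) -> str:
    """SHA-256 in Authenticode order: everything except the CheckSum field,
    the security directory entry and the certificate table itself.
    Simplified: assumes sections sit in file order and the certificate
    table, if any, is the last thing in the file."""
    checksum_off, secdir_off, cert_off, cert_size = _pe_offsets(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    body_end = cert_off if cert_size else len(pe)
    h.update(pe[secdir_off + 8:body_end])
    return h.hexdigest()


def with_cert_table(pe: bytes, cert_blob: bytes) -> bytes:
    """Test fixture: append a WIN_CERTIFICATE wrapper around cert_blob and point
    the security directory at it, as the post describes doing by hand.
    Requires len(pe) to be 8-byte aligned so no padding enters the hashed body."""
    if len(pe) % 8:
        raise ValueError("sample must be 8-byte aligned before appending")
    _, secdir_off, _, _ = _pe_offsets(pe)
    # dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7 SignedData)
    wincert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    wincert = wincert.ljust((len(wincert) + 7) // 8 * 8, b"\0")
    out = bytearray(pe)
    struct.pack_into("<II", out, secdir_off, len(pe), len(wincert))
    return bytes(out) + wincert


if __name__ == "__main__":
    clean = build_sample_pe(SAMPLE_TEXT)
    tampered = with_cert_table(clean, FAKE_CERT_BLOB)
    print("cert table present:", has_certificate_table(clean), has_certificate_table(tampered))
    print("file hash changed: ", file_hash(clean) != file_hash(tampered))
    print("authenticode equal:", authenticode_hash(clean) == authenticode_hash(tampered))
```

    A detection keyed on the Authenticode-order hash survives the appended bytes; whether the appended certificate actually verifies is a separate check, which is what produced the post's TRUST_E_BAD_DIGEST result.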


    Sources:

    Hackers abusing digital certs smuggle malware past security scanners

    http://www.theregister.co.uk/2017/11/01/digital_cert_abuse/

    Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI

    http://www.umiacs.umd.edu/~tdumitra/papers/CCS-2017.pdf


  • Insider Threats Are the Greatest Risk to Your Data—Here’s How to Stop Them

    by Veriato | Oct 23, 2017

    From an article by Stephen Voorhees, CISSP and Senior Sales Engineer at Veriato, published on SmallBusinessToday.com:

    Most companies have already hunkered down to prevent hackers from stealing proprietary data. Their security teams have almost certainly installed powerful firewalls. Some companies may have acquired robust security systems to protect themselves against ransomware, the malicious code that cyber criminals use to encrypt your data and hold it hostage until you pay a hefty ransom.

    The trouble is, there’s a far greater threat to your company’s data from people inside your organization.

    To read the full article, click here.

  • U.S. Elevates Cyber Command to Combatant Status

    by Patrick Knight | Aug 30, 2017

    On August 18, the United States Cyber Command was elevated from a subordinate component of the NSA to that of equal status with other combatant commands such as USSTRATCOM (U.S. Strategic Command), USSOCOM (U.S. Special Operations Command), and USCENTCOM (U.S. Central Command).

    This substantial move – originally proposed by former President Obama – is long overdue and recognizes the enormous importance of protecting the U.S. from cyber attacks by foreign adversaries attempting to disrupt the U.S. government, military, infrastructure and industries. Responses to attempts by foreign agents to spread ransomware, disrupt critical infrastructure, hack servers and databases or spread disinformation designed to confuse or negatively influence public opinion in the United States will now fall under a command which has the same seat at the table as a command that deploys Special Forces units worldwide to fight terrorism.

    A “combatant” command is distinguished by being comprised of more than one military branch and receives full funding and support commensurate with its area of responsibility to complete its mission. In other words, it is not marginalized but has the authority to execute its mission and is adequately staffed and funded.


    Where is your cyber command?

    Whether with national security or your enterprise security, cyber security should not be marginalized on the sidelines. Whether your industry is in the financial sector, public health sector, education, government agencies or defense contractors, you have much at risk from cyber threats and the risks are growing. A 2017 survey of 1900 cyber security professionals from these and other major industries shows that the three major cyber security concerns for enterprises are email phishing attacks, insider threats and malware.

    Take a look at your enterprise. What data do you stand to lose? Are you prepared to react to an internal or external data breach? A security strategy must first recognize what damage could occur from an external or internal attack. This includes downtime due to a denial of service (DoS) or other external attack, loss of intellectual property (IP) or customer data from internal or external threats, and loss of data due to ransomware, advanced persistent threats (APT) and other malware.

    You must make a full evaluation of which resources you have available and a plan to address resources that are still needed to fully protect intellectual property, customer data, employees and other users. You must have an incident response plan to react to any breaches of security and exercise it.


    What is your cyber strategy?

    The security model you enact must appreciate the great risk to your enterprise today and your ability to respond and recover. The emphasis you place on who in your enterprise governs your security strategy, and at which level this responsibility lies, will say a lot about your readiness to deal with a breach when it happens and the importance you place on protecting IP, customer data and other sensitive information.

    Any modern enterprise should have its own cyber command: an information security organization and a response plan with the scope and necessary authority to impact other organizations.


    Sources:

    Wired: The US Gives Cyber Command the Status It Deserves

    Veriato Cyber Security Trends 2017


  • Additional Insight into Quantifying Insider Risk

    by Veriato | Jun 29, 2017

    From an article by Veriato's CSO published on infosecurity-magazine.com:

    Never before have there been so many platforms that let a growing number of people touch, manipulate, download, and share sensitive data.

    But there’s a dark side to all that access: It exposes a company to malicious intent and theft of information worth thousands, sometimes millions, of dollars. More alarming is the fact that less than half (42 percent) of all organizations have the appropriate controls in place to prevent these attacks, according to the Insider Threat Spotlight Report.

    To read the full article, click here.