Financial services companies will have to retool their cybersecurity policies when the new version of NYDFS Cybersecurity Regulation, including a core risk assessment requirement, goes live.

New regulations are rolling out following the release of President Biden’s National Cybersecurity Strategy, but dangers still lurk. Catch up on all the changes in this week’s Friday Five!

This week saw the takedown of a cybercrime messaging platform, sanctions imposed on TrickBot members, the release of a recovery script for ransomware victims, and more. Catch up on the latest news in this week's Friday Five!

In this era of heightened data privacy, organizations, especially those in highly regulated industries, need to maintain a PII compliance checklist to protect private data in their possession. What is PII compliance? PII refers to personally identifiable information. Unlike other personal data, PII can be used to identify an individual uniquely. As its name suggests, PII compliance involves the standards organizations must maintain to fulfill PII regulations. Since PII is at the center of PII compliance, it is essential to understand what constitutes PII. First, not all PII is created equal. PII can be split into sensitive and non-sensitive PII. Understanding Sensitive and Non-sensitive PII Examples Sensitive PII, such as someone’s full legal name, social security number, or driver’s license, can pinpoint an individual accurately. It also includes data that can be traced to an individual, like medical records, passports, credit cards, and bank account information. With non-sensitive PII, a person’s identity can be inferred. Non-sensitive PII examples include a person’s information liable to be found in the public domain, like their birthday or business phone number. Other examples of non-sensitive PII are email addresses, IP addresses, residential addresses, ethnicity, gender, and your mother’s maiden name. However, non-sensitive PII can be combined with other relevant information to expose someone’s identity. PII Compliance Standards The pace and breadth of PII regulation is genuinely remarkable. Gartner reports that by 2025, as much as 65% of the global population will have their PII data covered by regulations. One of the significant differences between PII and other sensitive private data like protected health information (PHI) is the broad array of regulations targeted at PII. On the other hand, HIPAA, which is a prime example of industry data protection standards, is exclusively regulated by PHI. Data Privacy Regulations in the United States Because of its sensitivity, many countries and government agencies protect PII data with legislation. One of the earliest data laws in the US was the Privacy Act of 1974. This law codified how federal agencies can collect, manage, and use personal information. Apart from the Privacy Act of 1974, the US lacks an all-encompassing federal law that governs data privacy. The Federal Trade Commission Act (FTC Act) allows the government agency to prevent deceptive trade with broad jurisdiction over commercial entities. However, it does have some role in enforcing privacy laws by imposing sanctions on companies for violating consumer data and failing to maintain appropriate data security measures. Here are some of the other data privacy laws in the US: The Health Insurance Portability and Accounting Act (HIPAA) The Children's Online Privacy Protection Act (COPPA) California Consumer Privacy Act (CCPA) California Privacy Rights Act (CPRA) New York SHIELD Act Data Privacy Regulations in Europe While the GDPR emanates from Europe, it is the most far-reaching and toughest data privacy law today. The power of GDPR is that its penalty violations are high, and it is written in such a way that it applies to you even if you’re not in the EU. PII Compliance Checklists to Follow To adhere to the growing number of data privacy laws, companies need to maintain a list of the PII requirements they need to satisfy under various data regulations. Here are some points to consider when creating a PII compliance checklist 1. Identify PII and Determine Where It Is Stored This is the first step in ensuring PII is adequately safeguarded. By locating and identifying its PII, an organization can determine whether the type and quantity of private data it collects are necessary or justified in the first place. Once you accurately identify the PII that needs protection, the next step is establishing its storage location. The challenge here is magnitude - with mobile and cloud computing, data can be stored in multiple files, file formats, devices, and endpoints. However, without the ability to maintain visibility into private data, sensitive PII is bound to fall through the cracks, resulting in inadvertent data leakage. After the location has been established, it is necessary to assess the risk to the PII due to where it is stored. One of the ways to mitigate these risks is by implementing the principle of least privilege. This grants only the minimal required access to the data needed to execute jobs. This is implemented with role-based access control measures that ensure access to data is only granted to required users. In addition to its storage location, identifying the states or lifecycle phase (data at rest, in use, or data in motion) in which the data exists is paramount to auditing its security protocols. 2. Classify and Categorize PII After discovering the presence of PII, the next stage is to create a system to classify it. This categorization requires a taxonomy system to organize the data into relevant types of PII. Most often than not, the best way to classify data is to qualify them based on the most harm and damage done if it is compromised or illegally exposed. The typical PII classification used are the following: Public: This is the broadest and least restrictive category because it primarily consists of non-sensitive data already in the public domain. Private: This is a notch higher than public data. Private data is more sensitive, and organizations require only their employees to view and process it. Restricted: Utmost discretion is required with restricted data because of the potential damage caused if it is leaked or falls into the wrong hands. 3. Creating compliance-based policies This phase involves the policies you must create to ensure PII compliance is followed. Organizations also need this framework for governance and risk mitigation strategies. There are many issues regarding proper data governance, but there are straightforward ways to start. One of these is to create a data map that enables DevSecOp engineers and infosec staff to track data flow through the organization. Most data privacy regulations have severe mandates concerning breach notification, so organizations must have reporting policies enacted. Periodically conduct vulnerability assessments and penetration tests to identify and plug security holes. Nevertheless, some of the best compliance can be created just by following GDPR practices:

As organizations continue to rely on third-party technologies, third-party breaches have become common. One of the key ways to prevent third-party vendor breaches is to monitor your attack surface continuously. What Is a Third-Party Breach? As the name suggests, third-party data breaches are security violations caused by third-party contractors, vendors, and other businesses affiliated with an organization. In attacks like this, while the compromise comes from a third party’s computer system or processes, it’s the sensitive data from your organization that is exposed. As a result, your organization can suffer guilt — and damage — just by association with a third-party breach. The maxim of being as strong as your weakest link couldn’t be more accurate regarding third-party violations. This is because all it takes is just one application, device, firmware, or software component from a third party to get compromised for an attacker to get a foothold in your enterprise supply or value chain. What Kind of Attacks or Vulnerabilities Can Come From Third Parties? A third-party breach, oftentimes through a vulnerability in vendor software, can create a backdoor for hackers to access the host system. These underlying vulnerabilities are no different from general cybersecurity threats that can arise from cloud misconfiguration, the principle of least privilege not being implemented, poor coding practices, poor antivirus defenses, etc. These are just a few of the cybersecurity attacks that can result from third-party risks: Spear phishing Intellectual property theft Unauthorized network intrusion Data exfiltration Advanced persistent threats (APT) Login credential theft Ransomware attacks Malware and virus propagation Third-party breaches can create procurement and value-chain risks as well as lead to a supply-chain attack. What Is a Supply Chain Attack? A supply chain is a distributed system that provides the materials, resources, expertise, and technologies — typically through an array of vendor companies — required to create a product. Supply chains are necessary because no business is 100% self-sufficient. This is especially the case with software products and the constantly evolving complexity of modern software infrastructure. Many software developers typically use open-source components, including resources from third parties, which can open an organization to risk. A supply chain attack undermines an organization by targeting the vulnerabilities in poorly secured supply chain elements. As a result, hackers launch supply chain attacks by weaponizing the weaknesses in third-party vendor components to infiltrate a company. Simply being part of a supply chain can increase your attack surface, something that can unfortunately make it challenging to detect and prevent attacks involving them. As an example, in cybersecurity circles, although SolarWinds is a US information technology firm, it is now associated with something more pernicious. The SolarWinds hack, in which hackers infiltrated a backdoor in SolarWinds software and launched a malware attack, is already regarded as one of the most significant cybersecurity breaches of the 21st century. Attackers did this by compromising “Orion,” a widely used SolarWinds application. This consequently meant any company that used SolarWinds was automatically at risk. It’s estimated that about 18,000 SolarWinds customers were eventually exposed to the breach. The hack highlighted how devastating a supply chain attack can be now that global supply chains have become more complicated than ever. Supply Chain Regulations Supply chain attacks can disrupt and hinder businesses. In the aftermath of the SolarWinds cyber attack, policymakers have stepped up to provide more oversight. As a result, legislation and regulations have been crafted to provide adequate supply chain management. On February 24th, 2021, the Biden Administration issued an Executive Order to make America’s supply chains more secure and resilient. It tasked the heads of appropriate agencies to assess vulnerabilities and issue reports on critical supply chains for the US economy's vital industrial sectors and subsectors. On the first anniversary of the executive order, on February 24th, 2022, the White House issued The Biden-Harris Plan to Revitalize American Manufacturing and Secure Critical Supply Chains in 2022. Along with the capstone report, it emphasized the need to evaluate supply chain vulnerabilities across key product areas such as large-capacity batteries, semiconductors, critical materials, and minerals, along with pharmaceutical ingredients. In March 2022, the US Securities and Exchange Commission (SEC) unveiled proposed amendments to cybersecurity governance and risk management strategies. These were rules meant to enhance cybersecurity public disclosures, especially incident reporting by public companies. Supply Chain Compliance Standards These regulations compel organizations to adhere to specific compliance standards to maintain cybersecurity resilience. Some of these compliance standards and practices include: Maintaining up-to-date patch management. Clear audit and reporting procedures for transparency. Conducting third-party risk assessment and due diligence. Creation of standard operating procedures and policies for cyber incidents. Running penetration tests to evaluate the rigor of systems and their defenses. How to Respond to a Third-Party Breach Your organization needs to take steps in the event of a third-party breach. Preserve Evidence Having documented evidence is vital when it’s time to report the data breach to the relevant authorities accurately. Cybercriminals and malware have grown stealthier, making their activity more difficult to detect. Organizations may need to use forensic investigators to help uncover evidence depending on the scope. Respond Promptly Time is of the essence. The longer you take to respond to a security breach, the more time hackers have to burrow deeper into the corporate network and cause damage. Implement a Contingency and Incident Response Plan Develop threat models and contingency plans. In addition to enabling you to visualize potential threats, it gives you the latitude to respond nimbly when your supply chain is jeopardized. Provide Full Disclosure Data protection regulations like HIPAA and GDPR have reporting mandates to be upheld in a data breach. Ensure you have a notification toolkit that covers all the ground you need to cover in responding to policyholders, perhaps incorporating a data breach notification analysis. Security Best Practices To Prevent Third-Party Breaches Organizations must adopt a holistic approach to combat third-party breaches. A comprehensive third-party and supply chain management should include the following best practices:

Your organization is likely required to disclose data breaches to the proper authorities in your state, but sometimes going one step further is just as important.

Trying to find the right DLP solution for your organization? Learn how to get started with the latest tips for evaluating providers in this blog.

How long do you have to report a data beach? In many scenarios it depends what state your organization resides in.

Files and documents are the primary tools for chronicling and sharing information. While helpful, collaborating like this can raise privacy concerns for businesses because documents may contain business secrets, proprietary information, and personally identifiable information (PII). The most secure document collaboration tools for businesses prevent data loss, theft, and misuse while preserving their organization’s competitive advantage. What Is Secure Document Collaboration? Secure document collaboration enables individuals, typically workers, to share files, information, and sensitive data in a simple, safe, and protected manner. They foster collaboration by allowing several users to simultaneously work on a single document while maintaining its privacy restrictions. The Features & Capabilities You Should Look for In Secure Document Collaboration Tools Generally, any secure document collaboration tool should have a couple, if not most, of these features: Robust security features: The best document collaboration software incorporates security features like encryption and authentication processes to protect the integrity of its content. Tracking workflow changes: This allows team members to monitor progress, especially by seeing who has made what changes and holding people accountable. Document management: This includes the ability to draft, create, edit, save, and publish documents to a specified audience. Comments and feedback: This allows members to provide feedback that facilitates asynchronous collaboration and messaging. Consolidated data and communications: This centralization fosters quick task completion and eliminates the need to switch back and forth between multiple apps. Top 5 Document Collaboration Software 1. Digital Guardian Secure Collaboration As a secure collaboration tool, Digital Guardian Secure Collaboration incorporates the notion of perimeter-less, zero-trust security. Most secure document tools are adept at protecting sensitive information within the confines of the platform. However, unlike the product, they cannot offer protection once the data leaves the network or application platform. The product is different because it can track data once it leaves the confines of your network or endpoint. Users can also dynamically revoke access to leaked information or information mistakenly sent to the wrong user. Common Features and Use Cases The product can protect data when it leaves managed system environments. Facilitates zero-trust file sharing with portable, persistent data security and encryption. Documents are inspected for malware, cyber threats, and sensitive information before transfer is permitted. Allows granular security implementations that can be based on policy and classification. Pros Provides total control over documents wherever they travel. The product's Always-on File Security bundles encryption, data protection, and digital rights management into a secure document collaboration tool. Ensures your valuable data is safe throughout the document’s collaborative orbit. Cons The lack of a tiered pricing model disfavors small business enterprises. 2. Google Docs Google Docs is a free, cloud-based solution. It is also one of the most widely used document collaboration software. Its autosave capability is one of its most defining features, saving countless users from hair-pulling meltdowns due to the loss of critical information from unsaved work. Common Features and Use Cases Every change is automatically saved. Allows seamless online collaboration in real time. Provides ready-made yet customizable templates for various writing tasks. Facilitates the use of different permissions on the same document. Only browser, no special software required. Pros Allows users to sync changes from anywhere. Simple, intuitive interface with easy-to-use tools for editing and formatting content. Integrates seamlessly with other Google apps. Although web-based, it allows you to unlock offline editing on the Chrome browser. Cons While it’s good for commonplace editing tasks, it lacks advanced collaboration options. It doesn’t contain top-notch security features. 3. Microsoft Word Microsoft Word is a powerful word-processing software and part of Microsoft’s productivity suite. It is ideal for creating documents of the highest professional standards with visually appealing elements. Microsoft Word also comes with an extensive range of features. Common Features and Use Cases The ability to secure documents through passwords. Numerous templates and ready-made designs to choose from. The ability to incorporate graphic elements like 3D models directly into your document. Built-in language translator. Checking document readability scores. Pros A very user-friendly interface. Though there are alternatives in the marketplace, Microsoft Word still remains a top-notch product. Sophistication word processing features, including editing tools and a wide range of add-ons. Easy to create professional-looking documents. Cons

Learn about SOX compliance in Data Protection 101, our series on the fundamentals of data security.

Enterprise file sharing, or enterprise file sync and sharing (EFSS), can help secure your documents and data when shared throughout your company.

PII requires protection for both legal and reputational reasons, but if a data breach occurs, will your company still be able to protect this sensitive data? What Is Considered PII? Personally identifiable information is any information that could be used to identify a specific individual; this includes Social Security numbers, full names, and passport numbers. These are typically regarded as the traditional forms of PII. However, with the increased digitization of society and with it our online identities, the scope of PII has expanded to include personally identifiable financial information, login IDs, IP addresses, and social media posts. PII Data Classification PII data classification is a central part of the PII identification process, and it can be used to broadly differentiate between sensitive and nonsensitive PII. Nonsensitive PII This is the type of PII that can be easily obtained from public sources like corporate directories, the internet, and phone books. It can also be transmitted in an unsecured form without harming the individual or exposing their identity. This type of data usually consists of the following: Gender Zip Code Date of birth Place of birth Ethnicity This obviously isn’t an exhaustive list. However, it underlines the type of information about a person that doesn’t pose any threat to their privacy when made public. Sensitive PII This consists of personal information whose public exposure can be harmful to the individual. The risk of exposure often results in identity theft that damages the individual’s credit or compromises their financial wellbeing. Examples of sensitive PII include the following: Social security number Passport number Driver’s license Mailing address Medical records Credit card information Banking and financial information Risk also extends to organizations when sensitive PII in their possession is leaked or compromised. The organization breached suffers reputational damage and is often burdened with noncompliance fines. As a result, sensitive PII needs to be stored securely, usually by using strong encryption mechanisms. What Are Non-PII Examples? There is some overlap between non-sensitive PII and what is generally considered non-PII. Though non-PII may relate to an individual, the information is so general it will not point to the individual’s identity. Non-PII examples include information such as race, religion, business phone numbers, place of work, and job titles. Although nonsensitive PII and non-PII may contain quasi-identifiers, this type of data alone cannot be used to confirm a person’s identity on its own. However, when nonsensitive data is combined or linked with other personal linkable information, it can be used to identify an individual. So businesses should still exercise caution with non-PII since reidentification and de-anonymization techniques can be applied on them. Especially through piecing together several sets of quasi-identifiers to distinguish individuals and reveal their personal identities. Therefore, organizations should ask themselves two questions regarding the sensitivity of their data: Identification: Can this specific piece of data on its own be used to identify an individual? Data combination: Can several unique pieces of data be pieced together to identify someone? PII is a very malleable term and the precise contours of its definition depend on where you live in the world. For instance, the United States government defines it as anything that can “be used to distinguish or trace an individual's identity,” such as biometric data, whether in isolation or in conjunction with other identifiers like date of birth or educational information. In Europe, its definition expands to include quasi-identifiers as listed in General Data Protection Regulation. Why Is PII Important? Identification mechanisms are crucial in a functional society to distinguish one person from another. The individual markers that PII provides are necessary to acquire and disseminate goods and services in a market economy. Not to mention its importance for ownership and acquisition of capital. For instance, without PII, it would be impossible to have meaningful medical records to facilitate public healthcare or grease the wheels of commerce with credit and banking information. PII is also important to criminals who can sell it for a handsome profit on the black market. Why Is Safeguarding PII Important? As highlighted in the last section, PII is necessary for the flow of goods and services in a society. However, if left unprotected, PII leads to identity theft and other forms of fraud. This is because hackers find PII to be an extremely valuable target due to the variety of criminal activity it allows them to perpetrate. Some of the potential harm suffered by individuals may include embarrassment, theft, and blackmail. Data breaches not only create legal liability for the organization but also reduce public trust in the organization. Due to these risks, PII should be protected from unauthorized access, usage, and disclosure to safeguard its confidentiality. However, PII creates privacy and data security challenges for organizations that collect, store, or process it. Therefore, the importance of PII also stems from its impact on the information security environments of organizations and the legal obligations this demands. PII Security Best Practices PII has become so valuable to enterprises and bad actors alike that it needs a special security framework to protect it both at rest and in transit. In addition to the traditional methods of encryption and identity access management, this framework also encompasses document security measures such as data loss prevention, digital rights management, and information rights management. DRM includes data security measures that protect PII within the boundaries of the corporate network or firewalls. But while DRM is important to PII, its overriding objective is locking down data, intellectual property protection, and the monetization that goes with it. IRM, however, is based on zero-trust security, which essentially means an implicit distrust of the user or platform that has access to the data. To achieve this, IRM accompanies the data wherever it goes. Here are the six practical ways to ensure the PII collected by your organization is secure: Discover and classify PII: This starts with identifying and classifying all the PII an organization collects, accesses, processes, and stores. It also involves locating where this data is stored, especially sensitive PII, to better understand how it can be protected. Establish an acceptable usage policy: This involves creating a framework of policies that guide how PII is accessed. One of its key benefits is serving as a starting point for enacting technology-based controls to enforce proper PII usage and access. Create the right identity access and privilege model: Enforcing usage rights and access controls with identity access management. Establish least-privilege models so users only access the data they need at a given moment. Implement robust encryption: Deploy strong encryption algorithms to protect PII at all times. Delete PII you no longer need: Ensure you don’t store PII you no longer need because it can pose compliance and vulnerability risks. Therefore, create a system for safely destroying old records without accidentally destroying viable ones. Create training procedures and policies for handling sensitive PII: Use training and policies to emphasize how various types of PII should be stored and protected. How to Safeguard and Enforce PII Compliance One of the first points of order to safeguard PII is to understand where it is located. Once a business knows where its PII resides, it can subsequently embark on the necessary mechanisms to prevent its unauthorized disclosure.

Having a Digital Rights Management tool can help your team collaborate in the cloud while meeting compliance needs and adhering to your organization's data security policies.

What Is Document Security? Document security is the procedures and storage protocols set up to protect either a physical or digital document which includes how it will be stored, shared, and discarded. This security is important so the owner can control who has access. Document security seeks to protect documents and comply with regulatory requirements for privacy and safety. It involves a file management process to restrict access, especially to sensitive or private content. File security entails managing these files securely however they are stored, processed, or transmitted to mitigate security threats. Why Is Document Security Important? Documents face a myriad of threats from many malicious actors. Thieves, cybercriminals, and organized crime syndicates want to steal identification details to gain access to financial gateways like bank account logins and credit card information. Confidential data provided to businesses by their customers and employees needs to be kept under tight privacy protocols. Businesses risk lawsuits and reputational damage if this information is compromised. Intellectual property is a competitive advantage on which the prosperity of companies and nations depends in an increasingly global marketplace. Therefore, organizations don’t want their business secrets and intellectual property to fall into the hands of competitors through espionage. All this valuable and sensitive information is invariably stored in digital documents. Document security seeks to prevent these incidents by protecting files from unauthorized access and reducing the risk of data loss, leakage, and exposure. Types of Document Security Different documents require different levels of protection. Overall, the type of security documents require are the five pillars of information assurance: Confidentiality: Confidentiality means the information in the file remains private. The secrecy required to shield the file’s content from those who aren’t authorized to view it is enforced with encryption. Integrity: Integrity ensures a file hasn’t been inadvertently or intentionally modified, whether at rest or during transmission. Hash functions use a hash value to verify the integrity of the data within the document. Availability: Adequate security measures ensure documents are available to authorized users when needed. This means that threats, like denial-of-service attacks, have to be thwarted to ensure documents on websites are available to those who need to access them. Authentication: Authentication compels those who attempt to access documents to prove that they are who they say they are. This requires robust identity management. Most organizations now implement multi-factor authentication to strengthen authentication. Nonrepudiation: This ensures that the parties involved in a transaction cannot deny their participation. Hence, a security system should be able to prove that someone sent, viewed, or modified a file. Nonrepudiation is achieved through digital signatures, logging, and audit trails. Components of Document Security A document protection system contains several components that facilitate its mission to protect documents. Some of these help to restrict access to only authorized users, while other components control permissions on who can modify a file. Here are the security components typically used in these security systems: Encryption and license controls: Encryption uses cryptographic algorithms and keys to scramble or encrypt a file’s content so that it becomes unreadable. Hence, only valid users and recipients, who possess the correct cryptographic key, can decrypt and view the file’s contents. Document rights management: DRM is a perimeter-based security model that seeks to protect documents and content from copyright infringements and intellectual property violations. Its objective is to restrict the access of digital content to only those who have assumed rightful ownership, typically through purchase or authorship. Document tracking: For a document to be truly protected, both within and outside the corporate perimeter, a business needs to have full visibility into its movement and chain of custody. One of the ways this visibility is achieved is through tracking the document to know who has accessed and viewed it and for how long these transactions have occurred. Password protection: From a user access perspective, enabling password protection is the first step in document protection. It is the first security barrier to prevent unauthorized access to files. Moreover, it is relatively simple to implement, although not entirely foolproof. Document expiry, restriction of access, and self-destruction: Limiting access to documents based on time duration and permissions provides immense advantages for security. Watermarking: Watermarking has several applications beyond the use as a trademarking device. One of its basic functions is to clearly communicate the document’s classification. Hence, it leaves the recipients with little doubt as to how the document should be treated. A document marked with a “confidential” watermark signals a certain degree of secrecy. Information rights management: Information rights management is a subset of DRM and it focuses on zero-trust security for collaborative files. Information Rights Management security travels with the document wherever it goes, equipped with identity access management techniques to ensure user permissions are enforced. Implementing Document Security at Each Stage of the Document Life Cycle There are several phases involved in document protection. At each stage of a file’s life cycle, organizations face the danger of the document being stolen, lost, or compromised. Therefore, businesses need to have full visibility into how their documents are produced, processed, stored, and consumed—i.e., throughout the entire document life cycle: 1. The Capture Phase This is the equivalent of the “onboarding” of information to produce the document. This phase encompasses creating and saving files in an application. Activities at this stage also include scanning to transfer hard copy documents to electronic format. 2. The Storage Phase Electronic-based document storage provides a lot of opportunities for centralized record management and better oversight. For instance, storage in database systems provides the capacity for search capabilities and normalization to reduce redundancy. 3. The Management Phase One of the most important things for file protection, especially in a distributed system is adequate management. Management helps to provide supervision and control over the document protection system. What facilitates security during this phase are user roles, permissions, version control, and audit trails. These elements have a way of reinforcing one another to provide all-around document protection management. Ultimately, without this phase of a document security system, elements like user permissions will be difficult to enforce. 4. The Preserve Phase Document preservation requires monitoring and maintenance of the digital repositories where they are stored. In most cases, file retention is required by law. And in some instances, documents are legally required to be preserved for a couple of years. 5. The Delivery Phase The delivery phase emphasizes sharing and collaboration. The delivery phase is important when it’s necessary to share information between contractors, allies, and other business partners. 6. The Integration Phase In the current digital economy, it’s imperative for applications and documents to be able to “play well” and collaborate with others. This is because there’s a certain specialization of roles and division of labor since a single application can’t supply all the expertise needed to support user aspirations. This is why there’s a proliferation of application program interfaces in software to facilitate integration between applications. Likewise, the integration phase allows files to communicate and exchange information with other applications. Document Security Measures That Every Business Needs Remote work and "bring your own device" have increasingly become part of the fabric of the modern workforce. Along with these paradigm shifts come more security risks because of an organization’s increased surface of attack exposure, thereby making their documents more vulnerable. Here are some of the security measures organizations can implement to address the challenge of workforce mobility: 1. Intrusion Detection Systems Malicious actors are using more sophisticated attack vectors that can operate in stealth mode. Most businesses don’t have a clue they have been breached, sometimes even months after the fact. Therefore, an added layer of document protection is justified by investing in an intrusion detection system to monitor your network. These systems alert you to suspicious behavior that is indicative of a system breach.

Organizations need to keep in mind international data protection law developments and how they affect compliance demands.

Hospitals and healthcare providers in the state have been failing to report ransomware attacks that impact health data belonging to patients.

The cost of data breaches continues to rise; according to this annual report, the global shift to remote work is partly to blame.

Recent changes to Nevada’s privacy law, effective October 1, 2021, give residents a broader right to opt out of sales and puts the onus on "data brokers" to respond to such requests.

On Wednesday May 12, the Biden administration took a critical step towards addressing security issues that have come to light after several recent, high profile cyberattacks. The extensive Executive Order (EO) described the government's plan to increase cybersecurity protection across the public and private sectors as well as secure the nation's digital infrastructure against the type of attack that recently shut down the Colonial Pipeline, a critical source of fuel for the entire East Coast. The 30-page Executive Order on Improving the Nation’s Cybersecurity covers a plethora of cybersecurity issues. It describes how government agencies should evaluate the software they buy. It mandates that executive branch agencies deploy multifactor authentication, endpoint detection and response, and encryption. And it calls for these agencies to adopt "Zero Trust" architectures and more secure cloud services. Let’s take a look at three of the key areas in the Order: Prioritize Zero Trust The EO mandates that executive branch federal agencies create "Zero Trust" environments. The administration says this is key to ensuring security when implementing cloud computing environments and services and modernizing the IT infrastructure of the federal government. The document notes that within 60 days, the agencies must update plans to prioritize the adoption and use of cloud technology as well as develop a plan to implement zero trust architecture. Adopting a Zero Trust mindset is not only a critical element of a robust cybersecurity posture, but also a popular one. This is primarily because it doesn’t innately trust any user or application until verified by multi-factor authentication (MFA) and also doesn’t require much CapEx to get off the ground. Zero Trust compliance ultimately rests on two main pillars: Strong identity and access management, and a mature data identification and classification framework. That means that to implement a true Zero Trust framework, organizations need to know everything about their sensitive data (including personally identifiable information, payment card information, intellectual property, and other sensitive data types): When it is created and by whom, where it is stored, and how and with whom it can be shared. Related reading: Why Zero Trust is So Hot Right Now - And How Titus Can Make it Happen Address Supply Chain Risks The EO notes that the commercial software used by federal agencies often lacks adequate controls to prevent attackers from gaining access and states the federal government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software. Within 30 days of the order's signing, the secretary of the Department of Commerce - acting through the director of the National Institute of Standards and Technology (NIST) - must solicit input from federal agencies, the private sector and academia. The government will then use this information to develop guidelines and criteria to evaluate software security and the best practices software developers must use. From recent events we know that no organization is immune to the risk of supply chain cyberattacks and data breaches, and those with especially large and complex supplier ecosystems are even more vulnerable. This has been exacerbated in recent months due to the pandemic and the expanded attack surface as a result of a more widely dispersed workforce. The main challenge here is that smaller organizations have neither the resources in personnel nor the capital to protect themselves and therefore the other organizations in the chain. Creation of a Cybersecurity Review Board The EO calls for establishing a "Cyber Incident Review Board" modelled on the National Transportation Safety Board. The positive is that the board’s membership shall include Federal officials and representatives from private sector entities. Therefore, in theory, this board should encapsulate the best of the public and private sectors, be unafraid to ask the ‘tough questions’ following a significant cyber incident and make concrete recommendations for improving cybersecurity. The challenge, however, is that the board will have to walk a fine line of complying with the Federal Advisory Committee Act, which forces boards like this to be "objective and accessible to the public," while also keeping the information it collects safe. Minimizing and Preventing Cyberattacks The goal of the EO is to modernize the government's IT infrastructure while creating a set of standards to help minimize the damage caused by cyberattacks. With aggressive timelines in tow and a clear directive to securely move to the cloud, this EO is arguably the most important step the President could have implemented. The three areas that we have highlighted in the EO all require organizations to take a more robust approach to data security. This is where Fortra data security platform can help, as our suite of products is designed to bring an organization’s data security policy into this modern hybrid reality with multiple ways of working with a highly distributed workforce. We have data security solutions that help ensure intellectual property and sensitive data is kept safe and secure. Our products run right across the various data protection requirements from classifying data inside the organization at the outset, through to detecting and preventing leaks of sensitive information outside the organization. As cyberthreats around the world continue to increase I am sure we will see more legislation and orders, like the EO, coming to the fore, therefore, demonstrating that you have a solid data security foundation in place and that you have layered security to help mitigate risk is going to be paramount. Keep your most sensitive data in the right hands​ SCHEDULE A DEMO