When it comes to cyber security, sometimes the jargon can feel overwhelming. Ransomware, encryption, man-in-the-middle attacks… The Vaporstream blog has covered ransomware and encryption in the past, so today I wanted to focus on what are called man-in-the-middle (MITM) attacks.
As we come to the end of cyber security month – we must admit to ourselves that to err is human. You can employ the latest technology at your company to bolster defenses but you cannot always keep employees from making stupid and unintentional mistakes. This lone fact is why cybersecurity training, and repetitive training, is so important.
You might have heard about the ransomware attack against Atlanta this year. A ransomware attack had significant impact on the city, forcing police officers to file reports by hand and city workers to report via time sheets. Atlanta is currently facing more than $20 million in costs due to the attack.
As we enter into cybersecurity month it makes me think a lot about my own privacy, and how elusive it has become in the 21st century. It seems that everything we do is now tracked; whenever we visit a web page, call someone on our smart phone, visit the doctor, change the temperature on our smart thermostat or simply talk about a specific subject in our own household, our actions get recorded as data – in theory to make our lives better and more productive. However, in an age when digital privacy is practically an oxymoron, what can people do to protect their privacy?
HIPAA may be twenty-two years old but the HIPAA Security Rule—which assures the security of confidential electronic patient information—hit its twenty-year mark just this year. HIPAA was signed into law in 1996 to protect Americans from losing health insurance coverage when changing jobs or dealing with a lay off and to protect the privacy and security of individual health information. Rules that govern HIPAA’s implementation requirements include the Privacy Rule and the Security Rule, which followed the initial rule 2 years later, issued in 1998.
Being on the hook for free services to friends and family members is a well-known risk for many professionals. Doctors get called in the middle of the night to see sick nieces and nephews, attorneys advise their siblings on traffic violations and airline employees are hunted down by everyone for those free standby certificates. But as a technology professional, I can say that we have it arguably worse than anyone else; “Can you set up my Wi-Fi?”, “Do I have enough encryption?” And if you think that the barrage of requests is not bad enough, you haven’t heard the complaints! “That phone broke within three months!”, “I dropped my router while dusting and now my WiFi is out!”.
These days, it feels like everybody’s talking about encryption and privacy. Whether you work in healthcare, energy and utilities, financial services or some other enterprise—you’ve probably come across debates around privacy, encryption and how to communicate securely to maintain privacy. But with all the news reports and buzzwords being thrown around it’s easy to forget the basics. So what do terms like encryption, privacy and man-in-the-middle attacks really mean?
The high-profile Golden State Killer case is causing experts to debate the privacy implications of using genealogical data from open-source sites, like GEDmatch.com, in criminal investigations. There are no laws prohibiting detectives from using the data, but law enforcement experts are concerned about potential abuses of this investigative method. Others have argued the tactic represents an invasion of privacy – but does it?
What started out as a novelty quickly spun into something ominous. In November of 2017, the San Francisco-based start-up fitness app Strava released a heatmap depicting the activities of Strava users across the world. What does the Strava leak mean for privacy and what can end-users do to secure their information?
Face ID is a facial scanner that will replace Apple’s Touch ID, allowing people to unlock their iPhone with their face. Sounds simple and convenient but it also has many privacy experts concerned. In fact, Apple’s embrace of facial recognition opens a whole can of worms over security, the idea of people’s faces as their password and where this technology may take us.
Do you have an emergency preparedness plan in your household? Many families do—whether because they live in an earthquake or hurricane prone area, or because they want to be prepared for a personal emergency just in case. A smartphone can provide critical support during an emergency but—like your emergency kit and home vehicle—it needs to be prepared. There are several ways you can prepare your smartphone for an emergency.
Encryption. It’s a word we hear frequently in the media. Encrypted applications should have backdoors, insists one popular publication. No, it should not, insists another. But what is it actually and why is it so important? Below, are some thoughts. Simply put, encryption is the translation of data into a secret code.
In March 2017 the nation’s first cybersecurity regulation became law imposing strict cybersecurity measures on financial institutions operating in New York. The new rules specify everything from naming a Chief Information Security Officer, to risk assessments, event notification, encryption, penetration and vulnerability testing, training and monitoring and audit logs.
It seems that every day we have a slew of new sensational cases and revelations that make us stop and think “Is our privacy over? Does anyone even care? What are we to do to protect ourselves?” I say, relax, the situation is bad, but it is not as bad as you might think, and probably not for the reasons you might think.
Quick – when was the last time you used your smartphone to investigate a health issue? If you are like most people you are probably a “connected patient” using smart devices to take more ownership of your health. A 2015 Pew Research Center (PEW) report shows 62% of smartphone owners use their phone to look up information about a health condition. And many of us now also use our smartphones to correspond with providers.
Communication and effective collaboration within the healthcare industry is not always as easy as it should be. Care teams – from doctors and nurses to the patients and their caregivers – need the ability to communicate efficiently, effectively, privately and securely to ensure the highest level of service. Unfortunately, this is an ongoing challenge, particularly when it comes to long term and home based healthcare.
There is only one thing certain in today’s world, and that’s uncertainty. It was certainly driven home by the election results, where everyone was certain of the outcome, until they were not. It is disconcerting to live in this environment. From random terrorist attacks to unprecedented economic and geopolitical events, we need to almost block out the news cycle. In order to survive in this environment, it is important to make a list of things that are in your control and those that are not.
It is no secret that we are living in a digitally evolving world. The use of personal mobile devices continues to increase as constant advancements bring more and more convenience to our busy lives. With today’s smart phones you can do almost anything you want with just the tap of your finger. It leaves me wondering – what’s next?
“Whoever Wins the White House, This Year’s Big Loser is Email.” Thus, reads the headline in the NY Times on October 19, 2016. Indeed, in the current election cycle, month after month, the focus has been on hacked and released emails, on disappearing emails, on emails that reappear on various devices – not of the user’s choosing. It certainly seems that the people who sent those emails should have known better than to write what they actually wrote in the first place.
We are proud to announce that today we unveiled an entirely new web experience that better reflects our mission. We are driven to help customers better address privacy and security when collaborating with colleagues, partners and their clients. The ability to communicate with confidence directly impacts the speed of business.
Welcome back from what we hope was a happy and relaxing July 4th. Happy Independence Day! For us, July 4th is a particularly meaningful holiday. It’s an opportunity to spend time with family and friends and to appreciate the freedoms and liberties we have living in the United States of America.
With the recent approval of secure texting by the Joint Commission, finding a secure, HIPAA compliant messaging solution is imperative for hospitals and independent practitioners. Utilizing secure texting not only enables the safe transmittal of sensitive information but also more efficient patient care team communications.
People engage in conversations over phones in public areas without a thought to who can overhear, or about the potential consequences. There is a blind faith that privacy is somehow granted by being surrounded by strangers. That privacy is often real, but strangers don’t always equal safety.
Author–Kristi Perdue Hinkle
On the heels of the largest data breach on record, it is easy to say that data breaches have become big, and all too common, news. We see it flash across the screen daily: legal firm—leak, hospital—ransomware, government agency—hacked. Cyber security is no longer something just for financial organizations to worry about—it’s become a necessity for any organization that handles private, valuable and sensitive information to prepare for – including those in higher education.
In the last few years, multiple universities have been the victim of data breaches—University of California Berkeley, University of Virginia, University of Maryland, to name a few. In 2014 alone, 30 educational institutions experienced data breaches, with five of those schools experiencing larger data breaches than the Sony hack. Universities face a unique set of challenges when it comes to a data breach. As Paul Rivers, UC Berkeley’s CISO noted, similar to a healthcare organization, schools cannot close if a major breach occurs and network security on campus cannot be treated like a bank or technology company. Schools by nature are an open community, with a network shared by students, staff and even visitors—so closing vulnerabilities can be especially difficult.
Unfortunately, a data breach or IT outage is not the only type of emergency that Universities must prepare for. In the wake of acts of terror, natural disasters and other reported campus safety concerns over the last decade, Universities have a heightened call to action to protect campus staff and students. The ability to securely, efficiently, and, when appropriate, confidentially correspond about emergencies is paramount to successful response and recovery.
So how can universities ensure that sensitive information and communications remain secure during an out-of-course event?
One way is the use of encrypted, secure, ephemeral messaging. Secure messaging enables executives, board members and staff (as well as students for that matter) to communicate in a way that ensures that any sensitive information is protected. This is because at the core the sender is in complete control of anything he or she sends out. Messages cannot be forwarded, shared, saved, printed or screenshotted by the recipient, eliminating the risk of reputational damage or diminished trust. As an example, if a communication needs to be kept to a specific area of the campus to avoid panic during an emergency response – it can be; if a communication needs to be kept confidential to avoid media coverage during an emergency response – it can be; and if a hacker needs to be kept out of discussions concerning an emergency response to a breach – that too can be done.
For additional security, ephemerality means that any messages sent and received are automatically removed from both the sender’s and the receiver’s devices after a pre-defined expiration period, removing the risk caused by BYOD device loss and theft. With secure messaging apps that also support compliance, such as Vaporstream, a copy of the message can be archived in a single repository of record and stored behind a firewall for safe keeping to meet business and regulatory requirements.
In case of an emergency, secure messaging keeps sensitive communications ongoing. This is especially critical for universities, given that schools cannot close when an incident occurs. Secure messaging provides a means to continue crucial conversations and to discuss mitigation, emergency response and recovery plans. In case hackers or even terrorists may have access to certain university information or communications, employees can rest assured that whatever conversations they are conducting via secure messaging are uncompromised.
In short, encrypted, secure, ephemeral messaging protects high level communications for universities at every step of the way—during day-to-day business communications for such things as discussing HR and IP as well as during out-of-course events where emergency response plans need to go into action. If you would like to learn more about secure messaging and Vaporstream’s solution you can download our white paper or contact us.
Author–Kristi Perdue Hinkle
The revelation last week that 11.1 million confidential client documents were compromised at a Panamanian law firm is a mammoth triggering event for the legal industry. Legal is next up to feel the hot glare of the cybersecurity spotlight, following on the heels of healthcare, retail, banking, entertainment and government headline-making cyber-attacks. At 2.6 terabytes of data on business transactions of global public figures, the Panama Papers leak is the largest data breach ever.
A Call to Action.
The notion that law firms are soft targets for hackers is not new. In 2012, the FBI warned major US law firms: hackers see attorneys as a back door to their corporate clients’ valuable data. According to the head of the FBI’s New York cyber division, “[a]s financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.”
Despite this warning, many law firms have been complacent about developing a cyber security plan for their firm. Unlike in other industries, most law firm breaches have been kept private in the past; that does not mean they have not occurred. In fact, some estimate that 80% of the AmLaw 100 firms have been breached. Recent headlines revealed that hackers gained access to networks at Cravath, Swaine & Moore and Weil, Gotshal & Manges, two prominent New York firms. Cravath acknowledged a “limited breach of its IT systems” in 2015. Law firms holding client healthcare information, banking information and personal information such as social security and license numbers and credit card numbers are prime targets for hackers. In the last few years, Chinese hackers have infiltrated major law firms to gain advantages in M&A and trade export matters, for example. Law firms, similar to the healthcare industry, have experienced ransomware attacks, where bad actors break into networks and encrypt files, demanding money for the key to decrypt the files. Ransomware attacks have become so common that we recently blogged on the outbreak in 3 Ways to Avoid Becoming a Cyber Hostage.
The Panama Papers, however, just shattered the delusion that the law firm and its clients could remain in the background of the cyber breach media frenzy. With a breach at this scale, and the associated scandal, you can bet that it is creating a new level of awareness and lighting a fire under managing partners across the globe.
In order to remain competitive, law firms will be required to beef up their security and governance programs and to do it now. “I want an assessment of your cyber-security program on my desk by Friday,” is a phrase likely uttered by many general counsel to their law firms this past week. How law firms react to this call for action will make or break many firms as they move forward under this new post-Panama Papers world.
With the “breach of all breaches” highlighting law firm security, law firms must act now to secure all client content and forms of communications, including mobile communications. Those that don’t will jeopardize the sensitive data that their clients entrust to them. At a time when cyber-criminals are targeting law firms, a lackluster response can expose clients to identity theft, loss of intellectual property, personal embarrassment, harm to corporate brand and, as we are seeing in the Panama Papers, government investigation and litigation risks. Clients will demand better.
Law firm InfoSec and IT teams must rapidly establish a strategy and security protocols to satisfy increased client concerns and scrutiny of document and client communications. Your cyber security strategy should include security protocols that reinforce client confidentiality, governance policies, back-up and recovery as well as breach notification.
Firms must secure documents, emails, desktops, mobile devices (such as smartphones, laptops and tablets); and of course the network, systems and applications. Encryption is now a must for data at rest and in transit, as are annual third party security assessments and information governance policies. Vendor security protocols should be double checked, especially if they touch personally identifiable information (PII) or personal health information (PHI) – both considered extremely valuable on the black markets where hackers reap profits.
Firms must implement breach incident response plans, intrusion monitoring and detection, and technology to track unusual downloads. Importantly, firms must constantly update and educate lawyers and staff on hackers’ ploys such as phishing, back door attacks, bots, denial-of-service and other threats, including a rise in malicious browser extensions that collect data every time a user opens a compromised webpage, according to the Cisco 2016 Security Report.
“Our external-facing Internet sites are probably getting hit 400 to 500 times a week by third-party bots or denial-of-service attacks. That kind of activity is the new normal and it’s hitting everybody.” – CIO, AmLaw 100 firm, 2014
Not all law firms are new to the expectation of increased security. Banks have audited Big Law firms on security protocols for a number of years now, often sending thick questionnaires and onsite auditors to inspect the firms’ data centers and protocols. Afterwards, the law firms are often required to implement new security measures and investments. Many corporate clients now include security requirements in “outside counsel guidelines” that their law firms must sign and execute. An ABA article offers key steps to survive a client cyber-audit and is a good place to start when planning for future requirements.
Heed the Spotlight.
The Panama Papers breach has put an intense spotlight on law firm data security that will not fade anytime soon. Like the Snowden revelations, the fallout from this ethical hack will go on for months to come if not years. As public figure resignations, tax evasion investigations and litigations mushroom, we will continue to uncover the depth of this breach and its cause. Every time a corporate counsel hears another news bite, they will ask their law firm for a security update and stricter guidelines for audits will be created.
Firms need to get ahead of the curve and invest in policies and technologies to improve their security posture. The risk to your clients’ and your firm’s reputation is simply too great to ignore.
To find out how Vaporstream can help law firms better address their security posture, contact us.
Today’s workforce has gone beyond mobile. It is fluid. The physical mobility of devices has improved so drastically that the lightest devices from 20 years ago would be the heaviest devices today. People aren’t just working in different places because they have to, they are working everywhere because mobility enables them to. The freedom to get things done instantly, without having to rearrange your life, has taken hold of today’s workforce. With it come efficiencies and benefits to the organization, employee and consumer, but also risk that must be considered.
Moving with the fluid workforce are their devices; laptops, tablets, phones and everything in-between are constantly being pulled out at soccer games, doctor’s offices, coffee shops and airports. Everywhere you look, someone is connecting. The problem is that interruptions in the real world are often sudden, abrupt, and urgent. Devices may be quickly put down to address a disruption. It is in that moment that the security of the device and everything on it matters the most.
The devices that enable our freedom contain valuable information. When they are lost, stolen, or simply misplaced, that information becomes vulnerable. What’s more, despite the best efforts of IT professionals to educate people about the importance of securing their device, it doesn’t always happen. With almost every security measure that IT forces onto a device, usability is degraded a bit. Degrade usability too much, and users simply move to another device. Even enforcing the use of a passcode on a phone causes consternation:
“Do I use a 4-digit pin or a complex password? I need to take pictures of my kids quickly before the moment passes. Maybe I should disable the code on family days so I don’t miss anything? Not having a code will also make it easier for my kid to play games on it when we’re in the car.”
In fact, studies show that despite the need for security, alarmingly, only 46% of users set a screen lock using a four-digit PIN, password or fingerprint. This means that over 50% of mobile device owners still do not take the basic step of password-protecting their devices. And password protection is just the first step; device encryption is equally important. Without it, a moderately sophisticated attacker can simply access device storage directly, sidestepping password protection altogether.
One obvious reason to care about mobile device security is the sad fact that some of your organization’s mobile devices will be lost. Make no mistake about it: no matter how diligent your staff may be, devices are going to be lost or stolen – eventually. In New York City alone, 73,000 mobile devices were left in taxi cabs in 2014. A lost device should always be regarded as a security breach. Whether the finder attempts to extract information with intent to steal intellectual property, or with the benign intent of identifying the rightful owner, unauthorized access will occur. Unlocked phones and unsecure apps can leave your organization open to a data breach. And this risk certainly is not limited to smartphones – laptops and tablets, while larger, are misplaced every day as well. Unfortunately, there are numerous examples where organizations have been fined for failing to encrypt lost laptops containing PII or PHI. Just this month, Premier Healthcare reported that a non-encrypted laptop was stolen from its billing department, exposing over 200,000 patients’ PII, with almost 2,000 of those records including social security numbers and/or other financial information.
Simply stated – lost devices are a security breach waiting to happen. With higher local storage capacity and access to cloud storage, lost phones and tablets are next to hit the news for breach of information. No amount of diligence can completely prevent the loss of devices. The best you can do is focus on mitigating the potential fallout and make sure that a lost device does not lead to a data breach.
Beyond securing devices, however, the applications that employees use to share information and communicate vital business information also need to be secure. While many organizations may think that deploying secure apps is excessive given their phone security requirements, those requirements are only as good as the hardware provider’s capabilities and are susceptible to human error.
Apps that encrypt their information prevent sharing, saving or forwarding of information and restrict the extraction of information without proper authorization. This can help mitigate the risk of information leaks or larger breaches. It is a mental shift from only protecting the device to protecting the information that flows between devices and better controlling what can be done with that information. Apps that securely leverage the convenience of mobile devices for rapid information exchange, collaboration and decision making can have a dramatic positive impact on employee workflow efficiency and experience.
Employees just want to use their devices in a way that makes their lives easier and helps them get their jobs done. The introduction of ephemerality has also changed the way we look at collaboration via our mobile devices. Corporate data can now be stored in a secure, fire-walled repository while being removed from devices, alleviating much of the risk created by lost or stolen devices.
This is not to say that device security should be ignored. Far from it. Even the most conscientious person might leave valuable information in unsecure locations on their devices, where device security is the last line of defense. On top of reasonable device security, the applications themselves can further protect information on devices and in transit, achieving a deeper level of security and confidence. Secure applications help ensure that the privacy of information belonging to your organization, employees and customers is protected.
In our ever-evolving, technology-rich and breach-heavy world, the need to increase the security of BYOD devices has grown significantly, while empowering employee efficiency is just as important. It is incumbent upon every organization to understand the impact of their mobile workforce upon security and compliance mandates in order to minimize the likelihood and impact of data loss or breach. The inclusion of secure apps such as secure mobile messaging helps you protect vital information from breach while leveraging the efficiencies of the mobile device. Providing, or enforcing, an option for secure information exchange and collaboration that does not jeopardize privacy or compliance should be included in every organization’s mobile enablement strategy.
To find out more about the benefits that can be realized through secure mobile messaging, contact us.
Contributor: Avi Elkoni
Author–Galina Datskovsky Ph.D., CRM, FAI
As I look back on the year, I can’t help but marvel on the incredible ups and downs that it has brought with it. Although there are many to speak of, both personally and professionally for most of us, cyber security has been front and center throughout 2015 and has become an increasingly prominent topic among companies, families and individuals.
Although an unfortunate reality in the world we now live in, I see the increased interest in cyber security and information security as something extremely positive for our country and all businesses alike. As with many forms of safety, cyber security has developed and grown as a result of incredible technological progress. We have seen firsthand how technology has and continues to improve lives—from smart household gadgets, to healthcare IT, to innovative ways that companies and organizations can now communicate. With great innovation, we also must consider changed behaviors and the impact on how we as human beings interact with each other. For me, the increased focus on cyber security in 2015 has been indicative of the extent to which technology has progressed in the last year, and how much progress is still yet to come.
At Vaporstream®, we continue to find ways to provide more secure environments to do business, protect sensitive information and communicate. I have been thrilled to see the Vaporstream team grow. I am proud of their talent and look forward to the opportunities ahead.
As we look towards 2016, I anticipate exciting new developments in the world of cyber security, information security, secure mobility and information governance. I wish you the best for 2016. Have an incredible holiday season with friends, family and colleagues. Have a healthy, happy, and peaceful new year!
We are seeing much discussion about encryption and encrypted communications in the news in the wake of the Paris attack. The intelligence community did not intercept the communication between the attackers leading up to the attack, and this leads many to believe that encrypted communications must have been used.
The days of working at a company and receiving a new cell phone on your first day have started to fade away. Market researcher Gartner Inc. predicts that almost four in 10 organizations will rely exclusively on a policy of Bring Your Own Device (BYOD)—meaning they will no longer provide devices to employees—by 2016, and 85 percent of businesses will have some kind of BYOD program in place by 2020.
Why is BYOD a Hot Trend?
The BYOD trend is popular amongst employees who bring their personal smartphones, tablets and laptops to the office, or use them offsite as they take their work home. Businesses benefit from BYOD programs shifting costs to the user – including costs for the hardware, taxes, voice and/or data services, and other associated expenses.
The Good Technology State of BYOD Report states that 50 percent of companies with BYOD models are requiring employees to cover all costs — and they are happy to do so. Why? Many employees don’t want to carry two cell phones to work.
Users prefer their own devices and they’d rather use the devices they love rather than being stuck with laptops and mobile devices that are selected and issued by the IT department. BYOD devices tend to be more cutting edge, and users also upgrade to the latest hardware more frequently than the painfully slow refresh cycles at most organizations.
Risks to Company Privacy
So the switch to mobility is in full swing and must be embraced by most organizations. But the risks to company privacy are high as employees access email and other potentially proprietary data on their own devices.
- Small and medium-sized businesses have been at the forefront of the BYOD trend, with almost 62 percent of American SMBs having an official BYOD policy in place as of 2013, according to research conducted by iGR, a wireless and mobile communications consulting firm.
- At least another 10 percent lack an official policy but allow employees to use their personal devices to perform work-related tasks.
- Data security and regulatory compliance are big issues with BYOD environments. SMBs often must absorb more risk than larger enterprises out of necessity. They can’t afford a security team, a chief information security officer, and all that this entails. SMBs and enterprise companies need to approach device and data management in a manner that secures corporate and customer data, but doesn’t hinder productivity. Furthermore, when a worker is let go, or leaves the company of their own accord, segregating and retrieving company data can be a problem.
Solutions to Consider
- For both SMB and enterprise customers, Mobile Device Management (MDM) solutions, like IBM MaaS360, VMware AirWatch, Good Technology and MobileIron, do a good job of managing the segregation of the data on the mobile device and protecting it with encryption and PIN codes. They also enable clearing this business data if the phone is lost or the employee is terminated. However, when it comes to mobile communications, the text messages, emails and chats are sent to recipient devices that are outside the control of the sender’s organization, beyond the reach of its MDM policies.
- Ephemeral messaging applications such as Vaporstream are designed for the BYOD world. They have the power and ease of use of email and text messaging without the liability of it. Ephemeral messages cannot be shared or stored and disappear after use. Regardless of the device, users can exchange messages securely across the enterprise, yet those messages do not remain on any devices and cannot be shared by any device, even those beyond the control of your MDM solution.
- Compliance is important in heavily regulated industries like Healthcare, Insurance, Legal, and Finance just to name a few. Keep that in mind as you shop around for an ephemeral messaging solution that will address your needs. Consider vendors that uniquely allow companies to opt for a Governance Module where they can archive messages, in a secure on premise store. These can be tagged as transient messages with a short term retention or for as long as required in regulated industries, while leaving nothing on the BYOD devices. The only copy is in your secured archive for e-discovery, no exposure on BYOD devices or copies on unintended recipient devices and servers. Vaporstream covers these requirements and helps customers meet their regulatory requirements.
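The following is an added example, not Vaporstream’s code, that models the lifecycle described above and in the university post earlier on this page: a message lives on devices only until a time-to-live passes, recipients cannot forward it, a lost device can be wiped without touching the record, and the only durable copy sits in an on-premise archive under a retention class. The retention periods, the clock values and the participants are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Retention classes for the archive (constructed values, not a product setting).
RETENTION_SECONDS = {"transient": 7 * 86400, "regulated": 7 * 365 * 86400}


@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str
    sent_at: int  # seconds on a constructed clock
    ttl: int      # seconds a device copy may live

    @property
    def expires_at(self) -> int:
        return self.sent_at + self.ttl


class Device:
    """A BYOD handset: holds transient copies only; no forward, save or export."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self._inbox: Dict[int, Message] = {}

    def receive(self, msg: Message) -> None:
        self._inbox[msg.msg_id] = msg

    def read(self, msg_id: int, now: int) -> Optional[str]:
        """Return the body while the TTL holds; drop the copy once it has passed."""
        msg = self._inbox.get(msg_id)
        if msg is None:
            return None
        if now >= msg.expires_at:
            del self._inbox[msg_id]
            return None
        return msg.body

    def forward(self, msg_id: int, other: "Device") -> None:
        # The sender stays in control: recipient-side sharing is refused outright.
        raise PermissionError(f"{self.owner}: forwarding is not permitted")

    def purge_expired(self, now: int) -> int:
        expired = [i for i, m in self._inbox.items() if now >= m.expires_at]
        for i in expired:
            del self._inbox[i]
        return len(expired)

    def wipe(self) -> int:
        """MDM-style remote wipe after loss or offboarding; the archive is unaffected."""
        count = len(self._inbox)
        self._inbox.clear()
        return count

    def live_count(self) -> int:
        return len(self._inbox)


class Archive:
    """Single repository of record behind the firewall, purged by retention class."""

    def __init__(self) -> None:
        self._records: Dict[int, Tuple[Message, int]] = {}  # id -> (msg, purge_at)

    def store(self, msg: Message, retention_class: str, now: int) -> None:
        self._records[msg.msg_id] = (msg, now + RETENTION_SECONDS[retention_class])

    def retrieve(self, msg_id: int) -> Optional[Message]:
        rec = self._records.get(msg_id)
        return rec[0] if rec else None

    def ediscovery(self, participant: str) -> List[Message]:
        return [m for m, _ in self._records.values()
                if participant in (m.sender, m.recipient)]

    def purge_expired(self, now: int) -> int:
        gone = [i for i, (_, purge_at) in self._records.items() if now >= purge_at]
        for i in gone:
            del self._records[i]
        return len(gone)


class MessagingService:
    def __init__(self, archive: Archive) -> None:
        self.archive = archive
        self.devices: Dict[str, Device] = {}
        self._next_id = 1

    def register(self, device: Device) -> None:
        self.devices[device.owner] = device

    def send(self, sender: str, recipient: str, body: str, now: int,
             ttl: int, retention_class: str = "transient") -> Message:
        msg = Message(self._next_id, sender, recipient, body, now, ttl)
        self._next_id += 1
        self.archive.store(msg, retention_class, now)  # archived before delivery
        self.devices[sender].receive(msg)               # sender's own transient copy
        self.devices[recipient].receive(msg)
        return msg
```

Running a housekeeping pass means calling `purge_expired(now)` on each device and on the archive; the device copies vanish after the TTL while the archive copy stays until its retention class ends.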
As companies embrace BYOD programs, they can also meet the unique privacy challenges by taking one simple step, in addition to implementing MDM – adopting a secure, ephemeral, compliant messaging platform. Enable efficient communication without sacrificing control over confidential information. If you currently do not have a solution that addresses privacy, security and compliance for mobile messaging, download a FREE trial of the Vaporstream® App today (available in the App Store and Google Play).