Welcome to InteliSecure’s Cyber Security Awareness Month Education Center! For the month of October, we will be providing resources regarding cyber security and critical data protection, including:
White Papers/Case Studies
This page will be updated every week with new resources and educational opportunities to learn more on how your organization can protect its most critical data assets. Additionally, we will be tweeting links to cyber security-focused articles throughout the month.
We hope you find the information useful as you continue your role, or interest, in learning how organizations can protect their information assets in today’s world of persistent and ongoing threats.
Blanket perimeter security programs are outdated. The sheer number of threats organizations face on a daily basis, from both outside and inside their confines, makes such an approach impractical. You cannot protect everything equally. As an example, you probably have differing levels of security for household and personal items. For the majority of items, most people simply use locks on doors or a security service. For more valuable items, chances are people have a safe for added protection.
The fact is, some organizational data assets have more value than others. The protection you give them should follow the same approach you take with your personal items. Doing so allows you to extend budget and focus resources on protecting the organization’s most critical data assets, those assets that, if stolen or otherwise exposed, would cause serious and possibly irreparable harm to the organization.
InteliSecure’s CTO, Jeremy Wittkop, explores the importance of identifying one’s most critical data in his blog “Why Identifying and Protecting Critical Information Assets Should be a foundational Element of your Security Program.”
Learn why effective cybersecurity begins with identifying and prioritizing critical data assets in this whitepaper.
Learn how one healthcare organization implemented a Data Loss Prevention (DLP) program based on protecting its most critical data assets in this Case Study.
Classification of data also helps organizations include end users as part of the solution for cybersecurity. As creators of data, it is important for employees to understand the corporation’s security stance relating to how content should be marked and used to ensure that an effective and proportionate level of security is in place. Once information is labelled according to its relevant classification, organizations can restrict who has access to that information by user group, classification marking, method of transmission, or through sanitization.
Data classification technologies and programs can also be combined with other technologies such as Data Loss Prevention (DLP), Email and Web Gateways, and Security Information and Event Management (SIEM) to enhance overall security programs.
Learn the basics of Data Classification, including what it is and isn’t, in this 25-minute webinar.
The public is more aware than ever about data security, with high-profile breaches continuing to hit the news on a regular basis. One of the ways in which many organizations test their security is by conducting security scans, assessments and penetration tests. However, there remains confusion about what constitutes a penetration test. Penetration tests not only include technological attempts at getting to secured data, but also test the physical controls meant to keep people who don’t have proper access away from areas where sensitive data is stored.
The Differences Between Audits, Security Assessments and Penetration Tests blog post helps explain what constitutes a full penetration test and how to set expectations when someone decides, “We need a penetration test.”
Threats don’t exclusively come from outside an organization. While external hacks, phishing attacks and malicious code often grab the headlines and media glory, most organizations face an even greater threat from inside their business. Whether malicious or accidental in nature, trusted internal employees are, more often than not, the ones that expose or steal information.
Insider Threat security programs, while similar to traditional security programs, have distinct differences organizations should be aware of. Insider Threat programs are also sometimes difficult to implement depending on local laws. For example, in the United States, it is fairly easy to set up a program to monitor internal employee actions. However, in certain parts of Europe, such as Germany and Switzerland, organizations must often work with Works Councils to justify and implement the same types of programs.
InteliSecure’s Building Effective Insider Threat Programs blog post looks at the basics of building such programs, including the identification of critical data assets, enterprise monitoring and incident investigation. For a more in-depth look into programs, be sure to watch our Insider Threat webinar, which looks not only at programs and the use of User and Entity Behavioral Analytics (UEBA), but also at some of the technology now available to help identify malicious activities.
Finding the right MSSP for your organization is not as simple as it seems. Available services, costs and support models vary widely between MSSPs. From coverage hours, global locations and experience to an MSSP’s ability to outsource your services, selecting the right MSSP is critical in today’s world of advanced persistent threats.
There are numerous examples of support being provided from at-home employees with no baseline security controls or sub-contracted work where an organization’s data ends up being stored and monitored in a facility in a foreign country with less-skilled workers. Depending on the type of data you wish to have monitored, these may be acceptable outcomes.
Ultimate responsibility for the security of your data falls squarely on your organization’s shoulders. Most contracts also limit an MSSP’s liability to material service failures. To ensure a healthy and long-lasting relationship, there are 10 fundamental questions any organization should ask of their current or prospective MSSP.
There aren’t any right or wrong answers to the questions. They are designed to help you during the discovery process regarding expectations, risk levels, and overall handling of your critical data. Any responses to the questions listed below that have a material impact on your organization’s decision on which MSSP to choose should be clearly defined and documented within your contract.
Many people think that the only organizations outside of the European Union (EU) that need to be concerned with the Union’s General Data Protection Regulation (GDPR) are large multinationals. That is not the case. The fact is, anyone who has any contact with, and stores or processes the information of, a citizen of the EU is subject to the Regulation. In an extreme case, to demonstrate how broad the Regulation is, even a hot dog vendor in Chicago who sells a hot dog to someone from France, Italy, Poland or any of the other countries within the EU who uses a credit card would need to be in compliance.
The penalty phase for GDPR comes into effect on May 28, 2018. Are you prepared?
The whitepaper Operationalize Your Organization for the General Data Protection Regulation reviews the regulation, its ramifications, and creating a support framework.
Learn about effective methods for GDPR compliance by watching this InteliSecure webinar hosted by Alastair Parr, InteliSecure’s Director of Operations, EMEA. Along with CTO, Jeremy Wittkop, Alastair will cover Security Program Design, the Right to Be Forgotten Statute, Privacy Impact Assessments and Mapping and Enforcing Data Flows.
You can also read more in the Understanding GDPR blog post by InteliSecure’s CTO, Jeremy Wittkop.
Data Loss Prevention (DLP) technology was first introduced in the early 2000s by Vontu. Since that time, the technology has dramatically evolved to help organizations of all sizes protect critical data assets from malicious and accidental exposure. As with any security technology, to be successful, policies must be configured correctly as part of a well-designed and policed security program. Download this infographic to learn about the top 10 tactics every DLP program should have to help ensure successful critical data protection.
One of the first concerns clients and prospects mention to us when we meet with them regards securing data in the cloud. Cloud Access Security Broker (CASB) technologies combined with Data Loss Prevention provide a powerful combination to protect critical data assets. Learn how they can help protect data in the Cloud by watching Extending DLP to the Cloud.
There are several misconceptions regarding the cloud and data security. The three main ones we see are:
Transfer of Risk – Organizations thinking that when they store their data in the cloud, the risk associated with the loss or theft of that data is transferred to their provider.
Data Regulations Do Not Apply – Many assume data regulations, such as the EU’s General Data Protection Regulation, do not apply to Cloud data.
The Cloud is a Location with Rented Space – There is no cloud. It’s just someone else’s data center. It is someone else’s computer, in someone else’s data center and you don’t have control over it.
InteliSecure CTO, Jeremy Wittkop, penned this blog post on Protecting Data Going to and From the Cloud, which discusses the three main misconceptions, defining the cloud security problem, why cloud-focused security programs are necessary and the role of Cloud Access Security Broker (CASB) technology.