Assuring data privacy has been a hot issue for years, and the basic building blocks of a strong defense against cybercriminal data theft haven't changed. The five steps below were originally published by Neil Chesanow in an article for Medscape titled "Why Your Patients' Data May Not Be Safe: 5 Steps to Protect".
- Develop a strict-but-realistic security policy
- Control access to patient data
- Monitor (protected data) activity
- Require more complex passwords
- Encrypt all outgoing files
Although written from a medical/healthcare point of view (I've substituted protected data for the original Electronic Health Records), the steps can be applied to help any business or organization think through some of the issues surrounding the protection of sensitive and confidential files and data. They apply to PCI (Payment Card Industry) data, Protected Health Information (PHI) and any type of Personally Identifiable Information (PII) your organization stores or processes.
Controlled Access to Protected Data
A much-overlooked attack vector for cybercriminals is the file transfer system used to share data externally in the normal course of business. For banks it may be loan approval processing. For healthcare providers it is PHI data sent in the course of benefit eligibility determination and insurance claims processing. It could even be as simple as employee records.
Controlled access to protected data is of paramount importance. Access to sensitive files and data should only be granted to people who are required to use it as part of their job. Not every employee or external partner should have access to all company information. And it’s easy enough to control and enforce access by applying simple rules and policies. Your file transfer system should integrate with internal authentication and directory servers to assure access control.
Collecting data transfer activities is key to assuring security and compliance with data protection regulations. The ability to see who accessed sensitive information, when and how many times they accessed it, whether they moved or sent it to another location or person, and if/how the transmission and the file itself were secured and encrypted are important pieces of information from both an internal security policy and a compliance perspective. You never want to find yourself with a request for an audit trail of a particular file or communication and not be able to provide it.
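The audit trail described above, sketched as an added example that is not part of the original article: it answers, per file, who accessed it and how often, where it was sent, and whether transport and storage were protected. The pipe-delimited record layout, user names, file names and hosts are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample transfer-log records (hypothetical field layout):
# timestamp|user|action|file|destination|protocol|encrypted_at_rest
SAMPLE_LOG = """\
2024-03-01T09:12:05|asmith|download|claims/batch-0301.csv|-|sftp|yes
2024-03-01T09:40:17|asmith|send|claims/batch-0301.csv|partner-a.example|sftp|yes
2024-03-02T14:03:51|bjones|send|claims/batch-0301.csv|partner-b.example|ftp|yes
2024-03-02T16:22:10|bjones|download|hr/employees.xlsx|-|https|no
"""

ENCRYPTED_TRANSPORTS = {"sftp", "ftps", "https"}  # plain "ftp" is cleartext
FIELDS = ("time", "user", "action", "file", "dest", "proto", "at_rest")

def parse(log_text):
    """Turn log text into event dicts; reject records with missing fields."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        ev = dict(zip(FIELDS, parts))
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events

def audit_trail(events, filename):
    """Who touched a file, how often, where it went, and unprotected handling."""
    accesses, destinations, findings = defaultdict(int), [], []
    matching = sorted((e for e in events if e["file"] == filename),
                      key=lambda e: e["time"])
    for ev in matching:
        stamp = ev["time"].isoformat()
        accesses[ev["user"]] += 1
        if ev["action"] == "send":
            destinations.append((stamp, ev["user"], ev["dest"]))
        if ev["proto"] not in ENCRYPTED_TRANSPORTS:
            findings.append(f"{stamp} {ev['user']}: cleartext transport ({ev['proto']})")
        if ev["at_rest"] != "yes":
            findings.append(f"{stamp} {ev['user']}: file not encrypted at rest")
    return {"accesses": dict(accesses), "destinations": destinations,
            "findings": findings}

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for name in sorted({e["file"] for e in events}):
        print(name, audit_trail(events, name))
```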
Encryption to Prevent Privacy Breaches
Encryption of data in transit should be obvious. It is way too easy for cybercriminals to intercept data traversing the public internet these days. Encryption makes the intercepted data worthless. But you should also be encrypting the data at rest in your file transfer servers and assuring that it is deleted.
Pay particular attention to your method of transfers. FTP servers are notoriously weak in security and provide an easy and valuable target for a cybercriminal. They give the attacker a great command and control link to carry out the attack and transmit stolen data.