Townsend Security Data Privacy Blog

Those of us in the data security industry often wear technology blinders as we go about the business of trying to secure the sensitive data of the organizations we serve. Every organization has limited resources and it is hard to compete with line of business needs in terms of budget and human resources. It’s an ongoing struggle that comes with the territory.

Of course, any organization that has suffered a severe data breach quickly changes its attitude towards investing in security. The internal attitudes at Target, Anthem and Sony are different today than they were in the past, and for good reasons.

For those who’ve not experienced a data breach, the organizational costs remain vague and theoretical. I thought you might like to read how an attorney views the impacts of a data breach that involves the loss of credit card information. David Zetoony, an attorney with the legal firm Bryan Cave, has written several white papers discussing aspects of security. These are very readable works and well worth the time. Even if you are not processing credit card payments, I think this article is relevant to the loss of any sensitive data.

Here is his paper on the impacts of a data breach involving credit cards.

There is a bonus section in this paper about cyber insurance. In my eBook on Key Management Trends and Predictions I mention Cyber Insurance as an evolving industry. This paper by David Zetoony delves much deeper into the issues related to Cyber Insurance. He provides some very practical advice on how to think about Cyber Insurance and how to evaluate potential coverage. If you are new to the topic, or if you’ve not reviewed your Cyber Insurance policy for more than a year, you need to read the second part of David’s paper.

Neither I nor Townsend Security has any relationship with David Zetoony and the legal firm of Bryan Cave. I stumbled on this David’s work and thought you might find this informative. For those of you making the case for increased security, you might consider sharing David’s paper with your management team and legal counsel.

Patrick

Businesses leaders are becoming more and more scared of an impending data breach. Most IT security professionals agree that a data breach is no longer a matter of “if” but “when”. While major enterprises are now scrambling to implement strong encryption and encryption key management to protect customer data, for many companies, like Target and Home Depot, these efforts are too little too late.

These medium to large enterprise-sized businesses are now holding their vendors and partners to a higher security standard. As a B2B organization that would like to onboard these larger clients, you should consider learning how to implement strong data security into your hardware, software, and cloud applications.

Encryption is one of the best-kept secrets of companies that have prevented or mitigated the consequences of a data breach. Because encryption renders data unreadable, any unauthorized access to that data is useless to the person who sees it. If the encryption key is adequately protected and not discovered by the intruder, then there is no way to decrypt the data and the breach has been secured. Encryption and encryption key management are the most defensible technologies for data breach protection.

Today encryption and encryption key management is as easy as launching an AMI in Amazon Web Services (AWS) in just a few minutes. Developers can now launch Townsend Security’s key manager, Alliance Key Manager (AKM), in AWS, Microsoft Azure, or VMware and receive up to two free licenses to develop and test encryption and key management in their applications. Alliance Key Manager is FIPS 140-2 compliant and provides NIST compliant AES encryption services so that encryption keys never leave the key server.

Businesses are not only concerned with risk management. Meeting compliance using standards-based solutions is also a critical piece to building defensible data security. Especially for government organizations that must comply with FISMA, many CIOs and CTOs won’t even consider an encryption or key management solution that hasn’t undergone NIST certification.

The importance of NIST compliance is far-reaching. Implementing a solution that meets an industry standard means that your solution will stand up to scrutiny in the event of a breach. NIST compliant encryption and key management have been tested against accepted standards for cryptographic modules and are routinely tested for weaknesses. Can meeting compliance regulations still be a low bar? Of course, but following standards and then implementing accepted best practices is the only way to meet compliance and achieve the highest levels of security.

With the Townsend Security Developer Program, you can develop applications that not only meet compliance but exceed them to give your clients the highest levels of security, you can win enterprise clients that you haven’t been able to work with before, and gain access to a host of Townsend Security APIs that have been designed for easy integration into new development projects.

Language libraries we provide for Alliance Key Manager include: Java, C/C++, Windows .NET application source code, Perl, and Python. Also available are client side applications for SQL Server and Drupal CMS.

To learn more and to join our Developer Program, click here.

In a business world that is moving more towards virtualization and cloud environments, the need for strong encryption and proper key management is critical. Due to all the recent and well-publicized data breaches, we all know about the ways your brand can be damaged if you don’t encrypt your data. Let’s look at the benefits of encryption, and three of the ways it can have a positive effect on your business.

Customer Confidence = Loyalty: When it all boils down, building trust in your business is what will make or break relationships with your customers, business partners, and potential investors.  After major retail breaches in 2013, a study conducted on 700 consumers showed that the three occurrences that have the greatest impact on brand reputation are data breaches, poor customer service, and environmental disasters. These three incidents were selected ahead of publicized lawsuits, government fines, and labor or union disputes. By being transparent about the ways that you will store and protect their sensitive data (required to operate your business) you will build a level of confidence and trust with your current and potential clients and customers. Using encryption to protect your customers sensitive information is the best way to keep any unauthorized user from successfully using the data if it is accessed. Properly deploying encryption, means you will be sure to use an encryption key manager that separates and securely stores the encryption keys away from the encrypted data. Let your clients know you take data security seriously, and let the would-be thieves know “move along, there is nothing to see here”!

Cloud = Cost Savings: Encryption can help your business move successfully to cloud and virtual environments. Because of the multi-tenant nature, cloud solutions can offer a significant cost savings to most organizations… but what about those other “tenants”, are they able to gain access to your information? What about the treasure trove of information that is attracting more and more hackers? Encryption can make it possible to leverage the benefits and cost savings of the cloud while ensuring the privacy of your sensitive data.

• By using encryption, you can make sure your information is secure when it is “at rest” or “in motion”.
• By properly handling encryption keys with an encryption key manager, you make sure you are the only one able to access your encryption keys.
• By keeping your encrypted data and your encryption keys in separate locations, you remain in control even when your data has left the building.

Customer Compliance = Competitive Advantage: Keeping data secure is the law for many commercial and private organizations. If any sensitive information is stolen or lost, your company may suffer some serious consequences, especially if that information is not encrypted. Using industry standard encryption also helps you meet various compliance regulations and data security standards. Depending on what industry your business is in, different regulations will come into play. As an example, all companies that take credit card payments fall under the Payment Card Industry Data Security Standard (PCI DSS). We all use credit cards and we want assurance that our information is safe. Would you shop online with a company that didn’t take measures to protect your account information?

If a data breach occurs and personally identifiable information is lost, the breached company must notify all their customers who are impacted. Did you know that there are data breach notification laws in 46 of the 50 states? Some regulations have a safe harbor clause, protecting companies from public notification if the stolen data is encrypted and if the encryption keys are not compromised. Along with the frequency, the cost of these breaches continues to escalate: The average cost to an organization for a data breach is up 15% with an average cost of 3.5 million dollars (2014 Ponemon Report). So using encryption to protect data and properly handling key management could save you millions of dollars in the event of a breach. Given the high cost of breach notification doesn't encryption just make sense?

Whether you choose a designated hardware security module (HSM), something designed specifically for virtualized environments (VMware), or data storage in the cloud, encryption and key management solutions can help you:

• Gain competitive advantage and build loyalty by protecting your customers data against access by unauthorized users
• Reduce hardware costs by leveraging virtual environments in the cloud
• Significantly improve your data security strategy while satisfying data compliance and privacy requirements

Overall, data encryption offers many benefits and provides solid protection against potential threats or theft. In addition to the many benefits, encryption is also efficient, easy to use, and affordable! Want to learn more about encryption? Download our eBook “The Encryption Guide”:

Make sure you don't turn a blind eye to data security!

The basic concept of converting sensitive data into a form that could not be easily understood if it was to be seen by the wrong audience goes back as far as 500 BC (Atbash Cipher), some would even argue that in 1900 BC a simple hieroglyphic substitution was the first form of cryptography. While technology has made great advancements in recent years, it has also created an even greater need for privacy of sensitive information. Whether you are the Chief Security Officer, IT personnel, or database administrator; you should know how your company is handling sensitive data. In fact, security is the responsibility of every business owner and employee. Not using secure passwords can lead to a data breach just as not following key management best practices can provide access to people with malicious intent. When awareness around data security reaches every department and individual, then the company can not only meet compliance regulations, but can benefit from effective data security. Compliance regulations require (or strongly recommend) all industries following best practices for encryption and key management . Do you know which of these apply to you and your company? For example, if you take credit cards for any reason, you fall under Payment Card Industry - Data Security Standards (PCI-DSS). Other common regulations are:

• HIPAA/HITECH ACT requires security of Protected Health Information (PHI) in the medical sector.
• GLBA/FFIEC sets regulations for banks, credit unions, credit reporting agencies, and anyone in the financial industry.
• FISMA is for Federal US Government Agencies.
• The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement.
• More than 45 states also have their own privacy rules, in addition to the ones listed above, that strongly recommend encryption of any personally identifiable information (PII).

So, beyond compliance with regulations, why should you care about encryption… First of all, your customers, clients, and suppliers all expect you to protect their sensitive data. Effective encryption and key management can provide your company with a number of other benefits as well. Here are just a few basic benefits of effective encryption key management:

• Peace of Mind - While hackers and identity thieves are getting smarter and regulations are getting more complex, data protection technology is also improving at a rapid rate. Encryption and key management options are now available in virtual machines and cloud environments as well as hardware security modules(HSMs). How well would you sleep at night if you kept your house key under your welcome mat?
• Reputation - Whether information is lost due to a hacker or a hurricane, if a company loses all of it’s important data, the whole business could be ruined. However if sensitive data is lost because mechanisms for protecting it are not in place, then an organization has even bigger problems. The most effective way to secure data and ensure the integrity of a company is to deploy encryption and properly manage the encryption keys.
• Credibility - Beyond audit requirements, organizations need to consider the security of their customers Personally Identifiable Information (PII). Being able to protect your clients with strong key management practices can add a level of trust and confidence that will help grow your business.

Mobility is also great benefit! As more people move their data to the cloud or virtualized environments the need for encryption increases, and the importance of key management becomes even more evident. In order to maintain control over your data, and the privacy of your customers, information must not only be encrypted but kept secure while in motion, in use, or at rest. By properly managing your encryption keys, you are still in control of your data no matter who is sharing your infrastructure.

In this complimentary eBook, "Turning a Blind Eye to Data Security”, authors Kevin Beaver, CISSP; Patrick Townsend, and Todd Ostrander will teach you about:

• Tools and resources to begin the discussion about data security in your company
• 5 Common misconceptions about data security
• 6 Questions to ask your CIO

What do business executives need to know about encryption key management best practices? As it turns out, CEOs don’t need to know every tiny detail about encryption and the tools used to protect encryption keys, but they do need to know enough to protect their business and mitigate major risks.

Just like financial and legal best practices that business executives are tuned in to and monitor weekly, if not daily, business leaders need to have a heightened awareness of how their IT departments are handling both their own and their customers’ sensitive data. Sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII) such as names, addresses, email addresses, and passwords needs to be protected as mandated by industry regulations and many state laws. Unencrypted data or encrypted data with poorly protected encryption keys is a ticking time bomb that could lead to a major data breach.

I recently sat down with Patrick Townsend, Founder and CEO, to discuss the critical security risks executives face, how to start a conversation on data security with your IT team, and the encryption and key management best practices that will save your company from a data breach.

Patrick Townsend explains the importance of protecting encryption keys:

“Executives need to know that A.) they might not be encrypting the data that they need to, and B.) if they are encrypting that data, they might not be protecting their encryption keys, which are the core secret that have to be protected the right way. When you leave the house in the morning and you lock your door, you don’t tape the key right next to the lock. Your house key would be easy to find when you come home, but we all know that’s a bad practice. In a similar way, a lot of organizations are not implementing best practices around protecting encryption keys and are putting their business at risk.”

The major risks associated with unencrypted or poorly encrypted data are these:

• A data breach is no longer a matter of “if,” but, “when”
• The average cost of a data breach is $5.4 million, according to the Ponemon Institute
• This cost typically is a culmination of fines, lost customers, brand damage, credit monitoring, and litigation

How does an organization properly encrypt their sensitive data?  They need to follow best practices such as deploying AES encryption and NIST FIPS 140-2 compliant key management, as well as important practices such as separation of duties, split knowledge, and dual control.

Encryption key management best practices will:

• Provide you with strong encryption
• Provide you with powerful, defensible encryption key management
• Protect your business in the event of a data breach
• Put you in compliance with industry and state regulations
• Give you peace of mind

To learn more about the business risks of data security, download our free eBook "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication Between CEOs and CIOs" and learn about the business risks associated with unprotected sensitive data, tools and resources to begin the discussion about data security in your company, and actionable steps you can take today.

What exactly is data security and encryption & key management, and why care about it? 

Interesting conversation this morning as I walked from the parking lot to my office building.  Another person from one of the eight companies that occupy this building and I walked in together and chatted... first it was just “looks like the weather is getting better”... then it moved to “what floor are you on?  what company?” and when I told her ‘Townsend Security’, she said “oh, I’ve always wondered what you folks do”...

As the newest staff member, I wasn’t sure I had perfected my 30 second elevator pitch, but I told her that we were a data encryption company and design the software (and provide hardware) that almost everyone needs to protect themselves from a data breach. At first her response was “oh, we don’t need that, we have a guy that takes care of our computers”. Then we talked about how high the statistics are for people who would experience a data breach ("In 2010, if you received a data breach notification, your odds of being a fraud victim were one in nine. Last year, that jumped to one in four."), and after asking if they had a database and if they kept any records that held personally identifiable information (PII) or credit cards, it quickly became “I think we need that!”.

It reminded me that when I started working here, I wasn’t fully aware of many of the reasons or regulations that make data encryption so important.  I’m not sure I will ever have a complete technical understanding of all the nuances, but I’m working on it... Luckily I work with incredibly brilliant people who daily do all of the hard programming work and are very passionate about encryption.

I am lucky enough to be working with a company that I believe in, doing work that I know is important and can really make a difference in peoples lives. One of the main reasons I love this job... all the wonderful people that I work with, people so passionate about data security and the positive impact we can have on other people’s lives!

The founder, Patrick Townsend, impressed me so much at our last staff meeting when he reminded everyone to really think about why we are here, why we do what we do.  “It isn’t about selling a product.  It isn’t about the bottom line.  It is about protecting people from the devastation that a data breach can have on their individual lives.  It is about making sure we help companies protect their customers and clients.  It is about stopping the bad guys from wrecking havoc by making it impossible for them to get what they are after.  That is why we are here, remember that”.

Think about what your company does with the data you collect.  Is it encrypted and secure when it is “data at rest” (just sitting on your server)? How about when it is “data in motion” (being transferred to someone else)?  Look into what is happening with your information, and if you depend on someone else to take care of it, make sure they are doing it right.

Data gets out. Period. Either by accident or by design (someone hacking into your information). Make sure that when it does get out (and unfortunately it is “when”, not “if”) that it can’t be read.  You can make that data useless by encrypting it.   Remember to keep the encryption key stored in a different location than the data (encryption key management 101) because you wouldn’t lock up your house and then tape the key to the front door or leave it under the welcome mat!...  Would you?

If you aren’t sure what encryption or key management is all about.  We have a wonderful resource section on our website, and I’ve gathered a collection of some great Key Management resources right here.

Check out the information we have on data security and encryption key management and then contact us with questions, we are here to help!

Townsend Security recently asked business executive and mid-market expert Todd Ostrander to contribute his expertise and thought leadership on C-level risk management to our most most recently published eBook, Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).

In his article, Todd Ostrander discusses several key points around data security and business risk including:

• The roles and responsibilities of a CEO around data security
• The high costs associated with a data breach
• How unencrypted data represents a significant business risk
• Why proper encryption key management is needed to prevent a breach

In addressing these issues, Todd Ostrander urges us to implement the solution that many businesses have yet to adopt.

Read an excerpt from his article below:

“In any organization, the CEO has many jobs. At the macro level, a CEO’s job is to instill a high level of confidence in his or her stakeholders, including customers, investors, employees, suppliers and partners. To accomplish this, a CEO must establish a level of trust with these stakeholders in order to inspire, encourage, and engage them to take part in the entity’s vision and pursuits. Ultimately, the organization uses its stakeholders’ trust—their confidence in the CEO and his or her team’s ability to execute—to grow and build its value.

Every business has inherent risks in its execution—such as hiring dependable employees and maintaining financial stability. In order for a CEO to instill the kind of confidence that increases a business’ value, he or she must be able to identify and address each of the risks in the business.  Therefore, risk mitigation by nature becomes a core component of a CEO’s job.

In a pre-internet world, the risk of data loss was limited to a physical breach of an actual building. Security guards, fences, and access control systems were established to keep people away from sensitive information. However, as today’s world has become electronically connected at virtually every level, businesses need to focus not only on preventing access to data but also on protecting the data itself. This is where a comprehensive data protection strategy comes in to play.

Most CEOs are well aware that encryption methodologies were created for their CIOs to be able to protect data in their networks. However, encryption is such a new field that few CEOs understand all of the risks associated with unprotected data as well as evolving industry-based regulations which they must comply with.

CEOs may not know that even if their data is encrypted, without proper encryption key management, they are still at risk and do not comply with many industry regulations. Without good key management practices, you are practically inviting hackers to break in to your system…"

Todd Ostrander is a professional with over 25 years of F1000, mid-market and emerging market startup experience. Throughout his career, he has been at the forefront of groundbreaking changes that create new markets and opportunities. While he has a broad range of skills from finance to procurement, strategic marketing and product strategy, his core functional expertise is in exploiting existing markets as well as identifying and creating new market opportunities with specific focus on go-to-market, intellectual property, and capitalization strategies. Within the technology industry, he has specific expertise in workflow management, Software as a Service (SaaS), wireless, digital marketing, and mobility.

Data breaches of sensitive, unencrypted information occur almost every week and many of these events become highly publicized. Organizations are thrust into the public's eye and scrutinized for gross lack of oversight and accountability around data security. Despite the fact that these breaches happen at the IT level, the burden and the blame for a data breach almost always falls on C-level leaders such as the CEO or CIO. Consumers ask, “why didn’t you protect my personal information?” and the leaders respond, “We didn’t think it would happen to us.”

Today business leaders need to know that data breaches are no longer a matter of “if” but “when.” Even behind firewalls and secure networks, unencrypted sensitive data is a goldmine for hackers. Not protecting this information with encryption is like driving a brand new Ferrari without car insurance. You can drive as safely as you want, but you can’t control the behavior of other drivers. Just like driving without insurance, not encrypting your organization’s  sensitive data in a time when hackers are always trying to break into networks is taking a huge risk with both your organization’s financial resources and reputation.

I recently sat down with data security expert Patrick Townsend, CEO & Founder of Townsend Security, to discuss why unprotected data is a business problem, not just an "IT problem."

Watch the video of that discussion here.

Why is unprotected data a business problem?

In most organizations, a large part of the CEO's role is to assess risk. Every day the leaders in any given organization address financial, market, competitive, and many other types of risk. These leaders are used to assessing risk in their organizations, but they are not yet thinking about unprotected data and the possibility of a data breach as a fundamental risk. Unprotected sensitive data leads to identity theft, fraud, and theft of financial resources from employees and customers.

Data breaches happen to both large, small, public, and private companies. In fact, today hackers are targeting small to mid-sized businesses simply because those networks tend to be less secure. However, every day I come across large business that have failed to protect their customers' data either by not encrypting the data, or failing to protect the encryption keys.

Anyone who's been through a data breach understands in their bones the importance of encryption and encryption key management. The costs associated with a data breach are far reaching.

These costs include:

• Fines
• Forensics investigation
• Credit monitoring for customers
• Lost sales due to brand damage
• Litigation costs

These are costs all organizations want to avoid. They represent huge risk in terms of actual financial costs and damage to reputation. Not considering these costs and not protecting your company and customers' sensitive data is a failure to assess risk.

Want to learn more about the risks associated with unencrypted data? Check this video, “Why is Unprotected Data a Business Problem?” featuring Patrick Townsend, Founder & CEO of Townsend Security.