Proofpoint: Security, Compliance and the Cloud

July 16, 2014

How big of a threat is intellectual property theft?

While digital solutions like email, mobile devices and the cloud have greatly benefited most businesses, they also raise the specter of intellectual property theft. In order to safeguard mission-critical assets at all times, companies should adopt enterprise security solutions from Proofpoint to make sure their intellectual property is never leaked out or stolen.

In a recent speech to filmmakers, media professionals and other businesspeople, Vice President Joe Biden said that intellectual property theft is a multibillion-dollar issue, according to The Hollywood Reporter. As the Internet rose in prominence, however, the threat landscape changed dramatically. For example, Biden said that instead of bringing a camcorder into a movie theater, someone can get an illegal recording of that film much more easily online. This is just one example of how it has become easier than ever for criminals to pilfer intellectual property.

While exact numbers related to the overall costs of IP theft are not known, most estimates corroborate the figure Biden noted. A May 2013 report from The Commission on the Theft of American Intellectual Property estimated that the United States loses more than $300 billion a year from this issue, and numbers cited by the National Crime Prevention Council put potential losses at up to $5.5 trillion.

Although IP theft is often considered a victimless crime, the NCPC noted that it is typically anything but that. The crime inhibits many companies' ability to grow and hire, and often businesses need to recoup related losses by charging consumers more for their goods or services.

"The effects of this theft are twofold," The IP Commission Report stated. "The first is the tremendous loss of revenue and reward for those who made the inventions or who have purchased licenses to provide goods and services based on them, as well as of the jobs associated with those losses. American companies of all sizes are victimized. The second and even more pernicious effect is that illegal theft of intellectual property is undermining both the means and the incentive for entrepreneurs to innovate, which will slow the development of new inventions and industries that can further expand the world economy and continue to raise the prosperity and quality of life for everyone."

How can companies stem the IP theft tide?
The situation relating to IP today may seem dire, but companies can take steps to significantly insulate themselves against this threat. In particular, by adopting a best-in-class suite of cybersecurity solutions from Proofpoint, businesses will be able to keep their trade secrets, patents and other pieces of intellectual property safe from harm.

For example, Proofpoint Enterprise Archive allows organizations to keep a thorough record of all online messaging, and Proofpoint Enterprise Privacy secures email and other forms of communication that may contain sensitive information. To keep threats like malware on the outside looking in, businesses can use Proofpoint Enterprise Protection.

Only by leveraging a comprehensive and powerful data security and privacy suite will businesses be able to safeguard all of their intellectual property. As the IP threat environment grows larger and more potent, Proofpoint's solutions will become even more vital and mission critical for organizations operating in a wide variety of industries.

July 09, 2014

A CISO, GC, and Records Manager Walk into a Bar…

THE JOKE

A CISO, GC, and Records Manager walk into a bar.

The CISO says, “Can you believe a guy just tried to sell me a tool that can guarantee when intellectual property is about to leave my network?”

The GC says, “That’s hilarious, I just talked with a man who told me his software can tell me exactly where the smoking guns are amongst my entire corpus of data.”

The Records Manager says, “That’s odd because I just read about a solution claiming it can scan all my files and classify records according to my file plan.”

The trio quickly realized they were all talking about the same solution. Of course, such “all in one” claims will cause many of us to drop to the floor, rolling with laughter. Yet the statement above, while not remotely imaginable even a few years ago, is today not that far off.

 THE SETUP

CISOs have no problem getting attention. Every hour of each day brings another headline that keeps them up at night. Most recently, Goldman Sachs accidentally sent highly confidential information about its brokerage clients to a Google account and immediately went into damage control, asking Google to block access to the email and to delete it. This type of exposure will continue to increase as the amount of sensitive information increases, as the number of locations in which sensitive information is stored increases, and as the number of channels through which sensitive information can be passed increases.

 Breaches are happening every day around the world.

GCs have a sleep schedule similar to the CISO's. However, their greatest challenge is identifying, controlling, and sifting through gigabytes of business documents typically associated with eDiscovery and large-scale investigations. Doing so with a defensible process only adds to the Sominex bill.

The sheep-counting culprit is not only the amount of unstructured corporate information (growing by at least 60% per year per IDG, and by 800% over the next 5 years per Gartner), but also that this information increasingly exists in new, often unmanaged data types such as social media, IM, and mobile.

 Records managers face a more insidious threat in that co-workers often choose the path of least resistance when it comes to records management, and this means any remotely complex policy will be casually ignored or circumvented. The consequences are tangible and often quantifiable when the company is in a regulated industry such as healthcare.

 THE DELIVERY

When I spoke to Jason R. Baron, former law of records management Jedi of NARA and now Of Counsel at Drinker Biddle & Reath LLP, he described the solution (and problem) of records management in the most elegant fashion. Paraphrasing, there are two requirements for records management to work: 1) simpler policies, 2) machine assistance.

 While Jason is doing great work in helping firms simplify policies, it will be up to technology firms to ante up with usable, workable, and scalable machine assisted technologies to address the second requirement.

 Considering Jason’s points and listening to customers talk about their concerns around security, privacy, compliance, and records, it’s clear to me that there is an Informational Convergence taking place where corporate information, regardless of its business use or risk profile, is increasingly in need of a common, firm wide classification. This means centralized classification that can be shared across all groups, stakeholders, or leaders; be they CISOs, GCs, or records managers.

 Impossible?  Conventional wisdom divides departments into distinct groups possessing their unique view of information and what it means. The joke works because CISOs think differently from GCs who in turn differ from records managers. Or do they? The tenth time I heard a CISO ask if our DLP technology could be used to help their current records classification efforts I raised an eyebrow. Once ten records managers asked about the possibility of flagging records for security violations, I realized that the market is ignoring conventional thinking.

 The Informational Convergence of Information Governance (IG) provides a holistic view across every information-driven department. Each department is asking for the same thing in their own way and soon companies will realize this. As thought leading technology firms, we need to enable them.

An equally important side effect of Informational Convergence is the need for IG platforms to support more sophisticated and cloudy ecosystems. Business-relevant, cloud-based repositories are also corporate content containers and exposure points. Their rising popularity demands that the most advanced IG platforms support them as well as conventional repositories. Solutions like Box, Dropbox, or OneDrive contain records and legal content, and represent risk like any other repository.

 THE PUNCHLINE

There are actually several punch lines to this joke. The saddest version is that no one knows what the records manager thinks about the solution because they forgot to invite him to the meeting. As noted above, this only makes everyone’s job harder because proper records management helps everyone in the end.

 I’ll also note that some to whom I’ve told this story have immediately declared it a lie. That it’s all just a dream. Not because the notion of Informational Convergence is too complex to conceive. No. It’s because no one would ever believe these three individuals would be caught socializing.

- Stephen Chan

 ---


Stephen leads products for the Information Governance team at Proofpoint. Successfully merging 15 years of expertise in the areas of e-discovery, compliance, and records management together with their most relevant technologies, Stephen drives thought leadership in the industry and has advised the SEC and Global 1,000 organizations. Prior to Proofpoint, Stephen was co-founder of several enterprise and consumer software firms, served as primary investigator on two government funded research projects, and has been published in over twenty magazines and books. Stephen is a graduate of the University of California at Davis and Harvard University.


July 06, 2014

White House Study on Big Data Reveals Need for Encryption

According to a report recently released by the White House, estimates of information created and replicated in 2013 reached 4 zettabytes of data generated worldwide, a 2.2 zettabyte increase from 2011. To put that into perspective, if every person in the United States took a picture every second for over a month and uploaded them, the total data would equal about one zettabyte.

In 2005, business investment in technology systems, talent and services has almost doubled, reaching $4 trillion, meaning data creation and use will only keep growing.

The report, which covers big data's transformative qualities and data-related privacy and security issues, was authored by a group led by White House counselor John Podesta. During the review for the report, Podesta and the group, sometimes accompanied by the President, interviewed stakeholders, including executives from leading technology companies, to find out the major issues stemming from the acquisition and use of big data.

In the study, the group gave recommendations on how to create more data privacy, including passing national data breach legislation and updating the Electronic Communications Privacy Act, which controls how the government is able to access email.

The report also pointed out issues with the way many organizations protect against privacy intrusions. A common way to protect personal information is by de-identifying it, or removing identifiable characteristics that link to a specific person or device, but according to the study, this doesn't always work because it can be "re-identified."

"...Integrating diverse data can lead to what some analysts call the 'mosaic effect,' whereby personally identifiable information can be derived or inferred from data sets that do not even include personal identifiers, bringing into focus a picture of who an individual is and what he or she likes," the study explained.

Protecting sensitive personal information 
One of the most common ways malicious actors gain access to personally identifiable information is through email. Email encryption services, like Proofpoint's Sentrion message processors, create a secure environment to send messages without sharing information with those who wish to steal it. Encryption provides privacy protection by utilizing inbound message filtering and outbound data loss prevention techniques such as keyword recognition.

Proofpoint also offers platforms specifically designed to block spear phishing attempts or other targeted attacks at big data. Billions of requests are processed each day, allowing these platforms to detect any change in traffic flow and accurately determine which messages are valid and which are not.

While large amounts of data are certainly vulnerable, the study also revealed that small data can pose a threat, too. The most common privacy risks deal with small data, including personal financial information being used for credit card fraud.

"These risks do not involve especially large volumes, rapid velocities or great varieties of information, nor do they implicate the kind of sophisticated analytics associated with big data," according to the report.

Targeted attack protection from Proofpoint ensures that all sensitive data, big or small, are safe from malicious activity. Proofpoint uses big data analysis and a sophisticated cloud architecture to detect suspicious messages and prevent their contents from causing a data breach.

July 01, 2014

Why All Libraries Need Robust Cybersecurity Solutions

As libraries transform from places to check out books into a critical digital resource for many people, these public services need to adopt best-of-breed cybersecurity solutions from Proofpoint to ensure that public computers remain safe and usable.

Libraries have always been a source of learning within communities, but now a lot of that education happens online instead of from books or periodicals. For many individuals today, the public library is their go-to option for getting online, checking email and browsing the Web. According to the latest statistics from the Pew Research Center, among those in the United States over the age of 16 that use the Internet at a library, 63 percent were browsing the Web for leisure and 54 percent said they checked email there.

In addition, numbers from the American Library Association show just how critical these public services are for many people today. More than three-fourths of libraries provide Wi-Fi access, and 98.7 percent of them offer Internet access at no charge. Furthermore, not only does the average library now have around 11 computers per facility, but more than 71 percent of libraries say they are the only source of free Internet access in their general vicinity.

But, too often, this rise in Internet usage at libraries does not accompany increased cybersecurity. The ALA noted that many of those who use library computers are not tech savvy, which means that they could inadvertently be introducing malware onto the library's network. Considering how many people are using these machines, libraries need to take every step possible to ensure that one lapse in judgment does not compromise the assets of hundreds or thousands of people.

"Think about it: Your constituents, volunteers, and donors entrust their personal information with you," TechSoup contributor Zac Mutrux wrote. "If you're not taking steps to secure your data, including using antivirus and anti-spyware software, their information may not be safe. Information security breaches can have major legal and financial ramifications."

Case study: South Dakota Library Network
For libraries that are often strapped for cash, trying to keep their IT assets safe from the myriad threats that abound in cyberspace can seem like an insurmountable task. Users can accidentally click on a bad link in an email, and malware has become especially adept at duping unsuspecting people. Libraries may think that the only effective response to these issues is unobtainable for them, but the South Dakota Library Network shows that libraries can have all of their major cybersecurity needs covered with a suite of solutions from Proofpoint. Now, the South Dakota Library Network is able to effectively eliminate spam, encrypt emails, protect the network against viruses and ensure that all of its compliance needs are met.

"The Proofpoint Messaging Security Gateway has worked exactly as we've needed it to, eliminating all types of spam messages and detecting a wide variety of confidential information with very high accuracy," said Sean Crooks, systems administrator with South Dakota Library Network. "As an added bonus, the appliance truly runs itself, requiring less than an hour of my time per week for administration."

June 29, 2014

Office 365 and Investigations: Counsel, Where's My ESI?

Further on the topic of new Office 365 capabilities, I thought it would be useful to dig deeper into the use case of eDiscovery. Not just to look at newly unveiled features, but to address the practical question: Will Office 365 really address my use case?

Building on earlier posts on this topic (see: http://blog.proofpoint.com/2014/03/office365-and-ediscovery-the-confusion-continues.html), consider the following case study:

You are a member of the legal team for a high tech organization with 10,000 employees in 50 countries worldwide. Litigation is not unusual, and your team is currently managing 5 active matters in the US and EU involving intellectual property and a variety involving contracts, employee matters and others. You are leading the response to a formal inquiry, and must conduct a search with 20 keyword terms that may be contained within email, 15 different attachment types commonly used by product and engineering teams, PDF files, plus company-sanctioned social media and IM channels. Timing in completing the search is critical to recommend a strategy to General Counsel, and you have found in similar investigations that 5-10 mailboxes were searched in order to yield a single custodian.

So, let’s play Will Office365 Really Address My Use Case?

The comparison between Office 365 and a purpose-built solution such as Proofpoint Enterprise Archive is not only a matter of features; it is a matter of how those features can be used to address a task you face on a regular basis. Those differences can be summarized as follows:

Investigation

Implications

In this case study, differences can be measured not only in terms of legal team productivity and process efficiency, but also quantifiably. Conducting investigations by waiting for IT to split searches into batches, then manually aggregating results, while search tasks for other matters wait, is not optimal. Limiting the scope of search in Office 365 to only Microsoft file types requires companies to rely on manual collection, or to depend on service providers that typically bill at $250 per GB for such efforts. Having limited ability to segregate non-US data to ensure that local data privacy requirements are adhered to raises both legal and regulatory risk. With Office 365, IT administrators can utilize command line tools to execute these tasks, but this is far from enabling legal teams to serve themselves with proven tools that were explicitly built for this purpose.

With 71% of corporations spending more than $1M in litigation in 2013 (per Norton Fulbright), and with regulatory investigation being named as a significant concern by 41% of corporations (again, per Norton Fulbright), companies are well served to dive deep into their specific use cases and investigative patterns to determine if Office 365 is equipped to meet their needs.

---

Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.

 

June 19, 2014

All Industries Must Prioritize Privacy Protection

All too often companies don't devote the necessary energy to data loss prevention until a problem stares them in the face. Unfortunately by that time it's already too late. Just ask eBay, whose recent breach resulted in the potential exposure of information for 233 million customers, according to The Motley Fool. 

Statistics like these should be a wakeup call and a cry to action for all businesses that lack a robust privacy protection infrastructure. Yet administrative laziness about enterprise cybersecurity still abounds. The reason for this, according to a recent infographic, is that many companies simply aren't picking up on the potency of the virtual threat landscape. This avoidance has to change.

Study points to lack of cybersecurity concerns among businesses
A study carried out by Robert Half and Protiviti found that weak enterprise protective measures are almost as big a problem as cybercrime itself. The study, whose findings come from a poll of UK IT executives, revealed that of those surveyed, a full one third admitted that cybersecurity is not on senior management's list of priorities. Yet in seemingly direct opposition to this figure is the acknowledgment, among 50 percent of respondents, that cybercrime incidents are on the rise.

So what accounts for this disparity? The answer boils down to the simple issue of reality versus perceived reality. As the study revealed, many IT executives have merely convinced themselves that because their company has not been attacked yet, that somehow means it won't be attacked. In fact, this reasoning accounted for 38 percent of those who said cybersecurity was not on the immediate agenda. 

Yet in reality, that reasoning is simply invalid. Just because a company is safe one minute doesn't mean it won't be attacked. After all, criminal hackers are operating with a measure of sophistication and stealth that they never have before. In this environment, a complacent company presents the best target. And far from fading away, attackers are not disappearing from the scene any time soon.

Security expert explains that hackers are experiencing "breakthrough"
There's no denying the damage wrought by the Target and eBay debacles, but if security expert Patrick Peterson's projections are true, infringements like these will not only continue, but become commonplace.

The founder of an email security company located in California, Peterson said that the failure of companies to properly defend themselves is actively exacerbating an already thriving criminal network. A report conducted by Peterson's company found that of 133 businesses it analyzed, 100 of those had weak enough protective measures to qualify them as "easy targets" for hackers.

Speaking to Inc, Peterson said that not only are businesses behaving without proper protective strategies, but that hacking is also mounting both in scale and in the virulence of individual attacks.

"We are seeing breakthrough levels of success by criminals in foreign states that have not ever been seen before. The phenomenon of criminals from foreign states getting access to data is not new, [but] their success in doing it and what they do when they have that data is truly revolutionary," he said. "In the past, they would hit Target and steal some encrypted credit card information. Now they are getting to a point-of-sale terminal and getting the credit card information in the 10 milliseconds before it's encrypted permanently and irrevocably."

But a large part of the reason such criminals are operating with such success is because of the widespread indifference toward data loss prevention on the part of businesses. As long as such inactivity persists, so too will devastating hacks, and it will only be a matter of time before the next eBay or Target.


©2012 Proofpoint, Inc.