Proofpoint: Security, Compliance and the Cloud

July 29, 2014

Why All the Chatter about Chatter?

One of the information governance surprises from the first half of 2014 has been the emergence of enterprise social. While our typical infogov discussions usually focus on compliance officers, legal staff, and records managers, the enterprise social topic (e.g. Salesforce Chatter) has been expanding our discussions into the areas involving business intelligence, enterprise apps, collaboration, and sales operations. The reasons behind the broader functional interest in the capture and archiving of Salesforce Chatter are clear, which we will summarize here.

  1. For IT messaging teams, Salesforce is an established system of record and an existing part of the IT fabric, unlike public social media, whose use requires changes to processes, training, and policies. For IT decision makers, enabling new features on existing applications with known security capabilities, support processes, and existing contracts is significantly easier than deploying emerging public social channels. Topics of interest have centered on the processes for deployment, as well as understanding what additional ongoing burdens are created for IT staff in managing the use of Chatter’s collaborative features.
  2. For Sales & Marketing teams, the use of enterprise social increases the value they can gain from this existing asset – whether it is using Chatter to collaborate on multi-national sales opportunities, share customer information with sales channels, or simply use Salesforce to improve communication efficiency with prospects. Sales and marketing management are typically driving requirements for Salesforce Chatter archiving projects, given the objective to directly impact productivity and sales results, while sales operations has most typically been asking about administrative impact, user registration, and ongoing management processes.
  3. For Compliance teams, most recognize that the use of Chatter creates yet another form of communication that must be controlled. In addition to helping them stay on top of quickly moving regulatory requirements, our discussions have most often focused on what specific Chatter content is captured, how that content is captured (e.g. complete, time slice, incremental), and whether existing compliance tools and processes can be leveraged to address potential regulatory concerns.
  4. For Legal teams, few have indicated that they have existing litigation involving the use of social, but it seems to be clear to most that the FRCP treats social media as discoverable, like any other form of electronically stored information (ESI). In that light, enabling the use of Chatter raises questions of how that information would be identified and collected if requested for eDiscovery, how the method of capture could reduce common concerns over attesting to the authenticity of social content at trial, and what would be required to extract and produce social content that is stored in the cloud.

In spite of the differences in these functional perspectives across industries, we are seeing a consistent pattern where sales & marketing are creating the compelling business cases and defining requirements – that then require the sign-off from compliance and legal teams over eDiscovery and regulatory risk. What is clear is that many solutions in the market lack the capabilities to sufficiently address the legal and regulatory concerns, be it:

  • methods used to collect content that are not complete or comprehensive;
  • dependence on manual methods to map social identities to Active Directory information;
  • use of data storage that does not ensure information is stored immutably according to defined retention requirements;
  • data privacy and/or data security capabilities that do not meet internal IT standards; or
  • review of social content for regulatory or legal purposes that requires the deployment of new tools and costly, time-consuming data migration.

How Proofpoint Helps To Meet These Requirements

Proofpoint’s Archiving for Chatter, a module of the Social Platform for Archiving, is a cloud-based service that is quick to deploy and works seamlessly with the archiving and compliance solution you already have in place, eliminating the need to manage multiple tools for electronic communication compliance. Proofpoint Archiver for Chatter archives all Chatter-related conversational content by converting user content to email form in real time, so the content is retained even if a user later deletes it. All elements related to a post are captured, including the full conversation thread and all parties involved in the communication. This lets the compliance officer view the entire context of the content in each captured item, enabling fast and efficient compliance review in light of requirements set forth by the SEC, FINRA, EPA, HIPAA and other regulatory entities.

To help demonstrate these benefits, Proofpoint utilizes an established proof-of-concept process that can quickly demonstrate the solution’s ease of deployment and on-going hassle-free operation. For more information – or to request a proof-of-concept, please visit http://www.proofpoint.com/products/archive-governance/social-platform

---

Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.

Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College.

July 25, 2014

FRCP Changes and Impact on Information Governance

We’ve had quite a few discussions recently on pending changes to the Federal Rules of Civil Procedure (FRCP), and their potential impact on information governance practices. These changes, recently approved by the Advisory Committee on Civil Rules, would take effect in 2015 and address some very common concerns surrounding current eDiscovery, namely, that it takes too long, is too expensive, and is guided by preservation rules that – at best – remain foggy. Before discussing the impact on InfoGov, let me first provide some background on the proposed changes themselves.

Background

The Judicial Conference Committee on Rules of Practice and Procedure (‘the Committee’) has recommended a number of amendments to FRCP that would significantly alter eDiscovery practices. From the perspective of information governance, these changes would be most impactful in two key areas:

1. Proportionality (Rule 26): In this area, the Committee is attempting to address the concern that eDiscovery often creates a burden that exceeds the value of the issue in dispute. While the initial premise is not without debate, the proposed change does attempt to create a more thorough cost-benefit analysis by limiting discovery scope with more precise verbiage to support the concept of proportionality. The new rule (quoted in full; the added proportionality language is the clause beginning “and proportional to the needs of the case”) would become:

Parties may obtain discovery regarding any non-privileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties’ relative access to relevant information, the parties’ resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit. Information within this scope of discovery need not be admissible in evidence to be discoverable.

2. Failure to Preserve (Rule 37(e)): this rule attempts to address the wide variety of remedies that courts have put into place when the dog ate the homework. The current Rule 37(e) reads simply that a court “may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system”. Clearly, this does little to address what sanctions are appropriate when information is lost. In fact, the Committee itself noted that:

The Committee remains firmly convinced that a rule addressing the loss of ESI in civil litigation is greatly needed. The explosion of ESI in recent years has affected all aspects of civil litigation; the preservation of ESI is a major issue confronting parties and courts; and the loss of ESI has produced a bewildering array of court cases. These developments have caused litigants to expend excessive effort and money on preservation in order to avoid the risk of severe sanctions if a court finds they did not do enough.

In contrast, the revised rule specifies the measures a court may use if information that should have been preserved is lost, and outlines the conditions necessary to justify those measures:

If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve the information, and the information cannot be restored or replaced through additional discovery, the court may:

(1) Upon a finding of prejudice to another party from loss of the information, order measures no greater than necessary to cure the prejudice;

(2) Only upon a finding that the party acted with the intent to deprive another party of the information’s use in the litigation,

(A) presume that the lost information was unfavorable to the party;

(B) instruct the jury that it may or must presume the information was unfavorable to the party; or

(C) dismiss the action or enter a default judgment.

Impact on InfoGov

The advancement of proportionality and clearer guidance on the implications for failing to preserve should impact information governance practices in several areas. These include the following:

1. Increased focus on Identification and Collection practices: Increased emphasis on proportionality will serve to spotlight areas of inefficient ESI collection practices, namely the on-demand, reactive collection from unmanaged locations such as hard drives, PST files and back-up tapes. Collecting ESI from automated systems will enable organizations to more quickly and efficiently support their claim or defense of discovery scope.

2. Improved enforcement of retention policies: Rule 37(e) creates uniformity and predictability around the conditions that lead to spoliation sanctions – and should reduce the tendency to over-preserve ESI out of fear of court sanctions. Enforcing retention and disposition practices often requires a change in corporate culture, but one of the key motivators behind the ‘keep everything forever, just-in-case’ mentality has just been removed.

3. Reduced reliance on individual custodians for preservation: the key clause within the Rule 37(e) change is “failed to take reasonable steps to preserve”. Citing a number of factors, the Committee chose not to address the question of when preservation begins or what is reasonable in defining preservation scope. As a result, a reasonable first step is to revisit preservation processes and those that entail the highest risk – in particular those that rely upon action from individual custodians as opposed to automated systems and processes. Expect this clause to create demand for legal hold notification software and systems that enable the locking down of ESI without custodian intervention.

4. Concrete Action to address ‘information in the wild’: As noted by the Committee, many of these rule changes are the result of ESI that continues to grow in ways never anticipated by litigation rules. The Committee notes:

One industry expert reported to the Advisory Committee that there will be some 26 billion devices on the Internet in six years — more than three for every person on earth. Significant amounts of ESI will be created and stored not only by sophisticated entities with large IT departments, but also by unsophisticated persons whose lives are recorded on their phones, tablets, eye glasses, cars, social media pages, and tools not even presently foreseen. Most of this information will be stored somewhere in the “cloud,” complicating the preservation task. In other words, the litigation challenges created by ESI and its loss will increase, not decrease, and will affect unsophisticated as well as sophisticated litigants.

The bottom line is that the premium on being prepared for eDiscovery has never been higher. This preparation includes bringing information under control, whether in managed repositories or with processes and technologies to track ESI as it moves throughout an organization. With these changes, steps taken now to automate collection, retention, and preservation practices will be more easily measurable with cost-benefit support – and with the consequences of the dog eating the ESI homework more clearly laid out.

---

Robert Cruz, Senior Director of eDiscovery and Information Governance (see bio above)

July 16, 2014

How big of a threat is intellectual property theft?

While digital solutions like email, mobile devices and the cloud have greatly benefited most businesses, they also raise the specter of intellectual property theft. In order to safeguard mission-critical assets at all times, companies should adopt enterprise security solutions from Proofpoint to make sure their intellectual property is never leaked out or stolen.

In a recent speech to filmmakers, media professionals and other businesspeople, Vice President Joe Biden said that intellectual property theft is a multibillion-dollar issue, according to The Hollywood Reporter. As the Internet rose in prominence, however, the threat landscape changed dramatically. For example, Biden said that instead of bringing a camcorder into a movie theater, someone can get an illegal recording of that film much more easily online. This is just one example of how it has become easier than ever for criminals to pilfer intellectual property.

While exact numbers related to the overall costs of IP theft are not known, most estimates corroborate the figure Biden noted. A May 2013 report from The Commission on the Theft of American Intellectual Property estimated that the United States loses more than $300 billion a year from this issue, and numbers cited by the National Crime Prevention Council put potential losses at up to $5.5 trillion.

Although IP theft is often considered a victimless crime, the NCPC noted that it is typically anything but that. The crime inhibits many companies' ability to grow and hire, and often businesses need to recoup related losses by charging consumers more for their goods or services.

"The effects of this theft are twofold," The IP Commission Report stated. "The first is the tremendous loss of revenue and reward for those who made the inventions or who have purchased licenses to provide goods and services based on them, as well as of the jobs associated with those losses. American companies of all sizes are victimized. The second and even more pernicious effect is that illegal theft of intellectual property is undermining both the means and the incentive for entrepreneurs to innovate, which will slow the development of new inventions and industries that can further expand the world economy and continue to raise the prosperity and quality of life for everyone."

How can companies stem the IP theft tide?
The situation relating to IP today may seem dire, but companies can take steps to significantly insulate themselves against this threat. In particular, by adopting a best-in-class suite of cybersecurity solutions from Proofpoint, businesses will be able to keep their trade secrets, patents and other pieces of intellectual property safe from harm.

For example, Proofpoint Enterprise Archive allows organizations to keep a thorough record of all online messaging, and Proofpoint Enterprise Privacy secures email and other forms of communication that may contain sensitive information. To keep threats like malware on the outside looking in, businesses can use Proofpoint Enterprise Protection.

Only by leveraging a comprehensive and powerful data security and privacy suite will businesses be able to safeguard all of their intellectual property. As the IP threat environment grows larger and more potent, Proofpoint's solutions will become even more vital and mission critical for organizations operating in a wide variety of industries.

July 09, 2014

A CISO, GC, and Records Manager Walk into a Bar…

THE JOKE

A CISO, GC, and Records Manager walk into a bar.

The CISO says, “Can you believe a guy just tried to sell me a tool that can guarantee when intellectual property is about to leave my network?”

The GC says, “That’s hilarious, I just talked with a man who told me his software can tell me exactly where the smoking guns are amongst my entire corpus of data.”

The Records Manager says, “That’s odd because I just read about a solution claiming it can scan all my files and classify records according to my file plan.”

The trio quickly realized they were all talking about the same solution. Of course, such “all in one” claims will cause many of us to drop to the floor, rolling with laughter. Yet the statement above, while not remotely imaginable even a few years ago, is today not that far off.

THE SETUP

CISOs have no problem getting attention. Every hour of each day brings another headline that keeps them up at night. Most recently, Goldman Sachs accidentally sent highly confidential information about its brokerage clients to a Google account and immediately went into damage control, asking Google to block access to the email and to delete it. This type of exposure will continue to increase as the amount of sensitive information increases, as the number of locations in which sensitive information is stored increases, and as the number of channels through which sensitive information can be passed increases.

Breaches are happening every day around the world.

GCs have a sleep schedule similar to the CISO’s. However, their greatest challenge is identifying, controlling, and sifting through the gigabytes of business documents typically associated with eDiscovery and large-scale investigations. Doing so with a defensible process only adds to the Sominex bill.

The sheep-counting culprit is not only the amount of unstructured corporate information (growing by at least 60% per year per IDG, and by 800% over the next five years per Gartner), but that this information increasingly exists in new, often unmanaged data types such as social media, IM, and mobile.

Records managers face a more insidious threat in that co-workers often choose the path of least resistance when it comes to records management, which means any remotely complex policy will be casually ignored or circumvented. The consequences are tangible and often quantifiable when the company is in a regulated industry such as healthcare.

THE DELIVERY

Speaking with Jason R. Baron, records management Jedi formerly of NARA and now Of Counsel at Drinker Biddle & Reath LLP, he described the solution (and the problem) of records management in the most elegant fashion. Paraphrasing, there are two requirements for records management to work: 1) simpler policies, and 2) machine assistance.

While Jason is doing great work in helping firms simplify policies, it will be up to technology firms to ante up with usable, workable, and scalable machine-assisted technologies to address the second requirement.

Considering Jason’s points and listening to customers talk about their concerns around security, privacy, compliance, and records, it’s clear to me that there is an Informational Convergence taking place where corporate information, regardless of its business use or risk profile, is increasingly in need of a common, firm-wide classification. This means centralized classification that can be shared across all groups, stakeholders, or leaders, be they CISOs, GCs, or records managers.

Impossible? Conventional wisdom divides departments into distinct groups, each possessing its own unique view of information and what it means. The joke works because CISOs think differently from GCs, who in turn differ from records managers. Or do they? The tenth time I heard a CISO ask if our DLP technology could be used to help their current records classification efforts, I raised an eyebrow. Once ten records managers had asked about the possibility of flagging records for security violations, I realized that the market is ignoring conventional thinking.

The Informational Convergence of Information Governance (IG) provides a holistic view across every information-driven department. Each department is asking for the same thing in its own way, and soon companies will realize this. As thought-leading technology firms, we need to enable them.

An equally important side effect of Informational Convergence is the need for IG platforms to support more sophisticated and cloudy ecosystems. Business-relevant, cloud-based repositories are also corporate content containers and exposure points. Their rising popularity demands that the most advanced IG platforms support them as well as conventional repositories. Solutions like Box, Dropbox, or OneDrive contain records and legal content, and represent risk like any other repository.

THE PUNCHLINE

There are actually several punchlines to this joke. The saddest version is that no one knows what the records manager thinks about the solution, because they forgot to invite him to the meeting. As noted above, this only makes everyone’s job harder, because proper records management helps everyone in the end.

I’ll also note that some to whom I’ve told this story have immediately declared it a lie. That it’s all just a dream. Not because the notion of Informational Convergence is too complex to conceive. No. It’s because no one would ever believe these three individuals would be caught socializing.

- Stephen Chan

 ---


Stephen leads products for the Information Governance team at Proofpoint. Successfully merging 15 years of expertise in the areas of e-discovery, compliance, and records management together with their most relevant technologies, Stephen drives thought leadership in the industry and has advised the SEC and Global 1,000 organizations. Prior to Proofpoint, Stephen was co-founder of several enterprise and consumer software firms, served as primary investigator on two government funded research projects, and has been published in over twenty magazines and books. Stephen is a graduate of the University of California at Davis and Harvard University.


July 06, 2014

White House Study on Big Data Reveals Need for Encryption

According to a report recently released by the White House, the information created and replicated worldwide in 2013 reached an estimated 4 zettabytes, a 2.2 zettabyte increase from 2011. To put that into perspective, if every person in the United States took a picture every second for over a month and uploaded them, the total data would equal about one zettabyte.

Since 2005, business investment in technology systems, talent and services has almost doubled, reaching $4 trillion, which means data creation and use will only keep growing.

The report was issued on big data's transformative qualities, data-related privacy and security issues and was authored by a group led by White House counselor John Podesta. During review for the report, Podesta and the group, sometimes accompanied by the President, interviewed stakeholders including executives from leading technology companies to find out major issues stemming from the acquiring and utilizing of big data.

In the study, the group gave recommendations on how to create more data privacy, including passing national data breach legislation and updating the Electronic Communications Privacy Act which controls how the government is able to access email.

The report also pointed out issues with the way many organizations protect against privacy intrusions. A common way to protect personal information is by de-identifying it, or removing identifiable characteristics that link to a specific person or device, but according to the study, this doesn't always work because it can be "re-identified."

"...Integrating diverse data can lead to what some analysts call the 'mosaic effect,' whereby personally identifiable information can be derived or inferred from data sets that do not even include personal identifiers, bringing into focus a picture of who an individual is and what he or she likes," the study explained.

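The linkage the report calls the mosaic effect can be shown in a few lines. The following Python is an added example; it is not from the White House report or from Proofpoint, and both datasets, the field names and the generalization rule are constructed for illustration. It joins a “de-identified” record set with a public roll on the quasi-identifiers they share (ZIP code, birth year, sex), and measures k-anonymity before and after coarsening those fields.

```python
# Added example: re-identification by linkage (the "mosaic effect").
# Not code from the White House report or from Proofpoint; the datasets,
# field names and generalization rule below are constructed for illustration.
from collections import Counter, defaultdict

# Constructed "de-identified" health records: names and SSNs removed, but
# ZIP code, birth year and sex (quasi-identifiers) retained.
HEALTH_RECORDS = [
    {"zip": "02138", "birth_year": 1980, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02138", "birth_year": 1980, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "birth_year": 1975, "sex": "M", "diagnosis": "migraine"},
    {"zip": "02140", "birth_year": 1990, "sex": "F", "diagnosis": "anemia"},
    {"zip": "02141", "birth_year": 1985, "sex": "F", "diagnosis": "bronchitis"},
    {"zip": "02142", "birth_year": 1993, "sex": "F", "diagnosis": "influenza"},
    {"zip": "02139", "birth_year": 1988, "sex": "M", "diagnosis": "gout"},
]

# Constructed public dataset (think voter roll): identities plus the same
# quasi-identifiers, and nothing anyone would call a health record.
VOTER_ROLL = [
    {"name": "Alice Adams", "zip": "02138", "birth_year": 1980, "sex": "F"},
    {"name": "Bob Brown",   "zip": "02138", "birth_year": 1980, "sex": "M"},
    {"name": "Carl Cole",   "zip": "02139", "birth_year": 1975, "sex": "M"},
    {"name": "Dan Dean",    "zip": "02139", "birth_year": 1975, "sex": "M"},
    {"name": "Eve Evans",   "zip": "02140", "birth_year": 1990, "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def quasi_key(row, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that both datasets share."""
    return tuple(row[f] for f in fields)


def link_records(deidentified, public, fields=QUASI_IDENTIFIERS):
    """Join the two datasets on their quasi-identifiers.

    Returns a list of (diagnosis, sorted candidate names). A single candidate
    means the 'de-identified' row has been re-identified outright.
    """
    index = defaultdict(list)
    for row in public:
        index[quasi_key(row, fields)].append(row["name"])
    return [(row["diagnosis"], sorted(index.get(quasi_key(row, fields), [])))
            for row in deidentified]


def k_anonymity(rows, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier tuple.

    k == 1 means at least one row is unique on those fields and is therefore
    linkable to any outside dataset that carries the same fields.
    """
    counts = Counter(quasi_key(r, fields) for r in rows)
    return min(counts.values()) if counts else 0


def generalize(rows):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth decade.

    This is the kind of generalization a release needs before the data can be
    called de-identified with any confidence. Returns new rows.
    """
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:3]
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


if __name__ == "__main__":
    for diagnosis, names in link_records(HEALTH_RECORDS, VOTER_ROLL):
        status = "RE-IDENTIFIED" if len(names) == 1 else f"{len(names)} candidates"
        print(f"{diagnosis:12s} -> {names} ({status})")
    print("k-anonymity as released:     ", k_anonymity(HEALTH_RECORDS))
    print("k-anonymity after generalize:", k_anonymity(generalize(HEALTH_RECORDS)))
```

With the data as constructed, three of the health rows resolve to exactly one voter, which is the whole point: nothing in the health file is a “personal identifier”, yet the join recovers names. The k-anonymity figure is the check a data owner should run before release; coarsening ZIP and birth year lifts it from 1 to 2 here, at the cost of the precision an analyst would prefer.
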
Protecting sensitive personal information 
One of the most common ways malicious actors gain access to personally identifiable information is through email. Email encryption services, like Proofpoint's Sentrion message processors, create a secure channel for sending messages without exposing their contents to those who wish to steal them. Encryption is combined with inbound message filtering and outbound data loss prevention techniques, such as keyword recognition, to catch sensitive information before it leaves the organization in the clear.
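The outbound data loss prevention step mentioned above (and the misdirected email to a Google account described in the July 9 post) comes down to scanning each message for sensitive content and deciding what to do based on where it is going. The following Python is an added example and is not Proofpoint code; the internal domain, the keyword list, the sample messages and the allow/encrypt/block policy are assumptions. It detects card numbers (validated with the Luhn checksum so that arbitrary digit strings do not trigger), SSN-formatted numbers and policy keywords, then returns a verdict for the message.

```python
# Added example: a minimal outbound DLP check of the kind the post describes.
# Not Proofpoint code. The internal domain, keyword list, sample messages
# and the allow/encrypt/block policy are assumptions made for illustration.
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"                                       # assumed
KEYWORDS = ("confidential", "internal use only", "account number")   # assumed

# SSN-shaped: rejects area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single space/hyphen separators. These are only
# candidates; the Luhn check decides whether it is really a card number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def find_keywords(text: str) -> list:
    lower = text.lower()
    return [k for k in KEYWORDS if k in lower]


def is_external(recipient: str) -> bool:
    return recipient.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


@dataclass
class Verdict:
    action: str                                  # "allow", "encrypt" or "block"
    reasons: list = field(default_factory=list)


def classify(recipient: str, body: str) -> Verdict:
    """Decide what to do with one outbound message.

    Policy (assumed): card numbers and SSNs never leave the domain in the
    clear (block); keyword hits go out encrypted; anything addressed
    internally is allowed, with the reasons kept for logging.
    """
    reasons = []
    cards, ssns, kws = find_card_numbers(body), find_ssns(body), find_keywords(body)
    if cards:
        reasons.append(f"{len(cards)} card number(s) passing Luhn")
    if ssns:
        reasons.append(f"{len(ssns)} SSN(s)")
    if kws:
        reasons.append("keywords: " + ", ".join(kws))
    if not reasons or not is_external(recipient):
        return Verdict("allow", reasons)
    if cards or ssns:
        return Verdict("block", reasons)
    return Verdict("encrypt", reasons)


if __name__ == "__main__":
    # Constructed sample messages (not real traffic).
    samples = [
        ("client@gmail.com",  "Statement attached. Card on file: 4111 1111 1111 1111."),
        ("client@gmail.com",  "Ticket ref 4111 1111 1111 1112, thanks."),   # fails Luhn
        ("partner@other.org", "Attached is our CONFIDENTIAL pricing deck."),
        ("hr@example.com",    "New hire SSN 123-45-6789 for payroll setup."),
        ("friend@gmail.com",  "Lunch tomorrow?"),
    ]
    for rcpt, body in samples:
        v = classify(rcpt, body)
        print(f"{v.action:8s} {rcpt:18s} {'; '.join(v.reasons) or '-'}")
```

The recipient-domain test is what would have caught the Goldman Sachs case: the same content addressed internally is allowed, but once the destination is outside the organization the message is held or encrypted. Keyword recognition on its own is crude (the word “confidential” appears in plenty of harmless mail), which is why the identifier checks are structural and validated rather than pattern-only.
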

Proofpoint also offers platforms specifically designed to block spear phishing attempts and other targeted attacks on big data. Billions of requests are processed each day, allowing these platforms to detect changes in traffic flow and determine which messages are valid and which are not.

While large amounts of data are certainly vulnerable, the study also revealed that small data can pose a threat, too. The most common privacy risks deal with small data, including personal financial information being used for credit card fraud.

"These risks do not involve especially large volumes, rapid velocities or great varieties of information, nor do they implicate the kind of sophisticated analytics associated with big data," according to the report.

Targeted attack protection from Proofpoint helps keep sensitive data, big or small, safe from malicious activity. Proofpoint uses big data analysis and a sophisticated cloud architecture to detect suspicious messages and prevent their contents from causing a data breach.

July 01, 2014

Why All Libraries Need Robust Cybersecurity Solutions

As libraries transform from places to check out books into a critical digital resource for many people, these public services need to adopt best-of-breed cybersecurity solutions from Proofpoint to ensure that public computers remain safe and usable.

Libraries have always been a source of learning within communities, but now a lot of that education happens online instead of from books or periodicals. For many individuals today, the public library is their go-to option for getting online, checking email and browsing the Web. According to the latest statistics from the Pew Research Center, among those in the United States over the age of 16 that use the Internet at a library, 63 percent were browsing the Web for leisure and 54 percent said they checked email there.

In addition, numbers from the American Library Association show just how critical these public services are for many people today. More than three-fourths of libraries provide Wi-Fi access, and 98.7 percent of them offer Internet access at no charge. Furthermore, not only does the average library now have around 11 public computers per facility, but more than 71 percent of libraries say they are the only source of free Internet access in their general vicinity.

But, too often, this rise in Internet usage at libraries does not accompany increased cybersecurity. The ALA noted that many of those who use library computers are not tech savvy, which means that they could inadvertently be introducing malware onto the library's network. Considering how many people are using these machines, libraries need to take every step possible to ensure that one lapse in judgment does not compromise the assets of hundreds or thousands of people.

"Think about it: Your constituents, volunteers, and donors entrust their personal information with you," TechSoup contributor Zac Mutrux wrote. "If you're not taking steps to secure your data, including using antivirus and anti-spyware software, their information may not be safe. Information security breaches can have major legal and financial ramifications."

Case study: South Dakota Library Network
For libraries that are often strapped for cash, trying to keep their IT assets safe from the myriad threats that abound in cyberspace can seem like an insurmountable task. Users can accidentally click a bad link in an email, and malware has become especially adept at duping unsuspecting people. Libraries may think that the only effective response to these issues is out of reach, but the South Dakota Library Network shows that libraries can have all of their major cybersecurity needs covered with a suite of solutions from Proofpoint. Now the South Dakota Library Network is able to effectively eliminate spam, encrypt email, protect the network against viruses and ensure that all of its compliance needs are met.

"The Proofpoint Messaging Security Gateway has worked exactly as we've needed it to, eliminating all types of spam messages and detecting a wide variety of confidential information with very high accuracy," said Sean Crooks, systems administrator with South Dakota Library Network. "As an added bonus, the appliance truly runs itself, requiring less than an hour of my time per week for administration."

June 29, 2014

Office 365 and Investigations: Counsel, Where's My ESI?

Further on the topic of new Office 365 capabilities, I thought it would be useful to dig deeper into the use case of eDiscovery: not just to look at newly unveiled features, but to address the practical question: Will Office 365 really address my use case?

Building on earlier posts on this topic (see: http://blog.proofpoint.com/2014/03/office365-and-ediscovery-the-confusion-continues.html), consider the following case study:

You are a member of the legal team for a high tech organization with 10,000 employees in 50 countries worldwide. Litigation is not unusual, and your team is currently managing 5 active matters in the US and EU involving intellectual property and a variety involving contracts, employee matters and others. You are leading the response to a formal inquiry, and must conduct a search with 20 keyword terms that may be contained with email, 15 different attachment types commonly used by product and engineering teams, PDF files, plus company sanctioned social media and IM channels. Timing in completing the search is critical to recommend a strategy to General Counsel, and you have found in similar investigations that 5-10 mailboxes were searched in order to yield a single custodian.

So, let’s play Will Office365 Really Address My Use Case?

The comparison between Office 365 and a purpose-built solution such as Proofpoint Enterprise Archive is not only a matter of features – it is how those features can be used to address a task you face on a regular basis. Those differences can be summarized as follows:

[Comparison table: Investigation / Implications; the table body was not preserved in this copy]

In this case study, differences can be measured, not only in terms of legal team productivity and process efficiency, but also quantifiably. Conducting investigations by waiting for IT to split searches into batches, then manually aggregating results – while search tasks for other matters wait – is not optimal. Limiting the scope of search in Office365 to only Microsoft file types requires companies to rely on manual collection, or dependence on service providers that typically bill at $250 per GB for such efforts. Having limited ability to segregate non-US data to ensure that local data privacy requirements are adhered to raises both legal and regulatory risk. With Office 365, IT administrators can utilize command line tools to execute these tasks, but this is far from enabling legal teams to serve themselves with proven tools that were explicitly built for this purpose.

With 71% of corporations spending more than $1M in litigation in 2013 (per Norton Fulbright), and with regulatory investigation being named as a significant concern by 41% of corporations (again, per Norton Fulbright), companies are well served to dive deep into their specific use cases and investigative patterns to determine if Office 365 is equipped to meet their needs.

---

Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.


June 19, 2014

All Industries Must Prioritize Privacy Protection

All too often companies don't devote the necessary energy to data loss prevention until a problem stares them in the face. Unfortunately by that time it's already too late. Just ask eBay, whose recent breach resulted in the potential exposure of information for 233 million customers, according to The Motley Fool. 

Statistics like these should be a wakeup call and a cry to action for all businesses that lack a robust privacy protection infrastructure. Yet administrative laziness about enterprise cybersecurity still abounds. The reason for this, according to a recent infographic, is that many companies simply aren't picking up on the potency of the virtual threat landscape. This avoidance has to change.

Study points to lack of cybersecurity concerns among businesses
A study carried out by Robert Half and Protiviti found that weak enterprise protective measures are almost as big a problem as cybercrime itself. The study - whose findings come from a poll of UK IT executives - revealed that of those surveyed, a full one third admitted that cybersecurity is not on the senior management list of priorities. Yet in seemingly direct opposition to this figure is the acknowledgment, among 50 percent of respondents, that cybercrime incidents are on the rise.

So what accounts for this disparity? The answer boils down to the simple issue of reality versus perceived reality. As the study revealed, many IT executives have merely convinced themselves that because their company has not been attacked yet, that somehow means it won't be attacked. In fact, this reasoning accounted for 38 percent of those who said cybersecurity was not on the immediate agenda. 

Yet in reality, that reasoning is simply invalid. Just because a company is safe one minute doesn't mean it won't be attacked the next. After all, criminal hackers are operating with a measure of sophistication and stealth that they never have before. In this environment, a complacent company presents the best target. And attackers are not going to disappear from the scene any time soon.

Security expert explains that hackers are experiencing "breakthrough"
There's no denying the damage wrought by the Target and eBay debacles, but if security expert Patrick Peterson's projections are true, infringements like these will not only continue, but become commonplace.

The founder of an email security company located in California, Peterson said that the failure of companies to properly defend themselves is actively exacerbating an already thriving criminal network. A report conducted by Peterson's company found that of 133 businesses it analyzed, 100 of those had weak enough protective measures to qualify them as "easy targets" for hackers.

Speaking to Inc, Peterson said that not only are businesses behaving without proper protective strategies, but that hacking is also mounting both in scale and in the virulence of individual attacks.

"We are seeing breakthrough levels of success by criminals in foreign states that have not ever been seen before. The phenomenon of criminals from foreign states getting access to data is not new, [but] their success in doing it and what they do when they have that data is truly revolutionary," he said. "In the past, they would hit Target and steal some encrypted credit card information. Now they are getting to a point-of-sale terminal and getting the credit card information in the 10 milliseconds before it's encrypted permanently and irrevocably."

But a large part of the reason such criminals are operating with such success is because of the widespread indifference toward data loss prevention on the part of businesses. As long as such inactivity persists, so too will devastating hacks, and it will only be a matter of time before the next eBay or Target.

June 13, 2014

Office 365 Archiving: Dude, Where’s My Email?

There’s no question that Office 365 is a fantastic platform. It’s an excellent means of offloading commodity services to a vendor you can trust to assure you of around-the-clock availability. But some services are best left to folks who focus on value-added services as their core competency. For us here at Proofpoint, we would argue that this specialized focus must rest in security, threat response and remediation, and information governance.

In the case of archiving, for example, Exchange Online Archiving (EOA) is included with many Office 365 packages to varying degrees. This serves as an online PST in most incarnations, although more expensive packages also include basic multi-mailbox search capabilities for eDiscovery.

One of the secondary functions of an archive is to give end users anywhere, anytime access to archived email. The issue with EOA in this case is that there’s no guarantee that the email will be retained in the archive. In other words, imagine a scenario in which a user is attempting to find a 6-month-old email that’s needed to conduct business, but poof, it’s gone. What this means is that the email had been unintentionally (or perhaps intentionally) deleted by the end user and subsequently there’s no copy of it whatsoever. An administrator can surely chase down a copy in the Recoverable Items folder, but that defeats the purpose. And most importantly, it’s the polar opposite of expected behavior for a true-blue archive.

Microsoft’s answer to this will undoubtedly be that the customer should create a legal hold across the organization to ensure retention. If that’s the solution, how are we addressing the disposition problem? Legal hold, by definition, is designed to provide data immutability in the case of active, ongoing litigation. So now you’ve gone from not ensuring content is retained, to unnecessarily retaining content for an indefinite period of time unless you keep tabs on disposition.

Needless to say, when an end user attempts to find an email in Office 365, it just might not be there.

Let’s not forget what problems enterprises look toward information archiving vendors to solve.

The archive should be:

  • Simple to use
  • Able to ensure defensible capture and retention of all communications, be it email, social, IM, files, etc.
  • Flexible, with policy-based retention and disposition

- Joe Diamond

---

Joe has more than a decade of engineering, product management, product marketing and software leadership expertise in both the consumer and enterprise markets. In his role at Proofpoint, Joe is responsible for defining and bringing to market Proofpoint’s next generation information governance products. Prior to Proofpoint, Joe was the Head of Product Management & Marketing for RiskIQ, led enterprise product management for Symantec's Emerging Products and Technologies and served in product management and marketing roles for hosted email archiving vendor LiveOffice, which was acquired by Symantec.


June 11, 2014

(More) Key Social Media Compliance Takeaways from the 2014 FINRA Annual Conference: Part 2

[This is Part II of a two part blog series on the 2014 FINRA Annual Conference]

A few weeks back, Proofpoint attended the 2014 FINRA Annual Conference and we summarized some key takeaways in the blog post here.

As promised, we're following up to that post with a second installment in this series. In this post, we'll explore the various stages of social media adoption through which a regulated organization passes during its quest to achieve full social media adoption. As folks struggle with ironing out the best ways to leverage social media, these stages will be helpful in both identifying your current state and determining how to advance to the next stage.

Let's start by defining what we call the Social Media Adoption Lifecycle. The lifecycle is broken down into 3 distinct groups, as follows:

[Figure: Social Media Adoption Lifecycle]

Crawl - Crawl is step 1 in that you're unsure how to best employ social media at your firm. An example of Crawl state is that you block access to social for most of your employees because of concern over the impact on compliance obligations. You might operate in a "read-only" mode; perhaps having a handful of employees monitor social media websites for information pertaining to your brand or to view customer complaints. But, at this stage, posting content to social media sites usually does not occur.

Walk - Walk defines step 2 in that you've yet to fully leverage all of the benefits that social has to offer. Perhaps you have a branded, marketing-owned social media page on each of the major sites. These pages are most likely controlled by a handful of employees, blocking access for the remainder of the firm, with any changes to content posts being manually reviewed by compliance prior to submission. After submission, you may be satisfying requirements to archive social content by taking screenshots of content directly from the social media websites, pasting the screenshots into an email and sending the email off to your archive for long-term retention and eDiscovery. Not the most efficient solution, but, hey, you've got to start somewhere.

Run - With Run, you've fully embraced social media at your firm, no longer blocking access for all employees, and you've deployed social use cases for sales, marketing, customer support and others. You've put in place an automated means through which pre-approved, "static" content can be stored and subsequently drawn from. For "interactive" content, you may have a means to supervise / pre-review employee generated posts before they reach their final destination. And most importantly, you have an automated means by which to archive and retain an immutable copy of all posted social media content and related comments, including third party comments.

So how to best get from crawl to run? Start by defining the business use cases for social media at your firm, describe how each use case will be employed and ensure that you build compliance controls and acceptable use policy around those use cases before putting them into practice. Involve your compliance team from the start - the last thing you'd want to do is have your compliance group find out about your social media non-compliance after the fact.

To help you along, below is a cheat sheet containing items extracted from FINRA's annual conference. All of the topics listed below arose in one or more of the conference's social media sessions and they answer common questions that regulated organizations often have regarding compliant social media use.

  • Supervision on social media is important, but...
    • Pre-review vs. Post-review: Interactive content need not be pre-reviewed
    • Pre-approval: Static content must be pre-approved
    • Supervision is not one-size-fits-all. You may want a "mix" of the above based on functional group
  • Archiving is an absolute must
    • This includes any form of electronic business communication (email, social, IM, etc.)
    • Be prepared to produce content during FINRA spot checks
  • Privacy: employer access to employee social media accounts still an issue
    • Controlled via statutes at the State level; FINRA is successfully lobbying for carve-outs for regulated firms
    • Until then, have employees sign semi-annual letters of attestation stating that they are not using personal social media accounts for business purposes
  • Prospectuses and tombstones can be sent via a limited space communication channel, like Twitter
  • Hyperlinks issue: are you responsible for 3rd party content behind hyperlinks that you've shared on social media?
    • Use disclosures on social media pages that indicate that your firm is not responsible for 3rd party content
  • You are not responsible for shares and retweets of your content by 3rd parties
  • Be wary of any social media features that can be interpreted as a recommendation or an endorsement
    • But, the "like" button is not an endorsement, so long as the "like" is not in relation to performance

In summary, there were many key social media compliance takeaways from this year's FINRA Annual Conference. Whether you're crawling, walking or running, be sure to take note of the above points when crafting your overall social media use and compliance strategy. As always, it's better to be well informed and compliant, than not. 

 - Christopher Ricciuti

---

Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College.

©2012 Proofpoint, Inc.