Proofpoint: Security, Compliance and the Cloud

Thanks to the hundreds of you that tuned in for our first live web seminar of the new year, "2011 Predictions: Top 10 Privacy Issues" where co-presenter Ken Liao and I looked into the crystal ball to expose the cultural, policy, technology and regulatory trends that will dominate privacy discussions this year! My thanks especially for all of the great questions and feedback on the seminar.

If you missed it, or if you'd like to refer back to the web seminar, it's now available as a replay. For those of you who registered for the live event, a direct link to the replay file has been sent to you via email, as usual.

In our presentation, Ken and I shared quite a few links to various privacy-related resources that I promised to share with you here as clickable links, so here they are, by prediction:

Intro: Why Privacy Matters Today

Privacyrights.org's running list of data breaches can be found here:
http://www.privacyrights.org/data-breach

Proofpoint's 2010 research on data loss events was referenced multiple times during the presentation. You can download a copy of our full report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 here:
http://www.proofpoint.com/outbound

Prediction 1: Mobility & Location-based Info Becomes a Major Concern

We had a little extra comedy in yesterday's webinar as our slide on this first prediction had mysteriously disappeared. Click the image at left to see the slide we had intended to display!

Predictions 2-4: At Least One Major Social Media Site Will Experience a Serious Breach, Evolution of Social Media Policies, More Organizations will Formalize Acceptable Use Policies

The data/charts in these slides on social media data loss events, social media/web services that large organizations prohibit access to, and acceptable use policy adoption are all from the aforementioned Proofpoint research at http://www.proofpoint.com/outbound.

Prediction 5: Blended Threats Will Continue to Increase

For more on the VBMania outbreak and other recent blended threats, see my blog post about "Blended Threats Old and New." On the topic of spam's holiday vacation and subsequent return, see "Spam Volume Makes a Comeback After Holiday Hiatus."

Prediction 6: New, Stricter Privacy Regulations Will be Adopted Worldwide

Not mentioned in the slide, but here's a good article explaining the European reactions to privacy implications of Google Street View.

Prediction 7: Expect a US National Data Breach Notification Law

Here's the link to the Federal Trade Commission's report on Protecting Consumer Privacy. And here's information on the new White House "Enhancing Online Trust and Privacy" initiative.

Prediction 8: At Least One Enforcement Action Under Massachusetts 201 CMR 17

Links for the State of Massachusetts FAQ on 201 CMR 17, and interesting ThreatPost article about a possible 201 CMR 17 test case in 2011.

Prediction 9: More Organizations Will Encrypt More Data

Find more product information about Proofpoint Encryption here. Also, http://www.proofpoint.com/outbound is referenced again (data on adoption of data loss prevention technologies).

Prediction 10: Increased Adoption of Secure/Managed File Transfer

Statistic about level of concern around FTP as a source of data loss risk is, once again, from http://www.proofpoint.com/outbound. And visit this link for information on the Proofpoint Secure File Transfer solution. 

Q&A Session

In my comments, I mentioned recent email breach of personal information of all GSA personnel.

Thanks again to everyone who joined us for this web seminar. If you missed it and would like to see the replay, please visit:

 http://www.proofpoint.com/id/top10privacy/index.php?id=6

As is traditional during the fourth quarter, IT vendors begin putting out predictions for the coming year and Proofpoint issued a press release today predicting the top 10 privacy issues for 2011 and how enterprises will respond. 

Both consumer privacy concerns and an increasing number of regulations will encourage many organizations to review the way that they handle private information in 2011. As a result, many will deploy new data protection policies, procedures and technology solutions to better protect private and confidential information.

Here are Proofpoint's predictions for the top 10 privacy issues in 2011:

1. The privacy and confidentiality of location-based information will become a major concern for both consumers and corporations. With the rise in mobile GPS information, companies will have to protect both personally identifiable information (PII) of employees, customers and partners, and also create new policies for handling location-based information. Not only will real-time information about location be a vulnerability, but companies will have access to information about where people (or their devices) spend much of their time.

2. At least one major social media site will experience a major breach. According to Neilsen, nearly a quarter (22.7%) of all online time is spent social networking. With more people on social networks and more personal information available via those networks, the potential for exposure of that data is likely.

3. Stricter data privacy regulations will be passed worldwide. Privacy regulations in the healthcare, financial services and critical infrastructure industries like energy and telecommunications will likely see new regulations dictating what needs to be protected and what to do when data loss occurs.

4. Expect a US national data breach notification law. Notification laws like California’s SB 1386 exist in 46 of 50 states today. A federal law is imminent.

5. Blended threats will increase. While email is still the number one threat vector for personal information loss, threats from newer communications channels is increasing, especially in the form of blended threats where the target is first attacked through email, then directed to Web or social media.

6. At least one company will be prosecuted under the broad-reaching Massachusetts Privacy Law (201 CMR 17.00). In March of this year, the Massachusetts Privacy Law went into effect, mandating that any company that “owns or licenses” personal information—whether stored in electronic or paper form—about Massachusetts residents must comply with its privacy requirements, including notification of breaches and encryption of stored or transmitted personal data. Although the state has yet to enforce the law, 2011 will likely be the year that companies begin seeing penalties. In addition, we may see more laws of this type passed in 2011. Nevada also has a similar law.

To deal with these threats, the following additional trends will emerge among businesses:

7. Companies will move away from outright bans on social networks, IM or web mail to allowing those services, but applying stricter corporate policies on these new services as well as investing in secure web gateways to monitor use. New innovations such as Facebook mail give enterprises yet another good reason to put better policy and technology controls around the corporate email system.

8. More companies will create policy around acceptable use. Email leaks such as the recent Google corporate memo exposure are heightening awareness in companies that policies need to be created about what content is considered sensitive and enforce them both through technology and through training.

9. More companies will encrypt more data. Three factors are converging to make 2011 the year of encryption adoption: (1) More regulations today require encryption. (2) It’s become a best practice in many industries. (3) It’s easier to implement and less confusing for users. With processing power increasing and companies like Proofpoint innovating, encryption has become faster and easier to implement and use.

10. More interest in secure managed file transfer. Driven by privacy considerations and security flaws in FTP, more companies will be implementing reliable ways to send files securely. With data breach notification laws in place in nearly every state, companies cannot risk losing data through FTP security issues.

Related Resource

For some actionable advice about improving privacy protection and guarding against data loss, see Gartner's 2010 Content-Aware Data Loss Prevention FAQs report, which you can download compliments of Proofpoint at the following URL:

 http://www.proofpoint.com/id/gartner-data-loss-prevention-dlp-faq-report/index.php?id=6

This 8-page report describes Gartner's advice about the best approaches and benefits of deploying data loss prevention (DLP) solutions. It lists many of the typical questions asked by Gartner clients and provides answers that are applicable to the most common DLP scenarios.

We issued a press release today about Proofpoint customer University Hospital of Zurich (aka USZ), about their deployment of Proofpoint Messaging Security Gateway email security appliances to protect 7000 email users at the hospital from spam, viruses and other inbound email risks.

Additionally, the hospital uses Proofpoint Secure File Transfer as a way to transfer large files, or files that require enhanced security/encryption, "out of band" from their SMTP email system. Like healthcare organizations in the US, University Hospital of Zurich wants to ensure that confidential, personal healthcare information isn't improperly exposed. Proofpoint Secure File transfer lets staffers send information such as patient data, medical test results, insurance information and other sensitive info in a secure fashion.

Jens Grundtvig, the manager of network security for University Hospital of Zurich says that the hospital chose Proofpoint because of a combination of ease of administration, security and cost reasons.

“The combination of an easy-to-deploy appliance, ability to enforce policies for individual users and groups, the price-performance ratio and the option for secure file transfer gave Proofpoint a strong advantage over the other four suppliers [that the hospital considered],” says Grundtvig.

You can read the full press release at the Proofpoint site here:

 "University Hospital of Zurich Deploys Proofpoint for Inbound Email Security and Secure File Transfer"