How to Prevent Data Leakage with Microsoft Data Loss Prevention


Businesses using Microsoft Office 365 have new options to prevent data leakage from their business. Whether a company frequently handles sensitive information like patient information or wants to clamp down on sharing personally identifiable information (PII) via e-mail, the Microsoft Data Loss Prevention (DLP) tools can help. A brief overview of the DLP capabilities will show why businesses that operate in industries with a lot of regulations need to deploy their IT team to shore up their defenses.

Microsoft DLP—Identifying Shared Information

The Microsoft Data Loss Prevention tools are a system within Office 365 that reads the information that you input in the Microsoft cloud software such as OneDrive, SharePoint Online, and Exchange Online. Also, the DLP can be applied to offline sources for added security.

Essentially, an IT team sets up the DLP to process all the data that you send through these systems and flags information that you do not want to be shared. The toolset can identify credit card numbers, social security numbers, and other forms of PII.

The system can be localized to the country in which a company operates as well as those with whom they do business. For example, the system can be set so that Australian ID numbers and American ID numbers can both trigger the security protocols, protecting a wider swath of data without burdening the system with data that would never be used.

Each business is in charge of establishing the parameters that they would like followed as well as the desired results when the information shared does produce a red flag.

The system can be set to remove a file with PII or disallow the communication from going forth. Furthermore, the system will send messages to the appropriate members of management to provide documentation about the attempts to send out information.
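As an added illustration (not part of the original article, and not Microsoft's detection code), the sketch below models the kind of rule described above: each information type pairs a pattern with a validity check, only the types relevant to the countries served are enabled, and a match blocks the message and names who is notified. All function names, the sample messages, and the notification address are constructed for this example.

```python
import re
from dataclasses import dataclass

def luhn_ok(d: str) -> bool:
    """Payment card check digit: rejects most random 13-19 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(d)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def ssn_ok(d: str) -> bool:
    """Structural rules for a US SSN: some areas, groups and serials are never issued."""
    area, group, serial = d[:3], d[3:5], d[5:]
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

def tfn_ok(d: str) -> bool:
    """Australian Tax File Number (9 digits): weighted sum must be divisible by 11."""
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return sum(int(c) * w for c, w in zip(d, weights)) % 11 == 0

# Each information type = candidate pattern + validator that weeds out look-alikes.
DETECTORS = {
    "credit_card": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), luhn_ok),
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    "au_tfn": (re.compile(r"\b\d{3} \d{3} \d{3}\b"), tfn_ok),
}

@dataclass
class Policy:
    enabled: frozenset                              # types relevant to the countries served
    notify: str = "compliance@example.test"         # constructed address

def find_sensitive(text: str, enabled) -> dict:
    """Return {type: count}. Counts only, so the report itself never copies the PII."""
    hits = {}
    for name in sorted(enabled):
        pattern, valid = DETECTORS[name]
        n = sum(1 for m in pattern.finditer(text) if valid(re.sub(r"\D", "", m.group())))
        if n:
            hits[name] = n
    return hits

def evaluate(text: str, policy: Policy) -> dict:
    """Block the message and name who gets the incident notice when anything matches."""
    hits = find_sensitive(text, policy.enabled)
    if not hits:
        return {"action": "allow", "hits": {}, "notify": None}
    return {"action": "block", "hits": hits, "notify": policy.notify}

# Constructed sample messages (test values only, not real identifiers).
MSG_PII = "Refund to card 4111 1111 1111 1111, SSN 123-45-6789, TFN 123 456 782."
MSG_LOOKALIKE = "Order 4111 1111 1111 1112 shipped; ticket 000-12-3456; ref 123 456 789."

if __name__ == "__main__":
    policy = Policy(frozenset({"credit_card", "us_ssn", "au_tfn"}))
    print(evaluate(MSG_PII, policy))
    print(evaluate(MSG_LOOKALIKE, policy))
```

The second sample shows why validation matters: numbers that merely look like identifiers pass through, which keeps false alerts from burying the real ones.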

DLP is easy to set up with the help of trained IT team members, and it goes into effect in less than an hour after establishing parameters.

Monitoring and Educating Employees

The vast majority of employees do not want to contribute to a leak of personal information for the people they serve or those they work with. However, there are still internal data losses every year where people within a company unwittingly give away valuable data.

As previously mentioned, an IT team can work to establish specific parameters for data sharing. These DLP parameters can identify when PII or other valued information is shared internally and externally in Microsoft software.

Not only will utilizing DLP tools cut down on the frequency of leaks, but they will give management the tools they need to teach workers about their specific vulnerabilities and how to prevent them from happening in the future.

Using Microsoft DLP to prevent data leakage is a step that every business operating with Office 365 should take. Simply identifying the types of information you do not want to be shared and enabling the parameters and alerts for data can prevent many common problems from occurring. The result is your company will identify which employees are responsible for data leaks so they can be properly re-educated and save information from falling into the wrong hands.

What is Data Privacy’s Status Going Into 2021?


As a consumer, how concerned are you about the care that businesses give to your data privacy? Very? You aren’t the only one. 87 percent of Americans see their data privacy as a human right. However, despite these views, most people are far too lax when it comes to their own security. What is data privacy’s status going into 2021? Let’s take a closer look.

Consumers on Businesses and Their Data Practices

In a recent report from advisory firm KPMG, the results of a survey that asked American consumers about their expectations of corporations and the privacy of their collected data were revealed. These results showed a few concerns very clearly, while revealing that not all respondents were fully aware of today’s most pressing cyberattacks.

  • 86 percent of respondents to the survey felt that their data privacy was a rising concern.
  • 70 percent claimed to be “generally familiar” with how companies collect their personal data, while 64 percent were familiar with how it was used and stored, 63 percent say they understand how it is protected, and 57 percent say they know how it is sold.
  • Having said that, 68 percent don’t trust these companies to sell this data ethically, 54 percent don’t trust it will be used ethically, 53 percent don’t feel it will be collected ethically, and 50 percent don’t trust these companies to protect their data sufficiently.
  • Most consumers are concerned about the theft of their social security number, with 83 percent of respondents identifying this concern. Following closely behind come the 69 percent worried about their credit card numbers.
  • Surprisingly, only 16 percent are concerned about the theft of their medical records.

Data Practices Amongst Consumers

While this sounds like a decent start, the survey’s results showed a bit of hypocrisy. Most users agreed that repeating passwords, saving credit card information to a website, and using public Wi-Fi are risky behaviors, but more than 40 percent of them did these things anyways. 61 percent neglected to use all available tools to secure their accounts, as well.

What We Can Learn

It doesn’t matter if it’s your data at stake, or your business’… your highest priority needs to be your security.

In another study, this one conducted by Harvard Business Review Analytic Services, it was shown that almost half—46 percent—of consumers surveyed had stopped doing business with a retailer because of issues with that retailer’s privacy statement.

Are you willing to let half of your client base abandon your business?

It just goes to show that, from the consumer’s perspective, it is our responsibility to make sure that companies are accountable for the data they collect. From the business standpoint, it shows that data security is something that can’t be slapped together or neglected. Is ensuring data security simple? Far from it… but when compared to what you risk otherwise, it’s a no-brainer.

4 Corner IT is here to help. We can help you to implement the security solutions and processes that will help protect all your data. To learn more, or to get started, call our team at (877) 771-2384 today.

350,000+ Personal Data Exposed After Preen.Me Attack


It’s the rare business that can survive without marketing and social media efforts, so when a social media marketing company like Preen.Me comes under a cyber attack, it invariably adversely affects many, many interested parties. And with Preen.Me’s recent hack, that’s exactly what happened. Over 100,000 social media influencers have had their personal data stolen because of their connection to Preen.Me. In addition, over 250,000 social media users have had their personal data exposed on a deep web hacking forum from their use of ByteSizedBeauty, a Preen.Me application.

While Preen.Me primarily focuses their marketing efforts on beauty-related content, meaning many other types of businesses were spared, that does not provide any comfort to those whose primary business is related to personal care. Preen.Me boasts big-name customers such as Unilever, Revlon, St. Ives, and Neutrogena, who in turn interact with large customer bases. 

In this post, we will outline how the attack was discovered, the data involved, and discuss the level of sophistication that hackers and data thieves can employ in their efforts to exploit, steal from, and harass innocent parties.

The Discovery  

RBS, a world-renowned leader in cyber security, first discovered the Preen.Me leak on June 6, 2020 after they noted a known threat actor posting a message on a deep web forum about their recent hacking efforts. The attack was confirmed by the actor on the same day when they shared stolen information from 250 beauty influencers on PasteBin. PasteBin is a content hosting website service that allows users to store text on their site for set periods of time. The hacker also threatened to release the personal information of 100,000 records he/she acquired. However, as of this date those records do not seem to have been released.

The Data at Risk 

The affected clients of Preen.Me are social media influencers involved in the beauty industry. Of course, their social media efforts lead them to collect information about their followers as well. Information from both sides of the equation was affected, with the threat actor exposing personal information of the media influencers such as home addresses, phone numbers, email addresses, names, and social media links. In addition, some of these social media influencers have over a half million followers, potentially exposing their information as well.

Further Exploitation

It wasn’t enough to steal such a large amount of data to potentially hold Preen.Me for a ransom amount. On June 8th, the hacker released detailed information of the over 250,000 users of Preen.Me’s application, ByteSizedBeauty. The details include their Facebook name, ID, URL, and friend’s list, along with their Twitter ID and name. Personal information was also leaked, including their email address(es), date of birth, home address, eye color, and skin tone. 

Also found in the stolen database dump were 100,000 user authentication tokens for social media, along with a small number of possible password hashes, and a data table consisting of over 250,000 records containing user names, email addresses, customer names, and auto-generated passwords.

Doxing so many users of Preen.Me’s marketing tools and applications leaves all of them exposed to significant issues with spam, harassment, and especially identity theft. It remains to be seen if the hacker has accomplished their entire “mission” or if they are planning to further exploit Preen.Me and/or their clients. 

A Cautionary Tale 

Preen.Me’s recent attack is a cautionary tale for every other entity that uses the world wide web. Hackers can take very personal information and hold it for ransom, or they can release it on the dark web and allow others to commit further criminal acts against innocent affected parties. Organizations must take technology security seriously and understand their security efforts are not just protecting their own data, but the private data of clients who entrust them oftentimes with very personal information.

If you would like to know more about how to protect your business and the sensitive data of your clients from cyber hackers, please contact us.

How to Implement a Successful IT Risk Assessment


More and more companies are relying on the web, not only to be their premier source of customer interaction but also to carry out cloud-related tasks and functions associated with running their business. When a company is able to securely run their business, both management and production employees can focus on doing what they do best — ensuring the success of business operations. In this article, we will outline 8 steps businesses can follow to assess the level of risk associated with their current IT operations.

Thoroughly Define Vulnerabilities

Gone are the days when installing a good antivirus program on their computers meant that a company was protected from all threats. While companies should still require this, of course, there are many more areas of vulnerability. Assessing risk means defining all potential vulnerabilities such as fire, a natural disaster, theft, ransomware, phishing attempts, and more, in some instances. Anything that can compromise employee productivity, or negatively affect a company’s ability to adhere to compliance rules has the potential to be disruptive.

Communication is Key

As with any other successful project, communication is a key component to ensuring a successful risk assessment outcome.  When key players understand why they are being called to evaluate risk in their areas of function, they will be more successful in identifying areas that could pose a problem. When those players do report their findings, it’s just as important for those in charge of the risk assessment project to clarify any unclear points, so they have a clear understanding of the potential issues.

Data Collection

Both hardware and software must be evaluated to look for weaknesses. Operational data such as accounts receivable and payable, HR data, business forecasting, company salaries, etc. is also an asset. Any risks along the pipeline of handling this type of data should be evaluated as well.

Analyzing Risk

Once all potential points of risk are gathered and thoroughly understood, the next step is to analyze each potential risk. The areas most vulnerable, the likelihood of some type of attack or interruption in operations, and the ramifications if such an event occurs should all be evaluated and categorized.

Make Recommendations, Then Review 

Those in charge of the risk assessment will also likely be the ones to make recommendations to address each security concern. As part of the process, department heads should have an opportunity to review the recommendations made by the risk assessment team and provide feedback. Once plans are solidified, each department can develop a strategy to address each of the security issues related to their specific function.

Implementation

Once everyone is on board with the solutions that address each point in the risk assessment project, it’s time to implement the solutions. Some departments may institute their solutions fairly quickly. Others may require more time to fully address complex functions. If roadblocks occur, feedback should be given to the risk assessment team so they can research and provide alternative solutions.

Mitigating Risk 

It’s not always possible to completely eliminate all risks when dealing with IT infrastructure, software, or data. Still, companies can achieve the goal of risk mitigation when they know they’ve done everything possible to reduce the potential of an adverse event. To help accomplish this goal, department heads should set specific benchmarks along the way, making sure they are meeting their own expectations of progress, as well as the expectations of upper management. 

Maintenance 

The only constant regarding information technology is that it is always changing. The same needs to be said about risk assessment. While putting solutions in place to deter security threats is the goal of risk assessment, the process must be regularly evaluated. New hardware or software can require changes in the way employees perform their functions, and the hardware or software itself can open up a security risk that did not exist previously. Early on, simple modifications may be sufficient to address changes. However, a full risk re-assessment is ideally performed, on average, about every two years.

If you would like to know more about how to develop and implement an IT risk assessment plan, please contact us!

6 Cyber Security Must-Haves for Remote Work


The quick transition to remote work that many companies have had to make has revealed security risks that IT professionals are not able to monitor or correct as closely as they would be able to when employees work in-house. To mitigate these risks and protect data, employees will need to follow security best practices and abide by the requests made by IT. Fortunately, the skills and security measures that employees will need during these times, like the following, not only help their employers in the present but also protect employees from personal security risks in the future.

Secure Wi-Fi

The convenience provided by an open wireless network doesn’t mitigate the risk of sensitive data falling into the wrong hands, and this applies to personal financial information as much as it does to data relating to work. Employees will need to secure their home wireless networks with the most advanced protection available to them. Users should also have the latest firmware.

Encrypted Traffic

IT departments can consider a virtual private network, or VPN, on top of secured wireless networks to encrypt all traffic data. There are downsides to VPNs, however, including slower connection speeds. Some users may not like that their employer can monitor their network usage with a VPN, either.

Phishing Prevention

It doesn’t matter if a company uses the most advanced security software or the most impenetrable hardware if the user is the weak point. Employees should undergo training to detect and avoid phishing scams and their various modes (phone, text, and email) before working remotely, even if they have already received this training in the past. All it takes is a careless click to give access to a user’s login information.

Fortunately, modern security software can even warn about potential phishing attacks.

Smart Password Usage

Not only is it risky to use the same password and username for multiple websites, but choosing simple passwords that are easy to crack also puts a user at risk. Because users won’t necessarily opt for best practices such as strong passwords that they periodically change, companies should ensure that their software systems require these password security measures and even use password managers to generate and store strong passwords. Businesses should also encourage two-factor authentication, which requires that users enter a second code that is typically sent via email or text, to log in.

Company-Issued Devices

Many of the risks listed above can be minimized when a company issues devices that prevent unauthorized changes and have the appropriate software installed so that employees have all the resources necessary to complete their jobs. Sending employees home with company devices keeps sensitive data away from personal devices, which may be less secure and more likely to be compromised, and companies can install enterprise-level security software to prevent malware and phishing attacks. 

If this is not possible, companies should set standards for which devices can be used, including software and hardware requirements, to ensure the devices being used are as secure as possible and to avoid the risk of “shadow backups” to personal cloud storage accounts.

Data Backup

Assuming that users abide by security best practices and a company’s software is set up securely, there is always the risk of hard drive or another mechanical failure, which is why a company must have a plan in place to back up data. Many companies opt for cloud storage, a solution that is especially useful when the office is inaccessible; however, some choose physical servers that their IT team members maintain themselves. 

Companies that want to increase security measures for remote workers or ensure that their systems are secure enough for telecommuting can contact us for a cybersecurity analysis.