Skip to content

Backup Strategy and the 3-2-1 Principle

Data loss comes in all sizes: small (individual files), medium (SharePoint site), and large (ransomware and disaster recovery). No matter the size of the loss of data, none of them are fun, and even the smallest of data loss events could leave you lacking your most critical data. That one spreadsheet or that one hard disk drive could have what you and your business rely on most – it’s not always something someone can “just create again” on a whim as data loss is indiscriminate in its impact. All data loss events negatively impact workflow, and all are risk and data protection concerns that ultimately are a business imperative. Proactive data protection through backup and data management is at the forefront of all of our minds—or at least should be. Now why is that? Years ago, the assumption prevailed that cloud services would “take care of everything” once you signed up for a cloud service, with backup being lumped in. But now, more than ever, as the awareness of shared responsibility models for SaaS applications grows which states it is the user who is responsible, it’s clear the onus is on you to have that backup strategy in place. That’s why the 3-2-1 backup rule—a principle established for on-premises infrastructure which requires multiple copies of backup data on different devices and in separate locations—is still relevant to today’s cloud-based infrastructures by providing essential data-protection guidelines.

Why Back Up Cloud SaaS Data, and Why Now?

Your data is critical to your business operations, and in many cases, maintaining control of and access to it is required by law. (Read more about how third-party security keeps companies in control of their data here.)

SaaS Shared Responsibility Model

Software-as-a-service providers have established documentation that clarifies the areas of responsibilities they have and also those responsibilities that are retained by the customer. Microsoft, well known for its Microsoft 365 SaaS offering, delineates the boundaries of shared responsibility in the cloud. While Microsoft does provide some degree of data protection, many people are not aware of the limitations of this protection. The short of it is that Microsoft does not provide suitable backup and restore functionality to customers. Learn more about why your M365 is not backed up (and how to fix it) in our in-depth article here.
And it’s not only Microsoft that has a shared responsibility for their SaaS services. Google (and backup files to Google drive) has what they refer to, almost ominously, as “shared fate” on Google cloud shared responsibilities. Likewise, Amazon Web Services (AWS) have their own shared responsibility model. It’s vital customers know and understand the extent of their agreement.

Risks to Data Security

In the days of on-premises backup, the only credible risks were acts of mother nature and hardware failure. That is, of course, if you ignore software issues. Lots of software (from firmware on RAID adapters to drivers to operating system filesystem implementations and the user applications) problems would cause data loss and a need for restore, from system level down to file level. (That’s one thing I don’t miss about the ‘90s.) However, in the cloud-computing era, the risks have evolved as much as the ways in which we create, share, and store data, so things are much more complicated now. With both the prevalence and penetration of ransomware, cybercrime, and not to mention the increased access users have in order to streamline collaboration interactions and boost productivity, data—the lifeblood of a company—has, in many ways, never been more susceptible to data loss, regardless of whether it’s international (malicious actors, ransomware, etc.) or unintentional (human error, accidental deletion). Sometimes going back to basics can be the place to start in developing or hardening security.

3-2-1 Backup Method

The 3-2-1 principle comes from the days of on-premises data storage. It is still commonly referenced today in the modern, cloud-computing area. Even though it isn’t directly applicable, word for word, to cloud data, this well-known and widely used principle can still be used today to guide security decision makers in their process of improving their security infrastructure against today’s data risks.
Roughly speaking, the 3-2-1 backup rule requires 3 copies of data, across two types of storage media, with one off-site copy stored.

What Is the Origin of the 3-2-1 Rule?

Backup and recovery solutions have existed since long before cloud computing. However, the methodologies have shifted due to the modernization of the infrastructures, behaviors, needs, and of course a lot more variables (but we won’t get into that here), which has resulted in some discrepancies between best-practice principles and their application to modern data infrastructures. This is also the case with the 3-2-1 backup rule, with the biggest change being the shift of how data is created and stored (or rather where). Formerly, production data was created on site and stored in on-premises hardware, alongside one backup copy, and the third being stored off premises and typically on tapes. ComputerWeekly has a feature on if the cloud has made 3-2-1 obsolete. In the cloud era, data is created in numerous places by remote workers in SaaS applications, where it is often transferred around the globe, and is stored “somewhere else” from a business’s physical office. More than likely, the extent of an answer to the question of “where is your data stored” is that it’s in the cloud. But is that backup? And what is true backup in the cloud?

How Does the Rule Apply to Cloud Backup?

We often see iterations of this backup principle in fancy infographics that almost forget to translate the rules to apply to the current scenarios. However, with a few tweaks, there’s plenty of relevant guidance that can help lead to a successful, modern, data security system.
Let’s look at the rules with a modern lens:

3 Copies of Your Data

The ‘3’ in the rule refers to the number of “copies of your data,” with one being the primary dataset in the production environment while the remaining two copies are backups. This is still applicable to modern data protection best practices.

2 Administrative Domains

As mentioned, the ‘2’ can be understood as “two administrative domains” so that copies are managed independently from the other or are stored within separate logical environments. You often see this written as “two types of media,” which is a relic from the on-prem past when it was made up of disks and tapes. Now, it’s about having copies across multiple disks and across two administrative domains so that one data-loss event cannot possibly—or is extremely unlikely to—impact all copies of the data. This is known as a logical gap. Without it, should there be a cloud-wide compromise (such as a breach) or data loss event of the cloud where your primary data lives, your data would not be available to you. One of the best-known examples of this is the Danish shipping giant Maersk and the infamous NotPetya cyberattack, dubbed “the most devastating cyberattack in history” in the full Wired story here. When working “in” the cloud, the building you are in isn’t of any real consequence to the data. Rather, it’s the cloud you are working in and storing data in that matters. In many regards, this step could envelop the step below, “1 copy external,” but in respect to the principle, it serves us here to keep it a separate consideration. Should there be a cloud-wide compromise or data loss event of the cloud where your primary data lives, your data would still be available to you by following the rule. Without doing so, you’ve lost access to your data (or even lost your data permanently), with an impact that has a massive potential for business disruption and costs (as in the case of Maersk).

1 Copy External

Formerly the ‘1 off-site storage copy,’ this still applies for the same reasons as it did in the past: You don’t want to store all of your data in the same exact location, and whether all are aware or not, the cloud is located in physical data centers. From the on-premises days, this meant literally having a copy of disks and/or tapes in a different location from your business in case someone, something, or some event with the power to destroy the building did so. Let’s call this the “in case of fire” step. In cloud computing, this means having a backup copy outside the cloud of the production environment and outside the administrative domain of the other backup. Remember, the cloud is ‘just’ physical data centers, so by working in the cloud, the centers you are storing your data in are of real importance to the data. What if the data center of the cloud you are working in is also the same data center that your backup cloud data is stored in? Should there be a data loss event at that center, all of your data would be at risk from that event. That’s bad.

Use Case: What would this look like in real life?

If, for example, you are working on a Microsoft Word document and you save it to OneDrive that has OneDrive Backup turned on, you’re totally protected, because it says “backup,” right? This is an example where the 3-2-1 principle still helps shed light on modern data protection in the cloud. By following the 3-2-1 rule above, one can deduct that this example isn’t backup (but neither is a lot of what SaaS providers offer as ‘backup’) because true backup requires a logical infrastructure separate from the primary data. As the “in case of fire” step requires, you must have one copy outside of the administrative domain. By working in and backing up OneDrive data to Microsoft’s cloud services, the data remains in the same administrative domain. What if something were to happen to Microsoft servers? You’d lose access to your primary data and the copies “backed up” since they all relied on the same cloud. What’s even worse is that since the backup is configured by “you” (i.e., the admin), a compromise of your account can unconfigure it, too. So, a simple case of ransomware could completely and automatically disable or work around such in-service protections—even leading to immediate backup data deletion. Keepit, on the other hand – aside from being separate (and therefore unlikely to be compromised at the same time by the same mechanism), as a dedicated backup solution – will actually protect even the administrator from quickly or immediately deleting backup data. In this respect, Keepit offers some of the most desirable features of “the tape in an off-site vault” in a modern cloud service solution.

Here’s how to use the 3-2-1 backup rule to ensure you’re covered: Independent cloud

If you’re interested in further reading, check out our e-Guide on SaaS data security for a thorough look into leading SaaS data security methodologies and how companies can raise the bar for their data protection in the cloud era. Convinced you need backup, but want to know more about data protection and management for your particular SaaS application, then explore how Keepit offers cloud data backup coverage for the main SaaS applications here.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

Cyber Kill Chain

Intro

This is an important concept and I want to provide you with a quick overview of what are kill chains, what is threat modelling, why we do these things, and why we need them. This understanding is crucial in creating a stable and strong security posture.

One other thing to note is that all these frameworks are generally made to complement other frameworks. For example, the UKC – Unified Kill Chain – is made to be a complement to MITRE.

Cyber Kill Chain – what is it?

This term is a military term/concept that relates to an attack, in particular its structure. Lockheed Martin (security and aerospace company) is the one that established the Cyber Kill Chain in 2011, based on the aforementioned military concept. The idea of the framework is to define the steps adversaries are taking when attacking your organization. In theory, to be successful, the adversary would pass all the phases within the Kill Chain.

Our goal here is to understand what the Kill Chain means from an attacker’s perspective, so that we can put up our defences in place and either pre-emptively mitigate that, or disrupt their attacks.

Why do we need to understand the (Cyber) Kill Chain?

Understanding of the Cyber Kill Chain can help you protect against myriad of attacks, like ransomware, for example. It can also help you understand in what ways do APTs operate. Through this understanding, as a SOC Analyst, or Incident Responder, you can potentially understand the attacker’s goals and objectives by comparing it to the Kill Chain. It can also be used to find those gaps and remediate on missing controls.

The attack phases within the Cyber Kill Chain are:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command & Control
  • Actions on Objectives (Exfiltration)

Reconnaissance

As we all know, this means searching for and collecting the information about system(s). In this phase, our adversaries are doing their planning. This is also where OSINT comes in, and is usually the first step an adversary will take, before going further down the chain. They will try and collect any possible piece of info on our organization, employees, emails, phones, you name it.

This can be done, for example, through email harvesting – process of collecting email addresses from online (public, paid, or free) services. These can further be used for a phishing campaign, or anything else.

Within the recon step, they also might collect the socials of the org’s employees, especially if some employee in particular might seem of interest or is a bit more of an easier target. All this information goes into the mix and is nothing new. First step – Recon.

Weaponization

After the initial recon phase, our adversary goes on to create their weapons! Usually, this entails some sort of malware/exploit combination bundled into a payload of sorts. Some adversaries will straight up buy the malware on the Darkweb marketplaces, but some more sophisticated attackers, as well as the APTs, will usually write their own malware. This is advantageous as it might actually evade your detection systems.

They can go on about this in numerous ways, but some examples might include them creating a malicious MS Office document with bad macros or VBA scripts, they could also use Command & Control techniques so that your affected machine calls to the Command server for more of those malicious payloads. (Yikes!) Or, they could add a backdoor, some other type of malware, or anything really.

Delivery

This step entails the attacker choosing a way to deliver the payload/malware to their victim. There are many options here, but in general, the most used one is good old phishing email.

With a phishing email that’s sent after the successfully completed reconnaissance phase, the attacker can target a specific person (spearphishing), or a group of employees at your organization. Within the email would be the embedded payload.

Other ways to distribute the payload may include the attackers planting infected USBs in public places, like parking lots, the streets, etc. Or, they could use a so-called watering hole attack which basically aims at a specific group of people by sending them to an attacker controlled website, by redirecting them to that site off a site they generally use but is now compromised by the attacker.

The attacker exploits the website, and then somehow tries to get the unsuspecting users to browse to the site where the victim basically downloads the malware/payload unintentionally.

Exploitation

Before finally getting access to our systems, the attackers need to carry out an actual exploit. Suppose the previous steps worked and the user downloaded or somehow ran the malicious payload, the attacker is ready for the next steps… or whatever’s in between! They can try to move laterally, get to your server, escalate privileges, anything goes.

This step boils down to

  • Victim opening the malicious file, thus triggering the exploitation
  • The adversary exploits our systems through a server, or some other way
  • They use a 0 day exploit

Whatever the vector, it comes down to them exploiting our systems and gaining access.

Installation

This step comes after the exploitation and it usually pertains to the adversary trying to keep a connection of sorts to our system. This can be achieved in many ways, for example, they might try to install the backdoor on the compromised machine, or they could modify our services, they could also install a web shell on the webserver, or anything else that helps them achieve persistence. This is key for the Installation phase.

The persistent backdoor is what will let the attacker interact and access our systems that were already compromised.

In this phase, they also might try to cover their tracks from your blue team by trying to make the malware look as if it was a legitimate app/program.

Command & Control

The Command & Control, also known as C2, C2 beaconing, or C&C is the penultimate part, and this is where the adversary uses the previously installed malware on the victim’s device to control the device remotely. This is usually built into the malware itself, and it has some sort of logic through which it calls back home to its Control server.

As the infected device calls back to the C2 server, the adversary now has full control over the compromised device. Remotely!

The most used C2 channels these days are:

  • HTTP protocol 80, HTTPS port 443 – HTTPS is interesting as it can help hide within the encrypted stream and it can potentially help the malicious traffic evade firewalls
  • DNS – the infected host will make constant DNS queries calling to its C2 server

An interesting fact – In the past, adversaries used IRC to send C2 traffic (beaconing), but nowadays it’s became obsolete as this type of bad traffic is much more easily detectable by the modern/current security solutions.

Actions on Objectives (Exfiltration)

This is your exfiltration (or exfil) step, where the adversary tries to gather all the goodies they just stole, so, user credentials, messing with the backups and/or shadow copies, corrupt/delete/overwrite/exfiltrate data. They can also escalate to domain admin, for the keys to the kingdom, or move laterally through the organization. They could also try to find vulnerabilities of your software internally, and much more.

This step depends on their specific goals/objectives, and is where all the action will happen, thus actions on objectives.

Conclusion

I hope I’ve managed to give a brief overview of this incredibly important concept. I will cover it a bit more in the future, but for now, I felt like this was a good (traditional) start. I do hope to cover the Unified Kill Chain soon, though. So – stay tuned!

Ps: you’ll notice there are a couple of other frameworks/variations aside from the Cyber Kill Chain, and I will try to explain the distinctions. Just remember these are models/methodologies and there’s no silver bullet. They should be used in conjunction with other security controls.

Image source – https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Cover image by Linus Sandvide

#kill-chain #cyber #C2 #threat-modelling

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Data Loss in Healthcare

As one of the most sensitive pieces of personal information, patient health data needs to be protected from data incidents or breaches. When the majority of the data is spread among multiple applications and devices though, then keeping the data safe from threats can be quite challenging. 

There are a few best practices that companies from the healthcare sector can use to boost their data security (and patient trust) straight away, though – you’ll learn about those in this article. 

How technology has changed the healthcare sector

The healthcare industry has benefited from technology in many ways. Thanks to digitized medical records stored on the cloud, doctors don’t have to spend as much time creating, updating, and managing paper records. Wearable devices and digital health apps help doctors monitor patients with long-term illnesses. There are even AI-powered applications that can record patient-doctor conversations and turn them into complete notes, saving doctors plenty of time. 

All those applications also generate enormous amounts of data every day – and this is both a blessing and a curse for the healthcare sector. A blessing because the data coming from the applications can give healthcare professionalists much more information about a patient than an interview would. That way, they can make better decisions about how to treat them and provide better patient care overall.

The amount of data being generated every single day makes it increasingly difficult to keep track of which sensitive healthcare information is stored where and who can access it though. Add to these hectic work days, a well-known dislike for paperwork among medical staff, and (unfortunately far too often) a lack of cybersecurity training, and you can see why healthcare is among the industries that experience the most data incidents. Unfortunately, Healthcare attacks are also becoming more common. This is due both to the value medical records have to criminals and that many healthcare facilities still use outdated equipment – making obtaining the records much easier for criminals.

What is the average cost of data loss/breach in Healthcare?

Healthcare has the highest average cost of data breaches at $10.10M per incident.

What’s even more worrying is that the cost of healthcare data breaches is rapidly growing. According to an IBM Security breach report, the average cost of such incident in the healthcare sector has gone up 42% since 2020 – and keeps on growing. 

The cost is so high for several reasons. The first is related to the type, and amount of data healthcare providers collect and store in their systems. In every patient’s file, there usually is: 

  • Patient’s full name and address
  • Email addresses
  • ID number
  • Billing information
  • Social security numbers
  • Medical history, together with drug prescriptions, etc.

For criminals, one such medical record is worth even 50 times more than a credit card number as they can build an entirely fake persona from the information available in the healthcare records. Then they use the new persona to purchase medical equipment on the victim’s health insurance, take loans under the patient’s name, abuse the victim’s health plan or fill insurance claims. Plus, as health records (compared to, for example, credit cards) can’t be canceled, blocked, or changed after a data compromise is noticed, healthcare companies have a much harder time containing it and minimizing the damage.

As a result, it’s estimated that now 95% of identity theft comes from stolen healthcare records – which means any data incident might pose a serious risk to the patient’s safety.

Another thing that makes healthcare data incidents so costly is how much time they take to solve them. In their 2022 report, IBM security found that the average healthcare data breach lifecycle is 329 days. 

Considering how little time healthcare professionals have during the day and how easily files (including sensitive healthcare ones) can be copied or shared without anyone noticing, it can take a long time for a clinic or hospital to discover a data incident. 

Unfortunately, when they find out about it, it’s often far too late. Their patients’ data (from social security numbers and credit card numbers to health history) has already been leaked to the darknet, and the company has now to deal with reputational damage, financial losses – and also legal consequences. 

Healthcare data breaches and legal consequences

Healthcare data breaches are so costly also because of the number of laws and regulations the industry has to adhere to these days – and the penalties for violating those are pretty hefty as well. 

The largest HIPAA violation penalty up to date, $16 million, was paid by Anthem Inc. in 2018 after a 2014 cyber attack caused a healthcare data breach spanning 78.8 million records. In addition, Anthem also had to pay $115 million to settle the lawsuits filed on behalf of the incident victims and $48 million as penalty fines. 

The second largest breach with the highest penalty was imposed on health insurance company Premera Blue Cross in 2020. The company was fined for neglecting several HIPAA requirements and causing a data incident in which hackers obtained the protected health information of 10,466,692 individuals. The company then agreed to pay a financial penalty of $6,850,000 to resolve the case and adopted a corrective action plan to address all areas of non-compliance. 

Besides that, Premera Blue Cross settled a multi-state action for $10 million and a class action lawsuit filed on behalf of victims for $74 million.

Health, genetic and biometric data are also considered special categories of data under the General Data Protection Regulation (GDPR). That’s why healthcare companies are expected to follow stricter guidelines when collecting, processing, and storing health information – otherwise, fines can be pretty steep as well.

On 23rd February 2021, the health data of nearly 500,000 people was released on the internet following a massive data breach at the DEDALUS BIOLOGIE company. The exposed data included names, Social Security numbers, the name of the patient’s primary doctor, examination dates, as well as confidential health information related to HIV, cancers, genetic diseases, pregnancies, and drug therapy. The company was then fined 1.5 million euro by the French data protection authority (CNIL) for violating GDPR articles 28, 29, and 32 requirements and causing the breach to happen. However, the investigation is still ongoing, so the final amount the company will have to pay for the violations could be much higher.

It is also becoming more common for people to file lawsuits after a breach of their data. For example, Baker Hostetler law firm analyzed more than 1,200 data security incidents from 2021 that their company helped clients manage and found that 23% of those incidents involved healthcare breaches.

That means that in case of a serious data breach, healthcare facilities may find themselves not only facing data privacy law enforcement but also private lawsuits from individuals affected by the incident. Then, companies could end up having to pay lawsuit settlements, compensation and also reimburse the breach victims out-of-pocket costs connected to the incident – which will significantly increase the costs of the breach.

How to protect patient records from loss or breach?

While enhancing the data security at the health center facility will likely take some time and effort, it will help you in the long run as it will make it easier for you to avoid data incidents or compliance violations. This way, you can both assure your patients and business partners that their data is safe with you, as well as prevent very expensive financial repercussions from healthcare data breaches.

Where should you start, though? 

Here are some things you can do to tighten up your health systems:

  • Run a security risk assessment

Both GDPR and HIPAA require healthcare providers to run an annual security risk assessment to identify potential security vulnerabilities and data threats in their networks. While those usually take some time, they are incredibly important for healthcare companies as they can give them enough information about where the patient’s data might be compromised and how you should address the vulnerabilities. 

In this way, you’ll be able to fix any vulnerabilities or issues in your network that could lead to breach or loss incidents in the future, saving you time (and money).

  • Educate your staff on best cybersecurity practices

Without cybersecurity training, your employees might not be aware of your company’s security policies or cyber risks, leading them to take risky actions – such as sending a patient’s file through social media messenger. And yet nearly a third of healthcare employees (32%) said they had never received cybersecurity training from their workplace! Lack of awareness of the breach consequences might also cause the employees to skip security procedures just to get a task done faster. This can quickly lead to healthcare data breaches though – in fact, human error accounted for 33% of healthcare breaches in 2020 alone.

To lower the number of incidents, make sure your employees know how they should work with sensitive data and what are the consequences of neglecting the procedures. Handing them an incident response plan with guidelines on how to respond when they notice a healthcare data breach would also be very helpful when it comes to preventing and dealing with data threats.

  • Limit access to health records

With hundreds of people and devices within a healthcare organization, it’s vital that you keep a close eye on who can open, edit and share patients’ health records to prevent data theft. The access permissions for the most sensitive healthcare files should be set up so that only healthcare specialists who need the specific medical records can access and edit them. 

The fewer people that have access to the health records, the less likely it is that the data might be compromised – or leaked outside.

  • Limit the use of personal devices

Healthcare professionals may find it convenient to use their personal devices for work, but these devices are usually not as secure as those they have at the clinic or hospital. Having clear policies that outline how employees can access your network/applications when using personal devices and how they should handle incidents are essential if you want to allow employees to bring and use their own devices for work. It is also a good idea to keep a close eye on what devices are added to your network and to restrict or block access to sensitive files for those you don’t recognize.

  • Keep a data audit log

Keeping data logs is an essential part of HIPAA compliance, as through those, you can quickly detect any policy violations and respond to those straight away. In addition, when an incident occurs, an audit trail will also help forensic specialists pinpoint the place where the incident started, determine the cause and suggest the best way to prevent similar issues from happening. 

Manually tracking and saving the audit log would be time-consuming and complicated though. Fortunately, here you can rely on applications such as Safetica that will create and update the audit logs for you. Then, when you’ll be dealing with a data incident, you will only have to check the data logs, and you will know where and how it started – rather than having to search the entire network.

  • Restrict what actions can be taken when working with sensitive data

In addition to monitoring which employees have access to sensitive files, it is recommended to restrict what can be done with those files to prevent unauthorized disclosures. For example, limiting or blocking sensitive file web uploads, screenshotting, copying to external drives, adding the files as mail attachments, or printing can go a long way in lowering the risk of incidents happening.  Data endpoints monitored and secured will also greatly reduce the chances of data thieves stealing confidential data as they will have far fewer options to copy or share the data without getting caught.

  • Encrypt data

Encryption is one of the most effective methods of protecting sensitive information. Even if someone unauthorized gains access to sensitive files such as patients’ medical records, the information inside the files would be unreadable to them and so they won’t be able to use the files in any way. For additional security, you can also add more encryption layers so that more than one encryption key is required to enter a system or combine the encryption with multi-factor authentication.

  • Destroy sensitive information properly

HIPAA also has stringent regulations regarding how you should destroy files and devices with patients’ data or other sensitive information to make sure no unauthorized person can use it. Failing to properly destroy the data you no longer need can cause the data to be exposed, and then you might be fined for non-compliance. 

In fact, some of the largest fines for HIPAA violations have been for failing to comply with the medical records destruction rules. For example, New England Dermatology and Laser Center had to pay $300,640 to settle an investigation into the improper destruction of medical records. 

It is recommended to hire HIPAA-compliant data destruction services for disposing of the sensitive data and the devices the data was on to ensure that they were destroyed properly and that the information can’t be recovered.

  • Backup data regularly and store it in a secure location

Whether your healthcare system crashed or your employee accidentally overwrote patient records, losing access to sensitive data can force you to spend more time restoring the files rather than taking care of your patients. Additionally, if you have to reschedule patients’ appointments or procedures because of a data incident, you risk losing their trust that their data is safe with you.

That’s why HIPAA’s final rule requires that electronically protected health information (ePHI) be backed up regularly and stored securely offsite. Ideally, you should have three backups of the data stored in different locations, as that way, you significantly reduce the chances of losing all of your data.

It’s also recommended that the backups be done daily or at least once weekly. If you don’t have time to do it yourself though, it will be a good idea to schedule automatic backups at set intervals – for example, every day at midnight. Additionally, you should make sure that only people who will need the copies for their work have access to the copies – and also that all copies are encrypted.

How can Safetica help you protect the data?

Meeting compliance and data security requirements while also giving patients the best care possible is definitely not an easy task – especially if most of the tasks related to securing the data are done manually. Safetica can take over the data security and compliance tasks to give your healthcare professionals more time to take care of your patients.  

After you set your own data privacy policies and requirements inside the platform, Safetica will monitor your entire healthcare data within and (most importantly these days) outside of the work environment, 24/7. 

What else can Safetica do for you:

  • Automatically discover, classify and secure sensitive files.
  • Analyze your environment to find out places where there’s a risk of data breach or non-compliance.
  • Ensure that all employees are following internal security policies and are meeting HIPAA/GDPR compliance requirements.
  • Respond to any suspicious activity in the manner you specified earlier (for example, it can show a warning to an employee when they are working with sensitive data).
  • Monitor all external or remote devices for potential data incidents or breaches and report all new devices added to the network. 
  • Automatically create data activity logs for audits. 

You can learn more about how Safetica can protect the data in your healthcare facility by reading our dedicated whitepaper

Conclusion

Hospitals, clinics, and healthcare providers are responsible for safeguarding patient data and critical healthcare information, as the consequences of those falling into the wrong hands can be disastrous. The average cost of a data breach is also growing – so that makes preventing various types of breaches and incidents more critical than ever.

By educating the hospital staff members and healthcare personnel, restricting access to patient data, and encrypting the data though, the number of incidents and the damage they can cause can be visibly reduced though. 

Safetica can also make keeping patient data secure easier by monitoring healthcare data and protecting it from threats. Once you combine best security practices with Safetica, you can rest assured that every piece of data within your organization’s system is safe and secure.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Safetica
Safetica is to provide small and mid-sized companies with the same quality data protection that corporations have – affordably, and without any additional IT administration or disruptions in operation.

Zero Trust Guidance Rewrites US Cyber Strategy

“Our adversaries our in our networks, exfiltrating our data, and exploiting the Department’s users.”

So reads the humbling introduction to zero trust guidance recently released by the Department of Defense (DoD). It acknowledges in the very first line that cybersecurity has failed on almost every front. Then it makes a complete commitment to zero trust as the solution.

Many were waiting on this guidance and wondering what, exactly, it would entail. It comes following an order from the Biden administration 18 months ago to strengthen America’s cybersecurity in a big way. Many changes and long-overdue improvements have come out of that order. But by far the most significant is a commitment on the part of all federal agencies to adopt a complete zero-trust posture by 2027.

We now have a road map for how the government plans to get there. I will cover that shortly. Before that, let me highlight a few reasons I think the latest guidance (and the strategy that prompted it) are worth paying attention to.

First, that strategy will form the backbone of U.S. cybersecurity, which in turn will play a critical role – or may even be the cornerstone – of continued national security. Cyber attacks will be the most accessible, most common, and most devastating kinds of attacks in the future, so how countries defend themselves against this massive risk really matters. I have been writing about national cyber defenses from a few lenses recently. What makes the US approach unique, from my perspective, is the insistence on not just applying a cyber strategy consistently across all agencies but focusing it so specifically on zero trust. Some will call it practical, even mandatory, to make zero trust the guiding principle of cybersecurity in a decentralized world. Others, however, might view it as putting too many eggs in one basket. Time will tell.

Which brings me to my second observation, which is that the US government is embarking on the biggest experiment in zero trust ever undertaken. Keep in mind that the phrase “zero trust” has barely existed for more than a decade, and few large-scale, trust-free environments are actually up and running. Despite widespread zero trust adoption across the private sector, the government is by far the biggest trailblazer on this front, and the road ahead will be illustrative for all. What will it take to eliminate trust from the whole of the federal government? And once 2027 arrives, how secure will the government really be? This test case could cement zero trust as the centerpiece of cybersecurity moving forward – or it could reveal zero trust to be just the latest flawed fad. I suspect the answer will land somewhere in the middle. But unpredictability is the dominant feature of cybersecurity, so who knows what will happen? It will be important no matter what.

The Next Five Years in Zero Trust

A 2027 deadline to standardize zero trust across all federal agencies creates a lot of work to finish in a short five years. To its credit, the DoD seems to be fully aware of that fact because the roadmap is systematic and comprehensive to an extreme degree. Since there are so many different agencies with so many levels of cyber maturity – along with existing zero trust deployments – the guidance aims (and largely succeeds) at being accessible and universal. Which is a bonus for the private sector because companies can then easily adopt the government’s zero trust strategy as their own.

The roadmap has four distinct goals:

  • Zero Trust Cultural Adoption – Everyone in the DoD understands and commits to zero trust principles (trust nothing, verify everything, encrypt automatically, segment risks etc).

  • DoD Information Systems Secured & Defended – All new and legacy systems follow the DoD zero trust framework and put prescribed capabilities in place. Further guidance on this is forthcoming.

  • Technology Acceleration – The DoD and its vendors get faster at scaling, innovating, or replacing new technologies as new threats and new tools emerge in the coming years.

  • Zero Trust Enablement – The zero trust framework has the resources and support it needs to remain a robust and consistent effort.


Each of the goals has multiple objectives considered imperative for achieving the desired outcome. Overall, the DoD identifies 45 capabilities and 152 total activities required for framework compliance. I would encourage anyone to peruse the framework – it’s heavy on jargon but also a valuable visualization of how the disparate components of zero trust fit together to form a cohesive security strategy. It’s not just MFA and encryption (though the framework calls for both of those things). Perhaps more important to realize, it’s not just about security or IT either – it’s a whole new way for information to move.


As such, what the DoD has set out to do (and the timeline they have committed to) is fairly remarkable. Whether it will succeed is debatable. Whether it’s interesting, important, and impactful for everyone in America isn’t. It will be a fascinating five years.




About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Zero Trust: What Is It and How to Implement

Zero Trust and Data Security in Companies 
Due to the surge of ransomware attacks, the increased risks for data loss, and the continuous adverse effects cybercrime poses, many organizations have adopted the zero-trust principle to harden the security of their systems, thereby increasing their cyber resiliency.

Cyberattacks have become so ubiquitous that the Biden White House issued a statement urging American business leaders to strengthen their organization’s cybersecurity measures.

As it stands, GlobeNewswire reported that zero trust security is expected to reach a market value of $29 million USD by the end of 2022 and increase to US $118.7 billion by 2032. This significant growth in the coming decade comes from the value zero trust brings companies.

 

The simple fact is that business leaders are following its principles, like consistent monitoring and validation, because these principles help prevent data breaches and mitigate data loss.

This post will dive into what the zero principle is, as well as its capacity to tighten workplace data and security, effectively ushering in what Microsoft calls:

A new security model that more effectively adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps, and data wherever they’re located.

What are the cybercrime trends that zero trust can help curb?

One trend that’s risen in recent years is ransomware. Ransomware cripples businesses by locking their computer systems until a sum of money is paid. These attacks are expected to have a price tag of $265 billion USD annually by 2031, according to Cybersecurity Ventures.

With how easy it has become for ransomware gangs to deploy ransomware on a multinational scale, businesses need to deploy enhanced cybersecurity solutions to lessen system vulnerabilities, because “when it comes to ransomware attacks, it’s a matter of when, not if.” Read more from the Keepit blog article on how to prepare for ransomware.

It should come as no surprise that ransomware attacks can result in operational downtime. A Statista report stated that the average length of interruption after ransomware attacks is 20 days.

 

Even minor disruptions can decrease employee productivity, impede communications with clients—among other issues such as the significant fines Marriott faced—and impact business continuity. One might struggle to fully comprehend the serious implications that 20 days of downtime would have for businesses.

Zero trust, in a nutshell, is guided by the principle of ‘never trust, always verify.’

Why Zero Trust?

Zero trust, in a nutshell, is guided by the principle of “never trust, always verify.” It’s a modern security architecture which assumes that internal and external threats exist on the network at all times due to the pervasiveness of cybercrime. And as such, it requires all network users to undergo verification and validation processes before they can access the network resources.

Is zero trust really needed?

Generally, employees within a company access multiple networks simultaneously. There are many, many data exchanges between multiple user devices, across potentially numerous networks – of course, depending on the complexity of a company’s IT infrastructure.

 

This architecture boosts productivity through increased collaboration. However, this can come with a hidden risk when not following the zero-trust security model.

Zero trust use cases

What might that risk look like? Let’s suppose that one employee working on a single device is validated as “trusted.” But that device has become infected with malware by the user opening a dangerous email. (Learn how to identify a dangerous email.)

Since this user’s device was previously validated and is now assumed harmless, it still has access to all the users and networks as before being infected without having to provide or verify any credentials.

The result is unrestricted access to spread malware from this “trusted” device to other users within the network and to other devices within overlapping networks, allowing the malicious actor to expand their reach and damage, gaining access to more and more of a company’s business-critical data.

This example is the main reason zero trust architecture rejects assuming any device is safe. Rather, the system reduces risks through continuous authentication, thereby enhancing protection for your company’s network system by always verifying and authenticating. According to TechTarget:

This protects your organization in ways other models can’t. It stops malware from entering your network; gives remote workers more protection without affecting productivity; simplifies management of security operations centers with enhanced automation; and extends visibility into potential threats to improve proactive remediation and response.

TechTarget

How to Adopt Zero Trust  

According to a Microsoft zero trust business plan, “digital transformation forces re-examination of traditional security models.” And as such, there are many companies offering guidance. Microsoft alone has helped aid zero trust deployments in thousands of organizations with insightful (and practical) guides on how to adopt a zero-trust business plan.

Global cybersecurity leader Palo Alto Networks shares that there are three crucial steps you need to follow to deploy zero trust architecture in your business:

  1. Define your protected surface: Zero trust architecture can be costly and complicated. As such, identify your protected surface—including components like company applications and assets— rather than focusing on a large network area.

    If your business utilizes Microsoft 365, then you’ll know that documents, email, SharePoint data, and Teams chat must be secured against cyberattacks. Attackers can breach an account with access to the data or hijack your system admin, making it imperative to find a SaaS data backup solution that can maintain multiple backup copies with the needed granularity of data and metadata.

  2. Map your data flow: Plan your business’ flow of instructions and data as this will provide you with information on overlapping networks.

    For instance, where and in which formats is the data stored? If your employees utilize digital, desktop, mobile, or cloud, identify them so you can see how data is moved and shared.

  3. Design your architecture: Essentially, the network architecture should prevent unauthorized access to individuals who aren’t part of your company.

    This is especially relevant if you want to encrypt data before it moves to cloud storage devices. If you want to back up your company’s Microsoft 365 data, for instance, we offer blockchain-based encryption technology that guarantees your backups will remain immutable to ransomware threats and data loss. At Keepit, we also offer comprehensive coverage for M365 applications such as SharePoint, OneDrive, Groups and Teams, and Exchange Online.

Of course, implementation isn’t as simple as one, two, three: It involves a massive undertaking and a focused effort to implement and maintain. There are many, many other variables and considerations.

 

For instance, you can also adopt multi-factor authentication (MFA) and ensure use of updated devices.

  • MFA is especially relevant for companies who have stored their digital information on cloud computing systems. With MFA, you can prevent unauthorized users from accessing your organization’s resources.
  •  Similarly, encourage your workforce to update their devices with the latest firmware as this typically offers security patches for known vulnerabilities.

Continuously monitor your network and device attributes. Adopting zero trust architecture can prove futile if your workers do not audit and maintain a log for monitoring network traffic.

Do I still need to get backup for my SaaS data?

Ultimately, zero trust makes it much more difficult for external threats to gain access to an organization’s business-critical data – but not impossible. It also does not protect you against internal threats nor from human errors such as accidental overwrites and accidental deletions.

Data protection best practices tell us to always have a backup. That is a fundamental responsibility for you, the data creator and customer of a SaaS service like Microsoft 365, due to the well-documented yet often misunderstood shared responsibility model.  Securing an independent backup is still the best way to ensure 24/7 availability to your data.

With the offerings from specialized third-party backup and data management providers, peace of mind can be had quickly and from a cost-effective service. This is why Keepit was created: Your data, here today, here tomorrow.

Want backup now?

Learn more about Keepit’s SaaS data backup service offerings here.

If you’d like to explore more about backing up a particular SaaS workload like Microsoft 365, find the relevant Keepit blog posts below, as Keepit offers a suite of cloud SaaS data protection services:

  • Read our blog about why you need to back up M365
  • If you’re using Salesforce, read that blog article here
  • Why back up Active Directory (Azure) here
  • And for Google Workspace
  • Finally, read why to back up Zendesk here

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×