
Assuming responsibility for data protection in the cloud

Given the responsibility to ensure data protection in the cloud, how can organisations encrypt, share and manage data securely?

Author: John Michael, CEO iStorage

The Liability Clause

A recent study reveals that, alarmingly, only 32% of organisations believe that protecting data in the cloud is their own responsibility. The terms and conditions of major cloud providers include a “Limitations of Liability” clause that places responsibility for data security on the cloud user. For example, AWS states that it accepts no liability in the case of “any unauthorised access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of the user’s content or other data.”

Those responsible for cloud infrastructure in an organisation generally understand the risks involved in storing data in the cloud. However, every user of the cloud needs to understand how serious the responsibility to protect that data is.

Attackers devise ever more sophisticated methods to target unsuspecting and vulnerable users, which is why human error features in so many data leakage incidents.

Who guards the encryption key?

It has often been said that data is the new oil. Data can provide valuable insights that drive key business decisions, political campaigns and marketing initiatives. Just as the oil industry has security measures in place to protect against terrorism and maritime piracy, organisations need to establish security measures to ensure the protection of their data. One vital step is encryption.

More than half (51%) of organisations fail to use encryption to protect sensitive data in the cloud. Arguably, most cloud providers will encrypt their customers’ data. However, the encryption key is stored in the cloud and is thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about. Interestingly, Apple was recently pressured by the FBI into abandoning its plans to fully encrypt iCloud backups, because full encryption would have left the FBI without a backdoor. Recall the liability clause? Full encryption of data cannot depend on the cloud provider.

To be a truly secure solution, the user needs full and secure control of the encryption key that is stored away from the data. This will protect the data even if the cloud account is hacked.

How can you back up your data securely?

Everyone has at some point lost data, whether through a stolen phone, a lost USB flash drive or a computer crash.

How to secure data in the cloud

If the data is stored in the cloud, control of the encryption key is important.

Although most cloud service providers will encrypt their customers’ data, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about.

Moreover, if a hacker obtains the user’s credentials, the breach will go unnoticed by the cloud service provider, which cannot distinguish a legitimate user from an attacker.

By encrypting the data yourself, you have full and secure control of the encrypted encryption key, which will ensure the data is kept confidential even if the cloud account is hacked.

Keeping the encryption key away from the cloud raises the number of authentication factors from just one, the cloud account login, to as many as five.

Backing up data in the most secure way possible

In the worst-case scenario of a lost or stolen USB flash drive, hard drive or solid-state drive, an encrypted, PIN-protected USB or HDD/SSD drive removes the risk of your data being compromised.

Additionally, backing up valuable data onto an encrypted, PIN-authenticated drive can save you the trouble of losing access to important information during a ransomware attack, allowing you to restore your data quickly so that you’re back up and running.

If the drives are only accessible by entering a unique 7-15-digit PIN, unauthorised access to the data stored on the drive is prevented. With brute force limitation, if the PIN is entered incorrectly a designated number of times, all data previously stored on the drive is deleted and the drive is reset to factory default settings.

When power to the USB port is turned off, or if the drive is unplugged from the host device or after a predetermined period of inactivity, the drive should automatically lock to prevent unauthorised access.

Using a drive that can also be configured as read-only (write-protected) will ensure the data is not modified.

Data is becoming increasingly valuable. Businesses and individuals alike should take the utmost precautions to protect their data.

Backing up data to the cloud or to an encrypted, PIN-protected USB or HDD/SSD drive will protect your data from being accessed or viewed by unauthorised persons and will ensure your data isn’t lost forever.

Can the healthcare sector find treatment for data privacy?

The healthcare sector has experienced great technological advancement over the years. Remember pagers? We’ve certainly come a long way. Clinical applications used today, such as electronic health records (EHR), mobile health (mHealth), computerised physician order entry (CPOE) and self-service applications, contribute to a more efficient medical workforce. However, as with any digital transformation project, increased security risks can be expected, especially given the growing volume of sensitive data collected.

Healthcare institutions collect a vast amount of data, including patient records, health card numbers and radiologic images. With the exponential growth of data, many are turning to the cloud for storage solutions. This, in turn, only amplifies data protection concerns.

Whether in adherence to HIPAA, CCPA, DPA or GDPR, healthcare institutions are responsible for protecting and securely storing protected health information (PHI). PHI must be protected in transit and at rest. This can be challenging for large healthcare institutions when sharing data with remote employees, with other departments or with other institutions. Many lack centralised management of systems and data, losing out on full visibility and control of that data.

To ensure data privacy, there are five important suggestions to follow: (1) encrypt data in transit and at rest; (2) control the encryption key; (3) share encrypted data securely; (4) back up sensitive information; (5) have a centralised management system that will help you closely monitor and remotely manage data.

1. Give PHI data the encryption pill

Encrypting data is a requirement of compliance standards, including HIPAA. Organisations are under constant attack. Regardless of whether the attack makes headlines or not, the data should be protected. To ensure data privacy when faced with common threats, such as DDoS and malware attacks, data must be encrypted before it is sent to the cloud, in transit and at rest.

For ultra-secure encryption, that data should preferably be encrypted with a randomly generated, FIPS-certified AES 256-bit encrypted encryption key. Confidential information stored on a local computer or drive, sent via email or a file sharing service, or shared in the cloud should be securely encrypted.

2. Don’t let PHI data spread like a virus – control the encryption key

If the data is stored in the cloud, control of the encryption key is important. Granted, most cloud service providers (CSPs) will encrypt their customers’ data and some even offer a key management system service, which allows customers to manage their encryption keys. However, the encryption key is stored in the cloud and is thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about.

In fact, the US Department of Health and Human Services launched an inquiry into Google’s partnership with non-profit healthcare organisation Ascension. Reportedly, 150 Google employees can access the healthcare data on tens of millions of patients, including patient names and dates of birth, diagnoses, patient health and hospitalisation records.

The user needs full and secure control of the encryption key in order to ensure the data is kept confidential even if the cloud account is hacked. Having your own key management system will not only give you more control of encryption keys but is also more convenient for those using a multi-cloud solution.

Security measures must go beyond the cloud login credentials. If a hacker obtains the user’s credentials, the breach will go unnoticed by the CSP, which cannot distinguish a legitimate user from an attacker. Keeping the encryption key away from the cloud, encrypted itself within an ultra-secure Common Criteria EAL4+ microprocessor and protected by a PIN code, raises the number of authentication factors from just one, the cloud account login, to as many as five.
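The “encrypted encryption key” arrangement described in this section (and in “How to secure data in the cloud” above) can be shown concretely. The Go program below is an added example written for this page; it is not iStorage’s code and not how the cloudAshur module works internally. It assumes a key-encryption key (KEK) that exists only on the user’s side (standing in for the key held inside a PIN-authenticated module), a fresh per-object data key, and AES-256-GCM from the Go standard library as the cipher; the authenticated GCM mode is my choice for cloud objects, whereas the page’s drives use AES-XTS. The sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CloudObject is the whole of what gets uploaded. The provider holds the
// ciphertext and the wrapped data key but never the key-encryption key (KEK)
// that unwraps it, so neither a hijacked account nor an insider can read it.
type CloudObject struct {
	WrappedDEK []byte // per-object data key sealed under the KEK: nonce || ciphertext || tag
	Ciphertext []byte // the data sealed under the data key: nonce || ciphertext || tag
}

// NewKEK models the key that stays on the user's side only. On the page this
// key lives inside a PIN-authenticated hardware module; here (an assumption for
// the example) it is a random 256-bit value held in memory and never uploaded.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, kek)
	return kek, err
}

// gcmSeal encrypts and authenticates plaintext with AES-256-GCM, binding the
// label as associated data so a wrapped key cannot be passed off as data.
func gcmSeal(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, []byte(label))...), nil
}

// gcmOpen reverses gcmSeal and fails on a wrong key, wrong label or any tampering.
func gcmOpen(key, sealed []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(label))
}

// EncryptForCloud generates a fresh data key for this object, seals the data
// with it, then wraps the data key under the user's KEK. Everything returned
// is safe to upload.
func EncryptForCloud(kek, plaintext []byte) (CloudObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return CloudObject{}, err
	}
	ct, err := gcmSeal(dek, plaintext, "data")
	if err != nil {
		return CloudObject{}, err
	}
	wrapped, err := gcmSeal(kek, dek, "dek")
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud unwraps the data key with the KEK and then opens the data.
// Without the KEK the first step fails, which is the whole point.
func DecryptFromCloud(kek []byte, obj CloudObject) ([]byte, error) {
	dek, err := gcmOpen(kek, obj.WrappedDEK, "dek")
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dek, obj.Ciphertext, "data")
}

func main() {
	kek, _ := NewKEK()
	obj, _ := EncryptForCloud(kek, []byte("constructed sample: patient record 42"))
	pt, _ := DecryptFromCloud(kek, obj)
	fmt.Printf("owner decrypts: %q\n", pt)
	stolenAccount, _ := NewKEK() // an attacker holds the account contents but a different KEK
	_, err := DecryptFromCloud(stolenAccount, obj)
	fmt.Println("without the owner's KEK:", err)
}
```

Whoever holds the KEK holds the data, which is why the text insists that copies of it go only to authorised colleagues and that it be stored in a PIN-protected device rather than alongside the ciphertext; a compromised cloud account yields only the sealed blobs.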

3. Sharing is caring, but only if the data is secure

The more people the data is shared with, the greater the challenge of ensuring data privacy. In 2019, over 60% of personal data breaches reported to the Information Commissioner’s Office (ICO) were the result of human error – healthcare being the most affected sector – with a fifth of those incidents caused by posting or faxing data to the incorrect recipient and 18% by emails sent to the wrong inbox. In fact, a concerning 59% of US healthcare IT professionals cite email as the most common point of compromise.

Storing PHI data in one place, accessed only by authorised users who have a copy of the encrypted encryption key at hand, allows for efficient working whilst ensuring data security.

Sharing encrypted data securely allows for instant collaboration in the cloud, saving the days it would take to post encrypted USB flash drives to and from colleagues. This is a far better alternative than the archaic use of fax machines, which the NHS only discontinued in March 2020. The NHS has agreed to increased investment in its IT department, especially following the infamous WannaCry ransomware attack.

4. Failing to back up data will make you WannaCry

5. Centralised management – saving hands for data privacy

Controlling access to data is challenging when there is a high volume of data that is widely shared. For example, Canada-based genetic testing company LifeLabs reported it discovered unauthorised access to its systems, containing the data of 15 million patients, including contact details, lab results and health card numbers. The lawsuit claims the company failed to implement “adequate security measures”, including failing to encrypt their data.

Another worrying example is that of a dismissed hospital administrator who hacked his NHS trust and stole 14 files relating to his sacking, 600 staff-related documents, 150 documents discussing management matters and almost 9,000 patient heart scan images.

These incidents highlight the need for a centralised management of data. Having one IT manager responsible for each department and a superior IT manager overseeing the whole organisation will help organisations monitor and manage large amounts of sensitive data in an organised fashion.

IT managers need full visibility and control of all member access to data within the organisation. Administrator capabilities – such as temporarily disabling or resetting encryption modules (which store the encrypted encryption key used to access data stored in the cloud), restricting file types, encrypting file names, viewing users’ log files, displaying users’ locations, as well as geo-fencing and time-fencing – will all contribute to efficient oversight of data.

Healthcare institutions must assume responsibility for data privacy. Encrypting PHI data is the first step in doing so. When organisations encrypt their data themselves, they have control of the encrypted encryption key and increase security measures when storing data in the cloud. Sharing that encrypted encryption key with authorised colleagues, backing up data to PIN-protected drives and having full visibility and control of users and devices will ensure data confidentiality when information is shared, if the cloud is hacked or if a drive is lost.

Taking control of sensitive information to ensure its privacy will help healthcare institutions avoid hefty data breach fines, preserve their reputation and, most important of all, earn patient and customer trust.

A Guide to HIPAA Compliance

How iStorage can help

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for patient data protection. HIPAA applies primarily to covered entities (treatment, payment and operations providers in healthcare). It is also applicable to business associates – a person or business that provides a service, function or activity for a covered entity that involves the business associate having access to protected health information (PHI) maintained by the covered entity. Business associates can include lawyers, accountants or cloud service providers (CSPs), as long as they are involved in creating, receiving, maintaining or transmitting PHI.

Compliance is easier said than done. Healthcare institutions collect a vast and ever-growing amount of data, including patient records, health card numbers and radiologic images. Protecting all this data can be challenging for large healthcare institutions when sharing data with remote employees, with other departments or with other organisations. Many lack a centralised management of systems and data, losing out on full visibility and control of data. As a result, healthcare organisations suffer the looming threat of non-compliance. Common HIPAA breaches include unauthorised disclosures and misuse of patient records, disclosing to third parties more than the minimum necessary PHI and lack of administrative or technological safeguards for PHI.

To ensure adherence to the various HIPAA rules and safeguards, health organisations must have appropriate physical, network and security measures in place to protect PHI at rest and in transit and prevent and detect unauthorised access to PHI. At iStorage, we have designed and developed our products and solutions to assist our clients in the healthcare sector meet industry regulatory standards.

The importance of encryption

To understand the importance of encryption, it is essential to first understand the value of PHI. Unlike credit card information or social security numbers, PHI, which is made up of one’s personal health history, cannot be changed. As a result, PHI sells for as much as US$363 on the black market, compared to credit card information and PII, which sell for US$1-$2. It is not surprising, then, that there was a whopping 80 per cent increase in the number of people affected by health data breaches from 2017 to 2019. In fact, IBM’s Data Breach Report found that healthcare is the most expensive industry for a data breach, at USD 6.45 million.

Data encryption renders stored and transmitted data unreadable and unusable in the event of theft. Therefore, if a hacker obtains encrypted PHI, it will be of no use. Furthermore, if an encrypted device, such as a USB flash drive or hard disk drive, is lost or stolen, it will not result in a HIPAA breach for the exposure of patient data. HIPAA’s Technical Safeguards require PHI to be encrypted to NIST standards, which call for the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. All iStorage devices, which include the USB flash drive range, the HDD/SSD range and the cloudAshur encryption module, have an on-device crypto-chip offering real-time AES-XTS 256-bit hardware encryption with a FIPS PUB 197 validated encryption algorithm.

For ultimate security, going above and beyond HIPAA requirements, the datAshur PRO² and the diskAshur PRO² range, as well as the cloudAshur encryption module, are the only drives to feature a Common Criteria EAL4+ ready secure microprocessor, which employs built-in physical protection mechanisms, designed to thwart an array of cyber-attacks, such as side-channel attacks.

Backing up valuable data onto a PIN-authenticated, encrypted hard-disk drive can save healthcare service providers the trouble of losing access to important information during a ransomware attack and can also be a means to archive medical records in an encrypted format for at least six years, in accordance with HIPAA.

Another HIPAA Technical Safeguard is employing network or transmission security that ensures HIPAA compliant hosts protect against unauthorised access to PHI. This safeguard addresses all methods of data transmission, including email, internet, or private networks, such as a private cloud. How can this be achieved?

Controlling access to data

Confidential information stored on a local computer or drive, sent via email or file sharing service and shared in the cloud should be securely encrypted. If the device is lost or stolen when employees transport files or work out of the office, the datAshur PRO² and the diskAshur PRO² range allow organisations to avoid the risk of their data being accessed or viewed. The drives are only accessible by entering a unique 7-15-digit PIN, preventing unauthorised access to the data stored on the device.

The brute force limitation feature means the User PIN is deleted if entered incorrectly a designated number of times and the drive can only be accessed by entering the Admin PIN to reset the User PIN. If the Admin PIN is entered incorrectly a certain number of times, the encrypted encryption key is deleted along with all data previously stored in the drive.

When power to the USB port is turned off, if the drive is unplugged from the host device, or after a predetermined period of inactivity, the drive will automatically lock to prevent unauthorised access. The datAshur PRO² can also be configured as a read-only (write-protected) device to ensure the data is not modified without authorisation. The technical safeguards of HIPAA require access control that allows only authorised personnel to access PHI. How can this be upheld when sharing data in the cloud?
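The brute-force limitation, the two-tier User/Admin PIN response, the inactivity auto-lock and the read-only mode described in this section (and in “Backing up data in the most secure way possible” above) together form a small state machine. The Go program below is an added simulation written for this page; it is not iStorage firmware, and the attempt limits, the method names and the split between “delete the User PIN” and “wipe the drive” are taken from the text rather than from any product specification. The PIN comparison is done in constant time, which is how a defender would implement it regardless of device.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"time"
)

var (
	ErrWrongPIN    = errors.New("wrong PIN")
	ErrUserPINGone = errors.New("user PIN deleted; admin must set a new one")
	ErrLocked      = errors.New("drive is locked")
	ErrReadOnly    = errors.New("drive is read-only")
	ErrWiped       = errors.New("drive has been wiped")
	ErrNotAdmin    = errors.New("admin authentication required")
)

// Drive simulates the lockout rules in the text; it is not device firmware.
// The zero value is locked; set the PINs, limits, Timeout and KeyPresent to start.
type Drive struct {
	UserPIN, AdminPIN           []byte
	MaxUserFails, MaxAdminFails int // the "designated number of times" in the text
	userFails, adminFails       int
	userPINDeleted              bool
	unlocked, asAdmin, wiped    bool
	ReadOnly                    bool          // write-protect mode
	Timeout                     time.Duration // inactivity auto-lock
	lastActive                  time.Time
	Data                        []byte // stands in for the encrypted contents
	KeyPresent                  bool   // the encrypted encryption key held on the device
}

// pinOK enforces the 7-15 digit length and compares in constant time.
func pinOK(want, got []byte) bool {
	return len(want) >= 7 && len(want) <= 15 && subtle.ConstantTimeCompare(want, got) == 1
}

// wipe: encryption key and data gone, PINs and counters cleared, factory defaults.
func (d *Drive) wipe() {
	d.KeyPresent, d.Data, d.UserPIN, d.AdminPIN = false, nil, nil, nil
	d.userFails, d.adminFails, d.userPINDeleted = 0, 0, false
	d.unlocked, d.asAdmin, d.wiped = false, false, true
}

// Enter checks a PIN against the User or Admin tier. Exhausting the User tier
// deletes the User PIN but keeps the data; exhausting the Admin tier wipes the drive.
func (d *Drive) Enter(pin string, admin bool, now time.Time) error {
	if d.wiped {
		return ErrWiped
	}
	if !admin && d.userPINDeleted {
		return ErrUserPINGone
	}
	want, fails, limit := d.UserPIN, &d.userFails, d.MaxUserFails
	if admin {
		want, fails, limit = d.AdminPIN, &d.adminFails, d.MaxAdminFails
	}
	if !pinOK(want, []byte(pin)) {
		*fails++
		if *fails < limit {
			return ErrWrongPIN
		}
		if admin {
			d.wipe()
			return ErrWiped
		}
		d.userPINDeleted = true
		return ErrUserPINGone
	}
	*fails, d.unlocked, d.asAdmin, d.lastActive = 0, true, admin, now
	return nil
}

// ResetUserPIN is only possible while unlocked with the Admin PIN.
func (d *Drive) ResetUserPIN(newPIN string) error {
	if !d.unlocked || !d.asAdmin {
		return ErrNotAdmin
	}
	d.UserPIN, d.userPINDeleted, d.userFails = []byte(newPIN), false, 0
	return nil
}

// Lock is what unplugging or a power-down does; Tick is the inactivity timer.
func (d *Drive) Lock() { d.unlocked, d.asAdmin = false, false }

func (d *Drive) Tick(now time.Time) {
	if d.unlocked && now.Sub(d.lastActive) >= d.Timeout {
		d.Lock()
	}
}

// Write succeeds only while unlocked and not in write-protect mode.
func (d *Drive) Write(b []byte, now time.Time) error {
	if !d.unlocked {
		return ErrLocked
	}
	if d.ReadOnly {
		return ErrReadOnly
	}
	d.lastActive, d.Data = now, b
	return nil
}
```

The point of the two tiers is recoverability: a user who forgets their PIN loses only the PIN, and an administrator can restore access, while an attacker who reaches the Admin limit destroys the key and with it every byte on the device.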

HIPAA and the cloud

A common concern when sharing confidential information in the cloud is security and, by extension, liability. Who is liable for data breaches in the public cloud? A CSP is classed as a business associate under HIPAA, even if the PHI shared is encrypted and the decryption key is not provided, meaning the CSP must meet HIPAA compliance obligations. When using the public cloud, covered entities must enter into a business associate agreement (BAA) with the CSP, and a service level agreement (SLA) can be drawn up to address specific responsibilities regarding data protection and security.

In terms of security, the level of encryption used by most cloud service providers meets the minimum standard demanded by HIPAA. However, this does not necessarily mean the CSP is HIPAA compliant. For example, Apple averts culpability, clearly stating in its terms and conditions: “If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

Another important factor to consider is control of the encryption key. Granted, most CSPs will encrypt their customers’ data and some even offer a key management system service, which allows customers to manage their encryption keys. However, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about.

With cloudAshur, each authorised user has a copy of the encrypted encryption key stored physically within the PIN-authenticated cloudAshur encryption module. Using cloudAshur KeyWriter, all critical security parameters, including the randomly generated encryption key and all PINs, are copied between the Master cloudAshur module and as many Secondary cloudAshur modules as required. This allows secure and instant collaboration in the cloud between authorised users, as well as the secure sharing of encrypted files via email and file transfer services.

Multi-factor authentication is also highly recommended as a best practice for HIPAA compliance. Although not mandatory, the HIPAA Journal advises it is “the best way to comply with the HIPAA password requirements.” If a hacker obtains the cloud user’s credentials, the breach will go unnoticed by the CSP, which cannot distinguish a legitimate user from an attacker. The cloudAshur encryption module increases security measures to an unprecedented five-factor authentication, as the encryption key is kept away from the cloud.

What if the CSP is willing to enter a BAA, such as Microsoft? Although Azure or OneDrive can be used in a way that satisfies HIPAA Rules, Microsoft will accept no responsibility for HIPAA violations caused as a result of the misuse of its services. As Microsoft explains, “Your organisation is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.” The same is true with many CSPs. CSPs will not accept liability for misuse of their service/platform or misconfigurations by healthcare employees. It is therefore the responsibility of the covered entity using the service to ensure that HIPAA Rules are followed.

Gaining visibility and control of data

To avoid a HIPAA violation, cloud accounts must be monitored to ensure that PHI is not being accessed by unauthorised individuals. Administrators should remove individuals’ access when their role changes and they no longer need access to PHI, or when they leave the organisation. This level of management can be attained using the cloudAshur Remote Management Console.

Administrator capabilities – such as temporarily disabling or resetting encryption modules (which store the encrypted encryption key used to access data stored in the cloud), restricting file types, encrypting file names, viewing users’ log files, displaying users’ locations, as well as geo-fencing and time-fencing – will all contribute to efficient oversight of data.

Having full visibility of the PHI shared will be useful if a patient requests a copy of their health records, which must be provided within 30 days – a right outlined in the HIPAA Privacy Rule. In the event of a breach, the HIPAA Breach Notification Rule requires breach notifications to include the nature of the PHI involved, the unauthorised person who used the PHI or to whom the disclosure was made (if known), whether the PHI was actually viewed or acquired (if known) and the extent to which the risk of damage has been mitigated. Using the cloudAshur Remote Management Console, admins can view log files revealing when files have been accessed or modified and by whom. This helps meet the HIPAA technical safeguard requiring access control, which includes audit reports or tracking logs that record activity.
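The requirements in this paragraph and the two before it (who accessed which file and when, removing leavers’ access, geo-fencing and time-fencing) can be checked mechanically against an access log. The Go program below is an added example written for this page; it is not the cloudAshur Remote Management Console or its log format. The line format (RFC 3339 timestamp followed by key=value fields), the field names, the policy values and the sample log lines are all constructed for the example; the per-file history it builds is the kind of record a breach notification or a patient’s records request would draw on.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed line of the constructed access log used here. The format
// is an assumption for this example, not any real product's log format.
type Event struct {
	At                          time.Time
	User, File, Action, Country string
}

// Policy holds the controls the text lists: revoked users, a geo-fence of
// allowed countries and a time-fence of allowed hours (UTC, start inclusive,
// end exclusive).
type Policy struct {
	Revoked, Countries map[string]bool
	StartHour, EndHour int
}

type Violation struct {
	Event  Event
	Reason string
}

// ParseEvent rejects malformed lines rather than guessing, so a gap in the
// audit trail is surfaced instead of silently skipped.
func ParseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := Event{At: at}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch k {
		case "user":
			ev.User = v
		case "file":
			ev.File = v
		case "action":
			ev.Action = v
		case "country":
			ev.Country = v
		}
	}
	if ev.User == "" || ev.File == "" {
		return Event{}, fmt.Errorf("missing user or file in %q", line)
	}
	return ev, nil
}

// Check returns every policy rule an event breaks (an event can break several).
func (p Policy) Check(ev Event) []Violation {
	var out []Violation
	if p.Revoked[ev.User] {
		out = append(out, Violation{ev, "access by revoked user"})
	}
	if !p.Countries[ev.Country] {
		out = append(out, Violation{ev, "outside geo-fence: " + ev.Country})
	}
	if h := ev.At.UTC().Hour(); h < p.StartHour || h >= p.EndHour {
		out = append(out, Violation{ev, "outside time-fence"})
	}
	return out
}

// Audit parses the log and returns the per-file access history plus all violations.
func Audit(lines []string, p Policy) (map[string][]Event, []Violation, error) {
	history := map[string][]Event{}
	var violations []Violation
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		ev, err := ParseEvent(l)
		if err != nil {
			return nil, nil, err
		}
		history[ev.File] = append(history[ev.File], ev)
		violations = append(violations, p.Check(ev)...)
	}
	return history, violations, nil
}

// Constructed sample log and policy (not real data, not a real product's output).
var SampleLog = []string{
	"2024-03-04T09:15:00Z user=asmith file=scan_0042.dcm action=read country=GB",
	"2024-03-04T23:40:00Z user=asmith file=scan_0042.dcm action=modify country=GB",
	"2024-03-05T10:02:00Z user=bjones file=lab_0917.pdf action=read country=RU",
	"2024-03-05T11:30:00Z user=cwhite file=lab_0917.pdf action=read country=GB",
	"2024-03-05T12:00:00Z user=asmith file=lab_0917.pdf action=read country=GB",
}

var SamplePolicy = Policy{
	Revoked:   map[string]bool{"cwhite": true}, // has left, access not yet removed
	Countries: map[string]bool{"GB": true, "IE": true},
	StartHour: 7, EndHour: 20,
}

func main() {
	_, violations, err := Audit(SampleLog, SamplePolicy)
	if err != nil {
		panic(err)
	}
	for _, v := range violations {
		fmt.Printf("VIOLATION %s %s %s: %s\n", v.Event.At.Format(time.RFC3339), v.Event.User, v.Event.File, v.Reason)
	}
}
```

Run against the sample it reports three violations: a modification at 23:40 outside the time-fence, a read from outside the geo-fence, and a read by an account that should already have been removed; the history for lab_0917.pdf lists all three people who touched it, which is exactly what a breach notification must state.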

HIPAA compliance encompasses a number of obligations, so much so that a HIPAA Compliance Officer is needed to ensure the privacy policies that protect the integrity of PHI are enforced. Healthcare organisations that violate the HIPAA Privacy and Security Rules are subject to hefty fines imposed under the supplementary Health Information Technology for Economic and Clinical Health (HITECH) Act, regardless of whether the violation was inadvertent or resulted from wilful neglect. Simply put, excuses will not be accepted. Failure to comply can also result in criminal charges and civil lawsuits being filed should a breach of PHI occur.

Healthcare organisations need to confirm they have implemented all the appropriate safeguards to protect PHI in transit and at rest and to prevent unauthorised disclosures if they are to be HIPAA compliant. The datAshur PRO² and the diskAshur PRO² provide a secure backup of encrypted data, accessible only to those authorised with a PIN. The cloudAshur can be used to encrypt data in the cloud or locally on a PC or Mac, as well as to encrypt files shared via email or file sharing services. Using the cloudAshur Remote Management Console, healthcare organisations can have a holistic view and full control of the PHI shared, helping keep PHI confidential, meet HIPAA compliance and gain patients’ trust.

The critical care of data in healthcare

iStorage CEO John Michael considers the importance of digital hygiene in healthcare and explains how hardware encryption helps health organisations add security to their processes, protects patients, and keeps sensitive records safe from cyber criminals.

High-impact data breaches

Data breaches are a global issue, and as worldwide healthcare providers have transitioned to EHR-based record keeping, controlling access to such sensitive data has proven to be difficult. In the UK, eight in ten providers of frontline healthcare services suffered at least one data breach between 2021 and 2023. French healthcare software provider Dedalus Biologie was fined €1.5 million for a 2021 breach which saw the names, social security numbers and sensitive medical information of nearly 500,000 people released onto the internet. And in the US, reported breaches affecting major healthcare organisations totalled around 295 in the first half of 2023; 87 million US patients had their information breached in 2023, with 43 million in the third quarter alone.

The safety of healthcare data is, clearly, a worldwide issue, and the methods of cyber criminals can be extremely disruptive. The EU Agency for Cybersecurity reports that ransomware accounts for 54% of cybersecurity threats in the health sector, and not only does a ransomware attack risk the loss or distribution of improperly secured or backed-up data, but it also causes serious disruption to medical systems. Being unable to restore an affected system quickly and easily may cost lives, a position health organisations should never have to face.

Reliance on outdated technology

In many cases, technological threats and issues mean providers have been forced to reach for outdated technology in a bid to safeguard secure communication channels. Many US health organisations, for example, have found the transition to a modern EHR platform difficult. Incompatibilities – and, in some cases, vendors actively blocking communication – between competing EHR platforms hamper interoperability to the point where most US healthcare providers have struggled to remove their reliance on electronic and paper fax for secure communication.

The UK, despite attempts to ensure NHS interoperability by 2020, still struggles with siloed systems and fragmented technology which prevent seamless communication between departments and restrict adherence to digital and data standards. Primary Care Support England continues to distribute paper-based Lloyd George medical records, physically couriering them between locations as the scanning and digitisation of UK medical records remains incomplete.

While a certain amount of teething trouble is to be expected over the course of any digital transformation effort, a difficult or frustrating system may cause pressurised individuals to transmit data without following proper protocols. Besides, many legacy or portable systems do not yet have the capability to be connected to a modern network, let alone the technology to communicate in a truly secure manner. Temptation or necessity may lead to insecure data storage and transfer – an extremely poor practice in such a sensitive environment.

Changing practices to protect data

Digital hygiene must be treated as seriously as physical hygiene within healthcare. It is vital that all professionals in the health space are made aware of their responsibility to protect data. This goes far beyond those developing EHR platforms or other back-end technologies; digital hygiene must be practised up and down the chain.

Anyone with access to sensitive records must learn the inherent vulnerabilities of transfer methods like email or devices like laptops and be clear on the potential consequences of their use, misuse, or loss. Many everyday practices within healthcare organisations can introduce security vulnerabilities, too. Pulling results from a non-networked mobile ECG or sonograph, for example, is often done using a basic USB flash drive. If such a drive is lost or stolen, control of that data is lost with it – and the sanctity of a patient’s personal information becomes vulnerable. It is incumbent on any individual that may need to transfer anything from place to place that they do so in the most secure way possible.

The power of hardware encryption

Introducing hardware encryption prevents such data from reaching the wrong hands. Utilising storage media which can encrypt files securely and automatically keeps sensitive data safe, ensuring it can only be seen by those authorised to unlock it. Employing encrypted storage further up the chain, using it alongside other standard methods to locally back up patient records, safeguards against system loss in the case of ransomware or other disruptive hacking techniques. Data stored on an encrypted external drive is, if that drive is then disconnected, protected against network intrusion and even against physical attack – and since hardware encrypted drives appear as a standard USB device when unlocked, they are fully compatible with all medical equipment with a USB port as no software is required.

The high black-market value of health data means the industry will likely never be free from the attention of cyber criminals. Healthcare providers must do everything they can to build a resilient shield to defend themselves, their equipment, and most importantly their patients against any form of digital incursion. A two-pronged strategy which combines regular backups with hardware encryption should be an essential component of any digital hygiene plan – with the right equipment it is easy to introduce, easy to administer, and inherently secure.

John Michael, CEO, iStorage

Halting the rise of ransomware: how zero trust can mean zero loss

iStorage CEO, John Michael, considers why ransomware attacks are again on the rise and how encryption and backups are critical ways to take the sting out of hackers’ ransom demands

Despite hope last year that successful ransomware attacks were on the wane, 2023 has seen a revival of ransomware. Companies continue to face the threat of locked down hardware, losing access to critical data, and potentially having that data released publicly if they refuse to acquiesce to extortionate ransom demands.

It’s not hard to track the reasons for ransomware’s resurgence. IT departments employed proactive methods – including regular backups, encryption, and network security – to combat the so-called ‘golden age’ of ransomware caused by the pandemic-led shift to hybrid and remote working. Statistics suggest such plans are no longer being given the same priority. Just 68% of companies allocated a budget in 2022 to protect against ransomware compared to 93% in 2021. Moreover, only half of those surveyed were taking proactive steps to prevent such attacks, such as regular data backups. Instead, as media headlines declined, companies appear to have lowered their defences.

Ransomware works, and it is not going away. Victims are incentivised to pay, because an attack could cause serious reputational and regulatory damage as well as an average of 20 days of business downtime. Criminals could net millions with a successful ransomware deployment – demands of US$70 million and upwards from a single compromised business are not unheard of. In only the first three months of 2023, companies were forced to spend around $450 million to regain control of their data and could potentially spend more. The golden age of ransomware is clearly not over, and its impact may be rising exponentially.

The rise of commercial ransomware

The lucrative nature of ransomware means it has progressively moved away from the domain of lone hackers or small groups. Ransomware is an increasingly professional criminal endeavour, deployed with a focused approach tailored for maximum impact on the target, however big or small it may be. Attackers have become more brazen and public with their extortion methods, threatening to release sensitive data like company records, client lists, or trade secrets, or even making ransom demands to an affected business’s third-party clients.

Mounting a ransomware attack does not even demand a huge amount of expertise. Any prospective hacker can access Ransomware-as-a-Service (RaaS). As part of a profitable secondary cybercrime market, RaaS sees malware authors offering off-the-shelf variants of malicious software, along with expertise on its use and ready-made databases of online credentials, for a fee. An open market for ransomware means an attack could potentially come from any source at any time, making a solid backup and encryption policy absolutely essential.

Growing physical vulnerabilities in the workplace

Ransomware must be deployed within a company’s systems to work. Attackers can use various means to gain access to systems, from directly targeting insecure networks and computers to exploiting previously undiscovered digital vulnerabilities. The number of potential avenues of attack is growing all the time. The wide-ranging devices which make up the Internet of Things (IoT), for example, are likely to number over 22 billion by 2024, each of them a tiny network-connected computer. The trend towards commonplace remote and hybrid working also highlights new vulnerabilities for more traditional computer hardware, as employees use insecure home networks or even public Wi-Fi in places like coffee shops.

The distributed workforce means VPNs are a target. Working in public places means criminals can discover passwords simply by watching a user type them in. A single lost or unattended laptop could be enough for a hacker to gain the credentials to launch an attack. The inevitable growth of technology means those wishing to use brute force to deploy ransomware within a network have stronger tools available to them, backed by higher processing power. Protecting one’s data with encrypted, air-gapped backups nullifies the potential impact of any of these attack vectors; there is no brute-force method which can come close to breaking AES 256-bit hardware encryption.

Using confidence tricks to shatter security

Often, ransomware attackers attempt to gain access to networks with simpler methods like phishing. Spoof emails are surprisingly effective: two in three users open phishing emails, a third will click the links or attachments within, and half of those will enter details into fake login screens. Their potential success rate means the use of phishing emails is growing, too. In Q1 this year, malicious emails made up a quarter of all email messages, an all-time high.

Phishing works so well because phishers have mastered social engineering confidence tricks and employ meticulous research and Artificial Intelligence (AI) tools to make their emails seem authentic. In addition to broad email campaigns, they research and target specific individuals with more valuable access credentials, a practice known as spear phishing, and use AI to replicate the writing style of senior employees so that their emails appear more authentic. Reports suggest that newer AI-generated phishing emails can convince users to click through and fill in a form up to 80% of the time.
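A defender's view of the indicators described in the two paragraphs above, as an added example that is not part of the original article and not iStorage code: a small Python triage routine run over two constructed messages. It checks the things a reader can verify by eye on a suspicious email (a Reply-To that goes elsewhere, a look-alike sender domain, link text naming one host while the link goes to another, and pressure language). The known-domain allowlist, the sample senders, hosts and phrases are assumptions made for illustration; real mail filters use far richer signals, so this only shows the shape of the checks.

```python
"""Triage constructed sample emails for common phishing indicators.

Added educational example, not iStorage code and not a production filter.
The allowlist of known correspondent domains and both messages are
constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this hypothetical organisation genuinely corresponds with.
KNOWN_DOMAINS = {"example-bank.com", "example.com"}
# Pressure phrases typical of the confidence trick the text describes.
URGENCY_WORDS = ("urgent", "suspended", "verify your account", "within 24 hours")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    # Domain part of the address in a From/Reply-To header.
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _host(url):
    return (urlparse(url).hostname or "").lower()


def looks_alike(domain, known=KNOWN_DOMAINS):
    """Cheap look-alike test: 0/o and 1/l swaps, or one differing character."""
    if domain in known:
        return False
    normalised = domain.replace("0", "o").replace("1", "l")
    for k in known:
        if normalised == k:
            return True
        if len(domain) == len(k) and sum(a != b for a, b in zip(domain, k)) == 1:
            return True
    return False


def triage(raw_message):
    """Return (score, reasons) for one RFC 5322 message; the score is the
    number of independent indicators found, 0 meaning nothing suspicious."""
    msg = message_from_string(raw_message)
    reasons = []
    from_domain = _domain(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append("reply-to domain differs from sender domain")
    if looks_alike(from_domain):
        reasons.append(f"sender domain {from_domain} resembles a known domain")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        # Visible text naming one host while the link goes to another.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            shown = text if "://" in text else "http://" + text
            if _host(shown) != _host(href):
                reasons.append(f"link text shows {_host(shown)} but points to {_host(href)}")
    scanned = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in scanned]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    return len(reasons), reasons


# Constructed sample messages (no real senders or hosts).
PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: <support@mail-recovery.example.net>
Subject: Urgent: your card has been compromised
Content-Type: text/html; charset="utf-8"

<p>Your card was suspended. Verify your account within 24 hours:</p>
<a href="http://login.mail-recovery.example.net/">https://example-bank.com/secure</a>
"""

LEGIT = """\
From: "Payroll" <payroll@example.com>
Subject: March payslip available
Content-Type: text/html; charset="utf-8"

<p>Your payslip is ready in the portal:</p>
<a href="https://portal.example.com/payslips">portal.example.com</a>
"""
```

Running `triage(PHISH)` returns a score of 4 with all four reasons, while `triage(LEGIT)` returns 0. The point for training purposes is that none of these checks needs anything beyond what the recipient can see in the headers and the link target, which is exactly what the awareness training the article calls for should teach people to look at.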

Bypassing the ingenuity and methodology of those wishing to deploy ransomware – whatever their method – requires consistently vigilant behaviour, and a Zero Trust approach. Zero Trust is a framework which offers no implicit trust to any entity which interacts with your organisation. Under Zero Trust, every device, user, platform, tool, or vendor must clearly demonstrate its security credentials. It is an essential component of digital hygiene, and, if properly understood by all employees, is the best way to minimise the possibility of a ransomware attack. In some cases, though, hackers with insider knowledge may find a way to infiltrate a network regardless of an organisation’s policies. So, any cyber resilience plan must be joined by a matching IT infrastructure.

Encryption and backups - the two-pronged solution to ransomware

As creative as one’s network policies may be, there is no other option: organisations must implement consistent encryption and a strong backup policy in order to protect their data. In the case of a ransomware attack, the presence of a backup accelerates the speed of any recovery efforts and potentially avoids an expensive and embarrassing payout. An air-gapped backup, one stored on an external device not attached to the network, cannot be affected by ransomware. Backups should, therefore, be kept in triplicate online, offline, and off-site – a strategy known as the 3-2-1 rule, which ensures there is always a backup available in the case of physical or digital disaster.

Add encryption, and you introduce an extra layer of security to your backups. In the unfortunate event that an external drive is lost or stolen, encryption makes its contents functionally useless to those without the key, minimising the possibility of a damaging data breach. Hardware encryption helps to streamline and foolproof this process by encrypting and decrypting data automatically, without needing to install special software.

The correct hardware backup and encryption solution removes a large amount of business vulnerability, and a lot of worry. Employees no longer need to be concerned with awkward software, or even whether they are doing the right thing – hardware encryption is secure by default. Physical and logical separation between encryption keys and the data they protect renders hacking attacks useless. And with a solid plan in place for recovery, ransomware will end up little more than a temporary inconvenience.
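To make the 3-2-1 rule and the two extra requirements in this section (an air-gapped copy, and encryption on every copy) checkable rather than aspirational, here is an added Python example that is not iStorage tooling and not part of the original article. It states the rule in its common form (three copies, on two media types, one of them off-site) and adds a digest comparison so that a silently corrupted or tampered copy is noticed before a restore depends on it. The inventory, the media labels and the archive bytes are constructed; in practice each digest would be computed over the real archive on each medium.

```python
"""Check a backup inventory against the 3-2-1 rule plus the properties the
text adds: an air-gapped copy and encryption on every copy, with a digest
check so a corrupted or tampered copy is noticed before it is needed.

Added educational example, not iStorage tooling. The inventory and archive
bytes are constructed; in practice each digest is computed over the real
archive on each medium.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str               # e.g. "nas", "usb-hdd", "cloud"
    offsite: bool             # held at a different physical site
    network_attached: bool    # reachable from the production network
    encrypted: bool
    sha256: str               # digest of the archive as stored on this copy


def digest(data):
    return hashlib.sha256(data).hexdigest()


def assess(copies, expected_sha256):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies on one medium type; need at least 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    if all(c.network_attached for c in copies):
        findings.append("no air-gapped copy; ransomware on the network can reach every copy")
    for c in copies:
        if not c.encrypted:
            findings.append(f"{c.label}: not encrypted; loss or theft exposes contents")
        if c.sha256 != expected_sha256:
            findings.append(f"{c.label}: digest mismatch; copy is corrupt or tampered")
    return findings


# Constructed archive content standing in for a real backup file.
ARCHIVE = b"constructed records backup archive 2023-06-01"
GOOD = digest(ARCHIVE)
TAMPERED = digest(ARCHIVE + b"\x00")

# Constructed inventory that satisfies every check.
GOOD_INVENTORY = [
    BackupCopy("nas-snapshot", "nas", offsite=False, network_attached=True, encrypted=True, sha256=GOOD),
    BackupCopy("usb-hdd-in-safe", "usb-hdd", offsite=False, network_attached=False, encrypted=True, sha256=GOOD),
    BackupCopy("cloud-bucket", "cloud", offsite=True, network_attached=True, encrypted=True, sha256=GOOD),
]

# Constructed inventory that looks like "we have backups" but fails every check.
WEAK_INVENTORY = [
    BackupCopy("nas-snapshot", "nas", offsite=False, network_attached=True, encrypted=True, sha256=GOOD),
    BackupCopy("second-nas", "nas", offsite=False, network_attached=True, encrypted=False, sha256=TAMPERED),
]
```

`assess(GOOD_INVENTORY, GOOD)` returns no findings; `assess(WEAK_INVENTORY, GOOD)` returns six, including the one that matters most for ransomware: every copy is reachable from the network, so an attacker who encrypts the file server can encrypt the "backups" in the same pass.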

John Michael, CEO, iStorage

Preventing data breaches and staff burnout in the remote-work era

iStorage CEO, John Michael, argues that remote and hybrid work demand a stricter focus on data security and employee health, both of which can be achieved with the right tools and policies.

Hybrid and remote work are not going anywhere. Workers love the flexibility of the modern office, and the statistics back it up: 82% of a surveyed 28,000 full-time employees find that hybrid working has made them happier, and 78% say that working remotely improves their overall wellbeing. Employers enjoy their own benefits, given that remote work reduces burnout and – contrary to certain management assumptions about its effectiveness – increases employee engagement. A 2018 survey, conducted prior to the major rise in remote work, noted that 67% of workers had experienced burnout, yet in 2022 flexible working had brought this figure closer to 30%.

These figures present the positives, but they absolutely downplay the difficulty of administering a distributed workforce, particularly one, such as a firm of accountants, that is expected to work with sensitive data. It doesn’t take a genius to realise that an accidental breach could be an incredibly costly mistake, incurring a significant fine or losing a client – and breaches do happen. The Information Commissioner’s Office received reports of over 1,000 data breaches related to unauthorised access of data in 2022, and almost 600 incidents of data or paperwork being left in an insecure location. The protection of data cannot be left to chance: in the remote work era, good data hygiene is essential.

Controlling data access based on location

IT administrators would not generally allow hybrid workers a free choice of software or hardware. In the same vein, employees should not be given full freedom to work however they want in any location they choose. Hybrid workers, given their relative freedom, may take an over-relaxed attitude to their place of work; those putting in the hours in coffee shops, on public transport, or otherwise working away from the office are naturally more likely to cause such breaches.

Tight security controls are vital to keep data safe, whether that be personally identifiable information (PII) or company spreadsheets. A data breach could be caused by connecting to cloud services over insecure networks, for example. Data could be leaked through a device like a laptop being left unattended or being stolen. But an offline, secure approach mitigates these issues. If hybrid and remote workers are required to use encrypted storage while working away from a trusted network, virtually every potential cause of a breach is removed.

A secure drive may be able to lock itself based on a user’s proximity to their computer – should the drive’s owner step away from their machine, the drive’s contents would automatically be rendered inaccessible. If strict policies demand that remote employees work only from a pre-approved locale, secure storage can also be geofenced. This restricts use of a device based on its GPS coordinates – the fence can cover regions as large as continents or as small as a few metres. Outside of those areas, such a device would not be able to be unlocked.

Implementing hardware policies to aid work/life balance

The health of a company’s data is of paramount importance, of course, but introducing proper data hygiene procedures can also go some way to protecting the health of its employees. Remote workers, and even in-office employees, can experience an unhealthy creep towards the work side of work/life balance. We’ve all burned the midnight oil at times, and not always because we’ve needed to. Digital connectivity can be an addiction.

Overarching legislation isn’t necessarily the answer. Even in France, where ‘Right to disconnect’ legislation passed in 2017 aimed to protect workers from out-of-hours work, the easy availability of digital tools means many employees continue to feel compelled to remain connected and available outside of their working hours. But French companies which have established strong internal policies in line with the legislation have been able to demonstrate significantly reduced out-of-hours engagement. A culture focused on wellbeing and reasonable expectations is key, then – and using secure hardware to implement more direct controls can have a positive effect, too.

Set a time limit on the use of secure storage, for example, and the unlocking procedure can be prevented outside of agreed hours, reducing the chance of employees engaging in so-called ‘grey work’ – out-of-hours work beyond one’s prescribed responsibilities. If such a limit needs to change, simple back-end software allows administrators to alter it on a user-by-user basis or apply a temporary lifting of restrictions. Each unlock also builds an audit trail of activities, which can tell administrators and managers precisely when and where a drive has been unlocked.

Employing remote management for additional security

Cryptographic security is what makes these functions work – and they really do work. The contents of a sufficiently secure drive will be obscured by uncrackable encryption until that drive is unlocked, offering a guarantee that those vital numbers are completely safe from any breach. Indeed, even if plugged into a USB port, such a drive would not appear to be connected to the computer until a secure online authentication process has been completed. Even if the encrypted storage were able to be accessed, AES 256-bit hardware encryption protects data against the possibility that the data could ever be read, copied, or shared.

Online authentication has a double use. It also means the access parameters of the device can be remotely administered at the time of unlocking. If a geofence moves, or an employee’s access restrictions change, these alterations do not require physical access to any remote hardware – any policy changes are automatically applied to a drive upon its use, no matter what machine it is connected to.

Remote data erasure provides peace of mind

A lost drive is obviously not a good thing. But that is exactly the scenario cryptographic security, and data policies that ensure it is used, are there to address. If a hardware-encrypted drive is lost or stolen, it does not mean company data has been breached; it simply means the loss of easily replaceable hardware. And if a double layer of security is required, a remotely administered secure drive can be set to erase itself if too many unsuccessful unlock attempts are made.

If a remote employee reaches the end of their tenure, proper data hygiene procedures might also require that they return their hardware. But a secure drive could, if required, be set to be wiped at the moment an unlock attempt is made. This, along with geofencing, goes some way to preventing disgruntled employees taking company data to places it shouldn’t be.
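The controls described across this article (geofencing, permitted hours with an audit trail, self-erase after too many failed unlock attempts, and a wipe triggered by a departed employee's next unlock) can be read as one policy decision made at unlock time. The following is an added Python model of that decision, not iStorage's product logic or management protocol; the coordinates, PIN, salt, fence radius and failure threshold are constructed values. Two design points it illustrates: the PIN verifier is a slow salted hash compared in constant time, and the failure counter erases rather than merely locks, so that a drive in the wrong hands yields nothing.

```python
"""Unlock-policy evaluation for a remotely managed encrypted drive.

Added educational example, not iStorage's product logic or wire protocol.
It models the controls the text describes (geofence, permitted hours,
self-erase after repeated failures, wipe-on-next-unlock for a departed
user) as one decision function that also records an audit trail.
Coordinates, PINs, salt and limits are constructed values.
"""
import hashlib
import hmac
import math
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class UnlockPolicy:
    fence_lat: float
    fence_lon: float
    fence_radius_m: float
    hours: tuple            # (start_hour, end_hour): unlock allowed if start <= hour < end
    max_failures: int       # consecutive bad PINs before the drive erases itself
    wipe_on_next_unlock: bool = False   # administrator sets this when the user leaves


@dataclass
class DriveState:
    pin_hash: bytes
    failures: int = 0
    erased: bool = False
    audit: list = field(default_factory=list)   # (timestamp, lat, lon, outcome)


def _haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def pin_hash(pin, salt=b"constructed-salt"):
    """Slow salted hash so a captured verifier cannot be cheaply brute-forced."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def try_unlock(state, policy, pin, lat, lon, when):
    """Evaluate one unlock attempt. Returns 'unlocked', 'denied:<reason>' or
    'erased' and appends the outcome to the drive's audit trail."""
    def log(outcome):
        state.audit.append((when.isoformat(), round(lat, 4), round(lon, 4), outcome))
        return outcome

    if state.erased:
        return log("erased")
    if policy.wipe_on_next_unlock:            # departed employee: wipe on first touch
        state.erased = True
        return log("erased")
    if _haversine_m(lat, lon, policy.fence_lat, policy.fence_lon) > policy.fence_radius_m:
        return log("denied:outside-geofence")
    start, end = policy.hours
    if not start <= when.hour < end:
        return log("denied:outside-hours")
    if not hmac.compare_digest(pin_hash(pin), state.pin_hash):
        state.failures += 1
        if state.failures >= policy.max_failures:
            state.erased = True                # too many failures: data is gone, not exposed
            return log("erased")
        return log("denied:bad-pin")
    state.failures = 0
    return log("unlocked")


def demo():
    """Walk one drive through the scenarios the text describes."""
    # Constructed: 500 m fence around an office near central London, 08:00-18:00.
    policy = UnlockPolicy(51.5074, -0.1278, 500.0, (8, 18), max_failures=3)
    state = DriveState(pin_hash=pin_hash("2468"))
    office, paris = (51.5080, -0.1290), (48.8566, 2.3522)
    outcomes = [
        try_unlock(state, policy, "2468", *office, datetime(2023, 6, 1, 9, 30)),
        try_unlock(state, policy, "2468", *paris, datetime(2023, 6, 1, 9, 30)),
        try_unlock(state, policy, "2468", *office, datetime(2023, 6, 1, 22, 0)),
        try_unlock(state, policy, "0000", *office, datetime(2023, 6, 1, 10, 0)),
        try_unlock(state, policy, "0000", *office, datetime(2023, 6, 1, 10, 1)),
        try_unlock(state, policy, "0000", *office, datetime(2023, 6, 1, 10, 2)),
        try_unlock(state, policy, "2468", *office, datetime(2023, 6, 1, 10, 3)),
    ]
    return outcomes, state


def demo_departed_user():
    """An administrator has flagged the drive to wipe on its next unlock."""
    policy = UnlockPolicy(0.0, 0.0, 100.0, (0, 24), 3, wipe_on_next_unlock=True)
    state = DriveState(pin_hash=pin_hash("1111"))
    return try_unlock(state, policy, "1111", 0.0, 0.0, datetime(2023, 1, 1, 12, 0))
```

`demo()` yields, in order: unlocked, denied (outside the fence), denied (outside hours), two bad-PIN denials, erased on the third bad PIN, and erased again even with the correct PIN afterwards; the audit trail records all seven attempts with time and position. Note that the geofence and hours checks run before the PIN is even examined, so an attempt from the wrong place at the wrong time tells the holder nothing about whether the PIN was right.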

Obviously much of the burden of remote worker data hygiene must be shouldered by company policy. But whatever level of control a company wishes to have over its remote employees, whatever policies exist to support efficient work and wellbeing, or even if you’re running a freelance accounting operation, investing in secure hardware makes such policies far easier to follow and implement. Select hardware which is also backed by clear and straightforward administration software, and the prospect of safer data is easier to achieve.

John Michael, CEO, iStorage

The search for security and safety amid cryptocurrency chaos

In a volatile market where key players have suffered high-profile failures, iStorage CEO, John Michael, considers the best way to keep crypto funds secure and entirely under control.

Cryptocurrency is unpredictable. But outside of its potential as decentralised currency – and the ability of the blockchain, the shared database crypto relies upon, to act as an immutable ledger of transactions – its volatility may be its key selling point. Bitcoin, Ethereum and their ilk have the potential to fluctuate in price wildly. One day an investment of fiat currency, for example, may produce a massive loss in the crypto market but the next could offer huge growth.

Crypto’s big problem is that the volatility gamble does not only apply to currencies. It can just as easily affect the tools that make crypto work. When trouble strikes a crypto exchange, an online entity which switches out real-world currency for crypto tokens as well as storing that crypto online, one’s investment could not only lose value – it could be lost entirely.

Notable crypto disasters

Transactions on the blockchain are irreversible. If a criminal infiltrates an online wallet and transfers its contents, there is no hope of a resolution. In the case of Japanese exchange Mt. Gox, for example, a breach saw the company’s ‘hot wallet’ – essentially an online account used to hold cryptocurrency for quick transfers or sales – emptied by hackers, losing 7% of the world’s Bitcoin, most of which belonged to its customers. The attacking party transferred and ‘washed’ the coins, automatically scattering them between anonymous wallet addresses to make tracing their whereabouts on the blockchain impossible.

Using an exchange also assumes that the company behind it is operated properly and is trustworthy. The recent high-profile collapse of crypto exchange FTX happened because customer deposits were mishandled: loaned to a second business, owner Sam Bankman-Fried’s hedge fund, and otherwise lost to risky bets. When this was discovered, major investors bailed, a potential takeover was dissolved, and the crypto market itself crashed. End-user customers were left without financial recourse, their fiat currency gone and their crypto deposits locked into FTX’s platform while a block on withdrawals was instituted.

An exchange alternative

Crypto exchanges are not inherently unsafe. Yet FTX’s fall has certainly created increased wariness from investors. Exchanges are a necessary means to trade digital currency for hard currency, but that’s as far as trust should go. Taking the decision to store crypto offline provides full control over funds and isolates them from any potential online disaster. Setting up an offline wallet, otherwise known as a ‘cold wallet’, is a simple process which allows the movement of funds away from exchanges and into a software package stored on a device controlled by the funds’ owner.

Once that currency has been transferred, it becomes completely hidden from the internet. The token that then represents the cryptocurrency itself remains stored on the blockchain, but its location – and the cryptographic keys required to access it – are known only to the offline wallet. For all intents and purposes that currency disappears. Although, as we will discuss, a cold wallet comes with its own vulnerabilities, its offline nature makes it the safest way to store cryptocurrency.

Protecting the cold wallet

There are some downsides to moving cryptocurrency offline. Managing offline storage requires a little more attention than simply relying on the streamlined tools of an exchange. Cold wallets such as Ledger, Trezor, and KeepKey can remain safe offline indefinitely, but they must be periodically connected to the internet to update the value of their crypto portfolio, to update the investor on their contents, or to transfer money away from them. They are by far the most secure method of cryptocurrency storage, but cold wallets are also not impervious to hacking. If an attacker were able to gain access to the hardware containing the wallet itself, or the seed phrase (a mnemonic phrase to recover a lost or broken crypto wallet) used to generate its private key – both of which should be securely stored by their owner – they could steal its funds.

Perhaps most importantly, a cold wallet’s practice of security by obscurity makes it fragile in its own way: if a wallet is physically lost, or if its access credentials are forgotten, its contents permanently go with it. The fact that it is cryptographically secured means that no amount of searching, hacking or computation will ever get its contents back. Managing an offline wallet is, essentially, to manage one’s own bank: protecting one’s assets is critical.

Safer data through encryption

One way to ensure the safety of a cold wallet is to store it on a hardware-encrypted data storage device. While a wallet should always sit on external storage which can be automatically or physically disconnected when not in use, hardware encryption adds a second layer of protection, since an opportunistic attacker will not be able to access a single byte of the drive’s contents without the appropriate credentials. It needn’t have a high capacity, since wallets themselves are very small, but a reliable, secure data storage device removes the possibility of anyone potentially accessing a wallet they shouldn’t. With the right choice of hardware, a wallet becomes double-protected: an intruder entering the wrong passcode too many times could cause the drive to be erased and, with it, any possibility of accessing the wallet is removed.

The positive is that even if the offline wallet disappears, funds won’t necessarily be lost. Unlike a hot wallet on an exchange, a cold wallet does not have to be a singular entity. Offline wallets can be cloned by copying them to additional drives, providing backups to protect the first against disaster, and removing the need to write down or remember a seed phrase. Most cold wallet software tools can be used to generate a full backup of private and public keys and to store those elsewhere, too. As long as care is taken around where each copy resides – and, again, proper access controls and encryption are implemented – a cold wallet offers the strongest assurance possible that cryptocurrency remains safe and secure.

John Michael, CEO, iStorage

NIS 2 Directive: Improving data security to ensure cybersecurity compliance

iStorage CEO, John Michael, explains how companies affected by the new directive should be looking to demonstrate the highest levels of cybersecurity compliance as it comes into force.

The UK government is set to follow the new NIS 2 Directive (NIS 2) that has recently been adopted by the EU. NIS 2 replaces the existing legal framework (the NIS Directive), modernising it to keep up with increased digitisation and an evolving cybersecurity threat landscape. This is intended to improve cybersecurity risk management and reporting obligations across several new sectors such as energy, transportation, healthcare, food and waste management.

The new NIS 2 Directive eliminates certain classifications and classifies businesses as either ‘essential’ or ‘important’, while using a size-cap rule to determine which entities fall within its scope. It is expected that businesses that need to comply with NIS 2 will have to carry out a greater level of due diligence on their technology partners. As part of this evaluation process, it is highly likely that policies and processes will play a much greater role. What steps, then, should businesses take to protect their data from cyberattacks and be compliant with NIS 2?

Protecting the many points of vulnerability

To comply with NIS 2, a holistic approach is required that considers all possible threat vectors. Organisations should not assume that, just because on-premises data is secure, this equates to a sufficient level of compliance to meet NIS 2 criteria. Consideration should be given to the integrity of all outgoing and incoming data, as well as data that is stored in the cloud. In this context, it is important to ask who is ultimately liable for data in the cloud.

Cloud providers have been quick to promote security capabilities along with other benefits of scalability, cost and convenience. Yet, the security element can be somewhat misleading. Indeed, the terms and conditions of many major cloud providers include a ‘limitations of liability’ clause, which puts data-security responsibility squarely on the shoulders of the cloud user. All users need to be conscious of using adequate, and in many cases, more stringent security measures when storing their data in the cloud to assure wider stakeholders of its integrity.

In addition, consideration must also be given to the integrity of data on the move with the increase in flexible working options for employees. Hybrid and remote working practices, accelerated by Covid, have become not just an outlier but the norm for many, with 40% of British adults working from home at least once per week. However, the number of workers on the move also means a corresponding increase in the number of devices in transit. These are devices that would otherwise be kept at a desk within a fixed office, where they can be more easily secured.

Furthermore, away from the scrutiny of IT teams, remote employees may be tempted to use personal devices for work purposes, negating any protections which have been applied to certified hardware. They may work on unsecured networks in places where their passwords could be shoulder-surfed, and, potentially, lose sensitive documents on unencrypted devices between work locations.

This all puts more demand on IT teams to improve security for data and devices in transit, while placing a greater onus on staff to ensure that no risks are taken when it comes to valuable company data. To maximise protection, it’s essential to consider encrypting files both in transit and at rest. This way, if a device is lost, left somewhere, or is stolen, the information it contains cannot be accessed and data integrity is guaranteed.

Zero Trust and a cybersecurity-aware culture

Improving cybersecurity to comply with NIS 2 essentially means protecting all possible points of entry that could be used by an attacker. Creating strong passwords, removing or disabling all superfluous drivers, services, and software, and setting system updates to install automatically are all sensible approaches. However, Zero Trust is rapidly becoming the standard in security and involves removing the implicit trust given to individuals, tasks, and computer systems.

Applying a Zero Trust policy in line with the National Institute of Standards and Technology’s (NIST) risk management framework, which promotes a ‘never trust, always verify’ approach to any request for systems access, greatly reduces the likelihood of unauthorised or unauthenticated user access. A Zero Trust approach ensures that any long-term access to information is revoked. This helps companies tighten controls on their networks and requires access to be granted only as and when it is needed. This denies attackers the opportunity to spread widely around a network, or to sit undetected for long periods of time, waiting for an opportunity to strike.
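As an added example of the ‘never trust, always verify’ principle in the paragraph above, and not a NIST reference implementation or iStorage code, here is a small Python access broker: grants are short-lived signed tokens for a single resource, every request is re-checked (signature, revocation, expiry, resource, device posture), and revoking a subject takes effect on that subject's next request rather than at the end of a standing session. The signing key, subjects, resource names and time-to-live are constructed values; the HMAC token format is a deliberately minimal stand-in for whatever credential a real policy engine issues.

```python
"""Just-in-time access under a 'never trust, always verify' policy.

Added educational example: not a NIST reference implementation and not
iStorage code. Each request re-verifies a short-lived, HMAC-signed grant
plus device posture; nothing is trusted because it was allowed earlier, and
revocation takes effect on the next request. Key, subjects and resources
are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-key-do-not-reuse"


class AccessBroker:
    def __init__(self, key=SIGNING_KEY, clock=time.time):
        self._key = key
        self._clock = clock            # injectable so expiry can be exercised offline
        self._revoked_subjects = set()
        self.decisions = []            # (allowed, reason) audit log

    def issue(self, subject, resource, ttl_seconds):
        """Grant access to one resource for a short window, not standing access."""
        payload = {"sub": subject, "res": resource, "exp": self._clock() + ttl_seconds}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def revoke_subject(self, subject):
        self._revoked_subjects.add(subject)

    def authorize(self, token, resource, device_compliant):
        """Return (allowed, reason); run on every request, never cached."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(sig, expected):
                return self._decide(False, "bad-signature")
            payload = json.loads(base64.urlsafe_b64decode(body))
            sub, res, exp = payload["sub"], payload["res"], payload["exp"]
        except (ValueError, KeyError, TypeError):
            return self._decide(False, "malformed-token")
        if sub in self._revoked_subjects:
            return self._decide(False, "subject-revoked")
        if self._clock() > exp:
            return self._decide(False, "expired")
        if res != resource:
            return self._decide(False, "wrong-resource")
        if not device_compliant:
            return self._decide(False, "device-not-compliant")
        return self._decide(True, "ok")

    def _decide(self, allowed, reason):
        self.decisions.append((allowed, reason))
        return allowed, reason


def demo():
    """Exercise the broker with a fake clock; returns the decision reasons."""
    now = [1_700_000_000.0]
    broker = AccessBroker(clock=lambda: now[0])
    token = broker.issue("alice", "finance-share", ttl_seconds=900)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    reasons = [
        broker.authorize(token, "finance-share", device_compliant=True)[1],
        broker.authorize(token, "hr-share", device_compliant=True)[1],
        broker.authorize(token, "finance-share", device_compliant=False)[1],
        broker.authorize(tampered, "finance-share", device_compliant=True)[1],
    ]
    now[0] += 901                                   # the 15-minute window has passed
    reasons.append(broker.authorize(token, "finance-share", True)[1])
    broker.revoke_subject("alice")                  # e.g. role change or leaver
    fresh = broker.issue("alice", "finance-share", 900)
    reasons.append(broker.authorize(fresh, "finance-share", True)[1])
    return reasons
```

`demo()` returns the six decision reasons in order: ok, wrong-resource, device-not-compliant, bad-signature, expired, subject-revoked. The last two are the behaviours the paragraph describes: access lapses on its own after a short window, and a revoked subject is refused even with a freshly issued token, which is what removes an attacker's ability to sit on a network with long-lived credentials.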

Encrypting valuable data to guard against threat

Finally, it’s important to consider the measures that businesses can take to further safeguard data. Dedicated tools, documentation, and training will help mitigate risks and keep products and services up-to-date and protected. Secure encryption is another method, enabling the security of key files and any communications between client apps and servers to be enhanced.

Encryption, even for data stored in the cloud, vastly improves the security of company files and can provide the required superior levels of protection. A PIN-authenticated, encrypted USB flash drive or HDD/SSD with an on-device crypto-chip and AES-XTS 256-bit encryption will offer complete data integrity, even against brute-force attempts. In addition, using a device with an internal microprocessor that is Common Criteria EAL5+ certified, and encrypting data with a FIPS PUB 197 certified AES 256-bit encryption key, brings into play military-grade protection.

The expanding cybersecurity landscape is bringing with it many new challenges which require innovative responses. Complying with the NIS 2 Directive by taking steps to adhere to principles of Zero Trust, encrypt data, and educate staff as to their responsibilities will help ensure robust cybersecurity. Whether working on or off-site, such an approach will prevent the long-lasting negative impact associated with cyber-attacks and the loss of valuable information, ultimately resulting in safer data.

John Michael, CEO, iStorage

Halloween may be over, but the threat of frightening cyber-attacks is still out to get you – what exactly is out there?

Forbes, alongside many other publications and IT professionals, has labelled cyberattacks an ever-increasing issue. Malicious users who can do serious damage are a real threat, and the damage they can do is shocking. As an overall topic, this message seems to get across to organisations, but do they know what it takes to keep up with fending off attacks, or how severe the threat is? Infosec reported:
“Weekly cyber-attacks have increased worldwide by 7% in Q1 2023, compared to the same period last year, with each firm facing an average of 1248 attacks per week.” *

In this blog, we will be detailing the common and severe forms of cyber-attacks, and how they affect a business. Attacks reach businesses of all sizes and can take on average 22 days to recover. **

A huge area of cyber-attacks is malware. Malware is short for malicious software and is a type of program or code created with the sole purpose of doing harm to the computer, network, or server it is downloaded onto. Malware is a large umbrella that covers many other different malicious threats. While it may be easy to simply wave off the idea that you would ever download such damaging software, there are many circumstances where it has proved successful through deceit and less-informed users.

One such subset is ransomware. At iStorage, we often discuss the topic of ransomware, as it is a hugely damaging and growing issue in cyber security. Through the utilisation of malware distributed via phishing, this form of attack encrypts a user's data, rendering it inaccessible. The attacker then demands a payment in exchange for a decryption key. This situation can pose serious issues for users, impacting not only personal data but also crucial documents for working employees, potentially involving sensitive information. At its most severe, a ransomware attack can lead to a significant amount of company data being stolen and sold. In the best-case scenario, it involves substantial payments to regain access to the information. Instances of ransomware attacks have resulted in severe consequences, such as the complete downfall of a business due to detrimental payments, regulatory fines, or loss of trust in the company's reputation.

Phishing stands as the most widely recognised form of cyber-attack. In this scheme, malicious actors endeavour to deceive users into engaging with them by enticing clicks that lead to unsafe websites or malware downloads. These deceptive attempts can take on different guises, spanning social media, text messages, or emails. This gives the hacker a gateway to the user through which to blackmail them or steal precious data. These links are disguised, and the messages can often be tailored to something the user will resonate with. This could be an email purporting to come from their online banking provider explaining that they need to deactivate their card after it has been compromised, or something work-related like a previous campaign.

To avoid these attacks, it’s imperative that companies (of all sizes) exercise and teach digital hygiene, have the right tools to secure information, and back up work. Recognising threats and keeping up with digital hygiene will allow employees to understand the threats, and ways to avoid them, making it a fortified front against attackers.

Practicing digital hygiene involves several key aspects: maintaining robust passwords, regularly updating software, and adhering to cybersecurity protocols like zero trust. Utilising appropriate tools, such as encrypted USB flash drives, hard drives, or solid-state drives, ensures comprehensive protection of all stored data. Additionally, creating encrypted offline backups safeguards your work outside the computer, ensuring that in the event of a ransomware attack, the offline protected data remains unaffected, allowing you to quickly restore and get back to normal.

* https://www.infosecurity-magazine.com/news/global-cyber-attacks-rise-7-q1-2023/
** https://www.provendata.com/blog/how-long-does-it-take-to-recover-from-ransomware/#:~:text=According%20to%20a%20Statista%20survey,investigation%20process%2C%20and%20system%20building