
Fraud and Data Theft: 11 Tips for Customer Security

The Serasa Experian Global Identity and Fraud Survey 2020 shows that 57% of companies face increasing losses from fraud and data theft year after year, despite claiming to be able to identify their customers accurately. That is why we need to invest in data protection.

In fact, three out of five companies reported an increase in fraud over the past 12 months.

In other words, the study carried out by Serasa Experian shows that companies’ concerns about the increase in fraud and data theft persist even with the investment in security and data protection made in recent years.

Furthermore, the average cost of a data breach in 2020 was USD 3.86 million, according to IBM’s data breach study. Despite the slight drop from 2019 (USD 3.9 million), it is still a very high amount to pay for fraud and its impact on customers.

What happens when those responsible for protection are compromised by fraud and data theft?

In September 2017, consumer credit agency Equifax admitted its third cyber attack in two years, when hackers exploited a website vulnerability.

Key Facts About the Cyberattack Suffered by Equifax

  • Some 143 million US customers have potentially become vulnerable by having their personal data compromised (with 400,000 in the UK);
  • Confidential information (including social security numbers, driver’s license numbers, dates of birth, medical history and bank account information) was compromised, leaving customers vulnerable to fraud and data theft;
  • Equifax was criticized for being ill-equipped to manage the breach. It took five weeks to make the violation public; it set up a website for information and a hotline, where customers criticized the lack of information and the long delays;
  • In a notable gaffe, customers were also directed to a fake website in the company’s tweets;
  • Offers of a one-year free credit monitoring and identity theft service were deemed inappropriate;
  • A lawsuit has been filed accusing Equifax of negligence with customer data, with potential cost implications of $68.6 billion.

Consumers whose data has been leaked, stolen, or used in fraud don’t even know that their personal information is at risk for months or even years. But what choice do people have: don’t travel, don’t share, don’t use social media?

OK, we can make these choices if we need to, but we still need to get health care services, use a bank or a credit union, be insured, or even get our Social Security benefits.

How can companies take the first steps to prevent fraud and data theft?

These are the top tips from experts to help you keep your company’s confidential information safe from fraud and data theft.

1. Get rid of paper

If you must keep paper files, destroy them as soon as they are no longer needed. In practice, there are nine things that companies must destroy:

  • Any correspondence with a name and address;
  • Luggage tags;
  • Travel itineraries;
  • Extra boarding passes;
  • Credit offers;
  • Price lists;
  • Vendor payment receipts and paid invoices;
  • Cancelled checks;
  • Receipts.

2. Assess which data you most need to protect against fraud and data theft

Audit or evaluate your data. Every company is different. Each has different regulations, different types of data, different needs for that data, and a different business culture.

Hire an outside expert to assess what data you have, how you are protecting it (not how you think you are protecting it), and where that data is going.

While you may think it is an unnecessary cost, if you report to customers and prospects that you have done an external data assessment, you may find that it puts you at an advantage over your competitors.

3. Restrict access to your confidential data

Not everyone in the company needs access to everything. Does the project manager need pricing information? Does the salesperson need information about operations?

By restricting the data each person can access, you limit your exposure both when an employee decides to steal data and when the employee’s account is compromised by an outsider.

4. Apply internal and external data privacy controls

Make sure that third parties and service providers contracted by your company follow the same strict data privacy controls that you implement in your own organization.

Audit them periodically to ensure compliance with your security standards and reduce the risk of fraud and data theft.

5. Use strong passwords to protect computers and devices

Make it difficult for third parties to access your company and employees’ devices and computers if they are lost or stolen by protecting them with strong passwords and enabling remote wiping on all devices.

6. Install or enable a firewall

Even small companies with only a few employees have valuable data that needs to be protected. Make sure you have a firewall installed to prevent strangers from accessing your company’s network.

7. Secure your wireless network

Use a strong password and encryption, and hide your wireless network from strangers. Don’t let neighbors or passersby get into your network or even see that it exists; otherwise you are increasing the risk of fraud and data theft.

8. Combat fraud and maintain good customer relations in accordance with LGPD

Adhering to the fundamental principles of the General Data Protection Law (LGPD) and preventing fraud and data theft, as well as having good customer relations, can go hand in hand.

Minimizing the amount of personal data collected, anonymizing this data and adopting privacy principles from the outset will not only ensure that your customers’ right to data privacy is preserved, but will also help mitigate your risks from the perspective of the LGPD.

9. Data minimization

Whether or not you rely on legitimate interest to acquire data, you should collect only the minimum data necessary to achieve your goal.

If you can combat fraud and data theft using only a minimal amount of indirectly identifying information, so much the better: that means less data to protect later.

10. Anonymization

Make sure that all data is protected using tokenization or encryption.

In addition to increased security, a clear benefit is that mandatory breach reporting requirements are significantly reduced for anonymized data, as the risk of harm to the data subject is greatly reduced as long as the key is not compromised.

11. Privacy by design

Make data privacy an integral part of your organization’s thought process at all levels.

Make it a habit for all departments to ask what data you need, how you will protect it, and whether or not you need consent. Not to mention that a well-thought-out privacy strategy will likely create a better user experience.

And don’t forget authentication! Tampered and stolen credentials are a real threat to the security of your users’ data. This threat vector makes stronger authentication an essential component in the fight against fraud and data theft, as well as in defending your users’ right to data privacy.

How EVAL can help your company fight fraud and data theft

EVAL has solutions for application encryption, data tokenization, anonymization, cloud protection, database encryption, big data encryption, structured and unstructured file protection on file server and cloud, and key management to meet different demands in the area of data security.

These are solutions that allow businesses to be compliant and protected against data leakage.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Cryptographic Key Management in Healthcare: A Real Challenge

The use of cryptography, and of cryptographic key management in healthcare, to protect data at rest or on storage media is a reality for medical institutions and for users of services such as cloud storage, messaging and many others.

However, those responsible for these services are presented with many options for cryptographic mechanisms and consequently there are many choices to be made.

Poor choices in cryptographic key management in healthcare can result in little or no gain, even loss, creating a false sense of security in a healthcare organization’s data.

For example: encrypting a database but keeping the cryptographic key in a file on the same server.

In this article we intend to address some relevant aspects for the information security of data in the health area that are related to cryptographic keys.

With this we will show the importance of managing them correctly for the operation of cryptographic services.

To facilitate understanding, we divide the article into three parts: the basics of cryptography, cryptographic services, and finally cryptographic key management.

Cryptographic Key Management in Health and Data Encryption

Cryptography is a set of principles used to ensure the security of information in a healthcare institution.

To this end, cryptographic key management in healthcare employs techniques to transform a piece of information into another form (the cryptogram, produced by encryption) that is readable only to those who know the secret (the secret key).

By keeping this secret safe, we prevent unauthorized persons from recovering the original information (decryption).

  • Secrecy

The security of cryptographic services is based on the secrecy of the cryptographic key, which allows encryption and decryption, and not on the method of transforming the information, i.e. the algorithm used, which must be public.

  • Symmetric and asymmetric keys

In cryptography there are two basic types of algorithms: symmetric and asymmetric key. The former use a single key to encrypt and decrypt the data, while the latter adopt a pair of keys, one for encryption and the other for decryption.

Cryptographic services

There is no 100% secure method, in health or any other area, but some guidelines can help reduce or prevent attacks.

One of the first steps to consider is the confidentiality of each patient’s data. Use a network to which only authorized persons have access.

Choosing dedicated, secure storage for your data is also one way to prevent data leakage; there are storage solutions that can support digital health security in this regard.

As mentioned above, it is clear that encryption and cryptographic key management in healthcare are the most efficient ways to prevent data theft in healthcare.

Whether protecting data at rest, i.e. stored data, or data in transit, i.e. data travelling on the network, encryption coupled with strict access control is essential to help the hospital keep data protected.

It is also very important to protect the network perimeter with a firewall and to protect desktops and servers with antivirus, among many other tools.

  • Confidentiality

According to studies, email attacks grew by 473% between 2017 and 2019 in the health sector alone. The maintenance of outdated legacy systems is one of the reasons for this high volume of attacks.

Another study estimates that spending on advertising alone, due to reputational risk, increases by 64% in hospitals that suffer data leaks.

Confidentiality has to start with the adoption of an Electronic Patient Record (EPR), which, in addition to centralizing the medical data of each care episode (complete history), facilitates the achievement of prestigious accreditations in the sector, such as HIMSS (Healthcare Information and Management Systems Society), linked to good health IT practices.

You need to train your staff constantly to avoid improper access and use of the applications provided within the institution.

Data confidentiality, achieved through encryption, cryptographic key management in healthcare and proper access control, ensures that information cannot be viewed by third parties and that only authorized persons have access to it.

  • Integrity

Integrity, in short, means that a given piece of information is not modified in an unauthorized way after its creation, whether during transmission or storage.

Whether the change is accidental or intentional, the insertion, removal or replacement of data must be detected. Cryptographic mechanisms such as cryptographic digest, also known as hash, and digital signature provide the support for this service.

  • Authentication

The authentication service verifies the identity of a user in order to have some assurance that the person is who they say they are. There are several authentication mechanisms: username and password is a well-known model, but so is authentication using a digital certificate.

In the digital certificate model, one can use the SSL protocol, or even a digital signature at login, as the authentication mechanism. The digital certificate may follow the ICP-Brasil model or another that the organization trusts, such as an internal Certificate Authority.

With ICP-Brasil Certificate Authorities, it is during issuance of the digital certificate that the applicant must undergo identity validation, in person or, more recently, remotely, presenting original documents that prove their identity.

  • Non-repudiation

The non-repudiation (irretractability) service provides the means to ensure that whoever created a piece of information cannot deny its authenticity, or at least that it is difficult to deny.

In this sense, it is linked to the digital signature, in which the owner of the private key cannot deny having used it for a particular purpose.

  • Authorization

Additionally, after authentication, the information about the authenticated user can be used by the system to decide what that user is authorized to access. The authorization service grants approval or permission for the execution of an activity.

As an example, the authorization service can be employed to define the permissions to use a cryptographic key that would consequently allow access to a certain piece of information.

Cryptographic key management in health

Cryptographic keys are the foundation of cryptography and the security of encrypted data lies in them. Breaches can lead to the compromise of keys and, consequently, the leakage of sensitive information such as patient records.

The increase in the use of encryption for data protection in healthcare institutions, mainly due to government regulation (see the LGPD), means that they have to deal with multiple solutions for encrypting data.

Because of the diversity of vendors, organizations also need to define various procedures for managing cryptographic keys, and these are not always adequate.

Cryptographic key management consists of storing, protecting, organizing and ensuring the proper use of cryptographic keys, managing their lifecycle and maintaining backup copies in a secure and consistent manner.

  • Secure storage of keys

The keys should be stored securely, i.e. encrypted and with access control.

This encryption should preferably be performed with keys protected in cryptographic hardware.

  • Identification of keys

It should be possible to identify a key, its type, its purpose, who is authorized to use it and the period of use.

Life cycle of cryptographic keys

The lifecycle of cryptographic keys must be controlled so that they are used properly during their validity period – i.e. only authorized persons or systems can use them during a predefined time and with secure mechanisms so that they are not compromised.

We will describe the life cycle of the keys according to the NIST recommendations.

The life cycle of a key starts with generation and ends with destruction, passing through one or more of the states described below:

  • generation: moment of creation of the key, which is not yet ready for use;
  • pre-activation: the key has been generated but is not yet ready for use because it is waiting for the period of use or the issuance of a certificate;
  • activated: the key is available for use;
  • suspended: the use of the key is temporarily suspended. In this state, it can no longer perform ciphering or signing operations, but can be used for data recovery or verification of signatures previously performed.
  • inactivated: the key can no longer be used for ciphering or digital signing, but is kept for processing data ciphered or signed before inactivation.
  • compromised: indicates that the key has its security affected and can no longer be used in cryptographic operations. In some cases, as in symmetric keys, it can be used to recover the encrypted data for later encryption with another key.
  • destroyed: this status indicates that a key is no longer required. The destruction of the key is the final stage and can be achieved due to the end of the key’s usage cycle or the compromise of its security.
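
As an added example (not code from this article or from EVAL), the key identification attributes and the lifecycle states above modelled in Go: `Transition` enforces the allowed state changes and `Authorize` decides whether a principal may perform an operation with a key given its state, its period of use and who is authorized. The transition table and the rule that only a compromised symmetric key may still decrypt, for re-keying, are assumptions taken from the descriptions above.

```go
package main

import (
	"errors"
	"time"
)

// State is one of the lifecycle states the article lists (NIST model).
type State int

const (
	Generated     State = iota // created, not yet ready for use
	PreActivation              // waiting for its period of use or a certificate
	Activated                  // available for use
	Suspended                  // temporarily out of use
	Inactivated                // no new ciphering or signing; old data still processable
	Compromised                // security affected; at most recover data for re-keying
	Destroyed                  // final state, nothing is allowed
)

// Operation is what a system asks a key to do.
type Operation string

const Encrypt, Decrypt, Sign, Verify Operation = "encrypt", "decrypt", "sign", "verify"

// Key carries the identification the article asks for (type, purpose, who may
// use it, period of use) together with its current lifecycle state.
type Key struct {
	ID         string
	Symmetric  bool
	Purpose    string
	Authorized map[string]bool // principals allowed to use the key
	NotBefore  time.Time
	NotAfter   time.Time
	State      State
}

// transitions lists the allowed next states (assumed); anything else is rejected.
var transitions = map[State][]State{
	Generated:     {PreActivation, Activated, Destroyed},
	PreActivation: {Activated, Compromised, Destroyed},
	Activated:     {Suspended, Inactivated, Compromised, Destroyed},
	Suspended:     {Activated, Inactivated, Compromised, Destroyed},
	Inactivated:   {Compromised, Destroyed},
	Compromised:   {Destroyed},
}

// Transition moves the key to a new state if the lifecycle allows it.
func (k *Key) Transition(to State) error {
	for _, s := range transitions[k.State] {
		if s == to {
			k.State = to
			return nil
		}
	}
	return errors.New("key " + k.ID + ": lifecycle transition not allowed")
}

// Authorize is the authorization service combined with the lifecycle rules:
// may this principal perform this operation with this key, at this moment?
func (k *Key) Authorize(principal string, op Operation, now time.Time) error {
	if !k.Authorized[principal] {
		return errors.New(principal + " is not authorized to use key " + k.ID)
	}
	if now.Before(k.NotBefore) || now.After(k.NotAfter) {
		return errors.New("key " + k.ID + " is outside its period of use")
	}
	switch k.State {
	case Activated:
		return nil
	case Suspended, Inactivated:
		if op == Encrypt || op == Sign { // operations that produce new protected data
			return errors.New("key " + k.ID + " may only recover data or verify signatures")
		}
		return nil
	case Compromised:
		// Symmetric keys may still decrypt, only so data can be re-encrypted under a new key.
		if k.Symmetric && op == Decrypt {
			return nil
		}
		return errors.New("key " + k.ID + " is compromised")
	}
	return errors.New("key " + k.ID + " is not usable in its current state")
}
```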

Generally speaking, both healthcare institutions and all organizations should focus on continuous improvement while managing their risks at a price that is compatible with their reality.

Companies should critically evaluate how to protect their systems. They should also consider the “root causes” of security incidents in their environments as part of a risk assessment.

As systems become more secure and institutions adopt effective measures to manage their processes, key management becomes increasingly essential. Protecting a healthcare organization’s data is critical to the security of its patients’ information.


Difference between encryption types for data protection

Companies can reduce the likelihood of a data breach, and thus reduce the risk of future fines under the General Data Protection Law (LGPD), if they choose to use encryption for data protection.

The processing of personal data is naturally associated with a certain degree of risk, especially nowadays, when cyber attacks are almost inevitable for companies.

Therefore, encryption for data protection plays an increasing role in IT security for a large share of companies.

In general, encryption refers to the procedure that converts unencrypted text, also known as cleartext, into unreadable information by means of a key, where the output only becomes readable again using the correct key.

This minimizes the risk of an incident during data processing, as the encrypted content is basically unreadable to third parties who do not have the correct key.

Encryption is the best way to protect data during transfer and is a way to protect stored personal data. It also reduces the risk of abuse within a company, as access is limited to only authorized people with the right key.

Encryption for data protection and the GDPR: what you should know

In today’s age of computers, encryption is often associated with the process in which ordinary plaintext is converted into ciphertext, text constructed so that only the intended recipient can decode it; this discipline is known as cryptography.

The process of converting ciphertext into plaintext is known as decryption.

The main uses of encryption are as follows:

  • Confidentiality: the information can only be accessed by the person for whom it is intended, and by no one else;
  • Digital signature: the information is signed so that its sender can be identified, with integrity and non-repudiation;
  • Integrity: the information cannot be modified in storage or in transit between the sender and the intended recipient without the change being detected;
  • Authentication: the identities of the sender and recipient are confirmed, as is the destination/source of the information.

Types of encryption for data protection:

In general, there are three types of encryption for data protection:

  • Symmetric key cryptography

It is an encryption system where the sender and receiver of the message use a single common key to encrypt and decrypt messages.

Symmetric key systems are faster and simpler, but the problem is that the sender and recipient need to somehow exchange the key in a secure way.

The most popular symmetric key cryptosystems are the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES);

  • Hash functions

No key is used in this type of algorithm. A fixed-length hash value is computed from the plaintext, from which the plaintext content cannot be recovered. Many operating systems use hash functions to protect stored passwords;

  • Asymmetric key cryptography

In this system, a key pair is used to encrypt and decrypt information. A public key is used to encrypt and a private key is used to decrypt.

The public key and the private key are different. Even if the public key is known to everyone, only the intended receiver can decrypt the message, because only they know the private key.

To maintain confidentiality in the storage and transit of data

Encryption allows data to be stored in encrypted form, keeping it out of attackers’ reach.

Reliability of transmission

A conventional approach that enables reliability is to perform encryption of the transmission channel, either symmetric or asymmetric or even a combination of the two encryptions.

If you use symmetric cryptography, both parties need the same key to encrypt and decrypt the information, so you must find some way to exchange that key securely; this key exchange is itself a problem to be solved.

It is worth remembering that this method performs well.

Another way is to use asymmetric cryptography, in which the recipient’s public key is used so that the message can be opened only by the recipient, who holds the corresponding private key.

The problem with this type of use is performance.

Identity Authentication

Authenticity, which aims to establish that the sender of the message is who they claim to be, makes use of PKI (Public Key Infrastructure).

This is done by encrypting (signing) the message with the sender’s private key: since anyone can obtain the corresponding public key, it can be verified that the message was generated by the appropriate sender.

Why is encryption for data protection crucial for LGPD compliance?

While there are no explicit encryption requirements in the General Data Protection Law (LGPD), the legislation does require you to apply security measures and safeguards.

The LGPD highlights the need to use appropriate technical and organizational measures for personal data security.

Because encryption makes information unreadable and unusable to anyone without a valid cryptographic key, encryption strategies for data protection can be extremely beneficial to your company in the event of a data breach and the resulting obligations under the LGPD.

Remember the LGPD requirement to notify customers affected by a security incident?

By encrypting your data, you reduce the chance of having to fulfil this obligation after a cyber attack or other type of incident.

No information is technically “breached” if the data is unintelligible to the attacker.

How to choose the most appropriate way to ensure data security?

The Thales CipherTrust Data Security platform preserves the entire structure and integrity of your company’s data, and the format of the fields in the database, whatever it may be: Oracle, SQL, MySQL, DB2, PostgreSQL, you name it.

Simple, comprehensive and effective, CipherTrust provides capabilities to secure and control access to databases, files and containers – and can protect assets located in cloud, virtual, big data and physical environments.

With CipherTrust, you can protect your company’s data and anonymize your sensitive assets, ensuring security for your company and avoiding future problems with data leakage.
