Strac's Weekly Newsletter - Latest News in Data Privacy

Hi folks,

Hope you are all having a great week. Another busy week in the data loss prevention world.

In this edition, I answer the question "What is Cloud Data Loss Prevention (DLP)?" and share my recent blogs, A Complete Guide to Slack Data Loss Prevention and How to Redact an Email in Outlook or Office 365.

Additionally, we share articles about the comeback of the ransomware operation LockBit, a system breach at U-Haul affecting 67,000 customers, and HHS OCR's request to Congress for increased funding to support its HIPAA-related initiatives. We also highlight security roles at ThousandEyes, Notion and DocuSign.

Lastly, if you need help scanning for sensitive data or eliminating data leaks from SaaS, Endpoint, Cloud, and Generative AI, with the ability to instantly detect and remediate (redact, block, alert) PII, PHI, PCI, or other sensitive data, or to comply with PCI, HIPAA, SOC 2, GDPR, CCPA, etc., book a call with me here.

Warmly,

Aatish

Strac’s Latest Views on Securing User Data

What is Cloud Data Loss Prevention (DLP)?

Here, I offer an overview of Cloud Data Loss Prevention (DLP), detailing its significance, benefits, key features, best practices, and how to choose the right solution. Cloud DLP ensures the security of sensitive information throughout its lifecycle in the cloud, offering benefits such as preventing data breaches, data classification, visibility, shadow IT prevention, continuous monitoring, and seamless data security. Key features include content and context awareness, timely alerts, machine learning insights, and automation. Best practices include sensitive data discovery, user group definition, data prioritization, a zero-trust encryption policy, and user behavior monitoring. When choosing a Cloud DLP solution, organizations should consider features like content-based monitoring, comprehensive scanning, encryption capabilities, activity tracking, and excellent customer service. Additionally, I highlight Strac's solution, which has intelligent redaction features and adheres to various compliance regulations. Book a call with me here to talk more about this.

Read more here

A Complete Guide to Slack Data Loss Prevention

In this article, I provide a comprehensive guide to Slack Data Loss Prevention (DLP), highlighting the importance of data security, Slack's security measures, the absence of built-in DLP in Slack for HIPAA compliance, the role of third-party tools, Slack Connect's DLP feature, essential functionalities for a DLP solution, implementation of Slack DLP, and the role of Strac in ensuring compliance and securing Slack data. I also discuss the significance of data security, compliance with regulatory standards, and the need for robust DLP measures to prevent data breaches and unauthorized sharing of sensitive information. Book a call with me here to talk more about this.

Read more here

How to redact an email in Outlook or Office 365

In this blog, I provide guidance on redacting sensitive information from emails in Outlook or Office 365. I emphasize the importance of redaction for data protection and compliance with privacy laws. While Outlook lacks a manual redaction feature, the Strac Office 365 Email Redactor app can be used for automatic redaction and compliance reporting. I also discuss limitations of Outlook's recall feature and the proactive nature of redaction compared to recall. Additionally, I highlight our capabilities at Strac for email data loss prevention and redaction of old emails to comply with privacy laws. Book a call with me here to talk more about this.

Read more here

Recent Data Privacy News

HHS OCR Tells Congress It Needs More Funding for HIPAA Work

The Department of Health and Human Services' Office for Civil Rights (OCR) informed Congress about its increasing workload due to rising health data breaches and HIPAA complaints. Despite this surge, OCR lacks sufficient funding to manage its responsibilities effectively. The number of reported breaches and complaints has notably increased, with hacking incidents being the most common type of breach. OCR attributes its challenges to stagnant funding levels, reduced penalty collections, and increased workload due to regulatory changes. Limited resources hinder OCR's ability to enforce HIPAA effectively, including conducting mandated audits. The agency is also involved in updating HIPAA regulations and supporting cybersecurity initiatives within the healthcare sector.

Read more here

Ransomware Operation LockBit Relaunches Dark Web Leak Site

Russian-speaking ransomware group LockBit has relaunched its dark web leak site, following a takedown by law enforcement under Operation Cronos. The group's leader, LockBitSupp, issued a statement accusing the FBI of exploiting a PHP vulnerability to breach their servers. Despite law enforcement's efforts, LockBit vows to continue its criminal activities. However, experts believe LockBit has been significantly weakened by the takedown and question the credibility of their claims. Law enforcement's actions have caused doubt and fear within the criminal underground, impacting LockBit's reputation and operations.

Learn more here

U-Haul says 67,000 Customers Affected in Records System Breach

U-Haul disclosed a data breach affecting 67,000 customers in the U.S. and Canada. The breach, which occurred in December, involved unauthorized access to a system used by U-Haul dealers to manage reservations and customer records. Compromised data included driver's license numbers, but not payment information. U-Haul is investigating with a cybersecurity company and offering affected customers free credit monitoring. The company is also implementing additional security measures to prevent future incidents.

Learn more here

Security Jobs on the Market

ThousandEyes (part of Cisco) is hiring an Information Security Engineer, FedRAMP

Looking for: “An exceptional Information Security Engineer with strong project management skills to support our Information Security and Privacy Risk Management function.”

Skills required: the successful applicant will be performing work in FedRAMP Moderate or FedRAMP High environments and therefore must be a U.S. person (i.e., U.S. citizen, U.S. national, lawful permanent resident, asylee, or refugee); 5 to 7 years of experience in information security or a related domain; a BS or MS degree in computer science (or equivalent); practical use and implementation of information security principles and practices; understanding of IT methodologies such as the software development lifecycle, secure infrastructure (such as infrastructure as code) and related operations; familiarity with vulnerability management tools; understanding of cloud computing services; and strong scripting, automation, and containerization skills.

Learn more here
Notion is hiring a Product Security Engineer

Looking for: “Software Engineers that have a passion for security…”

Skills required: secure software development expertise, full-stack development expertise, security architecture expertise, thoughtful problem solving, the ability to advocate for and lead cross-functional projects, a pragmatic and business-oriented approach, and empathetic communication.

Learn more here

DocuSign is hiring a Security Compliance Manager

Looking for: “a Security Compliance Manager responsible for maintaining and leading new and ongoing DocuSign security commercial certification audits and self-assessments…”

Skills required: a BA/BS degree in Computer Science, Information Systems, a related field, or equivalent work experience; 5+ years of relevant work experience in security, compliance, auditing, assessments, or other GRC-related work; 2+ years of experience leading security compliance audits and/or customer audits; experience with the audit lifecycle, including testing controls and writing test scripts in various environments and functions; experience working with cross-functional departments and partners to communicate security compliance issues, risks, and recommendations; an industry certification such as CISSP, CISA, CISM, CRISC, ISO 27001 Lead Auditor, CompTIA Security+, AWS/Azure Security, and/or an equivalent GRC certification; experience reviewing the compliance evidence required for audits; experience coaching and preparing technical teams and SMEs for audit interviews; and experience engaging with internal, external, and customer auditors.

Learn more here

Book a demo to learn more about how we help our clients eliminate data leaks from SaaS, Endpoint, Cloud, and Generative AI.