The Nightfall blog is a knowledgebase for cybersecurity professionals with news and insights from the world of cloud security. Each week we’re publishing new content to help you stay up-to-date on cybersecurity topics and to prepare you for the issues and threats that occur every day on the job.
This month, we’re happy to present our original research on the top 100 data breaches of the past 15+ years. Our report uncovers knowledge and data that shows how dire the data breach problem has become in the new millennium. We’re sharing this report to help you understand your own level of risk and to give you some tips on how to build an infosec strategy that protects sensitive information within your cloud environments. We’re also sharing a set of blog posts on HIPAA compliance in many popular SaaS apps like Google Drive, Zendesk, Atlassian Cloud, and more. To complement those pieces, we also have a short series on data compliance for PCI, PHI, and PII. Finally, catch up with the latest from the CISO Insider podcast — a two part discussion with Segment CISO Coleen Coolidge.
Thank you for subscribing to our updates! We wish the very best to you and your loved ones.
The Anatomy of mega-breaches: An analysis of the top 100 data breaches of the past 15+ years
Over the past 15+ years, the security industry has seen the growth of a concerning trend – the rise of “mega-breaches” impacting 1 million or more records. In order to investigate how the trend of mega-breaches has taken shape over the last 15+ years, we took a look at the top 100 breaches between 2004 and 2020, ranked by the number of records impacted. Based on our analysis, we found that on average mega-breaches increased 36% year over year. After 2016, mega-breaches impacting more than 500 million records became more frequent. In 2020, yet another concerning milestone was reached when multiple breaches impacting billions of records occurred.
Our research indicates that this upward trend in the severity and frequency of mega-breaches is just beginning. We created this report to help security teams understand the need to invest in tools that will provide better visibility into where in the cloud their data is stored, as well as tools that can track and manage vulnerabilities in their systems and programs.
Read the full report to get more data on mega-breaches and resources that can help you manage your attack surface.
CISO Insider S2E2 — Assuming good risk as a CISO with Coleen Coolidge, Part 1
Segment CISO Coleen Coolidge joins CISO Insider to talk about what she’s learned on her journey in cybersecurity. We talk about topics like the value of doing compliance well as an affirmation that your team is doing security the right way, approaching mergers and acquisitions as the acquirer with a learning mindset, and the bravery that’s required for CISOs to excel as good people managers and good security practitioners.
Read and listen to part 1 of our chat.
CISO Insider S2E3 — Controlling your affect with Coleen Coolidge, Part 2
In part two of our chat with Segment CISO Coleen Coolidge on CISO Insider, we discuss what it takes for CISOs to be successful in ever-changing times, planning for the post-COVID world, managing obstacles to success, investing in mental health, building resilience, and social education.
Get the full episode now.
Is Dropbox HIPAA compliant?
Dropbox is a widely-used file-sharing and storage tool, and is a critical part of many organizations’ tech stacks. However, organizations working in the healthcare space should be aware that Dropbox is not HIPAA compliant out of the box. As is the case with most applications, it has to be configured properly before it can be used by a HIPAA-covered entity.
Read more for a list of the most important steps you should take to ensure HIPAA compliance when using Dropbox to share and store sensitive information.
Is Google Drive HIPAA compliant?
How can healthcare organizations use Google Drive while remaining compliant with HIPAA? Because there is no such thing as a HIPAA certification, evaluating whether an app can be used by HIPAA-bound organizations can be difficult. Luckily, Google Drive and certain Google Workspace services can be used by HIPAA-covered entities if certain conditions are met and maintained while your organization remains a Google customer.
Read more to learn how users can achieve HIPAA compliance when using Google Drive to collaborate across the cloud.
Is Zendesk HIPAA compliant?
As an omni-channel customer service solution, Zendesk allows for companies to meet customers where they are by providing a variety of options for customer support, intake, and management of the overall customer experience process. The list of organizations turning to Zendesk has increasingly begun to include healthcare organizations of all stripes — which means these organizations must have HIPAA compliance to secure protected health information (PHI).
Read more on how healthcare organizations can leverage Zendesk and ensure compliance while using the service, including the steps required to execute a business associate agreement (BAA) for protecting sensitive information within the platform.
Is Atlassian Cloud HIPAA compliant?
At the tail end of the COVID pandemic, with companies remaining remote, the demand for cloud services in the enterprise is the highest it’s ever been. Healthcare organizations, which more directly encountered the acute challenges posed by the pandemic, were among the first to be shaped by the current wave of digital transformation. Companies like Atlassian have been built from the ground up to enable digital transformation, so it’s no surprise to us that we often get asked if Atlassian Cloud is HIPAA-compliant.
Read more to get answers to questions on HIPAA compliance for Atlassian like:
- Can Atlassian products be configured to be HIPAA-compliant?
- Could Atlassian Cloud become HIPAA-compliant in the future?
Evaluating content inspection engines for data classification applications
Many organizations recognize the need to discover, classify, and protect their sensitive information stored in cloud applications (SaaS) and infrastructure (IaaS) via a dedicated cloud content inspection process. Since cloud-native detection engines are a relatively new technology, many corporate Information Security teams or Product Security developers are not yet familiar with how to effectively evaluate cloud content detection.
Some cloud DLP vendors capitalize on this lack of standardized evaluation criteria, promoting attention-grabbing statistics on their websites such as “99% accuracy.” While these numbers may make you feel like you’re getting a great solution, they are actually somewhat meaningless without some additional context, and ultimately can distract you from the key questions you really should be asking.
Read tips from our expert team of data scientists and machine learning engineers to know what to look for when evaluating a detection engine for data loss prevention (DLP) or other content inspection, beyond the splashy numbers.
Cloud security architecture: 5 Best practices
Cloud programs like Slack and Google Drive allow businesses to work collaboratively and efficiently, often at a low cost. However, these cloud platforms open a business up to new levels of risk: sharing information via cloud programs can put customer data at risk through inadvertent mis-sharing and data proliferation. Cloud security architecture best practices can help infosec teams recognize and remedy vulnerabilities that result from using cloud service providers.
Read up on five best practices that enable IT teams to gain visibility into a cloud ecosystem and protect information effectively.
What Is DevSecOps and how to implement it
DevSecOps follows the same trend as Agile and DevOps: how can developers create software that’s better, faster, and less expensive? The DevSecOps motto, “software, safer, sooner,” recognizes security as a critical component of modern product development.
Security was previously an afterthought in the product development lifecycle. Now it’s becoming an integral part of the process. New methodologies like shift left offer clear advantages to companies seeking to protect valuable data while still moving quickly. Read more on the meaning of DevSecOps, some key benefits, and DevSecOps best practices.
Nightfall’s DLP API adds data discovery and classification to your applications
As a cloud-native data loss prevention solution, Nightfall DLP can natively integrate with popular SaaS applications in order to protect against the proliferation or exposure of sensitive data in these environments. With our native integrations, Nightfall helps keep client data safe on apps including Slack, GitHub, Google Drive, Confluence, and Jira.
Did you know that Nightfall also exists as a standalone DLP API? With the Nightfall Developer Platform you can embed the same great features found in our native integrations into any application of your choice, including custom-built internal applications as well as applications or services that you provide to your own customers. And with robust developer documentation and tutorials, custom Nightfall integrations can be deployed much more easily than you might think.
Read how the Nightfall Developer Platform is different from DLP SDKs already on the market, and how to use this standalone DLP API — plus see how Nightfall customer Aaron’s uses the Nightfall Developer Platform in tandem with the ServiceNow developer platform to classify information they are sending into ServiceNow via their employee-facing application.
Is Slack secure? Vulnerabilities and solutions
Slack has become one of the most integral platforms for businesses over the last decade, with more than 12 million active users. Despite its popularity, however, there are some Slack security concerns that linger from some of the platform’s most severe security breaches. Slack remains an appealing target for many hackers that use a combination of social engineering and old-fashioned malware to access user data.
Here’s what you need to know about Slack security and how to protect your sensitive information on the platform.
PHI compliance: What it is and how to achieve it
For organizations that work in or partner with the healthcare industry, HIPAA compliance is of paramount importance. Keeping a patient’s medical records and personal information safe isn’t just a matter of avoiding penalties. It’s also key to building trust with patients and, ultimately, providing great patient care.
Read more on what health organizations and their partners need to know about protected health information (PHI) and how to protect PHI, including compliance requirements, the information that makes PHI identifiable in cloud systems, the difference between PHI and individually identifiable health information (IIHI), and more.
PII compliance checklist & best practices
By 2023, more than 60% of the world’s population will be covered by some form of personal data protection legislation. From GDPR to CalPRA, privacy regulations are on the rise. These compliance regimes aim to protect a user’s rights to their data — which, in practice, means that businesses need to implement more effective approaches to security.
Read more on how to protect PII across your cloud systems, what the current landscape of PII compliance looks like, and a checklist with concrete steps to implement PII compliance best practices.
Open source data loss prevention for helpdesk ticketing systems
When your customers need help, ticketing systems provide the first line of communication between your company and your customers. Solving a problem or resolving an issue for your customers often requires collecting a lot of information and context throughout the support interaction. These interactions can be captured through a myriad of channels including but not limited to messaging apps, SMS, social media, help centers, forums, bots, video conferencing, and more.
Some of the most popular ticketing systems that power these services include providers like Zendesk, Salesforce, Freshdesk, HubSpot, Kustomer, and more. In this connected world, information is exchanged quickly and is relied upon by companies to deliver best-in-class customer support experiences, and it is imperative that companies are good stewards of their customers’ data.
Read how cloud-native DLP can help protect customer information within support ticketing systems and helpdesk platforms.
The Basics of PCI compliance: Merchant levels and requirements
PCI compliance is important for your customers and your business. Merchants that fall short of PCI compliance standards not only put their customer data at risk, they may also face hefty fines ranging from $5,000 to $100,000 per month. If you don’t achieve PCI compliance, these fees start to add up quickly and you’re putting your entire organization at risk of being dropped by your credit card merchant.
The goal of PCI compliance is to protect customer data from falling into the wrong hands. By implementing common-sense security measures, you can achieve PCI compliance with relative ease. Read more about the basics of PCI compliance and learn how to uncomplicate this essential part of your regulatory requirements.