Security

According to the IGI, Information Governance Continues To Gain Traction: Information Governance Trends

Last week, the Information Governance Initiative (IGI) released Volume III of their State of Information Governance Report – the third (annual) edition of the Report, which is based on “extensive” surveying of Information Governance (IG) practitioners and providers.  So, is Information Governance gaining traction in organizations? (Well, duh, I gave the answer away in the title of this post, didn’t I?)  :o)

I couldn’t find a total number of respondents mentioned in the report, but it does note that the survey “reached an estimated audience of approximately 100,000 practitioners through our network and those of our partners and Supporters” and that “the majority of respondents came from our own community of IG practitioners.”  For what it’s worth.

Regardless, the report contains several findings, including these highlights:

  • Only 2 percent of respondents have never undertaken an IG project. When compared to last year, the number of respondents reporting they have never undertaken an Information Governance project fell by a dramatic 90 percent.
  • There was a 41 percent rise in the number of professionals who say the IG market is clearly identified, with just over a third of respondents (7 percent) agreeing or strongly agreeing that the IG market is clearly defined.
  • There was also a 26 percent rise in the number of organizations with an IG Steering Committee (to 46 percent) and a 41 percent rise in the number of IG leaders with “Information Governance” in their title (to 52 percent).
  • More organizations are also realizing more business value from their data with those extracting value from data rising from 16 percent last year to 46 percent this year.
  • Integration between IG and cybersecurity programs is accelerating, with 48 percent of respondents agreeing that IG is essential to strong cybersecurity.
  • This year, only 4 percent of respondents reported having no active IG projects – a 64 percent drop from last year. However, according to the respondents, the main barrier to IG progress remains a lack of organizational awareness, so there’s still work to be done.

The report cites a couple of factors as driving greater emphasis on information governance: the Equifax breach, which affected 143 million American citizens and new legal and regulatory developments, like the EU’s General Data Protection Regulation (GDPR).  Regarding GDPR in particular, the report states:

“GDPR asks organizations to zero in on the reasons they store data in the first place. Without consent and justifiable reasons for storing the data, organizations are required to delete it. It is a refocus from an attitude of ‘If in doubt, keep’ to one of ‘If in doubt, delete’. Facing a drive for better governance and defensible deletion across at least a subset of their data, organizations are now beginning to more loudly ask those questions that high-profile data disasters raise: Why does this information exist? Why are we holding on to it? What value does it have, and what kind of risk does it represent?”

Needless to say, GDPR will be a major driver in adoption of information governance.

The report is contained within a 63 page PDF, full of detailed information regarding the state of information governance today, but it also includes a two page state of the industry report “quick read” with some of the key findings on pages 3 and 4 (if you want to hit the highlights quickly).  To download a copy of the report, click here (requires an IGI profile to be set up, which is free).

So, what do you think?  Are you surprised by any of these results?  Does your organization have any active IG projects?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Only 53 Percent of Surveyed Security Officers Are Confident in Security of Data by Third Parties: Cybersecurity Trends

A recently issued report provides an interesting look at how Chief Information Security Officers (CISOs) and others responsible for security are addressing the challenges in today’s cybersecurity climate.

The report (The Shifting Cybersecurity Landscape: How CISOs and Security Leaders Are Managing Evolving Global Risks to Safeguard Data, by Ankura and Ari Kaplan Advisors), issued earlier this month, explores the roles of CISOs (chief information security officers), the adoption of cloud technology and how entities are auditing their vendors.  Ankura partnered with Ari Kaplan Advisors and interviewed 30 industry leaders in August 2017, to detect how corporations are adapting to today’s evolving threat landscape.  Most of these were large organizations (70 percent with over $1 billion in annual revenue, 80 percent with over 5,000 employees).

Interesting findings include:

  • 97 percent of the respondents indicated they were evaluating security practices of their vendors, partners, law firms, and third parties that interact with their data. For 17 percent of them, regulatory requirements have driven that effort.
  • However, only 53 percent said they were confident in the security of their data being managed by vendors, partners, and other third parties.
  • 57 percent of the participants noted that their organizations are periodically involved in litigation or investigations that require them to transfer information to law firms and eDiscovery vendors, among others. 27 percent frequently need to do so.
  • 87 percent of respondents were using third-party cloud providers to “host non-critical information” to save money and streamline business processes. 17 percent of the respondents noted that Office 365 is a common impetus for moving to the cloud.
  • 77 percent of respondents advised that the scope of their managed security services includes incident response. And, for 63 percent, that support included onsite response. However, only 37 percent were confident that their managed services provider would provide a legally defensible investigation if they were the victim of a breach or other cyber incident.
  • 80 percent of respondents reported having a Bring Your Own Device (BYOD) plan, though some noted that their plan is to prohibit personal devices. 63 percent believe that those gadgets contain company sensitive information.

GDPR is one significant regulatory requirement affecting security considerations, with one respondent stating that “GDPR will influence the way many companies appraise their partners, given the expansion of responsibilities for both data controllers and processors under the new privacy framework set for implementation in 2018.”  Good thing we have a webcast on the topic tomorrow!  :o)

The report, a 24 page PDF, chock full of other statistics and findings, is available here.  As always, hat tip to Sharon Nelson of the Ride the Lightning blog for her coverage of the report.

So, what do you think?  Do any of these numbers surprise you?  Do you disagree with any of them?  Please share any comments you might have or if you’d like to know more about a particular topic.

Start Planning for Next Year, This Year: eDiscovery Trends

We’re getting close to the end of another year.  What do organized people in eDiscovery do when that happens?  Start planning for next year.

On his excellent Complex Discovery blog, Rob Robinson helps you get a “running start” in your planning for next year, with a preliminary list of eDiscovery-related industry events for 2018.  From Legalweek (a.k.a., Legaltech) at the end of January to The Masters Conference Orlando event in November, Rob has identified 41 initial eDiscovery and cybersecurity related events (with links to each) to consider adding to your calendar for next year.  Here are a few highlights:

These are just a few of the cool events related to eDiscovery and cybersecurity for next year.  In addition, you have terrific regional events, like The Masters Conference, which has events planned next year for Dallas, San Francisco, Chicago, Denver, New York, London, Washington DC and (as mentioned above) Orlando.

Of course, other events will undoubtedly be added to the calendar as the year progresses (for example, I would guess there would be another E-Discovery Day in December, though I doubt it will be on December 1 as that falls on a Saturday next year – consider it a “floating” holiday, haha).  Regardless, Rob’s list (once again) provides a great eDiscovery and cybersecurity related event list by which to plan your 2018 event activities.  Click here to access the list.

So, what do you think?  Do you have a favorite eDiscovery or cybersecurity event you like to attend every year?  Please share any comments you might have or if you’d like to know more about a particular topic.

Uber’s Response to Data Breach? Pay the Hackers to Keep Quiet About It: Cybersecurity Trends

Hackers stole the personal data of 57 million customers and drivers from Uber last year.  Their response?  Conceal the breach for more than a year, and pay the hackers $100,000 to delete the data (sure they did) and keep quiet about the breach.

As reported on Bloomberg (Uber Paid Hackers to Delete Stolen Data on 57 Million People, written by Eric Newcomer) last week, compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

According to Bloomberg, the breach occurred when two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

Travis Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. According to Bloomberg, Kalanick declined to comment on the hack.

Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg.  Dara Khosrowshahi, the new CEO as of September, asked for the resignation of Sullivan and fired Craig Clark, a senior lawyer who reported to Sullivan.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in an emailed statement. “We are changing the way we do business.”

After Uber’s disclosure, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick said. And it should come as no surprise that the company has already been sued for negligence over the breach by a customer seeking class-action status.

So, what do you think?  How severely should Uber be punished for failing to disclose the breach?  Please share any comments you might have or if you’d like to know more about a particular topic.

Hat tip (as always) to Sharon Nelson of Ride the Lightning for her coverage of the story.

Facebook Wants You to Send Them Your Naked Pictures to Prevent Revenge Porn. I’m Not Kidding: Data Privacy Trends

It sounds crazy, right?  Facebook wants you to stop worrying about your nudes being shared without your consent by actually sending it your nude photos.  It may not be as crazy as it sounds.

In the article Facebook: upload your nudes to stop revenge porn, written by Lisa Vaas on the aptly named site Naked Security (what else?), the concept is introduced this way: “Facebook hasn’t given much detail, but from what little has been shared it sounds like it’s planning to use hashes of our nude images, just like law enforcement uses hashes of known child abuse imagery.”

Just as we generate hash values of documents in eDiscovery to identify duplicates, the same type of technology can be applied to photos.  So, the same photo, or identical copies of it, will always create the same hash.  A hash of your most intimate picture is no more revealing than this example provided in the article:

48008908c31b9c8f8ba6bf2a4a283f29c15309b1

Since 2008, the National Center for Missing & Exploited Children (NCMEC) has made available a list of hash values for known child sexual abuse images, provided by ISPs, that enables companies to check large volumes of files for matches without those companies themselves having to keep copies of offending images or to actually pry open people’s private messages.

The hash originally used to create unique file identifiers was MD5, but Microsoft at one point donated its own PhotoDNA technology (which creates a unique signature for an image by converting it to black and white, resizing it, and breaking it into a grid) to the effort.

Facebook hasn’t provided any detail as to whether that’s the technology it plans to use, but it has announced a pilot program with four countries – the UK, the US, Australia and Canada – in which people will typically be advised to send the photos to themselves via Messenger.  Facebook says that it won’t be storing nude pictures but will use photo-matching technology to tag the images after they’re sent via its encrypted Messenger service.  In theory, that would be enough to enable Facebook to take action to prevent any re-uploads, without the photo being stored or viewed by employees.
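To make the hash-matching idea above concrete, here is an added Python example (not code from the article, Facebook or Microsoft): an exact SHA-1 hash catches identical copies only, while a toy grid-based perceptual hash in the spirit of the PhotoDNA description (grayscale, downscale, grid) also catches a copy whose pixels were nudged by a re-encode. The blocklist keeps only hashes, never the pixels. The sample images, the 8×8 grid and the distance threshold are constructed assumptions.

```python
import hashlib

# Constructed sample data (not from the article): tiny 8-bit grayscale
# "images" represented as lists of rows, pixels[y][x] in 0..255.
W = H = 64


def gradient_image(shift=0):
    """Diagonal gradient; `shift` simulates a re-encode that nudges every pixel."""
    return [[min(255, (x + y) * 2 + shift) for x in range(W)] for y in range(H)]


def half_image():
    """An unrelated picture: bright left half, dark right half."""
    return [[255 if x < W // 2 else 0 for x in range(W)] for y in range(H)]


def exact_hash(pixels):
    """Cryptographic hash of the raw pixel bytes: matches identical copies only."""
    h = hashlib.sha1()
    for row in pixels:
        h.update(bytes(row))
    return h.hexdigest()


def grid_hash(pixels, grid=8):
    """Toy perceptual hash (hypothetical simplification of the PhotoDNA idea):
    average each block of a grid x grid layout, then emit one bit per block
    saying whether that block is brighter than the mean of all blocks."""
    bh, bw = len(pixels) // grid, len(pixels[0]) // grid
    blocks = []
    for by in range(grid):
        for bx in range(grid):
            total = sum(pixels[y][x]
                        for y in range(by * bh, (by + 1) * bh)
                        for x in range(bx * bw, (bx + 1) * bw))
            blocks.append(total / (bh * bw))
    mean = sum(blocks) / len(blocks)
    return sum(1 << i for i, b in enumerate(blocks) if b > mean)


def hamming(a, b):
    """Number of differing bits between two grid hashes."""
    return bin(a ^ b).count("1")


class HashBlocklist:
    """Stores hashes only; the images themselves are never retained."""
    THRESHOLD = 10  # assumed maximum bit distance for a "near duplicate"

    def __init__(self):
        self.exact = set()
        self.perceptual = set()

    def add(self, pixels):
        self.exact.add(exact_hash(pixels))
        self.perceptual.add(grid_hash(pixels))

    def match(self, pixels):
        """Returns 'exact', 'near' or None for an uploaded image."""
        if exact_hash(pixels) in self.exact:
            return "exact"
        g = grid_hash(pixels)
        if any(hamming(g, known) <= self.THRESHOLD for known in self.perceptual):
            return "near"
        return None


def demo():
    bl = HashBlocklist()
    bl.add(gradient_image())           # the photo the owner reported
    return {
        "copy": bl.match(gradient_image()),             # identical bytes
        "re_encoded": bl.match(gradient_image(shift=1)),  # same picture, new bytes
        "unrelated": bl.match(half_image()),            # a different picture
        "unrelated_distance": hamming(grid_hash(gradient_image()),
                                      grid_hash(half_image())),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The re-encoded copy is the case the author's question about safeguards does not cover: an exact hash misses it, and only the perceptual hash ties it back to the reported image.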

The author notes that she has submitted questions to Facebook for more info and poses an interesting question in the article: “For example, what safeguards are in place to ensure that people can’t take any old picture they want – a non-porn publicity photo, for example – and send it in, under the false premise that it’s a nude and that it’s a photo they themselves have the rights to have expunged from social media circulation?”

Good question.  Nonetheless, it’s an interesting concept and idea to prevent revenge porn – provided you can actually convince people to upload those photos and trust Facebook with them.

So, what do you think?  Do you trust hash technology to keep your most embarrassing photos from becoming public? As always, please share any comments you might have or if you’d like to know more about a particular topic.

Hat tip to Sharon Nelson and her Ride the Lightning blog (my go to source for interesting cybersecurity news) for the reference to the story.

IT Will Scare You – eDiscovery Horrors!

Today is Halloween!  Hard to believe, but for eight years now, we have identified stories to try to “scare” you with tales of eDiscovery and cybersecurity horrors because we are, after all, an eDiscovery blog.  Let’s see how we do this year.  Will IT scare you?

Evidently, until just a few days ago, this firm failed to acknowledge a data breach that occurred last year (involving some of Britain’s wealthiest people) until international journalists had a chance to see the leaked information.

What about this?

More rich people compromised.  When you’re a lawyer and you find out that you’ve inadvertently produced client confidential information in litigation, it’s a bad day. When you find out that confidential information is personal information on thousands of the wealthiest investors in your client’s portfolio, it’s an even worse day. And, when you find out that disclosure is being covered by The New York Times, it’s a lawyer’s worst nightmare.

Or this?

Did you know that everything you’ve learned about how to create secure passwords for the past few years is wrong?

How about this?

You probably think that using three different evidence wiping programs before turning over a laptop for inspection will certainly lead to sanctions for spoliation.  Not necessarily.

Or maybe this?

Think data breaches are expensive?  Try this one.  A major data breach cost this health insurance provider over $100 million to settle the class-action lawsuit against it.

Have you considered this?

On this Halloween, a real tale of murder (no joke) and how the victim’s Fitbit may have blown her husband’s story of what happened apart.  Then again, maybe it’s not so surprising, considering how much data each of us generates every minute.

Finally, how about this?

If you want to fire a whistleblower and then put together a bad performance review of him afterward, it could cost you $10.8 million.

Scary, huh?  If the possibility of expensive data breaches, embarrassing inadvertent disclosures and more data being tracked about you than ever scares you, then the folks at eDiscovery Daily will do our best to provide useful information and best practices to enable you to relax and sleep soundly, even on Halloween!

Of course, if you seriously want to get into the spirit of Halloween and be scared, check out this video about some clown in the IT department.  This will really terrify you!

What do you think?  Is there a particular eDiscovery issue that scares you?  Please share your comments and let us know if you’d like more information on a particular topic.

Happy Halloween!  And, Go Astros!

Last Year the Panama Papers, This Year the Bermuda Briefs?: Cybersecurity Trends

Last year, we covered the massive data breach at Panama-based law firm Mossack Fonseca (11.5 million documents, 2.6 total TB – yes, terabytes – of data stolen) that has come to be known as the “Panama Papers”.  Now, a Bermuda law firm has finally admitted to a data breach that evidently occurred last year.

According to The Register (Panic of Panama Papers-style revelations follows Bermuda law firm hack, written by John Leyden), Bermuda-based firm Appleby only admitted it had suffered the breach – which actually happened last year – after a group of journos from the International Consortium of Investigative Journalists (ICIJ), who had seen the leaked information, began asking awkward questions.

In a statement, Appleby denied allegations of any tax evasions or other wrongdoing by itself or its clients while admitting that it was “not infallible”. The law firm went on to state that it had shored up its security since the hack, stating “We are committed to protecting our clients’ data and we have reviewed our cyber security and data access arrangements following a data security incident last year which involved some of our data being compromised. These arrangements were reviewed and tested by a leading IT Forensics team and we are confident that our data integrity is secure.”

The Daily Telegraph (subscription required) reported that the leak involved some of Britain’s wealthiest people, who were said to be consulting lawyers and public relations executives in preparations for possible fallout from the hack.

Hat tip (as always) to Ride the Lightning, who noted that Appleby employs 470 staffers and operates from 10 offices across the world. It has stated that it offers services to global public and private companies, financial institutions as well as “high net worth individuals.”

It seems like a lot of “high net worth individuals” are getting their information stolen these days.  As Willie Sutton was reported to have said about why he robbed banks (though he denied saying it in later years) – because that’s where the money is.  Glad I don’t have that problem!  ;o)

BTW, if the term “Bermuda Briefs” takes off, you heard it here first…

So, what do you think?  What should happen to a law firm (or any organization) that fails to report a data breach in a timely manner?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Windows 10 Fails to “Go Dutch” When it Comes to Protecting Privacy: Data Privacy Trends

After yesterday’s story regarding SCOTUS taking up the Microsoft Ireland case, I’m not trying to make this “bad news week” for Microsoft, but with GDPR looming next year, this seemed like a good story to cover…

According to Silicon (Windows 10 Data Collection Branded A Breach Of Dutch Privacy Law, written by Roland Moore-Colyer), the Dutch Data Protection Authority (DPA) has declared that Windows 10 breaches the data protection law in the Netherlands over the way it processes personal information.

A report filed by the DPA says that Microsoft failed to clearly inform its users on what type of data it was collecting and using and the agency claimed that Windows 10 users “lack control of their data” due to the way Microsoft harvests information.

“It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself,” said Wilbert Tomesen, vice-chairman of the DPA.

“What does that mean? Do people know about this? Do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves.”

Microsoft said it had made complying with Dutch law a priority to avoid having any sanctions imposed against it, but also responded by justifying why it collects Windows 10 data and explaining that a recent update spells out its data collection policy.

“Since launching Windows 10, we’ve been on a journey listening to feedback from customers and collaborating with regulators around the world,” said Marisa Rogers, Microsoft’s Windows and devices group privacy officer.

“As a result, we’ve made improvements to ensure all versions of Windows 10 meet our customers’ privacy needs and expectations. For example, we’ve worked with Swiss and French data protection authorities to incorporate their guidance, subsequently improving the privacy controls in Windows 10 Home and Pro and earning their positive assessments of the changes.”

“This year we have released a new privacy dashboard and several new privacy features to provide clear choices to our customers and easy-to-use tools in Windows 10. Next week, we have even more privacy improvements coming in the Fall Creators Update.”

Given its current Dutch conundrum, Microsoft’s current feelings about the Dutch may mirror those of this guy

With the General Data Protection Regulation (GDPR) standard designed to strengthen and unify data protection for all individuals within the European Union (EU) going into effect next May (May 25th, to be exact), expect to continue to see more scrutiny on all companies and their data privacy policies.  And, if you think GDPR doesn’t apply to your firm, you may be wrong about that.

So, what do you think?  Is your organization preparing for GDPR?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Also, I’m excited to report that eDiscovery Daily has been nominated to participate in The Expert Institute’s Best Legal Blog Contest in the Legal Tech category!  Thanks to whoever nominated us!  We’re fading fast, but if you enjoy our blog, you can vote for it and still help it win a spot in their Best Legal Blogs Hall of Fame.  You can cast a vote for the blog here.  Thanks!

To No One’s Surprise, Worldwide Spending on Cybersecurity is Up: Cybersecurity Trends

Can you guess what the global spend on cybersecurity will be this year?  Gartner recently provided a forecast; see how close you can come to guessing the amount.  The answer is at the bottom of this post – the picture of this well-known astronomer should provide some clue.

In their press release from August announcing the forecast and report (I would quote the title, but that would give away the answer), Gartner forecasted fast growth in the security testing market (albeit from a small base) due to continued data breaches and growing demands for application security testing as part of DevOps. Spending on emerging application security testing tools, particularly interactive application security testing (IAST), will contribute to the growth of this segment through 2021.  So, if you want to get into a career growth area, security testing sounds like a good one.

Gartner says that security services will continue to be the fastest growing segment, especially IT outsourcing, consulting and implementation services. However, hardware support services will see growth slowing, due to the adoption of virtual appliances, public cloud and software as a service (SaaS) editions of security solutions, which reduces the need for attached hardware support overall.

Another factor that will lead to increases in security spend, according to Gartner: The EU General Data Protection Regulation (GDPR) has created renewed interest, and will drive 65 percent of data loss prevention buying decisions today through 2018 (not to mention some eDiscovery buying decisions too).  And, if you don’t think your firm or organization is subject to GDPR, you may want to read this.

However, by 2021, Gartner reports that more than 80 percent of large businesses in China will deploy network security equipment from a local vendor.  China’s recently approved cybersecurity law will contribute to further displacement of U.S.-manufactured network security products with local Chinese vendors. Despite an increase of 24 percent in 2016, Gartner expects end-user spending growth in Asia/Pacific to return to single-digit yearly growth from 2018 onward, as a result of a decline in average selling prices (ASPs), due to the more competitive pricing of Chinese solutions.

So, how big is the global cybersecurity market?  According to Gartner, worldwide spending on information security products and services will reach $86.4 billion in 2017, an increase of 7 percent over 2016, with spending expected to grow to $93 billion in 2018.  In other words, “billions and billions” as famous astronomer Carl Sagan was known to say.

More detailed analysis is available to Gartner clients in these two reports: Forecast Analysis: Information Security, Worldwide, 1Q17 Update and It’s Time to Align Your Vulnerability Management Priorities With the Biggest Threats.

So, what do you think?  Has your organization increased spending on cybersecurity products and services? Please share any comments you might have or if you’d like to know more about a particular topic.

Here’s a Factor That Can Reduce the Potential for Account Hacks: Cybersecurity Best Practices

The data breaches just keep coming.  Equifax is the latest hacking victim to a tune of 143 million US customers – approximately 44 percent of the population.  Perhaps if they, and other organizations recently breached, had added a factor to their authentication process, those breaches might not have occurred.

By “factor”, I mean two-factor authentication.  Two-factor authentication, also known as 2FA, two step verification or TFA (as an acronym), is an extra layer of security that requires not only a password and username but also something that only that user has or knows, such as a physical token in their possession or a piece of information only they should know or have immediately available to them.  Using a username and password together with a piece of information that only the user knows makes it harder for potential intruders to gain access and hack into their system.

According to the latest Verizon Data Breach Investigations Report (DBIR) (covered by us here), 81 percent of hacking-related breaches used stolen passwords and/or weak passwords.  Almost two-thirds of us use the same password for all applications that we access.  And, with best practice recommendations for establishing secure passwords changing, it’s clear many people have been doing it wrong all these years and that just a password may not be enough to secure many accounts anymore.

This is where two-factor authentication can help, by offering an extra layer of protection, in addition to just the password. It would be highly difficult for most cyber criminals to get the second authentication factor unless they are very close to you or right there with you when you’re attempting to sign into the application.  According to this infographic from Symantec, 80 percent of data breaches could have been eliminated with the use of two-factor authentication.

Probably the most common form of two-factor authentication is where the application sends you a code (via text or email – the means for sending may vary depending on the platform) once you provide your password that you have to enter to then be able to access the application.  Unless a hacker can also access your email account or see your texts, that second layer of security helps protect against hacking of your account via just your password.  Two-factor authentication is a terrific way to provide that extra layer of security and it’s important to consider whether your provider can support two-factor authentication when considering cloud providers (in general or when evaluating cloud eDiscovery platforms).
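As an added example (not from the post or any particular vendor), here is the server-side half of the “code after password” flow described above, written in Python for the two-factor discussion in this post: the code is issued only after the password check succeeds, stored as a salted hash rather than in the clear, compared in constant time, and rejected on replay, after expiry and after too many wrong guesses. The five-minute lifetime, five-attempt limit and six-digit format are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: a code is dead after five wrong guesses


class SecondFactor:
    """Hypothetical server-side store for one-time codes sent by text or email.
    Only a salted hash of each code is kept, so a leak of this table does not
    hand an attacker usable codes."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry is testable
        self._pending = {}              # username -> [salt, code_hash, expires_at, attempts]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).hexdigest()

    def issue(self, username):
        """Call this only after the password check passed. Returns the code
        that would be delivered out of band; the server keeps just its hash."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = [salt, self._digest(salt, code),
                                   self._now() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, username, submitted):
        """True only for the current, unexpired, not-yet-used code."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        salt, expected, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[username]   # stale or brute-forced: discard it
            return False
        entry[3] += 1
        # constant-time comparison so timing does not leak matching prefixes
        if hmac.compare_digest(self._digest(salt, submitted), expected):
            del self._pending[username]   # single use: no replay
            return True
        return False


def demo():
    """Walks the flow with a fake clock and returns each outcome."""
    clock = [1_000_000.0]
    sf = SecondFactor(now=lambda: clock[0])
    results = {}

    code = sf.issue("alice")
    results["wrong_guess"] = sf.verify("alice", "000000" if code != "000000" else "111111")
    results["right_code"] = sf.verify("alice", code)
    results["replay"] = sf.verify("alice", code)          # already consumed

    code = sf.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1                      # let it expire
    results["expired"] = sf.verify("alice", code)

    code = sf.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        sf.verify("alice", "wrong!")                      # never a valid 6-digit code
    results["locked_out"] = sf.verify("alice", code)      # right code, too late
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Delivery of the code (SMS gateway or mail) is outside this snippet; the point is that the verifying side never stores the code itself and closes the replay, expiry and brute-force gaps the text implies.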

Also, if your organization has been affected by the recent hurricanes and you need the ability to access your data for a period of time while you rebuild, or to save costs in hosting for a case so that you can apply those savings to rebuilding your infrastructure, CloudNine can help.  Click here to find out more and also how to help out those who were affected.

So, what do you think?  Do your cloud providers support two-factor authentication?  Please share any comments you might have or if you’d like to know more about a particular topic.