WinZip Enterprise Blog

Protecting the world's most sensitive data for over 30 years.

3 Common Data Security Mistakes Companies Make, and How to Avoid Them

Nearly every company in the world has a need for data security and privacy, whether they store customer payment information in a profile for future use or develop groundbreaking ideas that could change the future of commerce. But due to the sensitive nature of this data, organizations must be sure that it is well-protected.

Security is an increasingly difficult challenge as more and more of the workforce transitions into digital and remote roles.

What was once a physical packet of paper carried from one cubicle to another is now digitally stored and transferred across states or even continents from one employee to another, presenting countless opportunities for hackers and other cyber criminals to infiltrate.

The higher volume of consumer, client, and employee data that organizations store and handle today places them at an increased risk for data breaches and other security concerns.

Companies are rapidly adopting complex computing environments to meet operational needs, which can include cloud infrastructure, data centers, and numerous devices and operating systems.

This complexity can hinder security, which means organizations must develop strong data governance strategies to better manage how data is stored, shared, and processed.

Many companies use the terms “data protection” and “data security” interchangeably, but they’re distinct components, and each plays a unique role in ensuring an organization’s data integrity.

Neither data security nor data protection is enough on its own; each company must have a comprehensive plan in place for both to ensure that data is neither lost nor accessed by the wrong people.

So, what exactly is the difference between data security and protection, and how can they work together to safeguard company data? Let’s take a closer look.

What is data protection?

Data protection is a method of keeping records safe from loss, corruption, or compromise using backup copies. Each company sets a recovery point objective (RPO) to determine how often backups are created. This can vary from a few hours to several days, depending on the amount of information a company needs to protect.

If information is compromised, the data can be retrieved from the most recent backup with minimal data loss and redundant work.

The timeframe within which a company must restore the most recent backup after compromise is the recovery time objective (RTO). This is a metric that identifies how long a computer system, application, or network can be down before it disrupts business operations.

For example, if a particular application has a one-hour RTO, the interruption will disrupt normal operations and contribute to revenue loss after an hour of downtime.

Mission-critical applications, such as transactional or financial services, will have the lowest RTO because they correlate directly to lost revenue.

Systems that are used infrequently or whose downtime will not disrupt day-to-day operations will have a longer RTO. For example, while an offline printer is inconvenient, it won’t incur the same level of financial loss as a financial service outage or disrupted email access.
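The RPO and RTO definitions above can be checked against a backup job log. The following is an added example, not part of the original article: the log entries, the four-hour RPO, and the function names are constructed for illustration, while the one-hour RTO is the figure used in the text.

```python
from datetime import datetime, timedelta

# Constructed backup job log: (finish time, succeeded?). The 12:00 job failed.
BACKUP_LOG = [
    (datetime(2024, 1, 1, 0, 0), True),
    (datetime(2024, 1, 1, 4, 0), True),
    (datetime(2024, 1, 1, 8, 0), True),
    (datetime(2024, 1, 1, 12, 0), False),
    (datetime(2024, 1, 1, 16, 0), True),
    (datetime(2024, 1, 1, 20, 0), True),
]
RPO = timedelta(hours=4)  # assumed objective for this sample
RTO = timedelta(hours=1)  # the one-hour RTO used in the text


def good_backups(log):
    """Only successful jobs count as restore points."""
    return sorted(finished for finished, ok in log if ok)


def rpo_gaps(log, rpo, now):
    """Return (start, end) for every stretch without a good backup longer than the RPO.

    The stretch from the last good backup up to `now` is checked as well,
    so a backup job that has silently stopped running is reported too.
    """
    points = good_backups(log) + [now]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > rpo]


def assess_incident(log, incident, restored_at, rpo, rto):
    """Measure actual data loss and downtime for one incident against RPO and RTO."""
    usable = [t for t in good_backups(log) if t <= incident]
    if not usable:
        raise ValueError("no successful backup predates the incident")
    restore_point = usable[-1]
    data_loss = incident - restore_point   # work done since the last good backup
    downtime = restored_at - incident      # how long the system was unavailable
    return {
        "restore_point": restore_point,
        "data_loss": data_loss,
        "rpo_met": data_loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }


if __name__ == "__main__":
    for start, end in rpo_gaps(BACKUP_LOG, RPO, now=datetime(2024, 1, 1, 22, 0)):
        print(f"RPO exceeded: no good backup between {start} and {end}")
    report = assess_incident(
        BACKUP_LOG,
        incident=datetime(2024, 1, 1, 15, 30),
        restored_at=datetime(2024, 1, 1, 16, 15),
        rpo=RPO,
        rto=RTO,
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample data the single failed job doubles the exposure window, so the incident meets the RTO but misses the RPO.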

What is data security?

Data security, on the other hand, focuses on confidentiality, availability, and integrity. The goal is to ensure that no unauthorized users gain access to or distribute confidential information. There are several data security methods a company can use to ensure that its information is safe.

One of the most common data security measures is encryption. Encryption essentially puts a company’s data into a coded format, allowing only authorized users to view the decoded information. An encryption algorithm, together with a key, is used to encrypt data, creating ciphertext.

In symmetrical encryption, the same key is then used by an approved party to decrypt the data into plaintext. In asymmetrical encryption, a different key is used to decrypt, creating an additional layer of security against would-be hackers.

Another example of data security is multi-factor authentication (MFA). Typically, this method requires a standard username and password setup, but with an additional layer of identity verification.

This might be in the form of sending a randomly generated code to a user’s personal cell phone or email address, which in theory should not be accessible to anyone but the intended user.
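The server side of the one-time code step described above can be sketched as follows. This is an added example, not part of the original article and not any product's implementation; the class name, the six-digit length, the five-minute lifetime, and the five-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6     # assumed code length
TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5    # assumed number of guesses allowed per code


class OneTimeCodes:
    """Issues and verifies short-lived, single-use codes for a second factor."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(user, code):
        # Keep only a digest so the plaintext code is not sitting in the store.
        # A 6-digit code has little entropy, so the expiry and the attempt cap
        # are what actually limit guessing.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user):
        # secrets draws from the OS CSPRNG; the random module is not suitable here.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            "digest": self._digest(user, code),
            "expires": self._clock() + TTL_SECONDS,
            "attempts": 0,
        }
        return code  # handed to the SMS or email channel, never shown at login

    def verify(self, user, code):
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]  # expired or locked out: a new code is required
            return False
        entry["attempts"] += 1
        # Constant-time comparison avoids leaking how much of the digest matched.
        if hmac.compare_digest(entry["digest"], self._digest(user, code)):
            del self._pending[user]  # single use
            return True
        return False


if __name__ == "__main__":
    otp = OneTimeCodes()
    sent = otp.issue("alice")
    print("first use accepted:", otp.verify("alice", sent))
    print("replay accepted:", otp.verify("alice", sent))
```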

What are three common data security mistakes organizations make?

Poor access control, negligence, and other human error factors all contribute to data security risks. As varied as individual companies may be, they often make similar errors when it comes to data protection and security.

These errors can lead to hundreds of millions of dollars lost for a business along with heavy personal and financial consequences for the individuals affected. Let’s take a closer look at three of the most common data security mistakes.

1. Not backing up data properly—or at all

Believe it or not, there are companies out there that do not duplicate their data for backup and have no data security policy at all. In 2018, a study found that 77% of business leaders surveyed did not have a consistent plan for cybersecurity.

Those companies that do have plans often find that they aren’t thorough or efficient enough, which allows threats to slip through the cracks. It is important to back up data often and completely to ensure easy recovery and minimal downtime for the business.

Some companies don’t consider all the factors when backing up their data. For example, simply having a server where data is stored is not enough. If that server is on the same property as the business, anyone with access to the grounds has some level of access to the data reserves, and if a fire or other site-wide disaster occurs, all the data can be lost.

Backing up data offsite or in the cloud is ideal, but that can require a large amount of bandwidth, especially for companies that deal with significant amounts of data. It is also important to vet the company entrusted with keeping your data safe.

In 2017, for example, voter information was compromised when a third-party security company accidentally stored names, addresses, political opinions, and more on a public server for nearly two weeks.

2. Not updating permissions as the company grows and changes

Data security management is key when keeping up with a fast-paced business. In the beginning, a smaller business might purchase or even build custom solutions for its data security needs.

The idea is to save money by building security features that are useful to the company in its current state, but this approach does not allow these measures to grow with the company.

Additionally, if a team member changes roles or leaves the company, it is important to restrict access to unnecessary server information immediately.

This cuts down on the potential for unauthorized access, either by that person or someone outside the corporation. The fewer people with access, the easier it is to track violations and risks.

According to ID Watchdog, 60% of data breaches are caused by insiders—people who either work directly for a company or are involved via contracting, partnerships, or client relationships.

Although not all these attacks were malicious at their onset (some were caused by well-meaning employees who were tricked), companies should try to monitor who has access to what information, and keep it updated based on the minimum level of access necessary for team members to perform their duties.
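One way to keep permissions in step with role changes and departures is to reconcile access grants against the current staff roster. This is an added example, not part of the original article; the roles, users, resources, and function names are all constructed for illustration.

```python
# Constructed policy: the minimum set of resources each role needs.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-ledger", "shared-drive"},
    "support-agent": {"ticketing", "shared-drive"},
    "developer": {"source-repo", "ci-server", "shared-drive"},
}

# Constructed HR roster: user -> current role (None means the person has left).
ROSTER = {
    "avery": "developer",
    "blake": "support-agent",  # moved over from finance
    "casey": None,             # left the company
    "devon": "finance-analyst",
}

# Constructed export of access grants as (user, resource) pairs.
GRANTS = [
    ("avery", "source-repo"), ("avery", "ci-server"), ("avery", "shared-drive"),
    ("blake", "ticketing"), ("blake", "shared-drive"), ("blake", "erp-ledger"),
    ("casey", "source-repo"), ("casey", "shared-drive"),
    ("devon", "erp-ledger"),
    ("svc-old", "ci-server"),  # account nobody on the roster owns
]


def review_access(roster, grants, entitlements):
    """Return sorted (user, resource, reason) for every grant that should be revoked."""
    findings = []
    for user, resource in grants:
        if user not in roster:
            reason = "not on roster"
        elif roster[user] is None:
            reason = "departed"
        elif resource not in entitlements.get(roster[user], set()):
            reason = "outside current role"
        else:
            continue  # grant is within the minimum access for the current role
        findings.append((user, resource, reason))
    return sorted(findings)


def revocations_by_user(findings):
    """Group findings into a per-user revocation list for the access owner."""
    plan = {}
    for user, resource, _reason in findings:
        plan.setdefault(user, []).append(resource)
    return plan


if __name__ == "__main__":
    for user, resource, reason in review_access(ROSTER, GRANTS, ROLE_ENTITLEMENTS):
        print(f"revoke {resource} from {user}: {reason}")
```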

3. Using data security services that do not meet industry standards

While it may seem like a great, low-cost idea to have in-house developers design and implement a cyber security plan, such an important security feature should be thoroughly examined to ensure compliance with today’s data security standards.

In 2002, the Federal Information Security Management Act was enacted, making it mandatory for federal agencies and their affiliates to have a data security plan that supports confidentiality, integrity, and availability of information.

In 2014, the act was updated and renamed the Federal Information Security Modernization Act (FISMA), streamlining the required security efforts.

In relation to FISMA, Federal Information Processing Standards (FIPS) were created. FIPS outline exactly what federal agencies must do to protect their data effectively. These regulations address cryptographic modules, hash algorithms, digital signatures, employee identification, and more.

There are specific regulations concerning access to healthcare information, outlined in Title II of the Health Insurance Portability and Accountability Act (HIPAA). These rules involve privacy, transactions and code sets, security, unique identifiers, and enforcement.

The US Department of Defense (DoD) also has its own set of regulations called the Defense Federal Acquisition Regulation Supplement (DFARS), and the National Institute of Standards and Technology (NIST) Cybersecurity Framework was created for critical infrastructure organizations, although it is adopted widely by noncritical entities.

While these rules and regulations were created for specific, high-level organizations, private businesses can benefit from following the same outline.

For example, one FIPS requirement states that companies must “identify, report, and correct … flaws within a timely manner.”

When Equifax failed to respond to a data concern in March of 2017, personal details of over 140 million people were leaked in an ongoing, months-long breach.

How WinZip Enterprise helps companies avoid common data security mistakes

WinZip has been a long-trusted name in personal data compression and transfer, but WinZip® Enterprise offers additional features, such as file-level encryption and protection of data at rest and in transit.

Encrypting at the file level provides an added layer of security, and the tried-and-true process WinZip Enterprise uses for zipping, sending, and unzipping data makes large transfers and frequent backups a breeze.

WinZip Enterprise also complies with all high-level security and encryption regulations, providing bank- and military-grade protection such as FIPS 140-2 validated encryption compliance (trusted for the DFARS) and FIPS 197.

The solution is fully customizable for IT administrators, so each business can select which features are applicable to its unique needs (e.g., which applications employees can use to send and share files), with custom billing plans to match.

Finally, WinZip Enterprise integrates with commonly used business applications, such as Google Drive, Microsoft 365, Microsoft Teams, and Dropbox, to make it easy for end users to collaborate safely and securely.

In today’s world of remote and mobile, distributed teams, it’s more important than ever to have a comprehensive security solution that secures your data regardless of where it’s stored or shared.

Learn how WinZip Enterprise can safeguard your company’s data today.

File compression is so old school, right? Wrong—here’s why

Every smart organization knows file security is a must, and many companies use complex and expensive tools to secure their data. But this complexity can cause issues when it comes to implementing policies and procedures for data protection.

For example, many password management policies require a certain level of password strength and require users to change passwords frequently. As a result, many users look for shortcuts to circumvent these policies. Reusing passwords, slightly modifying them, and using common phrases can all compromise organizational data in the event of a breach.

When employees are working outside of a shared workspace or server, the risk of data breach increases. This is due to a number of file security factors, such as not deploying antivirus software for devices or remote workers storing company data on personal devices and storage platforms.

So, how can organizations better protect their files and data? While many people consider file compression to be an old-school tactic for saving disk space, modern compression tools also provide high levels of encryption, ensuring only authorized users can access company data.

Encrypting data at a file level ensures that you can safely manage and share data across platforms no matter the end users’ location. If a user’s device is lost, stolen, or compromised, file-point encryption allows IT administrators to wipe the company’s data from the affected device remotely.

File compression is so much more than a storage space optimization solution. Let’s take a look at the top three benefits of file compression for today’s modern enterprises (and their IT teams).

1. Compress files to save space and money

File compression is a great solution for businesses that handle, process, and store a large number of documents. When you have hundreds or even thousands of documents circulating within your organization, a large amount of disk or cloud space is required to store them all.

Some files, such as word-based documents, can be reduced to 90% of their original size via file compression. Compressing files can cause some companies to hesitate because of the risk of reduced image or audio quality. However, solutions such as WinZip® Enterprise compress MP3s by 15–20% and JPEGs by 20–25% with no loss of photo quality or data integrity.

Compressed files can also be sent much faster than uncompressed files due to their smaller size. On average, it takes a tenth of the time to transmit a compressed file as it would to send the uncompressed version of the same file. Faster transit times for sharing documents improve productivity because users spend less time waiting for files to transfer and download.

In addition, external storage for your files can get expensive. Enterprise-class hard drives can cost hundreds of dollars, which adds up quickly when most of your data lives on hard disk drives.

For example, if you have a 1 TB hard drive but you’ve exceeded the space allotment by another 200 GB, you’ll need to buy another hard drive. With WinZip Enterprise, you can simply compress those files into a ZIP folder that’s nearly half the original file size and reclaim more storage space.

2. Protect your data with lossless compression techniques

File compression consists of much more than just creating a ZIP folder on your desktop. In fact, there are two file compression techniques you should be aware of: lossy and lossless.

  • Lossy file compression means there is a permanent loss of data to make the file size smaller. This can be an effective compression technique when used once. However, for companies that send the same files back and forth between collaborating coworkers, this method will slowly reduce the quality of those files because you lose more and more data every time it’s compressed.

  • Lossless file compression reconstructs the file exactly as it was before compression, so no data or quality is lost. This is done by removing any redundant information within the file.

    For example, if you take “TTTTHHHHHEEEEEEYYYYYYY” and compress it using the lossless technique, you get “T4H5E6Y7.” When you decompress this type of file, your computer knows to revert the information back to its original form automatically.
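The run-length scheme in the example above can be written out as a small encoder and decoder. This is an added illustration, not part of the original article and not the algorithm WinZip uses; the function names and the output size cap are assumptions.

```python
import re
from itertools import groupby

_RUN = re.compile(r"(\D)(\d+)")  # one symbol followed by its repeat count


def rle_encode(text):
    """Encode runs as symbol + count, e.g. 'TTTT' -> 'T4'."""
    if any(ch.isdigit() for ch in text):
        # A digit in the input would be indistinguishable from a count on
        # decode, so this simple format cannot represent it losslessly.
        raise ValueError("input must not contain digits")
    return "".join(f"{ch}{len(list(run))}" for ch, run in groupby(text))


def rle_decode(encoded, max_len=1_000_000):
    """Rebuild the original text, refusing malformed or oversized input."""
    if not re.fullmatch(r"(?:\D\d+)*", encoded):
        raise ValueError("malformed run-length data")
    out, total = [], 0
    for symbol, count in _RUN.findall(encoded):
        n = int(count)
        if n == 0:
            raise ValueError("zero-length run")
        total += n
        if total > max_len:
            # A few bytes such as 'A9999999999' would otherwise expand into
            # gigabytes: the same problem as a decompression bomb.
            raise ValueError("decoded size exceeds limit")
        out.append(symbol * n)
    return "".join(out)


if __name__ == "__main__":
    original = "TTTTHHHHHEEEEEEYYYYYYY"
    packed = rle_encode(original)
    print(packed, rle_decode(packed) == original)
    # Data with no repetition grows instead of shrinking.
    print(rle_encode("ABC"))
```

The round trip returns the input exactly, which is what makes the scheme lossless; input without repeated characters comes out longer than it went in.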

Using WinZip Enterprise to compress files won’t negatively impact their quality. This is because WinZip compression is always lossless, which means there’s no risk of losing important information within documents when using this compression technique.

3. Leverage file-level encryption security

Encrypting individual files offers greater security than encrypting an entire disk or device. With file-based encryption, each item has a unique key for access. Think of it like keeping a lockbox inside a safe—even if the safe is accessed, the lockbox is an additional layer of protection that keeps intruders from accessing your valuables.

WinZip Enterprise is a file encryption solution that secures your digital data at the file point—not the end point. This process enhances security for companies that handle large amounts of sensitive data while also reducing storage space requirements.

WinZip Enterprise is also compliant with Windows Information Protection (WIP), which protects corporate data on employees’ devices. With WIP, IT administrators can set internal security controls that apply protective tags to corporate data. These tags trigger an automatic encryption of the data whenever it is downloaded from or saved to the company’s applications, networks, and protected domains.

Not only is WinZip Enterprise compliant with WIP protocols, but it also uses Advanced Encryption Standard (AES) encryption to keep your data secure. AES is a military- and bank-grade cryptographic security method that WinZip Enterprise offers in two different strengths: 128-bit AES and 256-bit AES. When used properly in an overall security protocol, WinZip Enterprise’s AES encryption gives companies a high level of security in a way that is fast and easy to use.

WinZip Enterprise encryption also complies with all major standards, such as the Federal Information Processing Standard (FIPS) 140-2 and Defense Federal Acquisition Regulation Supplement (DFARS). FIPS 140-2 is a security standard developed by the US government to validate cryptographic modules. DFARS is a level of security used by the Department of Defense (DOD) for its external employees and contractors.

Use WinZip Enterprise file compression and customization to meet your company’s needs

WinZip Enterprise is an ideal solution for IT administrators that need file compression capabilities within a highly customizable solution. Customization makes it easy to remove unwanted features, control access to cloud services and social media, and set and enforce password policies as well as encryption standards for all your users. This gives IT administrators the ability to create a “sandbox” for their users that allows them to use only approved sharing platforms.

As mentioned, WinZip Enterprise encrypts your files at the file level, not the device level. When a device is encrypted, it will secure the files on that device alone. However, this doesn’t help if you have a remote working environment with many employees using unsecured devices. Having your documents encrypted at the file level ensures that no matter what device a file is sent to, it will be secure.

WinZip Enterprise also backs up your files and archives them in the event of data corruption or loss on an endpoint. If your device is lost or stolen, having an encrypted archive of your files stored in the cloud ensures nothing is lost.

File compression might seem like an outdated or limited tool, but it goes far beyond just reducing file storage requirements. It’s a solution that enhances file security and accelerates file transfer, which improves employee productivity.

Learn more about the value of WinZip Enterprise file compression techniques. Get a quote or request your free proof of concept today.

How to protect sensitive data at the enterprise level

Protecting Sensitive Data at the Enterprise Level

When it comes to protecting sensitive data, companies of all sizes in all industries need a strong, data-centric security policy. The expansion of mobile and cloud technologies has changed the way we work while also expanding the threat landscape of corporate data.

Without a comprehensive data protection strategy, businesses can expose sensitive information to the risks of loss, compromise, or corruption.

The larger your business, the more likely it is that you manage and store numerous types of data across multiple repositories. For enterprise organizations, growing data volumes require a strategic approach in how and where sensitive data is protected.

In this article, we’ll look at the most sensitive types of enterprise data, regulations around certain types of data (and the consequences of not adhering to such rules), and how solutions such as WinZip® Enterprise can provide protection for enterprise-level data.

What is sensitive data?

“Sensitive data” is an umbrella term for a variety of information that must be protected from unauthorized disclosure. There are three primary classifications of sensitive data:

Internal-only data includes information intended for internal use only. This data, if compromised or lost, would cause minimal harm to affected organizations and individuals. Internal-only data is accessible only to company personnel and may be subject to contractual agreements or regulatory compliance.

Examples include: Employee handbooks, business plans, third-party contracts, and internal documents that do not contain confidential information.

Confidential data requires specific clearance or authorization to access. This highly sensitive information could cause significant harm in the event of a data breach, exposing individuals and organizations to criminal or civil liability.

Confidential information is often protected by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS).

Examples include: Cardholder data, protected health data, controlled unclassified information, social security numbers, and IT security information.

Restricted data has the strictest legal and regulatory requirements and is often protected with a non-disclosure agreement (NDA). Unauthorized access or compromise of restricted data could lead to criminal charges, hefty legal fines, and a catastrophic impact on a company’s reputation.

Examples include: Trade secrets, proprietary information, intellectual property, financial records, authentication data, and any data protected under state and federal regulations.

What are the challenges of protecting sensitive data?

An enterprise organization stores large volumes of data across multiple repositories, including databases, collaboration systems, and cloud storage services.

Another key component of sensitive information is unstructured data. Typically text-based, unstructured data is generated and collected from a range of sources such as emails, spreadsheets, PDFs, call transcripts, and survey responses.

Estimates suggest that 80 to 90% of company data is unstructured, making this a crucial area that requires protection. While databases can be secured with access controls and central management from IT teams, the accessibility of unstructured data often comes down to internal users.

In fact, a 2020 data breach survey found that 78% of IT leaders believe employees have accidentally caused data breaches, and 60% of surveyed employees believe they have accidentally shared sensitive information.

Every time employees send emails, share links, or put files in public folders, they expose sensitive data to loss and theft.

In addition to the challenges associated with protecting unstructured data, enterprise organizations also have to contend with how the increase in remote work has impacted data security.

As remote work has relocated employees, their devices, and corporate data outside the confines of the company’s physical environment, a reported 76% of IT leaders now see data breaches as an inevitability.

Prior to the pandemic, organizations could simply require that employees access sensitive information while in the office and on a dedicated company device.

However, with many enterprises planning to embrace a hybrid workforce moving forward, restricting data access in this way is no longer a viable option. Businesses must instead adapt to protect data wherever employees are, on whatever device they use.

What are the costs of non-compliance with data regulations?

There are numerous regulations in place to protect the sensitive information of organizations and individuals. These laws and regulations vary across counties, states, and countries, and non-compliance can lead to penalties and fines.

For global enterprise organizations, experts advise developing a data protection strategy that meets the most stringent set of regulations the company faces (e.g., GDPR), backed by a security framework that covers a broad set of requirements.

General Data Protection Regulation (GDPR)

Since 2018, all organizations that collect, store, or process the personal data of European Union (EU) residents must meet the GDPR provisions governing data protection. This includes not only companies within the EU, but also any organization based outside the EU that offers goods or services to EU residents or processes their personal data.

Non-compliance can lead to steep fines, which could be as high as 4% of a company’s global revenue. The GDPR places liability on both the organization that owns the data and outside data processors that help manage the data. If an organization’s third-party processor is out of compliance, the organization itself is also non-compliant.

California Consumer Privacy Act (CCPA)

As with the GDPR, companies don’t have to be located in the state of California (or the US) to be subject to the CCPA. The CCPA deals with the ways large organizations collect and use data of California residents and provides consumers with numerous protections, such as the ability to request that companies delete their personal data.

Fines for CCPA violations can range from $2,500 per unintended violation to $7,500 per intentional violation. In addition, California consumers can demand to see all the information a company has collected on them, can review a full list of third parties that data is shared with, and can sue companies if privacy guidelines are violated, regardless of whether a breach occurred.

Gramm–Leach–Bliley Act (GLBA)

While many people may assume the GLBA applies only to financial institutions, its regulations also pertain to companies that receive nonpublic personal information (NPI) from such financial institutions.

Any organization that offers financial products or services such as loans, insurance, or financial or investment advice must apply specific protections to ensure their customers’ data privacy. This also includes a requirement to disclose to customers how they share sensitive data with third parties.

Non-compliance can result in steep penalties for individuals and organizations. Financial institutions that violate GLBA rules can face fines of $100,000 per violation. Responsible individuals can also be charged up to $10,000 for each violation and may face up to five years in prison.

Securing and ensuring the confidentiality of customers’ private and financial information is key to maintaining GLBA compliance.

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act

The HITECH Act regulates the use of health information technology and ensures that HIPAA-covered entities comply with its privacy and security rules. The HITECH Act also expands the application of HIPAA provisions to business associates, which are the individuals, organizations, and agencies that help covered entities carry out their healthcare activities and functions.

This includes functions and activities related to claims processing and administration, quality assurance, billing, practice management, data analysis, and many others. There are civil monetary penalties imposed for HIPAA and HITECH violations, and penalty tiers are determined by the level of culpability.

Examples of HIPAA and HITECH violations include unauthorized access of healthcare records, failure to perform organization-wide risk analysis, denying patients access to health records, insufficient electronic protected health information (ePHI) access controls, and failure to use encryption to safeguard ePHI on portable devices.

Payment Card Industry Data Security Standard (PCI DSS)

Merchants, vendors, financial institutions, and any other entity that processes payment card information must protect this sensitive data and comply with the PCI DSS.

There are 12 requirements for PCI DSS compliance, many of which relate to data protection. For example, maintaining a secure data environment includes provisions such as firewalls, password protections, encryption, access restrictions, and anti-virus software.

Not meeting PCI DSS security standards can have numerous repercussions. First, customers may lose confidence in your organization, which can lead to revenue loss if customers take their business elsewhere. There are also significant fines and penalties, which can run from $5,000 to $100,000 a month.

How WinZip Enterprise protects sensitive enterprise data

WinZip Enterprise is a powerful, customizable solution that gives organizations industry-leading file encryption, data management, and compression capabilities.

Its file-level Advanced Encryption Standard (AES) encryption protects data in transit and at rest, ensuring compliance with major standards such as the Federal Information Processing Standard (FIPS) 140-2 and Defense Federal Acquisition Regulation Supplement (DFARS) regulations.

In addition to bank- and military-grade encryption, WinZip Enterprise gives IT administrators full control over their data environments. The solution is fully customizable, ensuring that it meets your unique organizational needs.

WinZip Enterprise enables IT administrators to do things such as:

  • Enable the features they want and hide the rest from end users.
  • Control password policies, encryption methods, and the use of FIPS 140-2 compliant services.
  • Prevent data loss with Windows Information Protection (WIP) support.
  • Set protocols to control the movement of data and files.

Enterprise-level organizations handle a large volume of diverse data sources and formats, and the right security practices can help reduce the likelihood of—and damage caused by—fraudulent actions or data breaches.

Learn how WinZip Enterprise helps protect highly sensitive business data.


Copyright ©2023 Corel Corporation. All Rights Reserved. WinZip is a Registered Trademark of Corel Corporation