WinZip Enterprise Blog

Protecting the world's most sensitive data for over 30 years.

Blog Home > WinZip Blog

WinZip Blog

Cybersecurity in the insurance industry: what you need to know 

The size, scope, and vast amounts of data within the insurance industry makes it a key target for cybercrime. From our health to our cars, property, and several points in between, the average individual has several types of insurance coverage.

Data is both the foundation of and the driving force behind insurance products, policies, and pricing. Much of this data is considered personally identifiable information (PII), which means it could be used to identify an individual. Dates of birth, Social Security numbers, financial account information, and biometrics such as fingerprints are just a few examples of PII that could be found within an insurance company’s database.

Once a cybercriminal has acquired compromised PII data points, they can use this information for fraudulent activities. For example, stolen PII can be fed into an insurance company’s automated quote tool (such as with car insurance) to obtain even more PII. The more information a hacker has, the more equipped they are to commit identify theft and insurance fraud.

In this article, we will look at what makes cybersecurity challenging within the insurance industry, as well as solutions to enhance the security of personally and financially sensitive data.

Why is cybersecurity particularly challenging for insurance companies?

The insurance industry collects, processes, and analyzes massive amounts of structured and unstructured data. Structured data is organized and formatted in a way that makes it easily searchable in databases.

Examples of structured data in the insurance industry include:

  • Names
  • Addresses
  • Medical history
  • Claim history
  • Vehicle information

Unstructured data, however, does not have a predefined organizational structure or format. Unlike structured data, this type of information does not easily fit within a traditional, column/row spreadsheet or database. However, unstructured data contains critical information that insurers use to customize coverage options and detect fraud.

Examples of unstructured data sources include:

  • Emails
  • PDFs
  • Video files
  • Written reports
  • Data analytics
  • Photographs
  • Social media

The insurance industry faces unique challenges when it comes to cybersecurity. The large volume of PII data held by insurance companies is subject to compliance standards and regulations and is also a lucrative target for malicious actors.

Read on to learn more about why cybersecurity is challenging for insurance companies in particular.

Cybersecurity risks unique to the insurance industry

Data breaches and ransomware attacks are increasing in frequency and complexity. Since 2020, financial institutions have increased their use of digital and remote solutions for daily operations. After the health sector, the financial sector (including insurers and brokers) was the hardest hit by COVID-19-related cyber events.

In addition to the insurance policies themselves, some of the most sensitive data held by insurance companies is personal identifying information such as dates of birth, Social Security numbers, passports, and drivers’ licenses. These PII data points are highly valuable to cyber criminals in identity theft operations.

While the insurance industry as a whole is targeted by cybercriminals, companies that provide cyber insurance coverage are even more high-value targets. This is an insurance policy that protects businesses and their customers in the event of data loss, such as a breach or ransomware attack.

Should a hacker successfully compromise their networks, malicious actors will have access to policy details and security standards for cyber insurance coverage, as well as the maximum amount the policy will pay in a ransomware event. This information gives ransomware operations an easy way to determine a ransom amount that the victim will agree to.

The size and scope of the insurance industry, as well as the highly valuable data these companies hold, make these companies a lucrative target for malicious actors. With personal, health, identity, and financial information on file, a single gig of insurance data could be worth as much as $10,000.

In fact, the 2022 Cyber Insurance Risk report indicates that 82% of insurance companies are the focus of cybercrime such as ransomware attacks. Recent cybersecurity events include:

  • CNA Financial Corporation, one of the largest insurance companies in the United States, paid $40 million in ransom after a 2021 ransomware attack locked officials out of the CNA network. While the FBI and the Treasury Department discourage companies from paying ransom amounts, companies like CNA do so to recover their stolen data. However, only 42% of organizations successfully recover their data after paying the ransom.

  • In 2020, insurance and benefits broker Arthur J. Gallagher & Co. suffered a ransomware attack in which hackers obtained PII of thousands of Gallagher customers and employees. The affected individuals filed a class-action lawsuit against Gallagher for failing to protect their information and for failing to notify or assist the people whose data was compromised.

  • Cybersecurity insurance provider, Chubb,became a victim of a data breach in 2020. The security incident is attributed to the Maze ransomware group, which is known for encrypting networks and devices, exfiltrating data, and holding it for ransom. While the attack didn’t impact the operation of Chubb’s networks, the ransomware group posted a list of the data stolen from Chubb, including the names and contact information of senior company executives.

The importance of cybersecurity in the insurance industry

The insurance industry is subject to some of the most comprehensive data protection and privacy regulations:

  • Gramm-Leach-Bliley Act (GLBA). GLBA regulations protect consumers’ financial information and PII. Insurance companies must develop a comprehensive information security program that contains controls such as encryption, risk assessments, access controls, and multifactor authentication (MFA), among others.
  • Health Insurance Portability and Accountability Act (HIPAA). Health insurance companies are considered health plans that must comply with HIPAA provisions for data security and privacy. This includes (but is not limited to) best practices such as data encryption, audit logs, access controls, and risk assessments.
  • Bank Secrecy Act/Anti-Money Laundering (BSA/AML). The BSA is a collection of laws and regulations aimed at reducing the risk of money laundering in the United States. The insurance company is responsible for the effectiveness of its compliance program, which includes the activities of its agents and brokers. BSA/AML regulations apply only to high-risk insurance products such as annuities and permanent life insurance policies, both of which can be used to facilitate money laundering activities.

Regulations for insurance companies are increasing, with more states requiring companies to better protect consumer data. As of May 2022, Kentucky became the latest state to develop a cybersecurity statute based on the National Association of Insurance Commissioners (NIAC) Insurance Data Security Model Law. Currently, 21 states have adopted models to enhance cybersecurity in the insurance industry.

How WinZip Enterprise enhances cybersecurity in the insurance industry

The best way to mitigate risk is to protect data before adverse events occur. An insurance company’s files and databases contain a wealth of information that would negatively affect financial performance and public perception if it were compromised.

Following a data breach, 83% of customers will no longer use the products and services of the affected organization. A comprehensive data protection strategy should include best practices such as the following:

  • Customized access controls. Access controls restrict access to resources and data based on what’s necessary for a user’s job functions. This is known as the principle of least privilege (POLP), which helps prevent unauthorized access to sensitive information.
  • File-level encryption. File encryption gives insurance companies increased control and visibility over their sensitive PII. Encryption renders the information contained within a file unreadable to anyone without the appropriate decryption key, rendering the file useless to cybercriminals.
  • File tracking. To prevent and eliminate data loss, insurance companies should regularly review system activity. File tracking makes a record of every time a file is edited, moved, or deleted. This makes it easier to detect and control system vulnerabilities such as human error (e.g., accidental deletion of a critical file).

WinZip® Enterprise protects sensitive data with a customizable set of enterprise-grade tools for secure backup, file transfer, encryption, and more. Insurance industry IT administrators have granular control over the operating environment, making it easy to implement and enforce policies that uphold cybersecurity.

Using the Advanced Encryption Standard (AES) format, WinZip Enterprise encrypts data at the file level so that it is safeguarded while at rest and in transit. This type of encryption is ideal for insurance companies that must comply with various data security regulations.

Learn how WinZip Enterprise helps insurance companies stay safe amidst today’s leading cybersecurity threats.

What is the biggest threat to the security of healthcare data? 

Cybersecurity is a critical concern for healthcare organizations. Protected health information (PHI) is more valuable than other types of personal data, making it a key target for cyber criminals. This is because healthcare records contain a variety of personal information, such as an individual’s name, social security number, financial details, and more.

Health data is around 20 times more valuable than financial data on the Dark Web. The remediation costs following a healthcare data breach are also higher. This includes expensive processes such as investigation, incident response, breach containment, and more. The cost to remediate a health data breach is around $408 per record compared to $148 per non-health record. Despite the risks, the healthcare industry falls short in terms of cybersecurity.

Fortunately, there are tools and best practices that can help prevent cyberattacks in the healthcare industry. In this article, we will detail current cybersecurity challenges in healthcare environments as well as solutions that increase the security of your organization’s healthcare data.

Healthcare cybersecurity challenges

Data breaches and other security threats have increased sharply over the past few years, fueled in large part by the rapid and necessary shift to remote working conditions in 2020 as the pandemic reshaped how people work.

In addition to the challenges posed by an expanded remote workforce, healthcare organizations were also faced with an increased patient load. Resource limitations impacted every level of patient care, including healthcare data security.

For example, elective procedures were canceled to control the spread of the virus, but this also created revenue shortages. On average, elective procedures make up 60% of total revenue for healthcare organizations. These cancellations led to a revenue loss of around $22.3 billion nationally.

With limited space, staff, supplies, and revenue, many healthcare organizations were unable to prioritize cybersecurity measures. Cyberattacks spiked as a result, with more than 1 in 3 healthcare entities experiencing a ransomware event in 2020 alone.

While the pandemic has waned, cybersecurity threats have only increased. In the first five months of 2022, the number of data security breaches in the healthcare industry almost doubled compared to the same period in 2021.

The healthcare sector’s cybersecurity challenges include the following:

  • Staff shortages. Healthcare cybersecurity staff are increasingly overworked, understaffed, and undertrained. Around a third of health IT teams are not sufficiently staffed for cybersecurity, further straining existing team members.

    Skills gaps further hinder healthcare IT teams. Around 40% of IT staff lack cybersecurity expertise and an additional 39% of individuals are deficient in data protection skills.

Common healthcare data threats

From hospitals to pharmaceutical companies and care facilities, every aspect of the healthcare industry is susceptible to cyberattacks. Teaching and research hospitals are especially vulnerable because they manage, store, and transfer a large volume of sensitive data.

From 2018 to 2021, healthcare data breaches increased by 84%. The number of victims affected by these breaches also increased from 14 million in 2018 to 44.9 million in 2021. As of July 2022, more than 22 million health records have been breached in the US, a 4.6% increase from the same period the previous year.

Let’s look at some of the greatest threats to healthcare data security:

Phishing

Phishing is a technique where malicious actors trick their victim into giving them system access. Common phishing attack vectors include emails, websites, social media, and text messages. For example, hackers accessed a Colorado-based eye care practice employee’s work email and used it to copy patient data. This phishing incident compromised more than 26,000 people’s sensitive information.

Cybercriminals often use a phishing attack to gain access to a critical network or system. Once they’re in, they can easily exfiltrate sensitive files, compromise accounts, and infect businesses with ransomware.

Because phishing seeks to obtain sensitive data, healthcare organizations account for around half of all phishing attack victims. The cost of recovering from such an attack averages around $14.8 million, which is three times greater than it was in 2015.

Third-party data breaches

A third-party data breach occurs when a malicious actor gains access to sensitive health data via third parties such as vendors, suppliers, or business partners. The healthcare industry is the most common victim of this attack vector. Attacks by third parties were responsible for 33% of healthcare cybersecurity incidents in 2021.

For example, in 2020, vulnerabilities in Accellion’s file transfer system gave cybercriminals access to the private data of millions of individuals. Numerous healthcare organizations that used the software to transfer large, sensitive files within the network were impacted by the third-party breach.

According to the settlement proposal, Accellion did not guarantee the security of the software and the clients were solely responsible for their data security practices. The last security update for the software in question was issued in February 2019, creating the vulnerabilities that gave the threat actors access to connected client networks.

Ransomware

Ransomware is the biggest threat to the security of healthcare data. Two-thirds of healthcare organizations were affected by ransomware in 2021, compared to 34% in 2020.

Because the healthcare industry is heavily dependent on access to data to maintain operations, they are under immense pressure to recover information quickly. As a result, they are frequently targeted by ransomware groups because healthcare organizations pay the ransom demand 61% of the time.

When ransomware is used to attack a healthcare entity, the attackers successfully encrypt and subsequently ransom sensitive health data 65% of the time. This is higher than the national average of 54%, due to factors such as a reliance on legacy systems, understaffing, and resource challenges.

Ransomware attacks are costly not just in terms of the ransom demand, but also because they cause major healthcare disruptions. Hospitals across the globe have blamed a ransomware attack for patient deaths, such as when hackers compromised systems that caused a newborn’s heart monitor to fail.

The role of file security in preventing cyberattacks

Today, cybercriminals can successfully breach 93% of company networks. With the growing risk of data breaches and ransomware, it’s more important than ever for organizations to protect their critical health data.

File encryption protects against cyberattacks and data loss by rendering the data useless to anyone without the correct password key. Encrypting at the file level adds an additional layer of security as data moves between devices, networks, and databases.

WinZip® Enterprise protects healthcare data through secure file sharing, compression, encryption, and management. With centralized IT control, WinZip Enterprise can be easily customized to meet the complex needs of health data security.

Discover how WinZip Enterprise can help healthcare organizations keep their data secure from ransomware and other cybersecurity threats.

What is on-premises secure file sharing at the enterprise level? 

On-premises file sharing is a method of file transfer that relies on local servers. An on-site data center is fully managed by the organization’s IT staff, and files are shared through the local network.

Before the development of cloud file sharing in the mid-90s, on-site solutions were the only option for storing and sharing files. Today, enterprise-level companies have a variety of options for secure file sharing, including on-premises, in the cloud, or a combination of both.

More than half of enterprises leverage on-premises infrastructure for secure file sharing and storage. By 2024, an estimated 63% of IT workloads will remain on-site. There are several reasons organizations choose to stay on-premises, from regulatory requirements to performance controls and more.

This article will explore on-premises secure file sharing solutions, including both its benefits and potential security risks. We will also look at how to enhance on-site data security with WinZip® Enterprise.

Benefits of on-premises file sharing

Back in 2018, a Gartner analysist predicted that 80% of enterprises would shut down their on-premises data centers by 2025. While the article’s title, “The Data Center is Dead,” seemingly suggested that on-site solutions would cease to exist, recent industry research argues that on-premises solutions aren’t dying but evolving.

By 2025, Gartner predicts that 85% of infrastructure strategies will include a combination of on-premises and cloud file sharing solutions. Rather than expanding their existing on-site infrastructure, 62% of enterprises are increasing rack densities to manage their resources.

For any organization with an established on-site IT infrastructure, the shift to the cloud is happening slowly. On-premises data centers are fully customizable, giving business leaders complete control over the type of hardware and systems that make up the IT infrastructure, how they run, and who has access to them.

In addition, there are instances where on-premises file sharing is the best option, such as mission-critical applications. These are programs that must operate continuously because any downtime could lead to service disruption and financial losses.

By keeping mission-critical apps on-premises, organizations have greater control over data security. On-site IT teams can monitor and control security tools such as access controls, firewalls, and encryption to safeguard sensitive information.

Across business industries, enterprises leverage on-premises solutions for legacy systems. These highly customized systems have been running on hardware located on-site for years (if not decades). They would have to be retooled to operate in a cloud platform, which is a complex, time-consuming process.

On-premises secure file sharing doesn’t require internet access, increasing operational efficiency because workflows are not impacted by outages or slow connections. This stable network connection also delivers low-latency access to applications, which means there is minimal to no delay in storing or retrieving data files.

Disadvantages of on-premises file sharing

Of course, there are drawbacks and security issues that must be considered with on-premises file sharing and storage. For example, the ability to quickly access data on a physical network does not extend to offsite personnel.

To meet the rising needs of a distributed workforce, enterprises would need to look at third-party solutions for offsite file sharing. For example, a VPN extends the onsite private network across a public network (i.e., the internet).

Since the IT infrastructure is on site, enterprises require high levels of IT support and maintenance to keep things running efficiently. For a large data center, the average yearly operational cost is between $10 and $25 million. This includes spending on application maintenance, networking, cooling systems, labor costs, and more.

While on-premises solutions are highly customizable, they are limited in terms of scalability. An established, in-house data center has a certain amount of physical space in the company that can house the servers and associated IT equipment. These hardware and software components require continuous power supplies as well as cooling and ventilation systems to prevent overheating.

To expand storage and workload capacities, enterprises must purchase and install more equipment. Since onsite space, power, and cooling systems are typically designed to support a specific rack density per square foot, adding or removing components could impact these operational capacities.

This is not always cost effective, especially since enterprise-level servers can cost thousands of dollars each. In addition, increasing the size of on-premises technology is a complex process that requires considerable time and effort from an IT team, which leaves less time for other critical business tasks.

System reliability depends on server redundancy, in which a backup server can take over if a primary server is compromised. Every backup server takes up space, consumes energy, and needs to be kept cool, increasing on-site data center costs. While redundancy for on-premises file sharing and storage is cost-prohibitive, not having backup servers means that productivity suffers if a server is compromised.

How WinZip Enterprise improves on-premises file sharing security

When it comes to on-premises file sharing and storage, your files are only as secure as the people who manage them. This requires a host of IT skills, such as networking, database management, security, and hardware and software systems administration.

This combined skillset is increasingly hard to find due to a widening shortage of tech workers. Understaffed IT teams are more prone to human error, which is a primary contributor to data center downtime. Operational downtime costs enterprise-level companies an average of $700,000 per hour, meaning that even small mistakes can have expensive consequences.

Enterprises may need additional software or solutions to enhance and maintain their in-house security practices. WinZip Enterprise empowers IT teams with enterprise-grade tools to secure, manage, and protect on-premises file sharing and storage.

It’s also a highly customizable solution, enabling IT administrators to leverage features and settings that support the needs of onsite infrastructure. This simplifies security management processes, which are critically important for securing the data environment.

WinZip Enterprise can also find and flag duplicate files, which saves critical storage space in an on-premises solution. Another way WinZip Enterprise optimizes storage space is through file compression. These processes reduce files by 15–90% of their original size without impacting their quality. The compressed file also has a faster transfer speed, keeping productivity high and latency low.

Discover how to enhance your on-premises secure file sharing with WinZip Enterprise.

What is cloud file sharing and how does it affect data security? 

In an increasingly digitized, mobile workspace, people are looking to the cloud to facilitate anywhere, anytime access to work documents and files. Cloud file sharing is the process of sharing files over the internet rather than with internal, on-premises hardware and software.

Because the cloud is such a ubiquitous term, it can be difficult to determine how processes like cloud file sharing can and do impact data security. In this article, we will explain how cloud file sharing differs from traditional methods and detail the challenges and benefits of sharing files in the cloud. We will also describe how solutions such as WinZip® Enterprise help streamline and secure cloud-based file sharing.

Cloud file sharing is different from traditional file sharing

A traditional, on-premises data center’s footprint is only as large as the physical hardware itself. On the contrary, the cloud is a vast network of remote servers operating as a single ecosystem.

On-premises servers rely on physical drives to share files. Enterprise-level hard drives can cost thousands of dollars, so both upfront expenditures and equipment upgrades can be costly.

For example, if your files are stored on a 1 TB hard drive, you would have to purchase an additional drive if you exceed the storage parameters. There’s no wiggle room to scale storage capacity up and down in response to changing data volumes.

Cloud file sharing lets users access information over the internet, so there’s no physical components to manage. Infrastructural costs are relatively minimal because your cloud services can scale resources up as the workload increases.

In addition to size and capacity considerations, on-premises file sharing also has different security concerns than that of the cloud.

Traditional data servers rely on your internal IT department to maintain and protect the systems. While this might seem ideal, there is a global shortage of cybersecurity professionals.

The workforce would need to grow 65% to adequately staff every company’s IT team. Until then, the growing workload of updates, patches, security monitoring, and other critical tasks make traditional systems easy targets for cyberattacks.

Cloud service providers (CSPs) operate on a shared responsibility model with the user. This means that the CSP handles some aspects of cloud security, but others are up to you. For example, your baseline security requirements typically relate to what you store, how you store it, and who can access what within the cloud environment.

Challenges with cloud file sharing

Cloud-based file sharing is dynamic. As long as you have a reliable internet connection, you are not restricted to specific places or devices to share files. While this provides easy access and real-time sharing, it can also introduce cybersecurity risks. For example, accessing cloud file sharing through an unsecured network such as public Wi-Fi leaves your sensitive data vulnerable to theft and tampering.

Unencrypted networks allow malicious actors to monitor all activity between the user and server. Hackers can also infect unsecure networks, infiltrating connected devices to spread malware, viruses, and worms.

This is why it’s important to remember that cloud security is a shared responsibility between you and the CSP(s). Otherwise, you leave the door open to costly security risks. Data loss is more than just recovering the value of the files themselves—you could also experience revenue loss, regulatory fines, reputational damage, and more.

While there are many cloud storage and file sharing platforms, they don’t each offer the same level of security for critical business data. Using consumer-level technology leaves you vulnerable to unauthorized access and data loss. When it comes to data security, cloud file sharing needs enhanced security controls, such as the following:

  • Permission-based user roles. Access controls allow you to control user access based on their job role, project assignment, or other relevant factors. In addition to reducing the risk of unauthorized access, permission-based user roles also increase user accountability because file sharing activity is trackable via audit logs.

  • Encryption. Encryption scrambles data into an unreadable format that can only be deciphered with the correct password or decryption key. Encrypted cloud services range in scope and services, so it is important to ensure you find one that meets your company’s requirements.

  • Automated backups and transfers. Enterprise-level cloud solutions often come with features such as backup scheduling. This automated process ensures data backups, audits, and transfers happen when they need to keep information secure.

Cloud file sharing benefits

Companies of all sizes and across all industries use cloud services, including 94% of enterprise-level organizations. In fact, spending on cloud infrastructure surpassed on-premises spending for the first time in 2020.

Enterprise spending on cloud services grew by 35% that year, reaching almost $130 billion. Meanwhile, spending on traditional, on-premises datacenter hardware and software dropped by 6%. This shift to the cloud is in response to its numerous benefits, including:

  • Accessibility. Whether someone is working from home, at the office, or anywhere in between, they can share files and other digital assets securely with other stakeholders. The cloud also syncs data files across all devices, ensuring that multiple people can work on the same file without creating duplications or other errors.

  • Cost. On-premises datacenters have upfront and ongoing costs that require ongoing investment and expertise. Because clouds are managed in coordination with the CSP, associated costs are typically more manageable and predictable than unexpected on-premises expenses.

  • Secure collaboration. Collaboration is key to a team’s success, but unsecured devices and networks increase the risk that the files will be compromised. Enterprise-level cloud file sharing employs encryption and password protection to increase the security of shared files. If an endpoint device (e.g., phone, laptop, tablet) is compromised, cloud services can remotely wipe the data from the device.

  • Eco-friendly. On-premises data centers consume a lot of energy and could contain substances that are harmful to the environment. Companies that use cloud computing can reduce their carbon footprint while decreasing infrastructure costs at the same time.

Enhance cloud file sharing security with WinZip Enterprise

Despite its obvious advantages, the cloud is not without data security concerns. Different providers offer varying levels of security, and most service agreements lack specific details when it comes to how protections are implemented.

To make your cloud file sharing processes more secure, consider using a solution like WinZip Enterprise. This solution secures and manages files with 128 and 256-bit AES encryption.

WinZip Enterprise gives your IT admins centralized control over the file sharing environment, including granular access controls. It integrates with several leading cloud storage systems and messaging platforms, ensuring that your data is safe across cloud systems.

Learn how WinZip Enterprise can help your organization make the switch to cloud file sharing and make your cloud-based file storage more secure.

What is File Security and What Does It Mean for Your Business? 

It’s estimated that almost 50% of working professionals will continue working remotely post COVID-19. The new normal with remote and hybrid work environments has altered how companies use technology to facilitate day-to-day operations.

Remote workers regularly access cloud-based systems and internal servers across multiple platforms and devices to communicate and collaborate with their coworkers, regardless of their physical location. In addition, 70% of organizations report allowing their remote workers to access corporate assets from personal devices.

As a result of this shift from in-person work environments to remote workplaces, organizations are now more vulnerable than ever to heightened cybersecurity risks. It is estimated that cybercrimes will cost companies worldwide nearly $10.5 trillion annually by 2025.

Some of these cybersecurity risks include data breaches or data loss due to phishing, ransomware, and other attacks that can prove catastrophic to a company’s bottom line and public reputation. According to IBM, the average cost of an organizational data breach is $4.35 million.

By simply practicing proper file security, businesses can thwart these cyberthreats and avoid the legal and financial consequences that are associated with improper cybersecurity practices.

In this article, we will explore what file security is, why it’s essential for organizations, and best practices. We will also detail how poor file security exposes businesses to cyberattacks, as well as how to use tools like WinZip® Enterprise to enhance your organization’s file security practices.

What is File Security?

You can think of file security this way: Database, network, and endpoint security is like a bank vault. File security is like having a secure lockbox stored within the vault. Even if someone breaks through the vault door, they can’t get to what’s inside the lockbox. Most organizations have data protection plans in place that are solely focused on overall database, network, or endpoint security. Although these are important factors to consider, vulnerabilities can still be exploited if someone is able to access the network or a connected device.

If unauthorized persons gain access to a business’s storage infrastructure, all the information stored within is at their fingertips. Without file-level security provisions, they can then open files and folders and retrieve sensitive company information.

The goal of these file security provisions is to protect each individual file within a company’s inventory, instead of granting authorized users access to an entire database at once. This practice makes it much more difficult for malicious third parties and other unauthorized individuals to gain access to critical business-related information.

Why Proper File Security is Essential for Organizations

From physical theft to unauthorized access, phishing attacks, and more, there are many ways in which security is compromised and data loss occurs. When data is not sufficiently protected, it can result in revenue loss, ransomware attacks, reputational damage, and other legal and financial consequences.

While every business professional needs file security, it is especially vital in heavily regulated industries that handle sensitive data. For example, healthcare companies and financial organizations hold high-value data that makes them a key target for malicious actors. This sensitive information includes items such as:

  • Cardholder data
  • Protected health information (PHI)
  • Personally identifiable information (PII)
  • Social security numbers
  • Financial records

Modern privacy regulations are growing, and Gartner predicts that by 2023, 63% of the world will have their personal information protected by some sort of privacy law. Proper file security is key to compliance with applicable compliance provisions.

Examples of regulations that impact companies that handle sensitive data include:

  • Health Insurance Portability and Accountability Act (HIPAA). HIPAA is concerned with privacy and security of protected health information (PHI). Healthcare entities and their business associates must use best practices such as encryption to ensure the safe use and access of sensitive data.

  • Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions (including those who provide financial products or services) to encrypt data at rest and in transit on external networks. File security provisions safeguard nonpublic personal information (NPI), which is financial data that could be used to identify an individual.

  • Federal Financial Institutions Council (FFIEC). The FFIEC guidelines require data at rest to be encrypted when the company’s risk assessment indicates that such protective services are necessary.

  • Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS security standard identifies 12 compliance requirements, including data encryption, for organizations that handle cardholder data.

  • Federal Information Processing Standards (FIPS). FIPS applies to all non-military government agencies and contractors, including anyone who handles sensitive but unclassified (SBU) information. FIPS 140-2, for example, identifies the security requirements for cryptographic modules to ensure that sensitive data is properly protected.

  • Federal Information Security Modernization Act (FISMA). FISMA requires federal agencies (as well as government contractors) to implement information security practices that reduce the risk of unauthorized data access. This includes the creation of a comprehensive system security plan with best practices such as data encryption.

File Security Best Practices to Follow

Prioritizing file security is the best way to ensure that your company’s important business information remains safe in the event of a data breach. Follow these best practices to keep your organization’s sensitive information secure and the integrity of your company intact:

Enforce File-Level Encryption Across Your Organization

File-level encryption secures your data across its lifecycle, including when it is in transit or at rest. This is a more targeted type of security than full-disk encryption, which prevents unauthorized access at the device level.

Data is considered “at rest” when it is not actively moving between devices and networks, such as when it is stored in a device or database. The data state is easily accessible without the proper security protections in place, making data at rest a popular target for malicious cybercriminals.

For instance, if files and folders that exist on employee devices are not properly encrypted, then the data they contain can be easily accessed by unauthorized users if the device falls into the wrong hands.

Data in-transit is also susceptible to cyberattacks if not properly encrypted. Malicious actors will often intercept data during cloud-based or internet file transfers. For example, cybercriminals can access company networks through unsecure Wi-Fi routers, stealing sensitive data in a matter of moments.

Leveraging file encryption helps companies reduce the risk of insider and third-party threats by ensuring that only authorized users can access organizational files and folders that hold sensitive data. This is because encrypted files can only be decrypted with the right password or key, rendering them unreadable to unauthorized individuals.

Manage User Access and Permissions

It is reported that 61% of all data breaches involve credentials that are either stolen via social engineering schemes or hacked by cybercriminals. By managing user access privileges and leveraging permissions-based user roles, companies can control who has access to what data, significantly increasing file security.

Organizations with robust data security plans utilize the principle of least privilege (POLP) to minimize the areas in which data exfiltration can occur. The POLP limits user access rights to only what is necessary to carry out assigned workplace tasks. With custom controls in place, system administrators can also immediately revoke user access to designated files directly after task completion.

Often, unintentional employee errors and intentional insider attacks occur when POLP is not properly managed. Because of this, businesses should regularly audit their access controls to determine if POLP still applies. Use audit logs to properly identify company file accessing and sharing history to detect potential breaches in file security.

Require Multi-Factor Authentication for User Accounts

In addition to managing user access privileges and leveraging permissions-based user roles, companies should also require their employees to use multi-factor authentication (MFA).

Multi-factor authentication is a layered approach used to secure sensitive data. It requires a combination of at least two credentials to verify a user’s identity.

Multifactor authentication credentials may include:

  • A knowledge factor such as a password, personal identification number (PIN), or passphrase.

  • An inherent factor such as a fingerprint or facial features detected by facial recognition software.

  • A possession factor such as a security token or smartcard.

Enabling MFA ensures that even if a cyberhacker were to uncover your account password, they would not be able to break into your account without a second method of authentication. Remember, it only takes one compromised account to result in a data breach for an entire organization.

How Poor File Security Exposes Businesses to Cyberattacks

With the influx of businesses shifting to remote and hybrid working environments comes a stampede of cyber attackers ready to infiltrate company computer systems with one common goal: to steal or tamper with sensitive information.

Poor organizational file security practices only further this agenda, leaving important company files exposed to a wide variety of cyberthreats. As of June 2022, 34.9 million records have been compromised by data breaches. Here are two examples:

  • In April 2022, the Yuma Regional Medical Center (YRMC) disclosed that it fell victim to a ransomware attack that exposed the PHI of 737,448 individuals. Although the medical facility’s daily services were mostly unaffected, a subsequent investigation found that the attacker gained access to some of YRMC’s external systems and removed files containing sensitive information. The stolen data affects current and former patients and includes names, medical information, social security numbers, and health insurance information.

The number of credential stuffing incidents that occur is on the rise, which is not surprising considering that 67% of all Americans use the same password for different online accounts.

Weak password protocols threaten file security, and businesses that employ security practices like multi-factor authentication are better protected against credential stuffing attacks. Although this practice is encouraged by security experts, only 11% of organizations require their employees to use multi-factor authentication to authenticate their login attempts.

How WinZip Enterprise Enhances File Security for Businesses

To mitigate the risk of data breaches, many organizations utilize business-level file encryption and compression services such as WinZip Enterprise. This solution features extensive file security capabilities including Advanced Encryption Standard (AES) encryption that ensures data protection, no matter if the data is in-use, in-transit, or at-rest.

WinZip Enterprise’s military-grade encryption services also help businesses comply with federal data protection regulations including the Defense Federal Acquisition Regulation Supplement (DFARS) and the Federal Information Protection Standards (FIPS).

WinZip Enterprise also enables users to compress their business files and encrypt them at the same time, reducing file transmission time and maximizing storage space. With WinZip Enterprise, users can even add password protection to their encrypted ZIP files, adding an extra safeguard to an organization’s file security plan.

Explore how WinZip Enterprise can help your organization set up and improve file security.

Learn more about WinZip Enterprise today!

Get a Quote

Connect With Us