[BreachExchange] Taking control of sensitive data

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 28 14:06:11 EDT 2017


http://www.itproportal.com/features/taking-control-of-sensitive-data/

Why is sensitive data such a difficult topic for companies to address? In a
word, uncertainty.

Even today, when information is universally recognised as an organisation’s
most important asset, few companies have a firm grasp on their data. Most
companies don’t know how much sensitive data they have, where sensitive
data is being generated and stored, or even what types of information
should be considered sensitive in the first place.

All this uncertainty, together with confusion about the right way to
protect sensitive information, tends to leave organisations paralysed.
Unable to develop effective data protection strategies, they settle for a
reactive approach, addressing security gaps only when a breach has occurred
and the damage has already been done.

The fact that so many companies take this approach doesn’t make it any less
of a problem. The value of information is so high—and the consequences for
mishandling it so severe—that no organisation can justify the risk of
leaving sensitive data unprotected.

Defining sensitive

Before it can protect its sensitive data, an organisation must first
understand what that term really means.

This is more complex than it sounds, because there is not (and never can
be) a universal definition of sensitive data. Types of information that one
organisation freely shares—customer names, for example, or product
schematics or financial results—might be considered secrets by another
organisation.

In general, however, we can say that information is sensitive if (a) its
ownership or use is restricted by a government or industry mandate; or (b)
it cannot be made public without potential damage to an organisation’s
reputation or ability to compete. The following list is just a sampling of
the many forms of data that might meet this definition:

- Personal health information
- Financial account data
- Student education records
- Consumers’ personal information
- Attorney/client information
- Intellectual property
- Employment records
- Business plans
- IT documentation
- Meeting notes
- Internal communications

Mandated sensitivity

Laws relating to data privacy and protection vary widely from jurisdiction
to jurisdiction. Some countries have had comprehensive data protection laws
on the books for decades, while others, such as the US, regulate only a few
specific types of information.

While we may never see a truly global standard for data protection,
Europe’s new General Data Protection Regulation is the closest thing to it.
With a long list of new obligations and the potential for fines up to 4% of
annual revenue, the GDPR is forcing companies around the world to take a
hard look at their data governance and security strategies.

Beginning in 2018, the GDPR will require organisations (regardless of where
they are located) to protect any data that relates to identifiable EU
citizens, with additional restrictions for “special” types of data,
including information on individuals’ political opinions, religious
beliefs, genetic data, and sexual orientation. Organisations will need to
ask for explicit permission before they collect sensitive data, and must
follow strict guidelines in how they store, process and exchange personal
information.

The GDPR is so broad in scope—and carries so much potential for financial
penalties—that every organisation operating in Europe should already be
evaluating its approach to collecting and sharing personal information.

Unique requirements

As cumbersome as the GDPR’s mandates may be, they should at least remove
the uncertainty an organisation might have regarding the sensitivity of
consumers’ personal information. The process of evaluating other forms of
data, such as financial information, customer lists, product details, and
internal communications, may be more complex.

If a company leaves its definition of sensitive data at the
legally-required minimum, it will likely leave critically important
information uncontrolled and unprotected. An overly-broad definition of
sensitive data, on the other hand, can create roadblocks to daily business,
making it difficult for employees to gain access to the information they
need in order to do their work.

In the interest of long-term data security, each organisation should
implement a company-wide data governance strategy that calls for the
evaluation of all forms of data collected or created within the
organisation. When the organisation fully understands how it is using its
data, it can determine which data requires protection and who should have
access to it.

Once a company has defined sensitive data in its own terms, it is
positioned to identify and protect the actual files and datasets that meet
the definition.

What to do about it

How should sensitive data be protected? The old answer to that question
involved a combination of network security and user permissions, but that
approach is falling out of favour. With the ongoing shifts toward cloud
services and decentralised workforces, together with exponential growth of
data volumes, companies can no longer hope to keep sensitive data contained
within their own network.

A new approach, focused on data itself, is the key to keeping sensitive
information safe from cyber threats. An effective data protection strategy
includes three interrelated processes aimed at identifying and securing
sensitive information as soon as it exists:

Data discovery: Discovery involves scanning servers and user devices to
find files that contain sensitive information. Ideally, any file activity
on a device or storage location should initiate a new scan for sensitive
data. Discovery scans can be used to search for data based on format,
content, or both.

Data classification: Classification is the process of flagging sensitive
information using meta tags or other methods. Classification can be done
manually or in conjunction with the discovery process.

Data protection: Ideally, organisations should take an approach that allows
them to protect sensitive data as soon as it is identified through
discovery or classification. Data protection technology such as encryption
is specifically recommended by the GDPR and other cybersecurity
regulations.
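As an added illustration (not from the article), the following Python sketch runs the first two of these processes over a few constructed in-memory "files": format-based rules keyed on file extension, content-based rules keyed on patterns, a Luhn check so that a random digit run is not flagged as a card number, and the resulting labels standing in for the meta tags that classification attaches. The paths, contents, labels and rule sets are all made up for the example.

```python
import os
import re

# Constructed sample "files" (path -> contents); every value here is made up.
SAMPLE_FILES = {
    "finance/q3-results.xlsx": "Revenue 4.2M; card on file 4111 1111 1111 1111 for vendor X",
    "hr/onboarding.txt": "Employee jane.doe@example.com, start date 2017-08-01",
    "notes/standup.txt": "Discussed sprint velocity; nothing else",
    "eng/design.pdf": "Schematics for product Z, rev 3",
}

# Format-based rule: file extension -> sensitivity label (hypothetical policy).
FORMAT_RULES = {".xlsx": "FINANCIAL", ".pdf": "INTELLECTUAL_PROPERTY"}

# Content-based rules: label -> pattern. Card-number hits are Luhn-checked below.
CONTENT_RULES = {
    "PAYMENT_CARD": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "PERSONAL_DATA": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(path: str, contents: str) -> set:
    """Return the set of labels (the meta tags) a single file should carry."""
    labels = set()
    ext = os.path.splitext(path)[1].lower()
    if ext in FORMAT_RULES:             # format-based match
        labels.add(FORMAT_RULES[ext])
    for label, pattern in CONTENT_RULES.items():   # content-based match
        for match in pattern.finditer(contents):
            if label == "PAYMENT_CARD" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue            # digit run failed Luhn: treat as a false positive
            labels.add(label)
            break
    return labels

def discover(files: dict) -> dict:
    """Discovery scan: report only the files that matched at least one rule."""
    return {p: tags for p, c in files.items() if (tags := classify(p, c))}
```

In a deployment the call to discover() would be triggered from a file-activity hook so that new or changed files are rescanned as the article recommends, and the returned labels would drive the protection step (for example, which files get encrypted).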

The proliferation of cyber threats and the increasing public outcry over
data breaches have created an environment in which a single slip-up can
spell doom for an organisation. Fortunately, data protection technology
continues to evolve, giving companies options that didn’t exist a few years
ago. With the right tools and an organisation-wide commitment, even the
largest company can gain control of its sensitive data and protect itself
from hackers, spies, and government sanctions.