[BreachExchange] Key elements of a secure, sensitive information sharing strategy

[Audrey McNeil]

https://www.helpnetsecurity.com/2017/09/07/sensitive-informa
tion-sharing-strategy/

It’s been said, data is like the new oil. What does this mean exactly? Like
oil, data is a commodity. But unlike oil, the value of data isn’t
susceptible to supply and demand. Data is always in demand. Why? Data
provides understanding. And the conclusions that are drawn from
understanding can be optimized or, even better, monetized.

Take for example an online retailer of baby products. If a customer buys
infant pajamas, the retailer can deduce they might also need a baby monitor
or a night light. The retailer will suggest these items upon check out and
in doing so increase the likelihood of additional purchases. They can also
deduce that, in 12 months’ time, the customer might need walking shoes for
the baby. And 24 months after that, a tricycle. After that, the retailer
may partner and share its data with complementary businesses like
pre-schools, pediatric ophthalmologists and zoos.

In addition to buying history, there is also the more banal data – yet, in
many ways more valuable data to hackers – like names, credit card numbers,
expiration dates, mailing addresses, billing addresses, and more. Medical
information, especially patient records, is a specific class of sensitive
data, protected by regulations like HIPAA. All together it’s not difficult
to see data is more than a valuable commodity, it is a digital asset.

Like other assets, sensitive data needs to be protected. Data security is
not only good business practice but in many highly-regulated industries
like healthcare and financial services, it’s required. Data breaches
involving hackers identifying vulnerabilities in an IT network, employees
being duped into opening an attachment containing malware or ransomware, or
departing employees taking customer or product information to a competitor
are just some examples of ways organizations can lose valuable data.
Coincidentally, these are also ways organizations can lose customers and
brand equity and increase the risk of fines from regulators.

So, what can organizations do to ensure their sensitive information stays
secure, not just when it’s stored but also when it’s shared externally with
trusted partners such as management consultants, lawyers, co-marketing
partners or third party data analysts?

Here are a few key steps that will not only enable organizations to reduce
the risk of a breach of private information, but also demonstrate to
regulators or auditors that they have the appropriate governance controls
in place to protect that information.

Know where your data is stored

As organizations grow, they accumulate more data and require more places to
store that data, both on-premises and in the cloud. Microsoft SharePoint
and OneDrive for Business, OpenText, Box, Dropbox, Google Drive, home
drives, and Windows File Shares are just some of the many content
repositories where users might store their data. It’s imperative for
organizations to know – and be able to demonstrate – where sensitive
information is stored across this increasingly expansive landscape.

Certain regulations, for example GDPR, require that data stays in a
specific country or region. Customer data, contracts, personnel files,
sales forecasts, patent applications, financials – if organizations know
where these files are stored, they can control who has access to them and
monitor what’s happening with them. If they don’t know, then it’s anyone’s
guess. This explains why some data breaches go undetected for months or
even years. Ultimately, you can’t protect something if you can’t find it.

Know who has access to your data

Not every employee should have access to every file in the organization,
and as files are shared beyond enterprise borders it becomes even more
crucial to control access. If access to the systems holding your sensitive
information can’t be managed, you have a significant governance issue. It
should be noted that permissions to sensitive information can (and should)
vary. Some employees or business partners may require full access to
content (edit, download, share, etc.) whereas others should have view only
access and be prevented from downloading or sharing.

It should also be noted that permissions are only the first step to
protecting sensitive information. Security features like multi-factor
authentication ensure the individual requesting access is not
misrepresenting their identity, and Data Loss Prevention (DLP) technology
can be integrated with file sharing to define policies to control when and
how sensitive data is sent outside the organization, further mitigating the
risk of unauthorized access.

Know exactly what’s happening with your data

A critical extension of knowing where your data is stored and who has
access to it is knowing what is being done with it. The ability for
organizations to have full visibility into all file activity, as well as
the ability to share this activity with auditors, regulators, law
enforcement agencies and legal teams is critical for identifying data leaks
and demonstrating compliance with industry regulations.

Suppose prior to resigning, an employee started opening, downloading,
forwarding and printing lots of files he hadn’t accessed previously. While
he may have been authorized to access that content at the time, should some
of this data later be found to have been leaked, the logs of this former
employee’s activity will be valuable in identifying the source.

In cases of a compliance audit, whether to confirm internal policies are
being followed, or to satisfy specific regulatory requirements, knowing the
details of who signed in, from what device, and precisely what he or she
viewed, edited or downloaded is crucial to proving controls are in place.

Having the knowledge of where your organization’s sensitive information
resides, which employees and business partners have access to it and what
they are doing with it enables organizations to mitigate the risk of a data
leak and demonstrate compliance with regulators. It also gives
organizations a sense of control over their data, which is increasingly
harder to do when the amount of data is increasing exponentially.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170911/62a03778/attachment.html>