Organizations have a lot of data, more than they realize, and it continues to grow. Each day we create and store data in our systems, then pack it up and save it somewhere, even temporarily, until it is needed. The challenge is how to manage, categorize, and locate specific information across a vast network. Imagine trying to locate your crying child's favorite blanket, packed away in one of the hundreds of cardboard boxes for your move; you know you packed it, but you need to find it now.
Companies need to be able to easily identify sensitive data stored within the confines of the organization. Whether it is a forgotten database, a folder shared temporarily on the LAN, or an unencrypted laptop that frequently leaves the premises, you undoubtedly have sensitive data residing in places you are unaware of. Confidential information does not always reside where it was intended to be. This is an acute dilemma, since you cannot protect what you do not know about. The enormity of this problem was outlined in a 2016 report by the Ponemon Institute, which found the following:
“57 percent of survey respondents stated that discovering where sensitive data resides within their organization is the greatest challenge of executing a data encryption strategy.”
Risks of Unsecured Sensitive Data
Information such as credit card numbers and Social Security numbers residing on unsecured platforms exposes your company to undue risk.
Cybercriminals specifically target organizations with large deposits of sensitive data such as customer identity and financial information. The average cost of a data breach in the U.S. during 2019 was $3.9 million. Costs resulting from a data breach include litigation, regulatory fines, lost business, and lost asset value. In addition, the reputational damage can take years to overcome. While accidental data loss may not involve a malicious intruder, lost data is lost data, and it brings the same costs and aggravation for everyone involved.
What is Sensitive Data Scanning?
Sensitive Data Scanning uses a software tool that seeks out sensitive data throughout your enterprise. It can be configured to look for numeric patterns formatted like Social Security or credit card numbers, and to target specific file types. Once an initial full scan is complete, an organization need only run incremental scans to discover new or modified files. These scanning tools look for data in file shares, web servers, databases, and desktop systems, including Macs and Linux machines. Scan results are compiled and then reviewed to eliminate false positives, such as digit strings that merely look like a card or Social Security number.
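The mechanics described above, as an added illustration that is not part of the original article or any HALOCK tool: a small Python scanner that walks a directory tree, matches Social Security and payment-card number patterns, uses the Luhn checksum to discard card-shaped digit runs that cannot be real card numbers (the automated part of false-positive review), and keeps a content-hash state so a second run re-reads only files that changed. The file names, the sample records, and the hash-based incremental scheme are constructed for the example; the card number 4111 1111 1111 1111 is a well-known test number, not a real account.

```python
"""Added example (not from the original article): a minimal sensitive-data
scanner with Luhn filtering of card matches and hash-based incremental rescans."""
import hashlib
import re
import tempfile
from pathlib import Path

# SSN: AAA-GG-SSSS with structurally invalid ranges excluded
# (area 000/666/9xx, group 00, serial 0000); separators optional.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# Card: 13-16 digits with an optional single space or dash between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes, most random runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, match) pairs found in text; card hits must pass Luhn."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            hits.append(("card", m.group(0)))
    return hits


def scan_tree(root: Path, state: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Scan every file under root. `state` maps relative path -> SHA-256 of the
    content seen on the previous run and is updated in place, so a later call
    only re-reads files whose content changed (the incremental scan)."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        key = path.relative_to(root).as_posix()
        if state.get(key) == digest:
            continue                       # unchanged since last scan: skip
        state[key] = digest
        hits = find_sensitive(data.decode("utf-8", errors="ignore"))
        if hits:
            findings[key] = hits
    return findings


def run_demo() -> tuple[dict, dict, dict]:
    """Constructed sample share: initial scan, unchanged rescan, rescan after an edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "hr" / "payroll.csv").write_text(
            "name,ssn\nJane Roe,078-05-1120\n")                 # SSN-shaped
        (root / "orders.txt").write_text(
            "card 4111 1111 1111 1111 exp 12/26\n"               # Luhn-valid test PAN
            "ticket 1234 5678 9012 3456\n")                      # 16 digits, fails Luhn
        (root / "readme.txt").write_text(
            "phone 555-0100, order 000-12-3456\n")               # area 000: not an SSN
        state: dict[str, str] = {}
        first = scan_tree(root, state)
        second = scan_tree(root, state)                          # nothing changed -> {}
        (root / "readme.txt").write_text("note: SSN 123-45-6789 on file\n")
        third = scan_tree(root, state)                           # only readme.txt re-read
        return first, second, third


if __name__ == "__main__":
    for label, result in zip(("initial", "rescan", "after edit"), run_demo()):
        print(label, result)
```

The Luhn filter removes the "ticket" number, which is card-shaped but not a valid card number, while the SSN pattern rejects area number 000; anything that survives these checks still goes to a human reviewer, as the article describes. Hashing content rather than trusting modification times means a file restored from backup with an old timestamp is still rescanned.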
Sensitive Data Scanning vs. Data Loss Prevention
Many organizations already implement data loss prevention (DLP) policies and tools to protect personally identifiable information (PII). Examples of DLP include preventing employees from sending Social Security numbers in email or uploading tax forms to public cloud storage. Many email security solutions today include DLP as part of their package. Sensitive data scanning, on the other hand, identifies all PII in your enterprise so you know how much of it you have, where it is, and how well it is secured. It can find confidential data that was forgotten long ago and is sitting idle on an insecure platform. While DLP focuses on the movement of data, sensitive data scanning focuses on its discovery and location.
Why Sensitive Data Scanning is Important
The best way to protect data at rest is to encrypt it. Encrypted data can still be stolen by an intruder, but it is of little value without the decryption key, provided that key is stored separately from the data. Once PII or confidential information has been found in an unencrypted location, management can choose either to encrypt it in place or to move it to storage that is already encrypted. Many Sensitive Data Scanning tools can also report which policies and rules the discovered data violates.
There is no uniform approach to encrypting data at rest among the major standards. HIPAA (Health Insurance Portability and Accountability Act) treats encryption as an addressable safeguard that must be implemented or justified, and GDPR (General Data Protection Regulation) names it as an appropriate technical measure. PCI DSS (Payment Card Industry Data Security Standard) requires stored cardholder data to be rendered unreadable, with encryption the most common way to do so, and the loss of unencrypted personal information is exactly the kind of breach that exposes a company to statutory damages under CCPA (California Consumer Privacy Act). Data encryption may not be mandatory in every case, but not having it can prove costly regardless.
Data Breaches that Might have been Prevented
The idea of identifying sensitive data in order to properly secure it may seem highly reasonable, but too many organizations continue to skip this straightforward step.
- Just last summer, more than 160 million records belonging to tens of thousands of users were discovered unencrypted and completely exposed by the movie subscription service MoviePass. The company did secure the data once the exposure was reported, although no one knows whether the data was compromised in the meantime.
- A Portland, Oregon-based Medicaid organization reported last January that an unencrypted laptop containing confidential information on more than 654,000 of its members was stolen from an office belonging to one of its transportation vendors.
- The University of Rochester Medical Center agreed to a $3 million settlement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services last year after experiencing two separate breaches. OCR found that the medical center had failed to conduct an enterprise-wide risk analysis, which could have prevented the loss of confidential data residing on an unencrypted flash drive and an unencrypted laptop.
How HALOCK Security Labs can Help
No company executive or IT leader ever wants to find themselves saying "if only…" Data breaches or accidental data loss can occur on any given day, and the longer you delay discovering your sensitive data, the more likely it is to be exposed. Fortunately, the steps to prevent that are readily available with the right partner.
To help identify your data vulnerabilities and design strategies to minimize your risk, let's talk about how we can find and secure your sensitive data.
Learn more about our comprehensive Risk Management Program to help prioritize your investments while balancing your security, compliance, and business obligations.