Today’s hybrid IT infrastructures make it more challenging than ever to identify and protect sensitive data. Across a smorgasbord of cloud services and employee-owned BYOD devices, sensitive data is often stored and shared in many different areas. And this data dispersal opens up a wider surface for issues such as data leakage and theft.
Financially motivated threat actors highly prize sensitive data, and they’re always on the lookout for opportunities to exfiltrate it. A compliance landscape characterized by a slew of regulations protecting information privacy, such as GDPR, HIPAA, and CCPA, creates further pressure to safeguard any data assets that could compromise confidential customer details. The problem of sensitive data protection reaches such an extent that one report found 41% of organizations had at least 1,000 sensitive files open to all employees.
Given the critical need to protect sensitive data assets and the consistent difficulties in doing so, what are some actionable practices that will reduce exposure to leaks, theft, and breaches? This article clarifies what sensitive data actually means and provides six steps to better protect it.
Sensitive data is confidential information that needs protection because its unwanted disclosure could harm an individual or organization. This is an important definition to understand because sensitive data encompasses much more than just the personal sensitive data sources on customers or employees that various regulations seek to protect (e.g., protected health information or personally identifiable information).
Sensitive data sources also include intellectual property and trade secrets. Examples include algorithms, formulas, recipes, and even source code for custom applications. Other sources could include the results of customer surveys, contracts, and client lists. Many of these data sources are unstructured files such as PDFs, Word Docs, and spreadsheets that aren’t stored in a structured database format.
Organizations have always gathered, created, and stored sensitive data. But increased digitization and a data-driven economy have made breaches more widespread and severe. Often, single incidents result in hundreds of thousands of records being compromised. Robust sensitive data security protects your organization, employees, and customers from a host of potential negative outcomes resulting from unauthorized access to confidential information.
Whether you’re a CISO, part of a corporate legal department, or you’re involved with DevOps projects that use or create sensitive code and information, here are six steps to safeguard sensitive data.
A foundational element in sensitive data protection is being able to discover all sources of sensitive data distributed throughout your IT environment. Among the chaotic sprawl of data created and collected across endpoints and cloud services, discovery is a high-pressure problem that existing approaches regularly fail to keep up with. Technology proves exceptionally useful in data discovery—look for platforms that automate the process with precision for managed and shadow data assets.
The consequences of a leak or breach differ, of course, from one sensitive data source to another. Or, to put it more simply, there are different degrees of data sensitivity. Proper classification is essential for getting the most appropriate protection measures in place based on the sensitivity of the information contained in different data assets. Ideally, any platform or solution for discovery also automates data labeling, because manually sifting through detected data to classify it is tedious work that prevents you from keeping up with rapid data proliferation.
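To make the discovery and classification steps concrete, here is an added example (not code from the original article or from any vendor platform) that scans a few constructed, unstructured "files" for sensitive data patterns and labels each file with a sensitivity tier. The file paths, contents, patterns and tier names are all assumptions chosen for illustration; the Luhn checksum is included because a precise discovery tool must reject the many digit strings that merely look like card numbers.

```python
import re

# Constructed sample "files" standing in for unstructured documents found
# during discovery; none of the identifiers or card numbers are real.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New hire Jane Roe, SSN 123-45-6789, email jane.roe@example.com",
    "finance/refund.csv": "order,card\n1001,4111111111111111\n1002,1234567812345678",
    "eng/notes.md": "Sprint retro: migrate the cache, nothing sensitive here.",
    "legal/contract.txt": "CONFIDENTIAL - client list attached: Acme Corp, Globex",
}

# Detector patterns; each maps to a data category (assumed for this example).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b\d{13,19}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b"),
}

# Category -> sensitivity tier; the highest tier found labels the whole file.
TIER = {"ssn": 3, "card": 3, "confidential_marker": 2, "email": 1}
LABELS = {0: "public", 1: "internal", 2: "confidential", 3: "restricted"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect(text: str) -> set:
    """Return the set of sensitive data categories present in the text."""
    found = set()
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if name == "card" and not luhn_ok(m.group()):
                continue        # reject Luhn failures to cut false positives
            found.add(name)
    return found


def classify(text: str) -> str:
    """Label a document by the most sensitive category it contains."""
    tier = max((TIER[c] for c in detect(text)), default=0)
    return LABELS[tier]


def scan(files: dict) -> dict:
    """Discovery pass: map each file path to its sensitivity label."""
    return {path: classify(body) for path, body in files.items()}


if __name__ == "__main__":
    for path, label in scan(SAMPLE_FILES).items():
        print(f"{label:12} {path}")
```

Note that the second "card" value in the refund file fails the Luhn check and so does not raise that file's tier on its own; the first one passes and labels the file restricted.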
Encryption takes sensitive information and applies an algorithm that makes it unreadable without access to a secret key. While some regulations like GDPR merely suggest appropriate data security measures, other regulations like HIPAA expressly require encrypting protected health information stored at rest.
Whether or not a regulation specifically mandates encryption, it’s a worthwhile best practice to immediately implement after discovering and classifying sensitive data. Start by encrypting the most sensitive sources for which a breach or accidental exposure carries the worst consequences.
Since encryption consumes system resources, its implementation comes with a risk of performance overhead, particularly when running queries on databases. Some level of performance hit is still worth it when you consider the costs of customer data breaches, although there are ways to minimize the performance overhead.
For sensitive data, encryption is essentially the last line of defense you can depend on. If an unauthorized user manages to access a file or database they shouldn’t, effective encryption is the final possible safeguard that keeps the data unreadable.
While encryption can prove incredibly useful, don’t depend on it as the single layer of protection for sensitive data. Modern cybersecurity requires a defense-in-depth approach where you layer multiple controls to best protect systems and information.
Two-factor (2FA) and multi-factor authentication (MFA) strengthen the process of authentication — verifying that users are who they claim to be. Both mechanisms improve security by requiring two (2FA) or more (MFA) categories of evidence when verifying user identities before providing access to resources.
In a world of poor password hygiene and billions of stolen credentials, relying on passwords alone is not a safe practice. This rings particularly true for sensitive data protection. User accounts for any services or apps with access to sensitive data sources should be secured with either 2FA or MFA.
While improved authentication security is undoubtedly valuable, the use of extra authentication factors doesn’t negate the importance of a strong password policy in protecting sensitive data. This policy clearly sets out your organization’s rules for creating good passwords that aren’t easily cracked with brute force methods.
The policy should cover:
Data breach, theft, and exposure incidents typically garner much media spotlight, but other unwanted outcomes threaten sensitive information, one of which is data destruction. What happens if an employee accidentally deletes an entire database or a confidential PDF file? Or, what happens if a threat actor compromises your network and installs ransomware that blocks access to sensitive data assets?
In both scenarios, not having your sensitive data backed up leaves it inadequately protected. Just a single accidental or malicious action poses serious risks. Regular backups can mitigate many risks arising from unintentional data destruction, natural disasters destroying systems, and more.
Training staff effectively might sound somewhat trite, but the key word here is “effectively”. In one revealing survey from 2021, 69% of respondents said they received cybersecurity training from their employers, yet 61% of those same respondents failed a basic cybersecurity quiz. Despite widespread knowledge that cybersecurity training is essential, it’s clearly not being done well enough.
Solid cybersecurity training and awareness requires engaging material, non-generic lessons that focus on relevance, and breaking lessons into small chunks rather than lengthy slogs. Continued reinforcement is also vital in ensuring staff remember what sensitive data protection looks like.
The need to protect sensitive data looks to become more urgent as regulatory requirements become more stringent, the volume of data grows, and money-hungry malicious actors see data exfiltration as the means to achieve their objectives. Following these steps covers much of the groundwork needed to safeguard these data assets against loss, destruction, theft, or leaks.
Polar Security’s innovative platform automatically discovers and classifies your sensitive data. This critical step is fundamental to sensitive data protection in dynamic and distributed modern IT infrastructures. Not only does the platform discover and classify sensitive data, but it also maps data flows so that you can suitably protect it wherever it ends up in your environment.