Today’s hybrid IT infrastructures make it more challenging than ever to identify and protect sensitive data. Across a smorgasbord of cloud services and employee-owned BYOD devices, sensitive data is often stored and shared in many different areas. And this data dispersal opens up a wider surface for issues such as data leakage and theft.
Financially motivated threat actors highly prize sensitive data, and they’re always on the lookout for opportunities to exfiltrate it. A compliance landscape characterized by a slew of regulations protecting information privacy, such as GDPR, HIPAA, and CCPA creates further pressure to safeguard any data assets that could compromise confidential customer details. The problem of sensitive data protection reaches such an extent that one report found 41% of organizations had at least 1,000 sensitive files open to all employees.
Given the critical need to protect sensitive data assets and the consistent difficulties in doing so, what are some actionable practices that will reduce exposure to leaks, theft, and breaches? This article provides six steps to better protect sensitive data and clarify what sensitive data actually means.
What is Sensitive Data?
Sensitive data is confidential information that needs protection because its unwanted disclosure could harm an individual or organization. This is an important definition to understand because sensitive data encompasses much more than just the personal sensitive data sources on customers or employees that various regulations seek to protect (e.g., protected health information or personally identifiable information).
Sensitive data sources also include intellectual property and trade secrets. Examples include algorithms, formulas, recipes, and even source code for custom applications. Other sources could include the results of customer surveys, contracts, and client lists. Many of these data sources are unstructured files such as PDFs, Word Docs, and spreadsheets that aren’t stored in a structured database format.
Organizations have always gathered, created, and stored sensitive data. But increased digitization and a data-driven economy have made breaches more widespread and severe. Often, single incidents result in hundreds of thousands of records being compromised. Robust sensitive data security protects your organization, employees, and customers from a host of potential negative outcomes resulting from unauthorized access to confidential information.
Six Steps to Protect Sensitive Data
Whether you’re a CISO, part of a corporate legal department, or you’re involved with DevOps projects that use or create sensitive code and information, here are six steps to safeguard sensitive data.
1. Discover and Classify
A foundational element in sensitive data protection is being able to discover all sources of sensitive data distributed throughout your IT environment. Among the chaotic sprawl of data created and collected across endpoints and cloud services, discovery is a high-pressure problem that existing approaches regularly fail to keep up with. Technology proves exceptionally useful in data discovery—look for platforms that automate the process with precision for managed and shadow data assets.
There are, of course, different degrees of ramifications associated with a leak or breach of disparate sensitive data sources. Or, to put it more simply, there are different degrees of data sensitivity. Proper classification is essential for getting the most appropriate protection measures in place based on the sensitivity of the information contained in different data assets. Ideally, any platform or solution for discovery also automates data labeling because manually sifting through detected data to classify it is tedious work that prevents you from keeping up with rapid data proliferation.
2. Encryption
Encryption takes sensitive information and applies an algorithm that makes it unreadable without access to a secret key. While some regulations like GDPR merely suggest appropriate data security measures, other regulations like HIPAA expressly require encrypting protected health information stored at rest.
Whether or not a regulation specifically mandates encryption, it’s a worthwhile best practice to immediately implement after discovering and classifying sensitive data. Start by encrypting the most sensitive sources for which a breach or accidental exposure carries the worst consequences.
Since encryption consumes system resources, its implementation comes with a risk of performance overhead, particularly when running queries on databases. Some level of performance hit is still worth it when you consider the costs of customer data breaches, although there are ways to minimize the performance overhead.
For sensitive data, encryption is essentially the last line of defense you can depend on. If an unauthorized user manages to access a file or database they shouldn’t, effective encryption is the final possible safeguard that keeps the data unreadable.