A sensitive data management strategy can include the use of DLP technology, but it also involves a comprehensive understanding of where your data is and what specifically is at risk.

Todd Feinman, President & CEO, Identity Finder

November 25, 2014


Cyber criminals have grabbed headlines for many highly publicized data breaches in recent years. However, the greatest source of blame for many of these incidents should be placed on the shoulders of organizations that don’t properly manage sensitive data. The obvious reason: Criminals harvesting personally identifiable information expend far less effort in companies where insufficient security controls expose mass amounts of data.

What’s most effective in data protection is a holistic approach. Where organizations go wrong is in confusing sensitive data management with data loss prevention (DLP) software. Let’s start by more clearly defining the terms.

DLP keeps critical data from escaping the confines of the network, usually when an employee unknowingly emails it. Sensitive data management is a strategy that incorporates people, process, and technology, with the technology focused on data discovery, classification, security governance, and protection. Sensitive data management can include the use of DLP technology, but, taken as a whole, it is a comprehensive strategy to identify where your data is, what is at risk, who has access, when it is touched, and how to protect it.

Most organizations incorporate seven steps into their sensitive data management best practices:

  • Defining what the organization deems as sensitive information

  • Knowing where sensitive data is and who has access

  • Classifying data in terms of importance and potential harm to your organization, if stolen

  • Identifying who the data owner is

  • Governing the accountability of data owners

  • Determining if data is necessary or obsolete and if it poses unnecessary risk

  • Eliminating data as soon as it is no longer necessary, or protecting it if it must exist
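The discovery, classification, and retention steps above can be exercised with a small scanner. This is an added example, not code from the article or from Identity Finder; the file contents, dates, and five-year retention window are constructed assumptions, and the card check uses a Luhn checksum to cut down on false positives from ordinary digit runs.

```python
import re
from datetime import date

# Constructed sample "files": path -> (last modified, content). Not real data.
SAMPLE_FILES = {
    "hr/payroll_2009.csv": (date(2009, 3, 1), "Jane Roe,123-45-6789,4111111111111111"),
    "sales/leads.txt": (date(2014, 11, 1), "Call 555-0100; card 4012888888881881"),
    "eng/readme.md": (date(2014, 10, 5), "Build with make. Version 1.2.3"),
}
AS_OF = date(2014, 11, 25)  # assumed scan date

# SSN pattern excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digit run with optional space/dash separators; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects digit runs that cannot be card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(content: str) -> str:
    """Step 3: classify by the most harmful identifier present."""
    if SSN_RE.search(content):
        return "restricted"    # identity theft exposure
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(content)):
        return "confidential"  # cardholder data, PCI-DSS scope
    return "public"

def inventory(files, today, retention_days=5 * 365):
    """Steps 2, 6 and 7: where sensitive data is, whether it is obsolete,
    and whether to eliminate or protect it."""
    report = []
    for path, (modified, content) in files.items():
        cls = classify(content)
        stale = (today - modified).days > retention_days
        if cls == "public":
            action = "none"
        else:
            action = "eliminate" if stale else "protect"
        report.append((path, cls, stale, action))
    return report
```

Running `inventory(SAMPLE_FILES, AS_OF)` flags the 2009 payroll export for elimination and the current leads file for protection, which is the owner accountability decision the list above describes.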

Natural consequences
The consequences of not deploying an effective sensitive data management strategy can be quite severe and take many years to undo, if at all, as many breached organizations have learned the hard way. Some consequences include:

  • Compliance fines, legal costs, and insurance premium hikes. From HIPAA to SOX to PCI-DSS 3.0, there are any number of regulations that require organizations to protect this data and levy monetary penalties for not doing so. As a result, legal spend and insurance premiums also increase.

  • Lingering sales drop. A Javelin Research study (sponsored by Identity Finder) shows that in the finance, retail, and healthcare industries, up to a third of consumers will stop doing business with organizations that are breached.

  • Increased IT cost and inefficiency. Excessive data is not only a recipe for a breach nightmare, but it takes up space on your network and makes the task of locating data more difficult. What’s more, it is an organization’s responsibility to protect all the information customers have entrusted it with.

Organizations in all industries need to do a better job of managing sensitive data. Many are holding on to more data than they need and are at great risk that it could be stolen or exposed. In an era when cyber criminals are sharpening their skills on a daily basis, businesses should take inventory of every piece of data they own, classify it, protect it, and govern its access. Getting breached is bad enough, but losing data that had no business being there in the first place is even worse.

About the Author(s)

Todd Feinman

President & CEO, Identity Finder

Todd Feinman is President and CEO of Identity Finder, which he co-founded in 2001. He is an identity theft expert and an internationally published author, writing Microsoft's reference book on securing Windows and McGraw Hill's university textbook on managing the risks of electronic commerce. He has appeared on many television and radio shows including CBS, ABC, FOX, NBC, and FOXNews. He has written dozens of articles and presented at numerous global conferences on the topics of identity theft, data leakage, security, and privacy. Todd has a Master of Business Administration from Harvard Business School and a Bachelor of Science from Lehigh University.
