Cyber criminals have grabbed headlines for many highly publicized data breaches in recent years. However, much of the blame for these incidents should be placed on the shoulders of organizations that don’t properly manage sensitive data. The obvious reason: criminals harvesting personally identifiable information expend far less effort in companies where insufficient security controls expose large amounts of data.
What’s most effective in data protection is a holistic approach. Where organizations go wrong is in confusing sensitive data management with data loss prevention (DLP) software. Let’s start by more clearly defining the terms.
DLP keeps critical data from escaping the confines of the network, usually by an employee unknowingly emailing it. Sensitive data management is a strategy that incorporates people, process, and technology, with the technology focused on data discovery, classification, security governance, and protection. Sensitive data management can include the use of DLP technology, but, taken as a whole, it is a comprehensive strategy to identify where your data is, what is at risk, who has access, when it is touched, and how to protect it.
Most organizations incorporate seven steps into their sensitive data management best practices:
- Defining what the organization deems as sensitive information
- Knowing where sensitive data is and who has access
- Classifying data in terms of importance and the potential harm to your organization if it is stolen
- Identifying who the data owner is
- Governing the accountability of data owners
- Determining if data is necessary or obsolete and if it poses unnecessary risk
- Eliminating data as soon as it is no longer necessary, or protecting it if it must exist
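The seven steps above, carried through on a constructed sample inventory as an added example (not code from the original article): a policy defines which data types count as sensitive, discovery finds them in each file (card-like numbers must also pass a Luhn checksum), each file is tiered by potential harm, and the owner and last-access date decide whether to protect, assign an owner, or eliminate. File paths, owners, dates and the one-year retention window are all assumptions.

```python
import re
from datetime import date

# Constructed sample corpus (not real data): path -> (content, owner, last_accessed)
SAMPLE_FILES = {
    "hr/payroll_2013.csv": ("name,ssn\nA. Person,123-45-6789\n", "hr-lead", date(2013, 3, 1)),
    "sales/orders.txt": ("card 4111 1111 1111 1111 exp 12/19\n", None, date(2015, 6, 1)),
    "sales/notes.txt": ("ref 1234 5678 9012 3456 is a ticket id\n", "sales-lead", date(2015, 6, 1)),
    "eng/readme.md": ("Build with make. Contact eng@example.com\n", "eng-lead", date(2015, 6, 10)),
}

# Step 1: the (assumed) policy defines what is sensitive and how harmful it is if stolen.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}
HARM = {"ssn": "high", "card": "high", "email": "moderate"}
RANK = {"none": 0, "moderate": 1, "high": 2}

def luhn_ok(digits):
    """Checksum that weeds out numbers which merely look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def discover(content):
    """Step 2: which sensitive data types does this file contain?"""
    found = set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(content):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue             # card-shaped but fails the checksum: not a finding
            found.add(kind)
    return found

def classify(types):
    """Step 3: tier a file by the most harmful type it holds."""
    return max((HARM[t] for t in types), key=RANK.get, default="none")

def inventory(files, today, max_age_days=365):
    """Steps 4-7: record owner, flag stale data, recommend protect/assign/eliminate."""
    report = {}
    for path, (content, owner, last_accessed) in files.items():
        types, stale = discover(content), (today - last_accessed).days > max_age_days
        tier = classify(types)
        if tier == "none":
            action = "ignore"
        elif stale:
            action = "eliminate"     # obsolete sensitive data is risk without value
        elif owner is None:
            action = "assign-owner"  # nobody is accountable for it yet
        else:
            action = "protect"
        report[path] = {"types": sorted(types), "tier": tier, "owner": owner, "action": action}
    return report
```

Running `inventory(SAMPLE_FILES, date(2015, 7, 1))` marks the 2013 payroll export for elimination, the unowned card data for owner assignment, and the ticket id (which fails Luhn) as not sensitive.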
The consequences of not deploying an effective sensitive data management strategy can be quite severe and take many years to undo, if at all, as many breached organizations have learned the hard way. Some consequences include:
- Compliance fines, legal costs, and insurance premium hikes. From HIPAA to SOX to PCI-DSS 3.0, there are any number of regulations that require organizations to protect this data and levy monetary penalties for not doing so. As a result, legal spend and insurance premiums also increase.
- Lingering sales drop. A Javelin Research study (sponsored by Identity Finder) shows that in the finance, retail, and healthcare industries, up to a third of consumers will stop doing business with organizations that are breached.
- Increased IT cost and inefficiency. Excessive data is not only a recipe for a breach nightmare; it also takes up space on your network and makes the task of locating data more difficult. What’s more, it is an organization’s responsibility to protect all the information customers have entrusted to it.
Organizations in all industries need to do a better job of managing sensitive data. Many are holding on to more data than they need and are at great risk that it could be stolen or exposed. In an era when cyber criminals are sharpening their skills on a daily basis, businesses should take inventory of every piece of data they own, classify it, protect it, and govern its access. Getting breached is bad enough, but losing data that had no business being there in the first place is even worse.