7 Non-Financial Data Types to Secure
Credit card and social security numbers aren't the only sensitive information that requires protection.
April 14, 2018
(Image: Tumisu VIA Pixabay)
Medical Information
If you're part of the healthcare industry, then you know how serious medical information is. HIPAA is there to remind you, in case you're apt to forget. If you're not working in a hospital, clinic, or insurance company, then it can be easy to think that medical information isn't something that concerns you, but the growing alliance of IoT, HR, and employee wellness means that you may well have more health data in your records than you believe.
Companies are collecting data on everything from weight loss and smoking cessation to DNA tests and exercise patterns on their employees and, in some cases, on their customers. All of these are information types that can help build a complete picture of an individual, target the individual for spam or spear-phishing campaigns, or simply be used to harass people based on their personal information.
Even if your company isn't bound by HIPAA, health-based information must be considered exceptionally sensitive and must be protected as such.
(Image: Geralt VIA Pixabay)
Browser History
Where have you been in your travels on the Web? If someone knows the answer, they know an amazing amount about you and your interests. That level of knowledge is both intensely private and very sensitive. And its sensitivity is part of what makes it both attractive to criminals and well worth protecting.
The browser history that lives on a personal computer is one thing, and we know that spyware often looks at local browser history as part of its data-gathering duties. When an organization uses tracking cookies as part of its Web application suite and stores the information as part of its customer data, then that central store becomes extremely valuable — and vulnerable.
(Image: Geralt VIA Pixabay)
Survey Data
What 17th-century European noble were you in a past life? Which pet is perfect for you? Should our elected officials be doing more to protect palmetto bugs? The Web is full of surveys today, each of which purports to give you fun information to share on social media, and each of which can collect incredibly personal information to do so.
Companies use the personal information to target users for ad and marketing campaigns. Criminals can use that same information to target individuals for spear-phishing, spam, and disinformation attacks. Once a company has data from a survey, whether the immediate point of the survey is entertainment or political action, it should treat that data as PII and take steps to protect it accordingly.
(Image: Geralt VIA Pixabay)
Comments
On the modern Internet, everyone can have an opinion — and it often seems like everyone does. Those opinions can seem loud, harsh, ignorant, insightful — but together they can help form a rich picture of an individual. And that rich picture can be sensitive when it could be used to target that person's work, finances, or reputation.
Reputation is one of those factors that enterprise IT security rarely talks about, but in the consumer/individual world it is incredibly important because an individual's reputation has a currency of its own. When data that a company collects and holds can be used to change or damage that reputation, then the data must be protected.
The debate on whether comments should be allowed at all has raged for years and is unlikely to go away any time soon. But if your organization allows users to make comments, then it should protect those users from having their comments scraped, stolen, and combined with other information to help criminals bring them to harm.
(Image: Succo VIA Pixabay)
Employment Details
How has an employee been performing in their job? What are their hours? What are their special skills? Details like these, which don't tend to have social security numbers or bank account details attached, are still sensitive information about an individual and should still be considered critical PII.
When we protect employee data, we tend to focus on those pieces that connect directly to a bank account or other financial factor. But a company may have a legitimate need to keep all kinds of information that can be used to target the employee for intimidation, blackmail, or harassment — all things that can be enormously damaging to the individual and costly for the company to remediate.
These non-financial employment details are pieces that factor into the complex picture of an individual. More than that, though, many companies collect private information so they can help their employees go through difficult situations. It would be a huge breach in the company/employee relationship if that same information, through carelessness, were used to cause harm to the individual.
(Image: Geralt VIA Pixabay)
Passwords
When a password is stolen, it can allow access to an account. When that password for the account is changed, the danger is over, right? Not so fast.
Humans tend to re-use passwords because, well, they're human. And that means that a criminal who knows the password for a user's account on one system has a better-than-even chance of knowing their passwords on multiple systems. Given this, a password breach is not a simple occurrence that can be quickly remedied with a forced password reset. When a password file is breached, the effects can ripple out across scores of sites and services.
Enterprise IT security tends to be somewhat myopic, focusing only on an event's impact on the business itself. But "herd immunity" is a real thing in IT security: secure practices at each business tend to reinforce and amplify the security at all businesses. Be a good citizen — treat password files as stores of information that have an impact on everyone. Everyone will be grateful.
(Image: TheDigitalArtist VIA Pixabay)
Synthesized Data
It's one of the mysteries of sensitive data that every security clearance holder knows: It's possible to take public, non-sensitive data, collect it, and put it together in a way that is highly sensitive. Since the dawn of Big Data, it's become easier and easier for companies to do just that.
When your company is gathering data and doing that Big Data voodoo on it, the results should be protected just as more traditionally sensitive data is shielded. Though some professionals like to pretend that Big Data stores are immune to theft because of their size and complexity, hacking teams such as the Lazarus Group have shown that they are willing to get into a network and slowly exfiltrate huge data stores over months or years.
When modern business runs on diverse data types, modern IT security must protect diverse data types. IT professionals shouldn't fall prey to the fallacy that data without dollars attached isn't sensitive: Reputations, finances, and regulatory compliance are among the things that can be damaged and suffer if data tunnel-vision is allowed to flourish.
(Image: Geralt VIA Pixabay)
As more and more personally identifiable information (PII) has moved online, cybercriminals have been able to gain access to deeper stores of data and build more complete pictures of their victims. Whether the information concerns health, movement, or political views, it adds up to a rich, complete version of an individual that can be stolen, mimicked, or manipulated.
The largest data breach so far, the Yahoo incident, didn't involve financial data; instead, it exposed the real names, email addresses, dates of birth, telephone numbers, and security questions of roughly 3 billion people to hackers. The next largest, that of Adult Friend Finder, gave names, email addresses, and passwords to the attackers. In neither of these cases were credit card or social security numbers released, but both were highly damaging to many of those affected and, in the case of Yahoo, devastating to the company itself.
This shows that if criminals are willing to attack an organization to gain non-financial information on users and customers, then the IT department should be willing to treat that information as important, too.
Here's a look at seven data types many companies have collected and hoarded with abandon, and that need to be protected just like financial data. If your organization has terabytes of any of these data types sitting in a warehouse, lake, or cluster, then it may be time to start the audit to see just how exposed it — and your company — truly are.