Taking control of sensitive data

Why is sensitive data such a difficult topic for companies to address? In a word, uncertainty.   

Even today, when information is universally recognised as an organisation’s most important asset, few companies have a firm grasp on their data.  Most companies don’t know how much sensitive data they have, where sensitive data is being generated and stored, or even what types of information should be considered sensitive in the first place.   

All this uncertainty, together with confusion about the right way to protect sensitive information, tends to leave organisations paralysed. Unable to develop effective data protection strategies, they settle for a reactive approach, addressing security gaps only when a breach has occurred and the damage has already been done. 

The fact that so many companies take this approach doesn’t make it any less of a problem. The value of information is so high—and the consequences for mishandling it so severe—that no organisation can justify the risk of leaving sensitive data unprotected.   

Defining sensitive 

Before it can protect its sensitive data, an organisation must first understand what that term really means.   

This is more complex than it sounds, because there is not (and never can be) a universal definition of sensitive data. Types of information that one organisation freely shares—customer names, for example, or product schematics or financial results—might be considered secrets by another organisation.   

In general, however, we can say that information is sensitive if (a) its ownership or use is restricted by a government or industry mandate; or (b) it cannot be made public without potential damage to an organisation’s reputation or ability to compete. The following list is just a sampling of the many forms of data that might meet this definition: 

  • Personal health information 
  • Financial account data 
  • Student education records 
  • Consumers’ personal information 
  • Attorney/client information 
  • Intellectual property 
  • Employment records 
  • Business plans 
  • IT documentation 
  • Meeting notes 
  • Internal communications 

Mandated sensitivity 

Laws relating to data privacy and protection vary widely from jurisdiction to jurisdiction. Some countries have had comprehensive data protection laws on the books for decades, while others, such as the US, regulate only a few specific types of information. 

While we may never see a truly global standard for data protection, Europe’s new General Data Protection Regulation is the closest thing to it. With a long list of new obligations and the potential for fines up to 4% of annual revenue, the GDPR is forcing companies around the world to take a hard look at their data governance and security strategies.   

Beginning in 2018, the GDPR will require organisations (regardless of where they are located) to protect any data that relates to identifiable EU citizens, with additional restrictions for “special” types of data, including information on individuals’ political opinions, religious beliefs, genetic data, and sexual orientation. Organisations will need to ask for explicit permission before they collect sensitive data, and must follow strict guidelines in how they store, process and exchange personal information. 

The GDPR is so broad in scope—and carries so much potential for financial penalties—that every organisation operating in Europe should already be evaluating its approach to collecting and sharing personal information. 

Unique requirements 

As cumbersome as the GDPR’s mandates may be, they should at least remove the uncertainty an organisation might have regarding the sensitivity of consumers’ personal information. The process of evaluating other forms of data, such as financial information, customer lists, product details, and internal communications, may be more complex.   

If a company leaves its definition of sensitive data at the legally-required minimum, it will likely leave critically important information uncontrolled and unprotected. An overly-broad definition of sensitive data, on the other hand, can create roadblocks to daily business, making it difficult for employees to gain access to the information they need in order to do their work.   

In the interest of long-term data security, each organisation should implement a company-wide data governance strategy that calls for the evaluation of all forms of data collected or created within the organisation. When the organisation fully understands how it is using its data, it can determine which data requires protection and who should have access to it.   

Once a company has defined sensitive data in its own terms, it is positioned to identify and protect the actual files and datasets that meet the definition. 

What to do about it 

How should sensitive data be protected? The old answer to that question involved a combination of network security and user permissions, but that approach is falling out of favour. With the ongoing shifts toward cloud services and decentralised workforces, together with exponential growth of data volumes, companies can no longer hope to keep sensitive data contained within their own network. 

A new approach, focused on data itself, is the key to keeping sensitive information safe from cyber threats. An effective data protection strategy includes three interrelated processes aimed at identifying and securing sensitive information as soon as it exists:   

Data discovery: Discovery involves scanning servers and user devices to find files that contain sensitive information. Ideally, any file activity on a device or storage location should initiate a new scan for sensitive data. Discovery scans can be used to search for data based on format, content, or both. 

Data classification: Classification is the process of flagging sensitive information using meta tags or other methods. Classification can be done manually or in conjunction with the discovery process. 

Data protection: Ideally, organisations should take an approach that allows them to protect sensitive data as soon as it is identified through discovery or classification. Data protection technology such as encryption is specifically recommended by the GDPR and other cybersecurity regulations. 
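A minimal discovery-and-classification scan of the kind the three processes above describe, written here as an added example (not code from the article or from PKWARE): it flags files by format (extension) and by content (card numbers confirmed with a Luhn check, e-mail addresses), then tags each file with a classification label. The sample files, patterns and label names are constructed assumptions.

```python
import os
import re

# Constructed sample files (path -> contents); not from the article.
SAMPLE_FILES = {
    "finance/q3_sales.csv": "name,card\nAlice,4111 1111 1111 1111\nBob,4242-4242-4242-4241\n",
    "hr/review_notes.txt": "Contact jane.doe@example.com to schedule the review.\n",
    "eng/build.log": "build 1234567890123456 finished without errors\n",
}

# Content rules: candidate card numbers (13-16 digits, optional separators) and e-mail addresses.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SENSITIVE_FORMATS = {".csv", ".xlsx", ".pst"}  # format rule: files that usually hold bulk personal data


def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects digit runs that merely look like card numbers (e.g. build ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_content(text: str) -> set:
    """Content-based discovery: return the sensitive data types found in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("PAN")
    if EMAIL_RE.search(text):
        found.add("EMAIL")
    return found

def classify(path: str, text: str) -> dict:
    """Discovery by format and content, then a classification tag for the file."""
    findings = scan_content(text)
    ext = os.path.splitext(path)[1].lower()
    if "PAN" in findings:
        label = "RESTRICTED"  # regulated financial data: protect as soon as it is found
    elif findings or ext in SENSITIVE_FORMATS:
        label = "CONFIDENTIAL"  # personal data, or a format that routinely contains it
    else:
        label = "INTERNAL"
    return {"path": path, "classification": label, "findings": sorted(findings)}

def discover(files: dict) -> dict:
    """Scan every file; in production a file-activity hook would trigger this per change."""
    return {path: classify(path, text) for path, text in files.items()}
```

The Luhn step is what keeps the scan from tagging every 16-digit build or order number as a card number; the misspelled card in the CSV fails it, so only the valid one produces a finding.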

The proliferation of cyber threats and the increasing public outcry over data breaches have created an environment in which a single slip-up can spell doom for an organisation. Fortunately, data protection technology continues to evolve, giving companies options that didn’t exist a few years ago. With the right tools and an organisation-wide commitment, even the largest company can gain control of its sensitive data and protect itself from hackers, spies, and government sanctions. 

Matt Little, Chief Product Officer, PKWARE
