Two years ago, the General Data Protection Regulation (GDPR) came into force globally and imposed strict rules on how organisations should handle customer data. However, a recent Netwrix survey found that 61 per cent of organisations that comply with GDPR still collect and store more customer data than they need. This increases not only compliance risk but also cybersecurity risk, as large volumes of overexposed data expand the attack surface. Another survey shows that organisations do not use over half (55 per cent) of the data they collect.
Even though organisations have clearly been taking GDPR seriously, many are prone to specific mistakes that result in sensitive data overexposure. So why is it that, even after two whole years of GDPR compliance, organisations still collect and store more customer data than they need?
Mistake 1. Deploying ineffective software.
In many misdirected searches for quick and easy data security solutions, I’ve seen organisations purchase software that is simply ineffective. For example, some platforms have functionality that prevents IT teams from effectively securing different types of sensitive data, such as personally identifiable information (PII) or cardholder data (CHD), making them unable to achieve even their primary purpose. When it comes to data labelling, large numbers of false positives are a common issue for such tools. As a result, valuable data might be classified as non-sensitive and remain overexposed, increasing security and compliance risks. Other platforms might not have the capabilities required to support all critical data sources once the business adopts new changes. For example, under the current situation many organisations have implemented a Working From Home (WFH) model and have been forced to move to the cloud, while some of their security technologies might fail to support cloud applications.
To avoid these oversights, organisations must take a measured and thoughtful approach to implementing the data security technology best suited to their own unique infrastructure. It is crucial both to establish the goals of the project and to consider what needs to be done to ensure the success of each specific goal. For example, to achieve better overall data security, an organisation needs to identify all critical data sources that may contain sensitive information, and to consider whether the particular technology is capable of classifying all types of data, both structured and unstructured, from those sources. If the data is stored in formats other than text, such as images or PDFs, it is important that the solution can find, identify and protect all formats, both on-premises and in the cloud. Furthermore, to ensure secure data handling by all employees, an organisation must identify who is accessing sensitive data and when, and have the ability to be alerted to suspicious activity around this data in real time. The more thorough the approach an organisation takes when choosing and using a data security technology, the more control over sensitive data it will gain.
Mistake 2. Failure to identify and remove sensitive data in temporary files.
Even if all of an organisation’s major data handling processes comply with GDPR, there are specific locations in a corporate IT environment that are often overlooked and remain under the radar. In particular, temporary files, which are generated automatically by various customer service operations, may contain sensitive data. For example, financial institutions often fail to clean up log files for credit card replacements, which might contain an individual’s date of birth and even the temporary PINs issued with the new cards. Systems generate such data as a result of every single operation, which leads to an excess of overexposed sensitive data, much of which contains personally identifiable information (PII) and cardholder data (CHD). Another high-risk area is scanned documents used in “know your customer” (KYC) processes, a measure in financial services that is necessary to verify the identity, suitability, and risks involved in providing a service to an individual. Such scanned documents often remain accidentally overexposed, which leads to a much higher risk.
To avoid sensitive data overexposure in these overlooked areas, a workflow must be established that enables an organisation to automatically clean up sensitive data in temporary files. It requires implementing technology that can identify specific types of sensitive data across all IT environments, including temporary files, and delete it where necessary. This workflow is particularly necessary for financial organisations that handle large volumes of highly sensitive customer information.
Mistake 3. Overlooking customers’ sensitive data shared in emails.
While organisations may successfully implement the appropriate measures to safeguard customer data, align all processes with GDPR, and educate their staff, a risk still remains, as customers may be unaware of how to treat their own sensitive data. For example, they may share their PII, CHD, or other sensitive data via email while interacting with customer support. Although it is the customer who creates the risk by sharing sensitive data in an insecure format, it is the organisation’s responsibility to identify and protect the data while it is in their possession. Otherwise, sensitive data remains on an email server, which is considered an insecure and inappropriate location from the GDPR perspective.
To avoid fines, an organisation should regularly review email servers to identify sensitive data, move it to a quarantine location, and delete the original message. Automating the process of removing sensitive data from the email server to a dedicated quarantine storage eliminates human-related security risks, though reviewing the information in the quarantine location still requires human supervision. Since the data shared by customers is not in a standard format, it requires human judgement to decide how to proceed with it. However, it does not need to be a daily task if there is a designated quarantine location, and this approach saves time for the IT team and reduces the attack surface for the organisation.
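The clean-up workflow described under Mistake 2 (find CHD and PII in log and temporary files, then remove it) and the quarantine workflow under Mistake 3 (move material that needs human review aside and leave nothing sensitive in the original location) share the same core: a classifier that finds the sensitive items, and a remediation step that acts on the file. The following is an added illustration written for this article, not Netwrix code or any product's logic. The regular expressions, the `Finding` structure, the masking format and the sample log are all constructed for the example; the Luhn check is the standard check-digit test for payment card numbers, used here to cut the false positives that Mistake 1 warns about.

```python
import re
import shutil
import tempfile
from pathlib import Path
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    kind: str   # "CHD" (card number), "DOB" or "PIN"
    value: str  # matched text as it appears in the file
    start: int  # character offsets into the file contents
    end: int


# Candidate primary account number: 13-19 digits, optionally grouped by spaces or
# dashes. Every candidate is Luhn-checked before it is reported, which keeps
# timestamps, batch ids and reference numbers from being flagged as card data.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labelled date of birth in common numeric layouts (dd/mm/yyyy, yyyy-mm-dd, ...).
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth|birth ?date)\s*[:=]?\s*(\d{1,4}[/.-]\d{1,2}[/.-]\d{1,4})",
    re.IGNORECASE,
)
# Temporary PIN written into a log line, e.g. "temp PIN: 4827".
PIN_RE = re.compile(r"\b(?:temp(?:orary)?\s+)?PIN\s*[:=]\s*(\d{4,6})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check-digit validation for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Finding]:
    """Return every sensitive item found in text, ordered by position."""
    findings: List[Finding] = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings.append(Finding("CHD", m.group(0), m.start(), m.end()))
    for regex, kind in ((DOB_RE, "DOB"), (PIN_RE, "PIN")):
        for m in regex.finditer(text):
            findings.append(Finding(kind, m.group(1), m.start(1), m.end(1)))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> Tuple[str, List[Finding]]:
    """Mask each finding in place; card numbers keep only their last four digits."""
    findings = scan_text(text)
    out, pos = [], 0
    for f in findings:
        if f.start < pos:  # overlapping match, already masked
            continue
        out.append(text[pos:f.start])
        if f.kind == "CHD":
            digits = re.sub(r"[ -]", "", f.value)
            out.append("*" * (len(digits) - 4) + digits[-4:])
        else:
            out.append(f"[REDACTED {f.kind}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out), findings


def quarantine_and_redact(path: Path, quarantine_dir: Path) -> List[Finding]:
    """Move a file holding sensitive data into quarantine for human review and
    leave a redacted copy in its place. Files with no findings are untouched."""
    text = path.read_text(encoding="utf-8", errors="replace")
    cleaned, findings = redact(text)
    if not findings:
        return []
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    shutil.move(str(path), str(quarantine_dir / path.name))
    path.write_text(cleaned, encoding="utf-8")
    return findings


# Constructed sample of a card-replacement log, not real data. The first card
# number is the well-known Luhn-valid test PAN; the second fails the Luhn check.
SAMPLE_LOG = (
    "2020-05-14 10:02:11 card-replacement customer=C1042 DOB: 12/03/1985 "
    "new_pan=4111 1111 1111 1111 temp PIN: 4827\n"
    "2020-05-14 10:02:12 lookup customer=C1043 ref=4111 1111 1111 1112 status=ok\n"
    "2020-05-14 10:03:00 batch id=20200514100300 processed=2\n"
)


def demo() -> Tuple[List[str], str, bool]:
    """Run the workflow on SAMPLE_LOG in a scratch directory and return
    (kinds found, redacted contents, whether the original went to quarantine)."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "card_replacement.log"
        log.write_text(SAMPLE_LOG, encoding="utf-8")
        quarantine = Path(tmp) / "quarantine"
        findings = quarantine_and_redact(log, quarantine)
        cleaned = log.read_text(encoding="utf-8")
        quarantined = (quarantine / log.name).exists()
    return [f.kind for f in findings], cleaned, quarantined


if __name__ == "__main__":
    kinds, cleaned, quarantined = demo()
    print("found:", kinds, "quarantined:", quarantined)
    print(cleaned)
```

On the sample log the scan reports a date of birth, one card number and a temporary PIN from the first line; the Luhn-invalid reference number on the second line and the 14-digit batch id on the third are left alone, which is the false-positive control the article asks for. The original file goes to the quarantine directory intact, so the human review step that Mistake 3 requires still has the full record, while the copy left in place no longer carries the sensitive values. Pointing the same routine at exported email bodies rather than log files gives the email-server review from Mistake 3 with no change to the classifier.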
Ultimately, organisations should not be lulled into a false sense of security simply by having cybersecurity technologies and compliant processes in place. The way we interact with sensitive data is changing constantly. The Covid-19 pandemic has resulted in a huge, unprecedented shift in work culture and in how users access their data. As such, some technologies that were effective before might not succeed in the new reality. Organisations should recognise the need to adapt to whatever changes occur in the future, while ensuring that the data they collect is secured.
Matt Middleton-Leal, EMEA & APAC General manager, Netwrix