Every organisation fears the consequences of sensitive data getting into the wrong hands. But before businesses can protect it, they need to know where it is. James Paton, CEO of SynApps Solutions, scopes the challenge.
If the run-up to the EU’s updated General Data Protection Regulation (GDPR) drew attention to one thing above all, it was organisations’ lack of insight into where potentially sensitive data exists across their operations, and the extent to which this exposes them to risk and/or prevents them from harnessing its intrinsic insights to their full capacity.
This lack of visibility has much broader implications for companies than compliance-related headaches do. If intellectual property is dispersed across people’s laptops, desktops and different departmental servers, for instance, locking this down so that it does not get into the wrong hands becomes very difficult. If no one in the organisation has a full understanding of where points of vulnerability might exist – if they don’t know what data is stored and copied where – it becomes very difficult to introduce robust control and protection.
Before excessive media commentary and scare-mongering around GDPR began to numb business leaders to the wider implications of data treatment, the main thrust of business-related data initiatives was around how to use information more intelligently – by combining it and analysing it in new and smarter ways.
Know what you’re dealing with
These aspirations too are compromised if companies can’t pinpoint with confidence where data is, and how definitive and authoritative it is (does a more up-to-date version exist elsewhere, for instance?). Certainly, restricted data visibility can hamper consolidation initiatives, where information managers want to bring all related data together in a central repository. Security assessments and tightening of controls, and even initiatives to move data to the cloud as part of digital transformation programmes, are further drivers for organisations to get a better handle on where all of their sensitive data currently resides.
Last year Gartner highlighted the value of harnessing data discovery services in advance of data centre consolidation or cloud migration, noting that reducing the data footprint reduces both security risk and regulatory risk exposure. It advised: “Look at data that resides across multiple data silos (i.e., file shares, databases, big data and cloud repositories.) Focus on vendors with a wide data repository support for all systems where sensitive data is stored.”
And of course GDPR is not the only regulatory driver for organisations to seek deeper insight into where sensitive data resides and how it is handled. In retail, compliance with the Payment Card Industry (PCI) data security standard presents a major challenge, for example, affecting any merchandiser handling branded credit cards from the major card schemes. Listed companies, meanwhile, must keep track of market-sensitive information and be able to report on where it is under market abuse regulations. And public sector and health organisations must be vigilant about sensitive citizen/patient data. The list goes on.
Help on demand: ‘sensitive data discovery’ services
It is in response to many of these challenges that there has been new innovation in the form of ‘sensitive data discovery’ on demand: that is, managed services that any organisation can tap into if they need to trace and report on where particular types of data exist.
Run securely in the cloud, or in a company’s own data centres, and fully resourced with highly qualified engineers, such hosted services remove a great burden from IT/compliance departments. Instead, it becomes possible for them to scan for instances of sensitive data across whole IT estates, and dynamically generate board-level reports, without having to allocate dedicated internal resources.
For organisations that want to go further, there are value-added services that can analyse the findings at a more detailed level, and suggest ways to bring sensitive data under more effective control.
By overcoming previously poor visibility to provide comprehensive sensitive data discovery, this kind of service can empower businesses to progress their bigger projects, such as digital transformation and cloud migration, fulfilling the CxO strategic agenda.
A transformation tool: prompting sharper practice
The potential of a sensitive-data discovery service becomes even more significant where end users are engaged and involved in the remediation process, if sensitive data is found to exist where it shouldn’t – for example, unprotected on someone’s laptop. Alerts to individual users can prompt them to take appropriate remedial action in line with company policy.
Where all such activity is recorded and monitored, this alleviates the pressure on internal compliance teams to interpret and react to all of the findings from a data scan – which could run into thousands of information policy contraventions that need to be addressed. This also has the added benefit that, if an audit is launched, the organisation is fully covered by a comprehensive record of all steps that have been taken.
Beyond board-level HERO reports and information for internal governance purposes, data discovery services can also report on organisations’ exposure to risk, with associated values and ROI metrics – so companies can see issues that are still outstanding, what it would take to remediate them, and what intrinsic value that would have.
One of the most persuasive arguments in favour of using such services is the speed of deployment, and of getting actionable results – this could be within just a few hours, for instance. This means IT teams could very efficiently and sustainably scan their organisations’ entire digital estate – across multiple systems and operating environments – on a quarterly or annual basis.
Data discovery as-a-service, and the ‘sensitive data’ variety in particular, is a potential game-changer for organisations seeking to regain control of their diverse information assets. This applies whether they are operating in the public or private sector, and whether the priority is compliance alone, or a combination of this and the drive to derive greater business value from the company’s combined intelligence.
The first step in transforming what you do with something must surely be to know what and where it is.
James Paton, CEO, SynApps