Sensitive data is any data that, if exposed to the general public, would incur some form of cost to the organization that is entrusted with the data.
Such costs may include breach notification costs, loss of revenue from system downtime, loss of customers due to reputational damage, costs associated with redress and reparation, and possibly even costs associated with lawsuits and fines.
Examples of sensitive data include financial data, such as bank/payment card details, intellectual property and trade secrets, and personal data, which includes any data that can be used to identify an individual in some way.
With the increasing number of data protection laws that are sprouting up across the globe, it has never been so important to ensure that the sensitive data we store doesn’t fall into the wrong hands.
Data Privacy Laws
Sensitive data can fall into different categories, and these categories depend on the industry and the data protection laws that are relevant to that industry. For example, healthcare service providers in the United States are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and disclosure of Protected Health Information (PHI).
Financial institutions in the US are required to comply with the Gramm-Leach-Bliley Act (GLBA), which covers data such as names, addresses, bank details, income and credit histories, and Social Security numbers.
In recent years, a number of data privacy laws have been introduced which focus on personal data, or Personally Identifiable Information (PII), as it is otherwise known. The EU General Data Protection Regulation (GDPR) is perhaps the most widely recognized, although many countries/regions have introduced their own customized regulations such as the California Consumer Privacy Act (CCPA), the New York SHIELD Act, the UK Data Protection Act 2018, and many more.
What Constitutes Personally Identifiable Information (PII)?
As mentioned, PII is any data that can be used to identify an individual. While names, addresses, birth dates and Social Security numbers are all considered PII, the definition has been expanded to include IP addresses, photos, usernames, social media posts, biometric and geolocation data, and more. It’s also worth noting that different data protection regulations define PII slightly differently.
Why is Personal Data so Valuable?
Data is sometimes referred to as the “new gold”, as cyber-criminals are able to use our personal data to commit a wide range of fraudulent activities. Naturally, if cyber-criminals are able to gain access to our credit card details, they will no doubt use those details for their own financial gain.
However, even data such as names and email addresses can be sold on the dark web. Cyber-criminals can use this data to carry out targeted phishing and email marketing campaigns, business email compromise (BEC) attacks, and more. Some personal data can also be used for the purpose of blackmail or extortion.
In recent years we’ve seen a surge in the number of attacks on the healthcare industry. A common question people ask is, “Why do cyber-criminals attack healthcare?” In simple terms, healthcare service providers collect and store large amounts of personal data, and they’re typically an easy target.
However, protected health information (including health insurance details) is also very valuable. PHI can be used to purchase expensive medical services and equipment, prescription medications, and in some cases used to obtain government benefits like Medicare or Medicaid.
The Difference Between Structured and Unstructured Sensitive Data
Sensitive data can be stored in many different ways, formats, and locations. In some cases, data is stored in a structured format, such as data stored in an SQL database.
This type of data is relatively easy to protect, as it tends not to move around so much. However, these days, a lot of the data we process and store is unstructured.
Essentially, unstructured data is any data that cannot be stored in a typical relational database. Examples of unstructured data include Word documents, spreadsheets, PowerPoint presentations, photos, videos, and so on.
Unstructured data has a tendency to move around a lot. You can find it in email attachments, on portable drives, devices, cloud storage platforms, and more. As you can imagine, unstructured data is a lot harder to find than structured data, and thus harder to protect.
How to Protect Sensitive Data
Data Discovery and Classification
In order to protect your sensitive data, you first need to know exactly what data you have, where it is located, and how sensitive the data is.
Fortunately, you don’t have to manually search your drives, devices and email attachments for unstructured sensitive data, as there are solutions available which can automate the process of identifying and classifying sensitive data, and even classify the data at the point of creation.
These solutions are able to discover and classify a wide range of data types, such as Personally Identifiable Information (PII), Payment Card Information (PCI), Protected Health Information (PHI), and any other types of data that are relevant to your industry.
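As an added illustration of how pattern-based discovery and classification works (this is not code from the original article or from any vendor's product), the sketch below scans a document for card numbers, US Social Security numbers and email addresses, uses a Luhn checksum to discard digit runs that only look like card numbers, and labels the document with the categories found. The rule set, function names and sample text are constructed for the example.

```python
import re

# Constructed rule set: (category, kind, pattern). Real discovery tools ship far more rules.
RULES = [
    ("PCI", "card_number", re.compile(r"\b(?:\d[ -]?){13,19}\b")),
    ("PII", "us_ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("PII", "email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
]

def luhn_valid(digits):
    """Luhn checksum, used to discard digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value):
    """Keep only the last four characters so the report itself holds no sensitive data."""
    return "*" * (len(value) - 4) + value[-4:]

def discover(text):
    """Return a list of (category, kind, masked_value) findings for one document."""
    findings = []
    for category, kind, pattern in RULES:
        for match in pattern.finditer(text):
            value = match.group()
            if kind == "card_number":
                value = re.sub(r"\D", "", value)  # strip spaces and dashes
                if not luhn_valid(value):
                    continue  # e.g. an order reference, not a card number
            findings.append((category, kind, mask(value)))
    return findings

def classify(text):
    """Label a document with the sorted list of sensitive-data categories it contains."""
    return sorted({category for category, _, _ in discover(text)}) or ["UNCLASSIFIED"]

# Constructed sample document (not real data).
SAMPLE = """Customer: Jane Example <jane.example@example.com>
SSN on file: 123-45-6789
Card: 4111 1111 1111 1111 (exp 01/30)
Order ref: 4111 1111 1111 1112"""
```

Calling `classify(SAMPLE)` labels the document as both PCI and PII, while the order reference is ignored because it fails the checksum.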
Defining Access Controls
Unauthorized access to, and exposure of, sensitive data is very often due to inappropriate access controls, or to be more precise, access controls that are not strict enough.
All organizations, regardless of their size, should adhere to the principle of least privilege (PoLP), which stipulates that users should only be granted access to the data they need to be able to carry out their duties.
Access controls need to be dynamically adjusted, as a user often requires only temporary access to a particular piece of data. In that case, access permissions need to be revoked when they are no longer required.
These access controls will need to be carefully monitored to ensure that the security team know when they change, by whom, and why.
Monitoring Access to Sensitive Data
In addition to monitoring access controls, you will need to monitor access to the sensitive data itself. You need a detailed summary of who is accessing what sensitive data, and when. The summary should include details about any sensitive data that is moved, copied, deleted, shared and edited.
A sophisticated data-centric audit and protection (DCAP) solution will provide organizations with a high level of visibility into how their sensitive data is being accessed.
Such solutions use machine learning algorithms to determine typical usage patterns for each user and send real-time alerts to the security team when a user’s behaviour deviates from these patterns beyond a certain threshold.
This gives organizations an easy way to spot anomalies and respond to them in a timely manner.
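The idea of a per-user baseline with a deviation threshold can be shown with a small added example (not from the original article, and not how any particular DCAP product works). A simple mean and standard deviation of daily access counts stands in for the machine learning model; the user names, counts and threshold values are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit history: (user, day, sensitive files accessed that day).
HISTORY = (
    [("alice", day, n) for day, n in enumerate([12, 15, 11, 14, 13, 12, 16])]
    + [("bob", day, n) for day, n in enumerate([3, 4, 2, 5, 3, 4, 3])]
)
# Constructed counts for the day being evaluated.
TODAY = {"alice": 17, "bob": 240, "carol": 9}


def build_baselines(history):
    """Summarise each user's typical daily volume as (mean, standard deviation)."""
    per_user = defaultdict(list)
    for user, _day, count in history:
        per_user[user].append(count)
    return {user: (mean(counts), pstdev(counts)) for user, counts in per_user.items()}


def find_anomalies(baselines, today, threshold=3.0, min_std=1.0):
    """Return (user, count, reason) for every user whose activity needs review.

    threshold is the number of standard deviations above the user's own mean
    that triggers an alert; min_std stops very steady users from alerting on
    a change of one or two files.
    """
    alerts = []
    for user, count in sorted(today.items()):
        if user not in baselines:
            # No history means no notion of "typical": surface it for review.
            alerts.append((user, count, "no baseline"))
            continue
        avg, std = baselines[user]
        score = (count - avg) / max(std, min_std)
        if score > threshold:
            alerts.append((user, count, f"z={score:.1f}"))
    return alerts
```

With the sample data, `find_anomalies(build_baselines(HISTORY), TODAY)` flags bob's jump from a handful of files to 240 and carol's first-ever access, while alice's slightly busy day stays below the threshold.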
As they say, it’s not a question of if, but when, a data breach will occur. If the sensitive data we are entrusted with is stolen or exposed to the public in some way, there could be some very serious consequences.
As it currently stands, the average cost of a data breach is approximately $4 million, although it’s worth noting that this number is distorted by a relatively small number of high-profile data breaches. It is imperative that organizations know exactly what sensitive data they store, where the data is located, who should (and does) have access to it, and why.
Organizations need to ensure that users are granted the least privileges they need to do their job, and have a clear set of guidelines that specify how permissions are granted, and how/when they should be revoked. Both the permissions and the sensitive data those users have access to need to be closely monitored, so that the data stays secure and the organization complies with the relevant data protection laws.
If you’d like to see how the Lepide Data Security Platform can help you identify where your sensitive data is, govern access to it and analyze user interactions with it, schedule a demo with one of our engineers today.