Cyber-criminals have grabbed headlines for highly-publicized data breaches in recent years. However, the greatest blame for many of these incidents is squarely on the shoulders of organizations that don’t properly manage sensitive data. Harvesting personally identifiable information requires far less effort due to insufficient security controls and the mass amounts of information exposed by organizations every day. The problem is exacerbated by employees with too much access and those who accidentally share mismanaged data.
While compliance helps drive business need, it is clearly not enough as evidenced by the 2013 Target breach and many subsequent retail industry breaches in 2014. A holistic approach to risk that includes data discovery, data classification and data protection is the most effective in preventing critical information from getting into the wrong hands.
Related: Target CIO Out Following Data Breach
Changing the breach mindset.
Organizations in all industries must stop working under the assumption of “if,” and instead, build strategies around “when” a data breach will occur. The bad guys are only getting better at what they do, and are often ahead of the security curve. When companies rely too heavily on securing the perimeter instead of managing the items within the perimeter, they’re setting themselves up for a more damaging breach.
A strong defense is important and necessary, but consider this analogy. If the world thinks you keep a pile of cash in your car, someone will try breaking in to steal it, even if the door is locked. If they knew it was secured in a safe or didn’t know it existed, they likely would not bother breaking in.
Greater attention to Sensitive Data Management.
Sensitive data management is a strategy that incorporates people, process and technology focused on data discovery, classification, security governance and protection. Sensitive data management can include the usage of data loss prevention technology, but as a whole it is a comprehensive strategy to know where your data is, what is at risk, who has access, when it is touched and how to protect it. Most organizations incorporate these steps into their sensitive data management best practices:
- Defining what the organization deems as sensitive information.
- Knowing where sensitive data is and who has access.
- Classifying data in terms of importance and potential harm to your organization, if stolen.
- Identifying who the data owner is.
- Governing the accountability of data owners.
- Determining if data is necessary or obsolete and if it poses unnecessary risk.
- Eliminating data as soon it is no longer necessary or protecting it if it must exist.
The consequences of not employing effective sensitive data management strategies are quite severe, as many breached organizations have learned. It can take many years to undo the damaging impact of data breaches that are exacerbated by improper sensitive data management controls, if they can be remedied at all. Some consequences include:
- Compliance fines, legal costs and insurance premium hikes. From HIPAA to SOX to PCI-DSS 3.0, there are any number of regulations that require organizations to protect this data and levy monetary penalties for not doing so. As a result, legal spend and insurance premiums also increase.
- Lingering sales drop. Studies have shown that in the finance, retail and healthcare industries, up to a third of consumers will stop doing business with organizations that are breached.
- Increased IT cost and inefficiency. Excessive data is not only a recipe for a breach nightmare, but it takes up space valuable on your network.
Organizations in all industries need to do a better job of managing sensitive data. Many are holding on to sensitive data they don’t even know they have and are at great risk that it could be stolen or exposed. In a day when cyber criminals are sharpening their skills on a daily basis, businesses should take inventory of every piece of data they own, classify it, protect it and govern its access. Getting breached is bad enough, but losing data that had no business being there in the first place is even worse.