Most regulatory acts require that owners of sensitive data must always know where the data is currently stored, what state it’s in, and how well protected it is. Two primary concerns surround the importance of having this knowledge — security and compliance, and they’re not the same thing.
Information security refers to practices that protect data from being accessed, copied, stolen, corrupted, or otherwise harmed by individuals not authorized to access it. This extends to networks that the data travels across and the storage resources it rests inside when not being used. Tools and techniques that increase data and network security include firewalls, intrusion prevention systems, malware filters, encryption, and more.
Organizations are in compliance when they observe and obey rules governing the use of information and information technologies. Such compliance exists at three basic levels. First is the level of compliance with the license from the software developer and provider that limits how their software may be used. Next is governance enforced by the organization for whom the software users work. Most sensitive are rules and regulations instituted by the government to control use of sensitive data. This includes personally identifiable information (PII), private health information (PHI), personal or business financial records, design and development information or similar. Applicable governmental regulatory acts include HIPAA for healthcare, PSI DSS for finance and credit cards, FERPA for education, or CCPA and GDPR, which are broader acts applicable to proper handling of data by all industries doing business in a specific geographic region.
Lapses or violations of compliance with various regulations often occur at a network endpoint where someone accesses data they shouldn’t, or in a way they shouldn’t. From a digital information management standpoint, compliance is best served by identifying the existence, location and status of all endpoints and all sensitive data entities.
Not the same, but both are critical
An organization may be fully compliant with all applicable regulations, but its data and networks may be nowhere near fully secure. Similarly, an organization’s data and network may enjoy an admirably high level of security but not be fully compliant with all applicable regulations. Both situations are quite common and equally dangerous.
Value is key
Data is considered sensitive when exposure of it to unauthorized parties, or simply loss of access to it, could significantly and negatively impact the organization financially, strategically, reputationally, or otherwise.
More vividly stated, the average cost of an organizational breach of sensitive data is $4.4 million. That’s purely lost value.
Even greater costs often accrue when sensitive data is used to compromise the individual or company to whom the data belongs. Compromised credit card information, for example, can be used to make unauthorized purchases worth thousands of dollars each time. Stolen Social Security numbers can be used to access all manner of resources belonging to an individual. Personal and business credit ratings have been severely damaged, as have brand reputations, proprietary product design and trade secrets and more.
Organizations protect sensitive data to preserve its high intrinsic value.
It’s all about knowing
Managing a network is one thing and managing sensitive data on that network is another.
Famed business consultant Peter Drucker taught us that you cannot manage what you do not measure. To manage a network, you must measure its performance, its capacities and its continued functionality.
To manage sensitive data, you must know much more.
- Existence — You need to know which data assets reside in all areas of your network. If you’re not aware that something exists, you cannot manage or protect it.
- Value — Once you have identified all of the data assets that exist on your network, then you need to know the intrinsic value of each data asset. You don’t want to find yourself spending more to protect something that is actually not worth the effort.
- All possible locations — To be sure you’re aware of all data assets residing anywhere, you must know every possible place included in that anywhere — every storage site and transport path available on your network. People do all kinds of odd things with data. They copy it onto USB thumb drives. They send it to personal cloud storage. They delete files. Awareness of any of these actions is critical.
- Changes and anomalies — For it to gain value, information must always be in motion and changing. But some changes don’t always make sense. For example, when a cybercriminal is moving data, that motion should instantly be detected and identified as an anomaly. Logging all changes provides a necessary audit trail if any of those changes cause problems later on. Identifying and alerting anomalistic changes can help to immediately protect data from unauthorized handling, or at least detect it soon enough to take action.
- Endpoints — Inappropriate data egression typically happens when it is not guarded or is poorly protected, or via unauthorized endpoints such as computers, tablets, smartphones, and others. You must maintain a complete and comprehensive knowledge of all endpoints on your network with alerts anytime an unauthorized device attempts to connect and access your resources.
Managing sensitive data goes far beyond simple “data management.” It requires knowledgeable people armed with a powerful, extensible platform that enables all manner of data interrogation. Cybercriminals are clever thieves. You must be even more clever to catch them.
Consider this proactive approach at your organization to prevent data leakage and regulatory exposure with minimal network impact.