We live in a world of constant change. As technologies advance, so does the way we collaborate and conduct business in our connected world. Empowered by these technological advancements, businesses collect vast amounts of data.
Criminals adopt different methods to access collected data, looking for the information that has the highest value to them. Laws, statutes, regulations and government mandates go through iterations to adapt to this world of constant change. Businesses struggle to keep up with and understand all the changes, and frequently seek outside help in an effort to fully understand how things impact business, customers, and policies.
Developing effective data security and governance policies takes time; this is an evolving process. Businesses must assess how sensitive information is managed throughout the organization. Availability, integrity, life-cycle requirements, who has access to this data, how the data is accessed, various government compliance mandates, and state laws must all be taken into account.
Since data security and governance policies can affect the business positively or negatively, they must be designed with the needs of a business and its customers in mind. If a business does not know the value of the data it is collecting, it cannot put a value on securing and governing this data.
Securing and governing sensitive data involves many players that vary depending on the size of a company, the industry it serves, and various internal considerations. Typically, the group combines IT and business leadership, the chief information security officer (CISO), the chief data privacy officer (CDPO), the chief compliance officer (CCO) and someone from the general counsel’s office. This group may be chaired by the chief information officer (CIO) or chief data officer (CDO), who has the authority to make a final decision and ultimately will be held accountable.
Most businesses today are not as attuned to data security as they think they are. In order to guard against damaging data breaches, these companies must change their approach and rethink how they view their weakest link: the users authorized to gain access to the most valuable data – the crown jewels.
While external threats do remain a problem, businesses need to realize that most data breaches are committed by internal personnel, whether through simple mistakes or malicious intent, and that many instances of external threats in fact originate from within.
On a weekly basis, we see data and statistics indicating the large role that insider threats play in the never-ending data breaches. This evidence suggests the existence of a large blind spot within corporate data management, security and governance.
Policies can’t be followed unless they are defined in the first place. In order to put effective policies in place, a business must first know where its most sensitive data resides. Several studies show that approximately 30% of businesses claiming to know what their most important data is either do not give it the highest level of security or are unsure if they do, raising questions over who might be able to access it. So while the companies think their data is secure, the bad guys prove over and over that this is not the case.
Any company that collects and stores sensitive and/or confidential information should encrypt this data at the source, strictly control who can access it and what can be done with it once access is granted, and track and monitor usage.
We frequently see in the news that sensitive data on devices is compromised when the devices are lost or misplaced. A recent example is the LSU Health New Orleans School of Medicine breach, where approximately 5,000 minor patients’ PHI was accessed from a doctor’s laptop. We also see sensitive data sent through email resulting in large data breaches, such as the recent Sutter Health data breach, where a former employee emailed electronic versions of billing documents of 2,500 patients to a personal account. Authorized users also maliciously access sensitive information, as in the Montefiore Health System data breach, where 12,000 patients’ data was stolen.
These risks can all be eliminated easily: by securing the data at the source and governing usage – “data-centric persistent security”.