Published in the Cyber Defense Magazine September 2020 Edition
Sensitive unstructured data is everywhere. It means different things to different businesses and comes in two forms: unstructured data that
- Is used for analytical purposes.
- Resides in file formats such as Microsoft Office, text files, images and CAD/CAE format.
The second form is often overlooked, can cost your business its competitive advantage, and can subject you to regulatory fines if it is stolen or leaked. In a world where a pandemic has wreaked havoc on employers and employment, this sensitive unstructured data is at its highest risk, mainly because it covers more surface area, continues to grow rapidly, and is quite often invisible to the enterprise. It is therefore important to know what sensitive data you hold in typical office file formats and how much of it there is. More importantly, understand why it matters and how to protect it.
The Organization for the Advancement of Structured Information Standards (OASIS) has published a standard for unstructured information management. The standard notes that “…unstructured information represents the largest, most current and fastest growing source of knowledge available to businesses and governments worldwide.” Common estimates put more than 90% of an organization’s data in unstructured form rather than in traditional databases. We know it exists and we know it is growing, but we also know that most businesses take no particular measures to protect it. Most consider finding unstructured data and getting it under control a hard task, let alone protecting it.
It is often overlooked because the risks associated with unstructured data are generally not taken into account. Those risks fall into two areas:
- Privacy or Industry Regulatory Compliance
- Intellectual Property Protection
Privacy or Industry Regulatory Compliance
When employees create files that contain sensitive information, copies of those files naturally proliferate. There will be multiple versions of each file, shared between employees via e-mail and network file shares. Employees rarely go back and delete these files later; anything sent via e-mail may be archived in .pst files, and file shares will be backed up to various media. This not only creates a larger attack surface, but adds significant complexity should an organization face litigation or discovery requests from data subjects. Organizations subject to the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) will struggle to satisfy data destruction demands and the “right to be forgotten”. If an organization handles cardholder data, it is crucial to keep credit card numbers within Payment Card Industry (PCI) controls, something rarely applied to unstructured data because of cost and complexity.
The Norwegian Supervisory Authority (Datatilsynet) recently provided an example of GDPR non-compliance and the resulting fee assessment “due to insufficient technical and organizational measures to ensure information security”. In July 2020, the authority found that the Municipality of Rælingen had violated Articles 32 and 35. The municipality had not conducted a data protection impact assessment (DPIA) and, before the processing began, had not taken adequate technical and organizational measures in accordance with Article 32 of the GDPR, resulting in an increased risk of unauthorized access to the personal data of pupils. In the UK, British Airways is potentially facing a fine of £183.39M, still under investigation, from an incident that compromised approximately 500,000 customers’ personal data. There are many more examples, but a lack of technical measures is common across violators.
Intellectual Property Protection
When thinking about how unstructured data expands your threat surface, think about who the threat is. Unstructured data in files is an attractive and easy target for internal threat actors because it typically has little protection. Let’s face it: when a data theft story breaks, it is typically not because a cyber-criminal stole a bunch of Word files from a folder on someone’s laptop. Instead, it is an insider saving information to a USB drive or taking a screenshot of sensitive information in a spreadsheet. This is costly to the business because, in most instances, the information is sold to competitors or used to expose explicit information for political purposes or gain.
Examples include the Sony Pictures breach, in which a Human Resources employee’s files held salary information on 30,000 Deloitte employees that ended up exposed publicly; and the Morgan Stanley employee who stole account information on 350,000 of its wealth management clients and posted some of it on the internet. GlaxoSmithKline had IP, trade secrets and presentation data compromised in two ways: documents e-mailed from inside GSK to private e-mail accounts, and documents copied via USB and other storage devices onto personal devices. This incident also led to mounting legal fees and a $500M penalty borne by GSK, the victim in all of this. These examples are just a blip on the map, but they should serve as reminders that businesses must know that sensitive information in files exists, ensure it is protected appropriately, and ensure that only the right people can access it. That is before considering the business’s responsibility to protect the information if it is subject to industry or privacy regulatory mandates. Put simply, unauthorized access to or loss of sensitive data can compromise competitive advantage, damage the brand, and expose the organization to significant regulatory penalties and even litigation.
Most businesses focus on securing structured databases and on identity and access management; they must also include unstructured data in their data security initiatives. But before moving forward, assess your own situation; then you can proceed with a plan whose first step is understanding what sensitive unstructured data you have. It’s not as hard as you may think.
Where Do You Start? Know the Data. Control the Data.
Your current governance, risk and compliance (GRC) policies may be a little outdated. Now is the time to take them out, dust them off, and update them to include sensitive unstructured data. With privacy regulations changing rapidly, it is important not to learn about your privacy obligations through the impact of a violation. It is difficult under the best of circumstances to respond to a data subject request (DSR) or an incident involving a structured database, and even more challenging with unstructured information. Knowing where your sensitive unstructured data is and what it is will be a critical part of your GRC policy. Getting there is not as daunting as you might think: in just a few steps, you will be on your way to high visibility, control, protection and improved response time to incidents and DSRs. Business unit by business unit, talk to the person in charge and ask:
- What documents do you create or work with that contain sensitive information?
- Where do these documents reside?
- What applications do you use that contain sensitive data that you may download into reports or other documents?
- Do you upload documents into applications, file shares, content management systems or any other external application or information system?
- Is this data shared internally, and if so, how and with whom?
- Is this data shared externally, and if so, how and with whom?
This is an important part of the process, because it will give you more insight into the kinds of data you have. It will also provide an opportunity to implement best practices for how the data is handled and protected, and to automate critical functions such as discovering and classifying documents that contain sensitive information.
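The discovery and classification step above can be automated with a scan over the file shares and folders the business units name. The following Python script is an added example written for this article, not Fasoo product code: it walks a directory tree, pulls text out of plain files and out of Office (OOXML) documents by reading the XML parts inside the zip container, looks for payment card numbers and e-mail addresses, and uses the Luhn checksum to drop digit runs that merely look like card numbers. The sample "file share" it scans is constructed in a temporary directory with the Visa/Mastercard test card numbers; the regular expressions are deliberately simplified and the file-type handling covers only .txt and OOXML.

```python
"""Added example: minimal sensitive-data discovery and classification over
unstructured files. Not part of the original article or any vendor product."""
import os
import re
import tempfile
import zipfile

# Candidate card number: 13-19 digits, optionally separated by spaces or
# dashes, not embedded in a longer digit run. Simplified on purpose.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
OOXML_EXT = (".docx", ".xlsx", ".pptx")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_text(path: str) -> str:
    """Return the text content of a file. OOXML files are zip containers, so
    the XML parts are read and their tags stripped; everything else is
    treated as plain text (undecodable bytes are replaced, not raised)."""
    if path.lower().endswith(OOXML_EXT):
        with zipfile.ZipFile(path) as z:
            raw = b" ".join(z.read(n) for n in z.namelist() if n.endswith(".xml"))
        return re.sub(r"<[^>]+>", " ", raw.decode("utf-8", "replace"))
    with open(path, "rb") as f:
        return f.read().decode("utf-8", "replace")


def classify(text: str) -> dict:
    """Count distinct Luhn-valid card numbers and distinct e-mail addresses."""
    pans = {re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text)}
    pans = {p for p in pans if luhn_ok(p)}
    return {"PAN": len(pans), "EMAIL": len(set(EMAIL_RE.findall(text)))}


def scan_tree(root: str) -> list:
    """Walk root and return (relative path, category, count) for every file
    holding at least one finding, sorted for stable reporting."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                text = extract_text(path)
            except (OSError, zipfile.BadZipFile):
                continue            # unreadable or corrupt file: skip, keep scanning
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for kind, count in classify(text).items():
                if count:
                    findings.append((rel, kind, count))
    return sorted(findings)


def build_sample_share() -> str:
    """Constructed sample data (hypothetical file share) in a temp directory."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "old"))
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as f:
        f.write("Test card 4111 1111 1111 1111 (valid Luhn)\n"
                "Order ref 1234 5678 9012 3456 (fails Luhn, not a PAN)\n"
                "Contact: alice@example.com\n")
    with open(os.path.join(root, "old", "readme.txt"), "w", encoding="utf-8") as f:
        f.write("Nothing sensitive here.\n")
    # A minimal .docx: only the main document part is needed for this scan.
    with zipfile.ZipFile(os.path.join(root, "memo.docx"), "w") as z:
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document><w:body><w:p>'
                   "<w:t>Refund to card 5500-0000-0000-0004</w:t>"
                   "</w:p></w:body></w:document>")
    return root


if __name__ == "__main__":
    for rel, kind, count in scan_tree(build_sample_share()):
        print(f"{rel}: {count} x {kind}")
```

On the constructed share the scan reports one card number in memo.docx and one card number plus one e-mail address in notes.txt; the second digit run in notes.txt fails the Luhn check and is not counted. In a real deployment the categories and patterns would be extended to the identifiers each business unit named in the interviews above, and the report would feed the classification labels and access controls rather than just printing.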
About the Author
Deborah Kish is Executive Vice President of Marketing and Research at Fasoo. She is responsible for leading Fasoo’s research and product strategies in the unstructured data security and privacy space. Fasoo provides unstructured data security and enterprise content platforms that enable our customers to protect, control, trace and analyze critical business information while enhancing productivity. Fasoo has successfully retained leadership in the unstructured data security market by deploying enterprise-wide solutions globally, securing millions of users.
Deborah can be reached online at (firstname.lastname@example.org, Twitter: @deborahkish, LinkedIn: @deborahkish) and at our company website: www.fasoo.com.