What Unstructured Data is Sensitive?

“Threat actors are having more success with breaching and exfiltrating sensitive unstructured data targets.”


Your organization’s sensitive unstructured data is a rapidly growing attack surface, increasingly targeted by cybercriminals and other threat actors. Although more attacks are aimed at structured databases, attackers have greater success stealing sensitive unstructured data.

That is because this type of data poses a distinct set of security and privacy-regulation challenges, many of which are not addressed by today’s investments in network, device and application security, by cybersecurity frameworks, or by traditional vulnerability management.

Unlike structured data, which resides inside well-protected databases and IT perimeters, sensitive content also exists in unstructured formats such as office documents, CAD/CAE files and images, and is distributed and published via file sharing, social media and email. You generate it when HR collects personal employee information, when your sales teams add customer contact information to your customer relationship management (CRM) system, when your engineering and security teams share intellectual property (IP) with third parties, and so on.

UNREGULATED SENSITIVE DATA

  • New product plans
  • Product designs
  • Customer information
  • Supplier information/third-party contracts
  • Competitor research
  • Customer surveys
  • Software code
  • Job applications, Employee contracts
  • Internal processes and procedure manuals
  • Data Analytics: Google Analytics, Tableau and Salesforce reports

REGULATED SENSITIVE DATA (examples of the laws and standards that govern it)

  • California Consumer Privacy Act (CCPA)
  • General Data Protection Regulation (GDPR)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm–Leach–Bliley Act (GLBA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • New York State Department of Financial Services cybersecurity regulation (23 NYCRR 500)
  • Payment Card Industry Data Security Standard (PCI DSS)

“A dangerous gap has emerged …”

Sharing and storing sensitive information in free-form documents that live outside carefully monitored and secured databases is now a widespread practice. This creates a gap that presents countless opportunities for unauthorized disclosure: inadvertent mishandling by employees, the actions of malicious insiders, and external cyberattacks.

Businesses are mobilizing to combat these threats. The first step is to ensure your organization understands the character, significance and challenges surrounding sensitive unstructured data. Focus on these topics to drive better organizational insights into why and what can be done now to close the gap.

 
  • Who cares about it?
  • What are the types?
  • How are sensitivity levels determined?
  • What are the next steps?
 

Who cares about sensitive unstructured data?

Unauthorized access or loss of sensitive data hurts your competitive advantage, damages your brand, and can incur significant regulatory penalties.

 

[Two statistics were shown as images in the original: the share of customers who stop spending with a breached company for several months, and the share who never return to the brand. The figures themselves are not recoverable from the page text.]

In addition to customers and potential loss of revenue,

  • Breach of partner information exposes the business to legal damages and seriously impacts the relationship and reputation of both parties.
  • Regulators are responding to increased threats and individual rights. Over 80 countries now have published privacy laws. Non-compliance penalties are increasing and more strictly enforced. Your data may be subject to overlapping and often conflicting requirements.
  • Corporate Governance, Risk and Compliance (GRC) committees define the sensitivity levels and handling policies for sensitive information. New threats and trends must be reflected in those policies, which in turn guide the systems and procedures that safeguard this content.
  • Security and IT professionals have spent considerable time on network perimeter tools, and gap analysis shows shortfalls in safeguarding unstructured data. To fix this, they are turning to data-centric approaches and tools that protect the data itself rather than its location.
  • Employees create and share unstructured office documents, PDFs and CAD/CAE files internally and externally every day, and should protect content according to its sensitivity level (e.g., confidential, internal, public).

What are the types of sensitive unstructured data?

Sensitive data is any information that must be safeguarded from unauthorized disclosure. The broadest split is regulated versus unregulated. Regulated data must be handled as sensitive because the law requires it. Unregulated data includes both business-sensitive and publicly known information; it is up to the business to determine which of it is sensitive.

Regulated data arises from:

 
Privacy regulations: information that personally identifies an individual and associates that individual with financial, healthcare and other data.

Industry regulations: industry-specific sensitive data, for example technical data on a weapon system governed by the International Traffic in Arms Regulations (ITAR), or critical infrastructure information covered by the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards.

 

Protected Health Information (PHI), Personally Identifiable Information (PII) and payment card data (governed by PCI DSS) remain the traditional core of individual privacy protection. With access to this data, cybercriminals can steal identities or compromise bank accounts for a quick profit.

Modern day privacy regulations, such as GDPR and CCPA, have broadened the definition of what information is subject to regulations to include individual interactions in the digital space, putting companies under significant new obligations.

Unregulated data of a sensitive nature is determined by the business. It is data the business doesn’t want exposed and can be strategic, competitive, financial or operational in nature. Examples include:

  • IP: Patents, trademarks, formulas, R&D programs, source code
  • Strategic: Pending financial releases, on-going M&A transactions, internal risk deliberations
  • Operations: Inventory levels, pricing policies, customer lists

Today’s cybercriminals are opportunistic: they look for companies that are caught up in a current event, or that have an obvious weakness they can exploit for the most value. Examples include stealing data about important drugs or vaccines under development, or exposing damaging information from an ongoing legal proceeding.

Breaches of unregulated sensitive content are often kept quiet. Because such data is not subject to the disclosure requirements that apply to regulated data, organizations frequently choose to avoid the reputational damage of publicizing the breach.

How are sensitivity levels determined?

Regulated data is always sensitive. Most unregulated data is not, since that category also includes publicly known information.

Your corporate GRC team or chartered committee determines what data is sensitive. They consider all internal and external mandates, the nature of the data, how it is being used, the likelihood of a breach, and its overall impact on your organization (financial and reputational).

Helpfully, classification policies have become standardized across industries, with templates and toolkits that leave little to chance and can be implemented with reasonable effort.

Best practice is three classification levels (e.g., confidential, internal, public), four at most. With more levels the distinctions become too fine for employees to assess, and application becomes subjective and inconsistent.

To move from templated policies to meaningful execution, it is critical that the GRC team help the security and IT professionals in your organization prioritize sensitive unstructured data tasks by directing attention to factors such as:

  • Not all data leaks are equal: the business impact varies with the sensitivity of the data and the extent of exposure. Determine which sensitive data, if lost, would hurt your company’s finances and reputation the most.
  • Identify how your sensitive data is shared and stored: which data is at the highest risk of being stolen? Not all threats are external; insider threats are responsible for some of the costliest breaches.
  • Employees: Verizon’s 2020 Data Breach Investigations Report states that “employees’ mistakes account for roughly the same number of breaches as external parties who are actively attacking you.” Education, automation and centralized controls are critical.

The dynamics surrounding sensitive unstructured data can be daunting. Focusing on a few key steps provides a meaningful path forward:

1. Consider current trends and update best practices. Most organizations have some form of GRC policy, but the focus has been on structured data security and handling. Locate all potential sources of unstructured data, independent of sensitivity. This operationalizes the process and keeps your project on task.

2. Look for gaps in the security infrastructure, taking advantage of data-centric approaches, processes and tools that safeguard the data itself rather than where it happens to be (servers, laptops, mobile devices).

3. Employees need one thing – to get their work done. They will benefit most from automated sensitive data classification that minimizes impact on their workflows, and they will be more receptive and committed to the effort if the policies are clearly communicated and outlined for them.
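As an added illustration of the three-level scheme and of the automated classification that step 3 calls for (this is example code written for this article, not Fasoo’s product or any tool the page describes), the following Python script inspects document text and assigns public, internal or confidential. The regular expressions, keyword lists and sample documents are assumptions constructed for the example; a Luhn check keeps random 13–19 digit numbers such as tracking IDs from being reported as payment cards, a common source of DLP false positives.

```python
"""Content-based sensitivity classifier for unstructured text.

Added example, not Fasoo's code: assigns one of the three classification
levels the article recommends (public / internal / confidential) using
regulated-data detectors (payment cards, US SSNs, health terms) and keyword
lists for business-sensitive data. The patterns and term lists are
assumptions chosen for illustration, not a complete DLP rule set.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Regulated data. The Luhn check below keeps random 13-19 digit numbers
# (order or tracking IDs) from being reported as payment cards.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PHI_TERMS = ("patient", "diagnosis", "prescription", "medical record")

# Unregulated but business-sensitive terms, grouped by the article's categories.
CONFIDENTIAL_TERMS = {
    "ip": ("source code", "patent", "formula", "r&d"),
    "strategic": ("merger", "acquisition", "earnings release", "risk deliberation"),
    "operations": ("pricing policy", "customer list", "inventory level"),
}
INTERNAL_TERMS = ("internal use only", "procedure", "handbook", "job application")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Classification:
    level: str                     # "public", "internal" or "confidential"
    reasons: list[str] = field(default_factory=list)


def classify(text: str) -> Classification:
    """Apply the rules in priority order: regulated data always wins."""
    lower = text.lower()
    reasons: list[str] = []
    if find_pans(text):
        reasons.append("PCI DSS: Luhn-valid payment card number")
    if SSN_RE.search(text):
        reasons.append("PII: US Social Security number")
    if any(t in lower for t in PHI_TERMS):
        reasons.append("HIPAA: health information terms")
    for category, terms in CONFIDENTIAL_TERMS.items():
        found = [t for t in terms if t in lower]
        if found:
            reasons.append(f"business-sensitive ({category}): {', '.join(found)}")
    if reasons:
        return Classification("confidential", reasons)
    found = [t for t in INTERNAL_TERMS if t in lower]
    if found:
        return Classification("internal", [f"internal-only terms: {', '.join(found)}"])
    return Classification("public", ["no sensitive indicators found"])


# Constructed sample documents; none of these values are real.
SAMPLE_DOCS = {
    "press_release.txt": "Acme announces a new product line, available nationwide next quarter.",
    "shipping_note.txt": "Tracking number 4111 1111 1111 1112 shipped Tuesday.",  # fails Luhn
    "expense_procedure.docx": "Expense reimbursement procedure. Internal use only.",
    "card_on_file.xlsx": "Customer card on file: 4111-1111-1111-1111, exp 12/27.",
    "hr_record.pdf": "New hire paperwork. SSN 123-45-6789, start date 2024-03-01.",
    "board_memo.docx": "Draft acquisition terms for Project Falcon; do not distribute.",
}


def classify_all(docs: dict[str, str]) -> dict[str, Classification]:
    """Classify every document and keep the reasons for audit."""
    return {name: classify(text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, result in classify_all(SAMPLE_DOCS).items():
        print(f"{name:24} {result.level:13} {'; '.join(result.reasons)}")
```

Run it directly to get one line per sample document with its level and the rule that fired. In practice the term lists come from the GRC policy rather than being hard-coded, and the classifier’s output would drive labeling, access control or file encryption rather than only a report; the recorded reasons are what lets an employee or reviewer contest a label instead of silently working around it.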

     
Related posts

    Collecting Laptops From Terminated Employees? Protect Unstructured Data

    I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word).  Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them?  It also made me think, in a situation like this, how the potential for insider theft is far greater.

    Files containing IP can be either printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured and so on.  These are not necessarily actions of malice, but obvious desperation to assist with the basic need for employment.

    Live Webinar: Overcoming Unstructured Data Security and Privacy Choke Points

    Why do so many data loss prevention projects either stall or de-scope? Why, with significant industry expenditure in the space, do we continue to experience record-breaking data breaches and exfiltration? What are the latest methodologies and technologies security and privacy executives should consider to protect their sensitive data and comply with ever-increasing and pervasive privacy regulations such as GDPR and CCPA?

    Join Deborah Kish, former Gartner data security analyst, as she shares insights gleaned from hundreds of sessions with CISOs, CIOs, CDOs, CPOs and CCOs to offer an insider’s playbook for implementing an unstructured data security and privacy program. Whether you are migrating from existing DLP point solutions or wondering where your unstructured data lives today, Deborah will provide a life-cycle perspective on the best methodologies and how to avoid the pitfalls that have plagued enterprise projects.

    Register for this webinar and learn how:

    • A file-centric approach overcomes data leakage shortfalls of traditional approaches and best meets new privacy requirements
    • Aligning data classification with your data protection methods will put your projects on the fast track
    • Automation and integration of discovery, classification, access control and file-based encryption is your best first line defense
    Fasoo Helps Customers Control Unstructured Data at Gartner Security and Risk Management Summit 2018

    This year at the Gartner Security & Risk Management Summit in National Harbor, MD there was a lot of focus on reducing business risk through improved cybersecurity that focuses on protecting data as users create and share it.  One area of concern to many organizations is how to find and protect sensitive data without impacting how employees and customers work.  Data protection regulations, like GDPR, are making things more complicated, but companies need to balance security with productivity.

    At the Fasoo booth, a lot of people talked about issues with combining different technologies that still focus more on protecting the location of data rather than the data itself.  One executive from a manufacturing company talked about how her DLP system can tell them that sensitive documents were shared with external parties, but can’t really control their access or stop them from going out.  This is a common concern as companies use DLP, CASB and other technologies that can’t control access everywhere.

    Fasoo Highlights NYDFS Path to Compliance at Rochester Security Summit 2017

    Ron Arden, Executive Vice President & COO, Fasoo, Inc., spoke to security professionals and executives on how to meet the data-centric requirements of the NYDFS 23 NYCRR 500 cybersecurity regulation for financial services organizations at the 2017 Rochester Security Summit at the Rochester Hyatt in Rochester, NY.

    Ron delivered a presentation entitled “Do You Have a Pathway to Data Security and Compliance?” as part of the risk and compliance track during the October 19 – 20, 2017 event.  With deadlines approaching for some of the more challenging components of the NYDFS cybersecurity regulations, timing was right as Ron reviewed results from the recent Ponemon Institute survey on NYDFS readiness and Fasoo’s approach to help meet the technical challenges of protecting unstructured data or data stored in files.  This is an area that most organizations are struggling with, since about 80 percent of their information is not in databases, but is in office documents.

    Can You Stop Former Employees Taking Your Data?

    It’s a good question and one that many organizations don’t think about thoroughly.  You take a lot of time onboarding an employee by doing background checks, checking references, and determining what information systems and data access the person needs to do her or his job.  You may have a comprehensive provisioning system that grants access to all applications and data.

    But how about when someone leaves?  It’s great that you de-provision access the INSTANT someone becomes a former employee, but how do you protect the confidential data she or he may have been taking out each night for the last few weeks?  Organizations spend a lot of money guarding against cyberattacks from hackers and other external people, but many don’t do enough to protect their data from threats of former employees.

    Fasoo Helps Customers with Compliance at Gartner Security and Risk Management Summit 2017

    This year at the Gartner Security & Risk Management Summit in National Harbor, MD there was a lot of focus on managing and mitigating risk to a business and how to improve cybersecurity through data-centric protection.  One area of concern to many organizations is how to comply with some of the newer cybersecurity and data protection regulations, like GDPR, as governments try to improve customer and business data security.

    With all the recent malware, ransomware and data breaches, there was obviously a focus on how to prevent harm to one’s business.  As businesses move more into the realm of digital business, the concept of trust is becoming a larger issue.  If your customers do not trust you with their data, they will be less likely to do business with you.

    Fasoo Talks About NYDFS and Cybersecurity at FinCyberSec 2017

    Ron Arden, Executive Vice President and COO of Fasoo, Inc., presented “Countdown to Compliance with NYDFS 23 NYCRR 500” during FinCyberSec 2017 at the Stevens Institute of Technology in Hoboken, NJ on May 31, 2017.  Ron was part of a day-long event that focused on the technical, regulatory, process and human dimensions of cyber threats faced by financial systems and markets.

    Dr. Paul Rohmeyer, who organized the conference, started the day with opening remarks that set the stage for how the world of business and cybersecurity has changed in the last year.  With constant attacks, like the WannaCry ransomware attack and the ever changing business and technology landscape, financial services companies have a lot to address as they look to safely promote new business models.

    Practical Advice At Buffalo NYDFS 23 NYCRR 500 Pathways to Compliance Event

    Following our successful event in Rochester, the second of the NYDFS 23 NYCRR 500 roadshow events, at Phillips Lytle LLP in Buffalo, NY on May 17, 2017, brought together executives and insurance, legal and security professionals in a great forum to discuss the challenges financial services organizations face in meeting the new cybersecurity regulation that went into effect on March 1, 2017.  A full house heard practical advice designed to help entities regulated by the New York State Department of Financial Services (NYDFS) comply with the new regulation.

    Jennifer Beckage of Phillips Lytle LLP started with her “Survival Guide to Navigating the NYDFS Cybersecurity Regulation”.  Jennifer talked about the challenges covered entities face not only developing their own cybersecurity programs, but how those spill over to their service providers.  Developing, implementing and monitoring vendor management programs will affect contracts, day-to-day operations and the technology used to secure and control information shared.

    Data Loss Prevention, Data Classification and Persistent Data-Centric Security

    Technology advancements and the rapid digitization of corporate information have made it easier for modern companies to conduct everyday business transactions. Today, business data is easier to access and share, giving companies the opportunity to reach more customers and conduct business faster. At the same time, the unprecedented volume of data created, accessed, shared and stored, and the variety of its sources, is forcing companies to re-evaluate their cybersecurity approach.  The collaborative nature of how business is done has extended the corporate perimeter. As a result, companies see an ever-increasing need for visibility into their data, into how users access and use it, and for securing it with encryption.