Five Key Principles of Securing Sensitive Data
Updated: Dec 17, 2020
For the sake of our Cybersecurity Insights framework, let’s define sensitive data:
Any information you must protect against unauthorized access is sensitive. The reason for this classified nature usually has to do with ethical or legal requirements, personal privacy, regulatory reasons, trade secrets, and other valuable business information.
Essentially, this information is an integral component of any given organization, if not the lifeblood. That’s why, according to IBM and the Ponemon Institute, it costs $3.86 million on average when a company’s data gets breached. This amounts to a 10% rise over the last five years.
A plethora of mistakes are leaving companies vulnerable to cyberattacks that compromise their data. These glaring weaknesses must be eliminated to protect companies from malicious cybercriminals.
Overcoming these hurdles necessitates a company following five distinct principles.
Read on as we take a close look into common mistakes regarding data protection and the 5 principles to rectify those errors.
Common Data Protection Mistakes and the Principles that Resolve Them
Challenge #1: Lacking a Systematic Policy and Cultural Education about Sensitive Data Storage
A critical data protection error made by an overwhelming number of organizations is not understanding their sensitive data location(s). Such companies don’t set policies or create a system wherein data is continually categorized. Thus, they don’t establish controls to appropriately handle all data categories.
Beyond that, a lack of user education causes more problems. Employees must fully grasp how sensitive this data is, and they must learn their role in keeping it safe.
Principle #1: Craft a Data Categorization System for Sensitive Data Storage while Educating Employees.
First, there's a need to craft a viable system for data categorizations.
For instance, consider a storage policy that dictates all data sets with personal information to be classified as “sensitive.”
Such data would be encrypted in transit across a network and at rest. Furthermore, imagine the hypothetical company applies technical controls to further bolster this system. The chances are that the data won’t be exposed.
The next step would be education – let’s look at it through the lens of payroll data:
This information is most frequently only made available to individuals who process and review the payroll. Generally, the applications used for these purposes come with built-in security controls that restrict access.
All laptops with this information should be secured, and payroll employees should be well aware of how important their role is. This way, they'll help maintain those rigorous controls. Otherwise, if a laptop gets stolen, the entire staff will find themselves vulnerable to identity theft.
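The classification policy described above can be expressed as code, so that the category of each data set and the controls it is missing are computed rather than remembered. The following is an added example, not code from the original article; the field names, control names and sample inventory are constructed, and a real deployment would drive them from the organisation's own data inventory and content scanning rather than field names alone.

```python
"""Classify data sets by the personal information they hold and audit the
handling controls applied to each against a simple policy.

Added example, not from the original article. The field names, control
names and sample data sets are constructed for illustration.
"""
from dataclasses import dataclass, field

# Field names that mark a data set as holding personal information
# (constructed list; a real policy is driven by the data inventory).
PERSONAL_FIELDS = {"name", "email", "ssn", "salary", "bank_account", "dob", "address"}

# Controls each category must carry. Personal data is "sensitive" and, per the
# policy described above, must be encrypted in transit and at rest.
REQUIRED_CONTROLS = {
    "sensitive": {"encrypt_at_rest", "encrypt_in_transit", "restricted_access"},
    "internal": {"restricted_access"},
    "public": set(),
}


@dataclass
class DataSet:
    name: str
    fields: set
    published: bool = False                      # deliberately released to the public
    controls: set = field(default_factory=set)   # controls actually in place


def classify(ds: DataSet) -> str:
    """Category of a data set: any personal field makes it sensitive,
    regardless of whether someone marked it as published."""
    if ds.fields & PERSONAL_FIELDS:
        return "sensitive"
    return "public" if ds.published else "internal"


def missing_controls(ds: DataSet) -> set:
    """Controls the category requires that are not applied to the data set."""
    return REQUIRED_CONTROLS[classify(ds)] - ds.controls


def audit(datasets) -> dict:
    """Map each non-compliant data set name to its sorted list of gaps."""
    report = {}
    for ds in datasets:
        gaps = missing_controls(ds)
        if gaps:
            report[ds.name] = sorted(gaps)
    return report


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    DataSet("payroll", {"name", "ssn", "salary"},
            controls={"encrypt_in_transit", "restricted_access"}),
    DataSet("floor_plans", {"building", "room"}),
    DataSet("press_releases", {"title", "body"}, published=True),
    DataSet("newsletter_signups", {"email"}, published=True,
            controls={"encrypt_at_rest", "encrypt_in_transit", "restricted_access"}),
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: missing {', '.join(gaps)}")
```

Note that `newsletter_signups` is flagged sensitive even though it was marked as published: the classification follows the data, not the label someone attached to it, which is the point of having a system rather than relying on individual judgement.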
Challenge #2: Failing to Make Backup Files and Not Physically Protecting Them
Failing to provide backup for data is an easily avoidable oversight.
Here are some other mistakes made when it comes to backing up sensitive files:
Failing to implement a regular backup schedule makes it likelier to neglect the entire process.
Not backing up the entire system can make recovery from an incident take much longer than expected.
Many organizations neglect the physical storage of these files. Some companies find a location, but it's an unsecured warehouse. Worse, these less-than-ideal locations are expected to protect unencrypted customer account and password data.
Principle #2: Create a Continual File Backup System and Store the Copies in Fireproof Safes or a Separate, Secured Building.
Setting your system up to automatically back up files will ensure this process is done regularly. The scheduler can be set up to run at the same time every day.
Most industry experts suggest scheduling backups a few hours after a workday to ensure everyone has left the office.
With physical protection, keep copies in a fireproof safe that can withstand even the most extreme catastrophe. This way, your office building could crumble to the ground, but you could still access your most valuable data.
You could take it one step further by storing it in another building with thorough security measures.
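A scheduled backup is only useful if the copy can be trusted when it is needed, so the job should record an integrity value at creation time and check it before any restore. The following is an added example, not code from the original article: it archives a directory into a timestamped tarball, stores its SHA-256 in a sidecar file, and verifies both the hash and the readability of every member. The paths, the cron schedule in the docstring and the sample files in `demo()` are constructed.

```python
"""Timestamped, hash-verified backup of a directory tree.

Added example, not from the original article. Paths, the schedule and the
sample files in demo() are constructed. To run it unattended a few hours
after the workday, a cron entry such as (assumption, adjust to taste):
    0 21 * * 1-5  /usr/bin/python3 /opt/backup/backup.py
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, dest_dir: Path) -> Path:
    """Archive `source` as dest_dir/<name>-<UTC stamp>.tar.gz and record its
    SHA-256 in a sidecar file so the copy can be checked before restore."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = dest_dir / f"{source.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    archive.with_name(archive.name + ".sha256").write_text(sha256_file(archive))
    return archive


def verify_backup(archive: Path) -> bool:
    """True if the archive matches its recorded hash and every member is readable."""
    sidecar = archive.with_name(archive.name + ".sha256")
    if not sidecar.exists() or sidecar.read_text().strip() != sha256_file(archive):
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    tar.extractfile(member).read()
        return True
    except (tarfile.TarError, OSError):
        return False


def demo() -> tuple:
    """Back up a constructed directory, verify it, corrupt it, verify again.
    Returns (verified_before_tampering, verified_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "payroll"
        src.mkdir()
        (src / "2020-12.csv").write_text("employee,salary\nalice,1000\n")
        (src / "notes.txt").write_text("constructed sample file\n")
        archive = create_backup(src, Path(tmp) / "backups")
        before = verify_backup(archive)
        with archive.open("ab") as fh:      # simulate corruption or tampering
            fh.write(b"\x00")
        after = verify_backup(archive)
    return before, after


if __name__ == "__main__":
    print("verify before/after tampering:", demo())
```

The sidecar hash belongs with the off-site or fireproof copy, and the verification step is the one to run as part of a periodic restore test; a backup that has never been restored is an assumption, not a control.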
Challenge #3: Operating with Only One Password
Even when attackers use something more primitive like the brute-force attack approach, they could stumble across an organization’s password.
Not to downplay the severity of such a breach, but that's only a big deal if a company has one universal password to all its information.
That’s an incredibly thin defensive line to protect you from malicious hackers looking to steal information, given what’s at stake. Remember the stat from the introduction—such an incident could cost your business around $4 million.
Principle #3: Using a system of passwords so that access to data is restricted.
Creating multiple passwords for respective data segments is your best bet to keep your business’s sensitive information protected.
You can do this departmentally or by rank throughout the company. We mentioned earlier how payroll staff is the only department with access to the specific data they manage. As such, they'd have their own password.
This can also apply to confidential, top-level information only being available through specific passwords held by higher-ups.
Consider requiring multi-factor authentication as the data gets more sensitive. Moreover, regularly rotate all passwords, and use random generators to make them harder to guess.
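The segmentation described in this principle is easier to operate when each user holds their own credential and is entitled to data segments through their department, rather than sharing one password per segment: the separation is the same, but every access stays attributable and a single departure does not force a group-wide password change. The following is an added example, not code from the original article; segment names, sensitivity levels, the 90-day rotation window and the sample users are constructed.

```python
"""Segment-level access decisions with MFA step-up and credential rotation.

Added example, not from the original article. Segment names, sensitivity
levels, the 90-day rotation window and the sample users are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import secrets
import string

# Which departments may reach each data segment and how sensitive it is.
SEGMENTS = {
    "payroll":       {"departments": {"payroll"},                "level": 3},
    "board_minutes": {"departments": {"executive"},              "level": 3},
    "ticketing":     {"departments": {"support", "engineering"}, "level": 1},
    "intranet":      {"departments": {"*"},                      "level": 0},
}
MFA_LEVEL = 2                            # level at which MFA becomes mandatory
MAX_CREDENTIAL_AGE = timedelta(days=90)  # rotation window (constructed)


@dataclass
class User:
    name: str
    department: str
    credential_rotated: date             # when the user last changed their password
    mfa_verified: bool = False           # second factor presented this session


def rotation_overdue(user: User, today: date) -> bool:
    """True when the user's password is older than the rotation window."""
    return today - user.credential_rotated > MAX_CREDENTIAL_AGE


def authorize(user: User, segment: str, today: date) -> tuple:
    """Decide whether `user` may read `segment`; returns (allowed, reason)."""
    seg = SEGMENTS.get(segment)
    if seg is None:
        return False, "unknown segment"
    if rotation_overdue(user, today):
        return False, "credential rotation overdue"
    if "*" not in seg["departments"] and user.department not in seg["departments"]:
        return False, "department not entitled to segment"
    if seg["level"] >= MFA_LEVEL and not user.mfa_verified:
        return False, "mfa required"
    return True, "ok"


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, for rotations and initial issuance."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed "now" and sample users.
TODAY = date(2020, 12, 17)
SAMPLE_USERS = {
    "alice": User("alice", "payroll", date(2020, 11, 1), mfa_verified=True),
    "bob":   User("bob", "engineering", date(2020, 11, 1)),
    "carol": User("carol", "payroll", date(2020, 11, 1)),                    # no MFA yet
    "dave":  User("dave", "executive", date(2020, 6, 1), mfa_verified=True),  # stale password
}

if __name__ == "__main__":
    for name, seg in [("alice", "payroll"), ("carol", "payroll"),
                      ("bob", "payroll"), ("bob", "ticketing"), ("dave", "board_minutes")]:
        print(name, seg, authorize(SAMPLE_USERS[name], seg, TODAY))
    print("new password:", generate_password())
```

The checks are ordered so that a stale credential is refused before entitlement is even considered, which makes the rotation policy enforceable rather than advisory; the reason string is what you would log so that refused attempts on sensitive segments can be reviewed.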
Challenge #4: Getting Caught Off Guard
We all remember the Edward Snowden fiasco. He gained access to and snuck off with highly classified national security information he shouldn’t have been privy to.
This incident stemmed from the NSA governance protocol breaking down and not proactively neutralizing the insider threat with appropriate security controls.
Principle #4: Preparing for the Worst-Case Scenario
The principle here is easily explained. Companies must be more proactive in their approach to data protection. This means they must educate themselves on the worst-case scenario and be fully prepared for it. For the NSA, this was an insider threat. With other companies, it could be the same, or it could be an external threat.
Your software vendors provide tools that you can leverage to bolster your security controls. Taking the time to familiarize yourself with these will equip your organization for the worst-case scenario.
Challenge #5: Ignoring the Human Element
Restricting the internet so employees can’t even access Facebook or YouTube is one way to ensure they’ll break the rules.
This can be a slippery slope and leave your systems vulnerable to more malicious attacks as time passes.
Principle #5: Be Supportive and Transparent with Employees
Talk to employees and learn what kind of access they want and need. Then decide how you can meet these preferences in the safest way possible.
With this list, you’ll equip your company with a robust data protection framework.
Is Your Organization's Sensitive Data Protected?
Insight is the start of knowing how well your organization's information is protected. Our Cybersecurity Assessment Service was developed to achieve the following:
Insight into current security vulnerabilities.
Develop an action plan to prioritize and address known issues.
Develop policies to prevent information breaches, without disruption to workflows.
Educate and arm all members of the organization to minimize risk exposure.
Develop a monitoring routine to prevent future risk.