Posted on Sep 30, 2020
Moving towards a cloud-first IT strategy aligned with organizational business goals requires a digitally transformed cybersecurity program. When maturing security and compliance programs, organizations almost inevitably start with a risk assessment that requires identifying all data, devices, networks, software, and users. Fundamentally, organizations need to focus their programs by identifying sensitive data and then finding ways to adequately protect it from cybercriminals.
At a high level, sensitive data is information that a person or organization wants to keep from being publicly available because the release of the information can lead to harm such as identity theft or fraud. In some cases, sensitive data is related to individuals such as payment information or birth date. In other cases, sensitive data can be proprietary corporate information.
Some examples of non-public personal information (NPI), also referred to as personally identifiable information (PII), include a person’s:
Some examples of non-public corporate information include:
Every year, governments pass new regulations for how companies should be protecting data. Since the General Data Protection Regulation (GDPR) enforcement date of May 2018, more countries and local governments have sought to protect data privacy. In 2018, the California State Legislature passed the California Consumer Privacy Act of 2018 (CCPA). In 2019, 43 states and Puerto Rico introduced or considered nearly 300 data security or privacy regulations. During that same year, 31 states enacted new cybersecurity-related legislation. Additionally, over the last five years, many industry standards have been updated, including the International Organization for Standardization (ISO) 27701 in 2019.
Some compliance requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), detail specific controls that organizations must use while others apply generalizations that allow for customization. Despite the number and diversity of these laws, nearly all incorporate a similar set of requirements for protecting sensitive data.
Compliance, in and of itself, is not security. Compliance is about following established rules so that the governing body does not need to levy fines for violating the law or standard. However, governing bodies come with bureaucratic processes that mean cybercriminals are more advanced in their strategies than the laws and standards take into account. With that in mind, a security-first approach to protecting sensitive data mitigates cyber threats while also acting as a baseline for meeting compliance requirements.
A risk assessment is one of the most important aspects of protecting sensitive data because it requires an organization to identify all of its users, devices, networks, applications, and information. After completing the identification process, you then need to categorize the users, devices, networks, applications, and information based on how negatively a data leak would impact the organization. Sensitive information is “high risk” while marketing information might be “low” risk. Finally, you need to assess all of these potential attack vectors and decide whether you want to accept, transfer, mitigate, or refuse the risk.
For the risks that your organization chooses to accept or mitigate, you need to set appropriate controls for preventing unauthorized access to sensitive data. For example, every organization with more than one employee collects PII as part of its human resources operations. A company cannot refuse to collect, transmit, or store this information. Therefore, it needs to put mitigating controls in place that prevent malicious actors from accessing or acquiring.
Since cybercriminals continuously evolve their threat methodologies, organizations often find that controls that protect sensitive data today may not be effective tomorrow. Continuously monitoring an organization’s IT ecosystem is a standard control in nearly every new regulation or industry standard. With more information stored in the cloud, malicious actors can more easily use commonly known vulnerabilities (CVEs) to gain access to sensitive data.
Monitoring only accounts for part of the continuous strategy. To truly protect the information, organizations need to identify new risks to their IT ecosystem and remediate any weaknesses. This process may sound easy, but research indicates that an average enterprise Security Operations Center (SOC), the department responsible for responding to new cybersecurity alerts, can see up to 10,000 alerts on a given day. Some of these alerts may be “false positives,” or potential risks that do not really exist. To remediate the most important weaknesses, organizations need to prioritize their risks appropriately and fix the highest-risk problems first.
Nearly every regulation requires organizations to not only say how they plan to protect sensitive information but also document their actions. To meet compliance requirements, organizations need to document all policies, processes, and activities to prove their security and privacy programs are effective. An independent third party, called an auditor, reviews the documentation then provides a report containing any findings, or problems, with the organization’s program.
As governments look more closely at the impact cybercrime has on people’s lives, regulations and industry standards increasingly require senior leadership to provide their Boards of Directors with updates. Governments look to hold corporate leadership responsible and require a meaningful review of risk to help protect customer information.
As organizations look to protect sensitive information, they need continuous visibility into their complex IT ecosystems. SecurityScorecard’s security ratings platform offers at-a-glance insight into the effectiveness of your data protection controls. Our platform’s A-F rating scale provides an outside-in view across ten groups of risk factors so that organizations can continuously monitor, remediate, and document their data protection activities.
As cybersecurity and privacy become even more important with accelerated digital transformation strategies, gaining real-time visibility into new risks to rapidly mitigate threats and protect sensitive data will be even more critical to businesses.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.