Moving towards a cloud-first IT strategy aligned with organizational business goals requires a digitally transformed cybersecurity program. When maturing security and compliance programs, organizations almost inevitably start with a risk assessment that requires identifying all data, devices, networks, software, and users. Fundamentally, organizations need to focus their programs by identifying sensitive data and then finding ways to adequately protect it from cybercriminals.
What is sensitive data?
At a high level, sensitive data is information that a person or organization wants to keep from being publicly available because the release of the information can lead to harm such as identity theft or fraud. In some cases, sensitive data is related to individuals such as payment information or birth date. In other cases, sensitive data can be proprietary corporate information.
Some examples of non-public personal information (NPI), also referred to as personally identifiable information (PII), include a person’s:
- Social security number
- Bank account information
- Credit/Debit card information
- Health information
- Racial or ethnic data
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data
- Sexuality or gender information
Some examples of non-public corporate information include:
- Trade secrets
What are some regulatory and industry standards that require protecting sensitive data?
Every year, governments pass new regulations for how companies should be protecting data. Since the General Data Protection Regulation (GDPR) enforcement date of May 2018, more countries and local governments have sought to protect data privacy. In 2018, the California State Legislature passed the California Consumer Privacy Act of 2018 (CCPA). In 2019, 43 states and Puerto Rico introduced or considered nearly 300 data security or privacy regulations. During that same year, 31 states enacted new cybersecurity-related legislation. Additionally, over the last five years, many industry standards have been updated, including the International Organization for Standardization (ISO) 27701 in 2019.
Some compliance requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), detail specific controls that organizations must use while others apply generalizations that allow for customization. Despite the number and diversity of these laws, nearly all incorporate a similar set of requirements for protecting sensitive data.
How to protect sensitive data with a security-first approach to compliance
Compliance, in and of itself, is not security. Compliance is about following established rules so that the governing body does not need to levy fines for violating the law or standard. However, governing bodies move through bureaucratic processes, so cybercriminals' strategies are often more advanced than the laws and standards take into account. With that in mind, a security-first approach to protecting sensitive data mitigates cyber threats while also acting as a baseline for meeting compliance requirements.
A risk assessment is one of the most important aspects of protecting sensitive data because it requires an organization to identify all of its users, devices, networks, applications, and information. After completing the identification process, you then need to categorize the users, devices, networks, applications, and information based on how negatively a data leak would impact the organization. Sensitive information is “high risk,” while marketing information might be “low risk.” Finally, you need to assess all of these potential attack vectors and decide whether you want to accept, transfer, mitigate, or refuse the risk.
For the risks that your organization chooses to accept or mitigate, you need to set appropriate controls for preventing unauthorized access to sensitive data. For example, every organization with more than one employee collects PII as part of its human resources operations. A company cannot refuse to collect, transmit, or store this information. Therefore, it needs to put mitigating controls in place that prevent malicious actors from accessing or acquiring it.
Monitor control effectiveness
Since cybercriminals continuously evolve their threat methodologies, organizations often find that controls that protect sensitive data today may not be effective tomorrow. Continuously monitoring an organization’s IT ecosystem is a standard control in nearly every new regulation or industry standard. With more information stored in the cloud, malicious actors can more easily use publicly known vulnerabilities (CVEs) to gain access to sensitive data.
Monitoring only accounts for part of the continuous strategy. To truly protect the information, organizations need to identify new risks to their IT ecosystem and remediate any weaknesses. This process may sound easy, but research indicates that an average enterprise Security Operations Center (SOC), the department responsible for responding to new cybersecurity alerts, can see up to 10,000 alerts on a given day. Some of these alerts may be “false positives,” or potential risks that do not really exist. To remediate the most important weaknesses, organizations need to prioritize their risks appropriately and fix the highest-risk problems first.
Nearly every regulation requires organizations not only to say how they plan to protect sensitive information but also to document their actions. To meet compliance requirements, organizations need to document all policies, processes, and activities to prove their security and privacy programs are effective. An independent third party, called an auditor, reviews the documentation and then provides a report containing any findings, or problems, with the organization’s program.
Report to the Board of Directors
As governments look more closely at the impact cybercrime has on people’s lives, regulations and industry standards increasingly require senior leadership to provide their Boards of Directors with updates. Governments look to hold corporate leadership responsible and require a meaningful review of risk to help protect customer information.
SecurityScorecard enables sensitive data protection
As organizations look to protect sensitive information, they need continuous visibility into their complex IT ecosystems. SecurityScorecard’s security ratings platform offers at-a-glance insight into the effectiveness of your data protection controls. Our platform’s A-F rating scale provides an outside-in view across ten groups of risk factors so that organizations can continuously monitor, remediate, and document their data protection activities.
As cybersecurity and privacy become even more important with accelerated digital transformation strategies, gaining real-time visibility into new risks to rapidly mitigate threats and protect sensitive data will be even more critical to businesses.