In many organizations, data storage practices have grown up ad hoc, with data security given little consideration. Take banks and the payment card industry as an example. During enrollment, customers are often asked to fill in their details on a paper form. The information on these forms is then keyed into the system, often unencrypted, and in many cases the forms themselves are scanned and stored as images. Frequently there are no guidelines on how such scanned data may be stored or emailed within the organization so that it is not exposed.
A large share of data breaches trace back to sensitive data being stored where nobody intended it to be. Generally speaking, sensitive data is any information whose unintended disclosure, modification, or loss could cause significant financial, legal, or reputational harm to an organization or an individual. This includes Social Security Numbers (SSNs), credit and debit card numbers, personally identifiable information (PII), passwords, biometric data, medical records (PHI), state identification card numbers, trade secrets, digital signatures and the like.
Keeping sensitive information safe from theft and exposure in today's digital world is not as simple as putting a lock on the filing cabinet, especially with the widespread adoption of cloud computing. Even if you take every precaution with your own accounts and identifying information, there are many ways that information can end up in another individual's or company's systems, where it can be exposed to theft or leakage.
At SISA we have scanned thousands of computers, servers, storage devices, mailboxes and databases, and have identified sensitive data in audio files, images, screenshots, scanned copies, log files, temp files, the recycle bin, Excel sheets, plain text files, XML files, web pages, compressed/zipped archives and many other file types.
Suppose your company has designed an application so that it does not capture sensitive data. Someone may still run it in debug mode, where verbose logging writes full request payloads, sensitive fields included, to a log file. There are even simpler cases, such as an employee innocently emailing sensitive information to a colleague in the course of their work. According to Shred-it's 2018 State of the Industry Report, 84% of C-suite executives and 51% of small business owners in the US who took part in the survey said employee negligence is one of their biggest information security risks. This threat is further magnified when employees work remotely.
While scanning voice data for organizations such as BPOs, banks and insurance companies, we have often found a great deal of sensitive data embedded in recorded conversations. Likewise, on several occasions we have found sensitive data in image formats such as .jpg, .gif, .png and .bmp, among others. Neither shows up in a search that only reads text. Companies can substantially reduce the risk of such exposures by examining their own practices and running a data discovery program.
When an organization sets out to become compliant, however, the rules are strict: PCI DSS, for example, requires that cardholder data be stored only where there is a business need, that stored PANs be rendered unreadable, and that sensitive authentication data not be retained after authorization. Uncovering data that violates these rules is hard. It is often hidden away in obscure systems or buried under layers of folders.
Companies sometimes try to track down this data with manual searches. Given the volume of data every organization holds, it is impossible to dig through all of it, so manual checking can only be done on a sample basis, which severely limits its effectiveness and accuracy. In most cases, manual methods alone are simply not sufficient to demonstrate compliance.
The other approach organizations take to save costs is to use free open source tools for payment data discovery. While these perform the task better than manual methods, there are inherent risks in running unvetted software downloaded from the Internet with the broad read access a discovery scan needs: a trojanized build can bring in malware and severely compromise company data.
For companies that issue or process payment data, non-compliance can have dire consequences. Not only are they liable for heavy penalties, a data breach can severely damage their reputation. For public companies, a breach can drive down the share price and consequently hurt revenue and profits.
Therefore, the best approach is to use a trusted data discovery tool to ensure compliance.
The tool should not only identify non-compliant data but also be able to mask, truncate or delete unencrypted payment card data found on network shares and hard drives, in databases and in mailboxes. PCI DSS permits at most the first six and last four digits of a PAN to be displayed, so masking should leave no more than that visible. The ability to generate reports for PCI DSS compliance is also important.
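To make the identify-then-mask step above concrete, here is a small discovery scan written for this article; it is an added example, not code from SISA Radar or any other product. It assumes a PAN is 13 to 19 digits optionally separated by single spaces or dashes, uses the Luhn check to drop most look-alike numbers (order IDs, account references), and masks hits to the first six and last four digits so the report itself does not become one more unencrypted copy. The two sample "files" are constructed for the example. A real scanner additionally has to open archives and Office documents, OCR images and transcribe audio; this one handles text only.

```python
"""Minimal payment-card data discovery scan (added example, not product code):
find Luhn-valid PANs in text, report them masked, and rewrite content with
the PANs masked. Sample inputs below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List

# A candidate PAN is 13-19 digits, optionally separated by single spaces or
# dashes ("4111 1111 1111 1111", "5500-0000-0000-0004"). The lookarounds stop
# a match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check-digit test; filters out most non-PAN numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str      # file / mailbox / table the PAN was found in
    line_no: int
    masked: str      # the report never carries the clear PAN
    context: str     # the offending line, with the PAN already masked


def find_pans(line: str):
    """Yield (regex match, bare digits) for each Luhn-valid candidate in a line."""
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):          # 16-digit order IDs etc. fall out here
            yield m, digits


def redact_line(line: str) -> str:
    """Rewrite a line with every Luhn-valid PAN replaced by its masked form."""
    out, pos = [], 0
    for m, digits in find_pans(line):
        out.append(line[pos:m.start()])
        out.append(mask_pan(digits))
        pos = m.end()
    out.append(line[pos:])
    return "".join(out)


def scan_text(source: str, text: str) -> List[Finding]:
    """Discovery pass over one text source; one Finding per PAN occurrence."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for _, digits in find_pans(line):
            findings.append(Finding(source, line_no, mask_pan(digits),
                                    redact_line(line).strip()))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for name, text in files.items() for f in scan_text(name, text)]


def redact_text(text: str) -> str:
    """Remediation pass: same content with every PAN masked, newlines preserved."""
    return "".join(redact_line(l) for l in text.splitlines(keepends=True))


# Constructed sample "files": a debug log and a spreadsheet export. The order
# number on the second log line is 16 digits but fails Luhn, so it is not reported.
SAMPLE_FILES = {
    "app-debug.log": (
        "2024-03-01 10:14:02 DEBUG checkout payload card=4111 1111 1111 1111 exp=12/27\n"
        "2024-03-01 10:14:03 INFO  order 7894561230123456 created\n"
    ),
    "customers-export.csv": (
        "id,name,pan\n"
        "1,A. Kumar,5500-0000-0000-0004\n"
        "2,B. Rao,not on file\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no}: {f.masked}  | {f.context}")
```

Running it reports one hit in each sample file (the Visa and Mastercard test numbers), masked as `411111******1111` and `550000******0004`, while the Luhn-invalid order number is ignored. Replace `SAMPLE_FILES` with whatever your file walker, mailbox export or database dump yields as text, and feed `redact_text` to the remediation step when the retention review says the copy should not exist.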
1. Know Your Files
When you are dealing with a file, it is important to know if it contains sensitive data. Some tips to help with this include:
2. Evaluate Your Retention Needs
When you have finished using/reviewing a file that contains sensitive data, it is important to consider if the file needs to be retained.
3. Erase Sensitive Data That Is No Longer Needed
If you have files that contain sensitive data and do not have to be retained, delete them; with sensitive data, less is more. Prioritize unencrypted copies, and remember that moving a file to the recycle bin is not erasure: it is one of the places where scans routinely turn up sensitive data.
4. Protect Sensitive Data That Must Be Preserved
If sensitive data needs to be retained, then it should be protected. Some simple steps that you can take to help improve the security of sensitive data include:
Data discovery is not a one-time activity. Running a data discovery program and observing a few basic habits go a long way toward preventing accidental data exposure and data breaches.
If you would like to see how SISA Radar helps with data governance and compliance, sign up for a free trial of the data discovery tool.