I hear it from clients all the time: “Securing sensitive data is paramount to any organizational setup,” they say. I never deny it. In fact, you’ll find me flashing a thumbs up in solidarity every time such a debate pops up.
But then they tell me about their struggle to secure their customers’ and employees’ sensitive data. They tell me they want to grasp the ins and outs of this phenomenon, but it’s always been a futile endeavor. They confess that the many blogs they’ve encountered on this issue have barely scratched the surface. What a pity!
The end result? A namby-pamby grasp on a topic that’s otherwise been shaking the very foundations of data security across the world for a long, long time. Case in point: Stolen user credentials were the initial attack vector in 20% of all breaches in 2021, and those breaches cost an average of $4.37 million each.
Here’s what I think. The what, why and how of securing sensitive data is a topic that’s never really been explored in its entirety. Eek. Thankfully, this MOVEit blog seeks to answer all of these questions and more—and in a way that’ll leave no eyebrows raised (cheers, data security aficionados).
The What: Sensitive Data Is Much More Than Those Flashy Credit Card Numbers
If you’re like most people, your grasp of the term “sensitive data” hardly goes beyond account credentials and credit card numbers. Throw in names, birthdates and email addresses, and that’s probably the best definition of sensitive data you’ve ever come across on the net.
Spoiler alert: They lied to you.
In its most basic form, sensitive data is essentially an individual’s personal information. But as with any definition, there’s a lot more than meets the eye. Dissected further, sensitive data is either data that reveals confidential information, protected health information (PHI), or personally identifiable information (PII).
There’s more. Sensitive data tends to take on a completely different meaning in the business world. Things like trade secrets, financial plans, as well as research and development assets are all regarded as highly-sensitive pieces of information. Why? Because they’re inherently classified as high risk, which means their unintended disclosure could constitute a serious breach of security, confidentiality and privacy.
You’re with me so far, I hope? But it would be unfair to go any further without looking at some key examples of sensitive data:
- Credit/debit card information
- Social security numbers (SSNs)
- Credit history
- HR records
- Intellectual property & trade secrets
- Account credentials
- Contact details
- Income and loan history
- Medical data
- Biometric identifiers
- Employment history
- Sealed bids
- Credit rating
- Email addresses
- Racial or ethnic data
- Sexuality or gender information
- Religious or philosophical beliefs
- Political opinions
In the European Union (EU), the terminology is a little different. The GDPR uses “personal data” for any information relating to an identifiable person, and reserves “special categories of personal data” for the most sensitive items on the list above: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and genetic and biometric data. Those special categories may only be processed under narrow exceptions, which is the legal expression of just how “personal” and confidential this data is.
From here on out, the intricacies of sensitive data will only get more complex (or should I say juicier?). For example, did you know that sensitive data policies in the EU and the US differ considerably? While the former has an overarching law in the form of the GDPR (General Data Protection Regulation), the latter has a patchwork of different data protection regulations that apply to different industries, sectors and territories.
These include (but are not limited to):
HIPAA (Health Insurance Portability and Accountability Act): First signed into law in 1996, HIPAA’s Privacy Rule and Security Rule set out how protected health information (PHI) must be handled and safeguarded by covered entities and their business associates.
PCI DSS (Payment Card Industry Data Security Standard): A set of requirements intended to ensure that every company that processes, stores or transmits cardholder data maintains a secure environment. Strictly speaking it is not a law but an industry standard, enforced through contracts with the card brands and acquiring banks; non-compliance is still punished, through fines and ultimately the loss of the ability to accept cards.
GLBA or GLB ACT (The Gramm-Leach-Bliley Act): Forget the fancy name; GLBA is as precise as data regulations can get. Also known as the Financial Modernization Act of 1999, this regulation aims to hold financial institutions accountable for how they share and protect their customers’ private information.
Enough about the ‘what’ of securing sensitive data. Let’s now shift gears and focus on the ‘why’ (hint: the figures in here will have you scrambling for a glass of water).
The Why: Reasons Why You Should Be Securing Your Company’s Sensitive Data ASAP
It’s 2022, folks! It’s the (sad) age of hackers and sophisticated breaches that are capable of bringing down even the sturdiest of defenses. If anything, data security should be a top priority for every security-conscious business—not an afterthought. However, if you still need a refresher, these seven reasons will have you nodding along.
1: Data Equals Trust
If recent breaches have shown us anything, it’s that the fallout for organizations can be far greater than just legal repercussions.
People generally expect that companies will safeguard their sensitive data, so any loss of this trust can have huge ramifications for future customers, and ultimately a business’ bottom line.
2: No Business Is Immune to Cyberattacks
Want to know what mistake most small and medium-sized businesses make, other than being flat-out unrealistic with their goals?
That’s right—assuming that they are not large enough to be hacked.
Newsflash: There’s nothing that hackers relish more than breaching the feeble defenses of small businesses.
Why? Because such enterprises lack the resources (and the know-how) to counter or contain the high-caliber attacks orchestrated by malicious actors.
A big company can at least handle the financial burden caused by a seismic data breach, but even they are not immune to the reputational damage that’s likely to ensue.
Remember the well-publicized Equifax data breach in 2017 that exposed the data of 143 million US consumers (a figure later revised to about 147 million)? The one that initially cost the company a staggering $87.5 million? Well, almost two years after the breach, the company was still suffering from its aftermath. How’s that for reputation damage?
3: Cyberattack Attempts Are at All-Time High
Every 39 seconds, there is a new attack somewhere on the web, and by one commonly cited estimate around 4,500 of the attacks launched each day succeed.
Yes, you read that right.
Here’s yet another bombshell: 450,000 new pieces of malware are being created daily, ranging from Trojans to viruses to adware, and they are all after your customers’ sensitive data.
If this whole melodrama would fit into a single movie, it would probably be called “Rambo – The Final Battle.” Chaos after chaos after chaos.
4: Hackers Have Upped Their Game
Hackers are continuously looking to add to their armory, and that means they never stop until they’ve found a quick, efficient and foolproof way to steal innocent people’s sensitive data. Heck, they’ve even automated their attacks to make sure they’re consistently launching invasive attacks without having to lift a finger.
Just recently (April 2021, to be exact), Forbes published an article warning business owners about the meteoric rise of automated bot attacks. The International Security Journal (ISJ) followed suit soon after, assertively cautioning all and sundry against taking the deadly bot for granted.
The sad part is that these automated attacks are here to stay, and they’re incredibly good at avoiding detection. The fight against this nemesis can’t come soon enough.
5: Protecting Sensitive Data is Your Responsibility
This is probably one of those declarations that doesn’t sit well with most people. However, for most data owners (any business owner, and probably the CISO, IT director, or CIO) it’s a no-brainer. It’s the law.
Under U.S. state and federal data privacy laws, it’s your responsibility as the data owner to protect your employees’ and customers’ sensitive data against theft, intrusion or destruction.
It’s that simple.
Failure to comply with these regulations could get you into the authorities’ bad books. Phew. Don’t you think that’s too high a price to pay for sheer ignorance and neglect?
6: Job Losses
If it’s really your responsibility to worry about data breaches, you could be forced to take the blame for any repercussions. Take the infamous Uber 2016 scandal, for example. The then-chief security officer Joseph Sullivan was charged with covering up a data breach that compromised the personal information of 57 million users and drivers.
In other high-profile cases, top-level executives at Equifax, Yahoo and Target have paid for security intrusions with their jobs.
Gone are the days when the importance of data security was considered a ‘techie’ concern. Today more than ever, data security should be treated as a company-wide concern and an essential part of your organization’s business infrastructure.
7: It’s the Right Thing to Do
All said and done, the question of securing sensitive data from the prying eyes of malicious actors really boils down to morals. How would you sleep at night knowing that your customers’ most personal data is at the mercy of hackers? Wouldn’t it disturb your conscience knowing that you truly could have done better to tighten your defenses?
If not for nothing else, do it because it really is the moral thing to do.
The How: Unraveling Exactly What It Takes to Secure Sensitive Data
So far, so good. The ‘what’ and the ‘why’ of this phenomenon are already behind us; it’s now time to tackle the gist of the matter: How can you actually secure sensitive data?
Fret not—we’ve done enough digging to guarantee a bevy of actionable tips in here. Your only job is to read to the very end (Got it? Perfect).
1: Take Secure File Transfer Seriously
It’s the age old dilemma: Should you safeguard in-transit data as you would when it’s at rest?
The answer is a resounding yes!
Most companies mistakenly assume that data in transit doesn’t need as much oversight, control and security as data at rest, and that’s where they miss the mark. The truth is that data in transit, especially the sensitive type, is exposed to a mind-blowing variety of risks, including:
- Insecure transfer of data to unauthorized USBs and unsafe websites.
- Exposure of data transferred within the organization caused by excess user rights.
- Eavesdropping attacks that intercept data packets sent via the internet.
- Excessive or unnecessary information sent to partners, vendors, and other external stakeholders.
- Data loss resulting from stolen USB devices and other storage media.
It’s easy to jump on the EDI (Electronic Data Interchange) bandwagon, but EDI is a message format, not a security control. When those messages travel over legacy channels such as plain FTP or unencrypted e-mail, everything in them is readable to anyone sitting on the path, and any unstructured files sent alongside them are just as exposed. It’s a piece of cake for today’s attacker, really.
If you’re going to secure sensitive in-transit data, you need a platform that handles both structured and unstructured data without compromising on security. Plus, you need a transfer ecosystem that doesn’t require a lot of translation. That’s where Managed File Transfer (MFT) technology comes in.
With an MFT-first tool like MOVEit from Progress, you are assured of a single, secure and translation-free automated solution with a single pane of glass to view all transfer activities. Never will you have to sit on thorns wondering whether your sensitive pieces of data actually got to the other endpoint unperturbed.
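Whatever tool moves the files, the worry about whether they “got to the other endpoint unperturbed” is one you can settle yourself. The following is an added example (not part of the original post and not MOVEit’s code): the sender hashes every file into a manifest and signs the manifest with an HMAC key shared out of band, and the receiver recomputes the hashes and checks the signature in constant time. The file names, contents and key are constructed for the demo.

```python
"""Added example: check that files pulled from a transfer server arrived intact
and unmodified. The sender publishes a manifest (file name -> SHA-256) and
signs it with an HMAC key shared out of band; the receiver recomputes every
hash and checks the signature in constant time. File names, contents and the
key are constructed for the demo and are not from any real system."""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed stand-in for files fetched from the transfer server.
SENT_FILES: Dict[str, bytes] = {
    "payroll_2022-03.csv": b"employee_id,net_pay\n1001,4210.55\n1002,3980.00\n",
    "vendors.json": b'{"acme": {"iban": "DE89370400440532013000"}}\n',
}
# Hypothetical shared secret; it must travel separately from the files themselves.
MANIFEST_KEY = b"example-shared-secret-rotate-me"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(entries: Dict[str, str]) -> bytes:
    """Fixed serialization so sender and receiver MAC exactly the same bytes."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes) -> dict:
    """Sender side: hash every file, then HMAC the canonical manifest."""
    entries = {name: sha256_hex(content) for name, content in sorted(files.items())}
    tag = hmac.new(key, canonical_bytes(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def verify_transfer(files: Dict[str, bytes], manifest: dict, key: bytes) -> List[str]:
    """Receiver side: returns a list of problems; an empty list means the transfer is clean."""
    expected = hmac.new(key, canonical_bytes(manifest["files"]), hashlib.sha256).hexdigest()
    # compare_digest is constant-time; a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # Nothing in the manifest can be trusted past this point, so stop here.
        return ["manifest signature invalid: manifest altered or key mismatch"]
    problems = []
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            problems.append(f"content mismatch: {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unexpected extra file: {name}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SENT_FILES, MANIFEST_KEY)
    print("clean transfer:", verify_transfer(SENT_FILES, manifest, MANIFEST_KEY))

    # Someone on the path edits a salary figure: the hash no longer matches.
    tampered = dict(SENT_FILES)
    tampered["payroll_2022-03.csv"] = tampered["payroll_2022-03.csv"].replace(b"4210.55", b"9210.55")
    print("tampered payload:", verify_transfer(tampered, manifest, MANIFEST_KEY))

    # They also rebuild the manifest to match, but without the key the tag fails.
    forged = build_manifest(tampered, b"not-the-real-key")
    print("forged manifest:", verify_transfer(tampered, forged, MANIFEST_KEY))
```

A bare list of hashes, without the key, only catches accidental corruption: an attacker who can alter files on the path can just recompute the hashes. The keyed MAC (or a digital signature) is what makes the manifest vouch for the sender. This check covers integrity and authenticity only; keeping the payroll figures confidential while they cross the network is still the job of the transport (TLS or SSH).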
2: Encryption, Encryption, Encryption (With a Bit of MFA Magic!)
More than just a buzzword, encryption should really be the anthem for all businesses out there seeking to exhaustively secure sensitive data.
At its core, encryption tackles two of the biggest data protection risks in today’s economy: a workforce that’s always on the move and the rapid surge of remote work. With laptops and phones frequently leaving the safety of company networks, full-disk or file-level encryption ensures that, if a device is lost or stolen, the sensitive data on it stays unreadable to whoever ends up holding it.
For many IT and business leaders, however, encrypting sensitive data everywhere, in transit and at rest, has felt like a distant, untenable goal. Part of the trouble is that encryption gets treated in isolation from multi-factor authentication (MFA). The two solve different problems and only work as a pair: encryption keeps data unreadable to anyone who does not hold the key, while MFA decides who gets to log in to the systems that hold the key and the plaintext.
To borrow a simple analogy, encrypting sensitive data without MFA on the accounts that can reach it is a bit like locking your valuables in the glove box but leaving the car unlocked. Anyone can climb in and work on the glove box at their leisure, and a reused or phished password is exactly that unlocked car door.
Now I know what you’re thinking: “So all I need to do is switch on both of these and I’ll be all sorted?”
Not quite. There’s one more thing you have to do. One more.
Enforce MFA on every path that reaches the decrypted files or the keys, not just the web login: administrator consoles, SFTP and API accounts, and any integration that pulls files automatically. A password-only service account that can download the same files quietly undoes the whole arrangement.
Progress’s MOVEit Transfer does exactly that, with top-of-the-line MFA capabilities that enable you to securely control user access—whether the data in question is in transit or at rest. The icing on the cake is the single sign-on functionality that’s always available on the go.
3: Put Your Employees at the Heart of Your Data Security Program
You probably don’t need to hear this right now, but the truth is that your employees could be the Achilles’ heel of an otherwise robust data security program. In fact, research has it that 71% of employees inadvertently share sensitive and business-critical data using instant messaging and business collaboration tools. Quite a sad statistic, don’t you think?
The key here is to roll out a well-thought-out security training program. It should be straightforward enough to allow for easy grasp, but still in-depth enough to touch on all key aspects of securing sensitive data. Everyone in your organization needs to be acquainted with this hot topic as well as the protocols and best practices that come along with it.
4: Create and Implement Robust BYOD Policies
Bring your own device (BYOD) policies have surged in popularity in recent years. In fact, 82% of companies today let employees use personal devices for work. But there’s a caveat here: Most BYOD policies are so feebly set up that they provide a freeway for hackers to infiltrate company networks and wreak untold havoc.
If only companies could chart the path less traveled and actually give their BYOD policies a complete shakeup…
As a starting point, any BYOD policy worth its salt should include:
- Supported (and unsupported) device types
- Allowed and banned apps
- A robust security policy
- A service/support policy
- An employee exit protocol
- The rules for wiping devices
- An acceptable use policy
- Guidance and education material
Of course, you could add more to this document. In the meantime, though, use these as your absolute North Star in your quest to secure sensitive data.
5: Only Save What’s Absolutely Necessary
Yet another pointer that sounds like a no-brainer but is grossly ignored. The more information you collect about your customers and employees, the more resources you need to protect it. Companies often retain more sensitive information than is necessary, and their customers are the ones who bear the brunt if a data breach occurs.
To limit what hackers could steal, only save the information you absolutely need to keep your business afloat. Everything else is junk and needs to be disposed of correctly.
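Before you can dispose of what you don’t need, you have to find out what you actually hold; most of the categories listed under “The What” above end up in free-text fields nobody planned for. This added example (not part of the original post and not MOVEit’s code) scans constructed CRM-style records for Social Security numbers and Luhn-valid card numbers, masks the hits so the audit report is not itself a leak, and trims each record down to an assumed allow-list of fields. The records, the field names and the retention policy are all made up for the demo; the card number is a well-known test number.

```python
"""Added example: find card numbers and SSNs lurking in stored records so they
can be purged, and trim each record down to the fields the business needs.

All records below are constructed; the card number is the well-known Visa
test number and the field names are assumptions, not a real schema."""
import re
from typing import Dict, List, Set, Tuple

# SSA rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample records, as they might sit in a CRM export.
RECORDS = [
    {"customer_id": "C-1001", "email": "ana@example.com",
     "notes": "card on file 4111-1111-1111-1111, ok to charge", "order_ref": "1234567890123456"},
    {"customer_id": "C-1002", "email": "ben@example.com",
     "notes": "SSN 123-45-6789 collected for credit check", "order_ref": "2345678901234567"},
    {"customer_id": "C-1003", "email": "cy@example.com",
     "notes": "ticket 000-12-3456 (not an SSN: area 000 is never issued)", "order_ref": "3456789012345678"},
]
# Hypothetical retention policy: the only fields the business has a reason to keep.
KEEP_FIELDS = {"customer_id", "email", "order_ref"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: weeds out order numbers and other digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Returns (kind, raw match) pairs for every SSN or Luhn-valid card number in the text."""
    found = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in PAN_CANDIDATE_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            found.append(("pan", m.group()))
    return found


def mask(value: str) -> str:
    """Keep only the last four digits so the audit output does not become sensitive data itself."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def audit_records(records: List[Dict[str, str]], keep_fields: Set[str]) -> List[Tuple[str, str, str, str, str]]:
    """Lists every sensitive value found, with the action the retention policy implies."""
    report = []
    for rec in records:
        for field, value in rec.items():
            for kind, match in find_sensitive(str(value)):
                # A hit in a field we keep anyway needs a human look; a hit elsewhere gets purged.
                action = "review" if field in keep_fields else "purge"
                report.append((rec["customer_id"], field, kind, mask(match), action))
    return report


def minimize(record: Dict[str, str], keep_fields: Set[str]) -> Dict[str, str]:
    """Drops every field the policy does not justify keeping."""
    return {k: v for k, v in record.items() if k in keep_fields}


if __name__ == "__main__":
    for row in audit_records(RECORDS, KEEP_FIELDS):
        print(row)
    for rec in RECORDS:
        print(minimize(rec, KEEP_FIELDS))
```

The Luhn check matters more than it looks: without it, every sixteen-digit order number and tracking code in the data set shows up as a false positive and the audit gets ignored. In practice you would run this over database exports and file shares, then follow up with the owners of the offending fields rather than deleting silently.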
The Future of Securing Sensitive Data is with MOVEit
You might be wondering why we keep mentioning MOVEit by Progress time and again. Well, it’s because we’re extremely proud of the tool it’s become—an industry leader in data security.
Get ahead of the curve with an award-winning MFT platform that doesn’t just secure in-transit data; it secures it while at rest too. The whole package comes with advanced security features and proven encryption (FIPS 140-2 validated AES-256 cryptography) that adds the much-needed layer of security around your files.