Can You Identify Your Sensitive Data? Here's Why You Need to Protect It

Modern businesses, even those in traditional markets, are awash with data. What may have started as a single spreadsheet or a folder of key documents has exploded into fast-growing data files covering employees and customers, databases of parts and materials, finance records and collaborative cloud servers full of marketing and operational processes. All are key to the day-to-day running of any SMB or enterprise.

What is sensitive data?

While all data is important, sensitive data is that which has critical operational value to the business or is protected under regulatory schemes. Wide-spanning regulations such as the California Privacy Rights Act (CPRA) or the European Union’s General Data Protection Regulation (GDPR) can impact businesses around the world, and come with hefty fines for loss or misuse of data.

As companies grow fast (or in recent times as distributed organizations with teams spread around the globe), knowing where that data is located is vital. Database admins, CIOs or CISOs are typically charged with data security, identifying where it resides and ensuring that it meets industry/financial compliance and government regulatory requirements.

Then there’s the risk of old but still valid data being left on servers, and of teams creating ad hoc data files for their projects out of sight of IT and the business leadership. All of this creates a high-risk scenario that can be exposed through an inadvertent leak, a malicious hack or one user taking files with them when they leave the business. 

The danger of unidentified sensitive data

With ever-growing stores and volumes of data, the risk increases that the business will lose track of it. And with data migrating to the cloud, busy employees run the risk of not informing IT or assigning someone to take responsibility for protecting it.

All of this can leave data unprotected and easily compromised by hackers, criminals or insiders. Take for example the many buckets of Amazon AWS data left exposed over the years, with terabytes of business files just waiting to be uncovered.

Before the cloud-data goldrush triggered by COVID-19, Gartner reported in 2019 that 90% of organizations that fail to control public cloud use will inappropriately share sensitive data. During the pandemic, hackers had a field day as companies set up ad hoc cloud services to enable remote working and to respond to the many operational challenges they faced.

Just what is sensitive data?

All data is sensitive in some way, but in the eyes of the law, sensitive data includes financial information that identifies people by their race, union or military status or any biometric or medical information. Data that’s required for business or government use, including accounts, contracts, business plans, military contract details and so on are all highly sensitive.

Those working in finance and health should already be highly aware of the data safety and governance requirements such as the Health Insurance Portability and Accountability Act (HIPAA) and the US Department of Defense Cybersecurity Maturity Model Certification (CMMC) standards. These create a baseline for data governance and security, but those in other markets should look for similar best practices to follow.

Enabling data governance

To identify your business data, an audit is required of every department, team and service (with automated systems creating much of today’s data). The audit must have a top-level sponsor responsible for ensuring access across all systems, delivering the results within a reasonable time frame and ensuring the project is implemented successfully.

Fortunately, as with most modern business applications, there is a service for that. Data governance solutions can identify data in use, scan databases for key metadata and create a list of operational data sources for the business to secure, ensure that files are backed up and protect them from unauthorized access and use.

This doesn’t just help businesses comply with data legislation solutions; applications like Quest’s Sensitive Data Governance solution help the business identify data silos that could impact efficiency, identify users who should or shouldn’t have access to files and ensure that suitable backups and protections are in place to protect the data.

Data intelligence and literacy help the business get to grips with what data it has, define what is sensitive and use metadata to tag files creating an accurate model of the businesses’ data usage.

With a clear view of what data is in use, the business can protect that data, apply governance procedures to it and ensure it’s used for the greatest business benefit. Governance leaders should drive efforts to assess and discover security risks, implement appropriate data protection measures and automate the process of discovering and reporting sensitive data.

For absolute clarity, governance refers to a management process – one that ensures that data is secure, available and usable through data standards and policies. Everyone in the business should understand these rules and why they’re in place, and when new data stores are created, those rules are followed to protect the business and those responsible for managing data.

With the increasing risk of accidental leaks as more users and partners work with data, your business data will be exposed at some point. Being in compliance with whatever regulations apply to your organization is vital and can limit the financial impact of a breach.

Beyond understanding your own business, data governance leaders need to keep an eye on the changing trends in data management, as it becomes a global tool for business and as rules change and new legislation is applied across a changing and increasingly complex landscape.