Key elements of a secure, sensitive information sharing strategy

sensitive information sharing strategyIt’s been said, data is like the new oil. What does this mean exactly? Like oil, data is a commodity. But unlike oil, the value of data isn’t susceptible to supply and demand. Data is always in demand. Why? Data provides understanding. And the conclusions that are drawn from understanding can be optimized or, even better, monetized.

Take for example an online retailer of baby products. If a customer buys infant pajamas, the retailer can deduce they might also need a baby monitor or a night light. The retailer will suggest these items upon check out and in doing so increase the likelihood of additional purchases. They can also deduce that, in 12 months’ time, the customer might need walking shoes for the baby. And 24 months after that, a tricycle. After that, the retailer may partner and share its data with complementary businesses like pre-schools, pediatric ophthalmologists and zoos.

In addition to buying history, there is also the more banal data – yet, in many ways more valuable data to hackers – like names, credit card numbers, expiration dates, mailing addresses, billing addresses, and more. Medical information, especially patient records, is a specific class of sensitive data, protected by regulations like HIPAA. All together it’s not difficult to see data is more than a valuable commodity, it is a digital asset.

Like other assets, sensitive data needs to be protected. Data security is not only good business practice but in many highly-regulated industries like healthcare and financial services, it’s required. Data breaches involving hackers identifying vulnerabilities in an IT network, employees being duped into opening an attachment containing malware or ransomware, or departing employees taking customer or product information to a competitor are just some examples of ways organizations can lose valuable data. Coincidentally, these are also ways organizations can lose customers and brand equity and increase the risk of fines from regulators.

So, what can organizations do to ensure their sensitive information stays secure, not just when it’s stored but also when it’s shared externally with trusted partners such as management consultants, lawyers, co-marketing partners or third party data analysts?

Here are a few key steps that will not only enable organizations to reduce the risk of a breach of private information, but also demonstrate to regulators or auditors that they have the appropriate governance controls in place to protect that information.

Know where your data is stored

As organizations grow, they accumulate more data and require more places to store that data, both on-premises and in the cloud. Microsoft SharePoint and OneDrive for Business, OpenText, Box, Dropbox, Google Drive, home drives, and Windows File Shares are just some of the many content repositories where users might store their data. It’s imperative for organizations to know – and be able to demonstrate – where sensitive information is stored across this increasingly expansive landscape.

Certain regulations, for example GDPR, require that data stays in a specific country or region. Customer data, contracts, personnel files, sales forecasts, patent applications, financials – if organizations know where these files are stored, they can control who has access to them and monitor what’s happening with them. If they don’t know, then it’s anyone’s guess. This explains why some data breaches go undetected for months or even years. Ultimately, you can’t protect something if you can’t find it.

Know who has access to your data

Not every employee should have access to every file in the organization, and as files are shared beyond enterprise borders it becomes even more crucial to control access. If access to the systems holding your sensitive information can’t be managed, you have a significant governance issue. It should be noted that permissions to sensitive information can (and should) vary. Some employees or business partners may require full access to content (edit, download, share, etc.) whereas others should have view only access and be prevented from downloading or sharing.

It should also be noted that permissions are only the first step to protecting sensitive information. Security features like multi-factor authentication ensure the individual requesting access is not misrepresenting their identity, and Data Loss Prevention (DLP) technology can be integrated with file sharing to define policies to control when and how sensitive data is sent outside the organization, further mitigating the risk of unauthorized access.

Know exactly what’s happening with your data

A critical extension of knowing where your data is stored and who has access to it is knowing what is being done with it. The ability for organizations to have full visibility into all file activity, as well as the ability to share this activity with auditors, regulators, law enforcement agencies and legal teams is critical for identifying data leaks and demonstrating compliance with industry regulations.

Suppose prior to resigning, an employee started opening, downloading, forwarding and printing lots of files he hadn’t accessed previously. While he may have been authorized to access that content at the time, should some of this data later be found to have been leaked, the logs of this former employee’s activity will be valuable in identifying the source.

In cases of a compliance audit, whether to confirm internal policies are being followed, or to satisfy specific regulatory requirements, knowing the details of who signed in, from what device, and precisely what he or she viewed, edited or downloaded is crucial to proving controls are in place.

Having the knowledge of where your organization’s sensitive information resides, which employees and business partners have access to it and what they are doing with it enables organizations to mitigate the risk of a data leak and demonstrate compliance with regulators. It also gives organizations a sense of control over their data, which is increasingly harder to do when the amount of data is increasing exponentially.