Allow me to state the obvious: Data is everywhere.
While it may sound basic to the point of insulting, it’s something even the best Compliance Officers can overlook. Without the proper controls, data can create major gaps — in privacy, security, even operations — that could put company assets at risk.
Only once your organization understands what data is stored where, who can access it and who has accessed it in the past, can you make educated decisions about where it should live.
But a broadly accepted rule in this area causes a lot of problems: the belief that data contained in a highly secure system needs fewer controls than data located in a cloud environment or on a broadly available corporate intranet. This belief creates an illusion of security, or what I like to call “security by obscurity.”
The Riskiest Data Is Right Under Your Nose
Many systems with database back-ends, such as CRM, financial management or accounting systems, have excellent access controls and security trimming. Administrators can easily track and limit system accessibility and build in appropriate levels of permissions for employees’ role-based access.
However, one of the overlooked risks of these systems is a stunning lack of transparency into the data employees are actually putting into them. This lack of insight may create as much risk as, or even more than, the unstructured data (or dark data) that often sits on file shares, SharePoint sites or your corporate intranet.
Don't Believe Me? Common Business Scenarios
Consider these scenarios involving customers and an employee with access to a PCI-compliant system.
A customer says: “I am tired of having to give you the security code of my credit card for each transaction, so please save it in the system.” Your employee then saves the security code. After all, this small detail helps maintain the company-client relationship and allows the end user to be more productive — good for the customer and good for the company, right?
What about sensitive personally identifiable information, or sensitive PII, as defined under the EU General Data Protection Regulation (GDPR)? Imagine an account executive saves information in the system within the “notes field” associated with their client. This could be anything they learn through various conversations over time, such as political affiliation or specific family-related information.
Sensitive PII (be it personal or financial information) about customers and employees may be lurking in databases, tables, rows and columns — all without IT admins’ knowledge. While the data itself may not necessarily create a problem, it’s the assumption that the data is absent that may put organizations at great risk.
Because these database-driven systems contain their own access controls, we often leave them out when evaluating risk, even though they may hold potentially risky financial, health, International Traffic in Arms Regulations (ITAR) or GDPR-regulated data.
Or even worse, we don’t consider what happens when a rank-and-file employee simply runs a report from one of these systems. That report becomes an Excel spreadsheet or a Microsoft Word document, which is then saved on a laptop, a network drive or SharePoint, or emailed around to several other people within the organization.
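The scenarios above (a card security code saved in a notes field, GDPR special-category details in free text, and the same records leaking out again through an exported report) all come down to the same defensive question: can you find sensitive values in the columns your access controls never look inside? The following script is an added example, not code from the original post or from any product it mentions. It builds a constructed in-memory SQLite table standing in for a CRM, scans its free-text columns for Luhn-valid card numbers, security codes stored next to a "CVV"-style label, and keyword hints of GDPR special-category data, and then scans a CSV export of the same table to show that the report carries the findings with it. The table name, column names, sample rows and keyword list are all assumptions chosen for the demonstration.

```python
import csv
import io
import re
import sqlite3

# Constructed sample rows standing in for a CRM "accounts" table. Row 1 holds a
# Luhn-valid test card number and a CVV; row 2 holds a 16-digit order reference
# that is NOT a card number; row 3 holds GDPR special-category hints in free text.
SAMPLE_ROWS = [
    (1, "Acme Corp", "Prefers email. Card on file 4111 1111 1111 1111, CVV 123 per customer request."),
    (2, "Globex", "Order ref 1234567890123456 shipped Tuesday."),
    (3, "Initech", "Spouse works nights; customer mentioned union membership at last call."),
    (4, "Umbrella", "Nothing sensitive here."),
]

# 13-19 digits, optionally separated by spaces or dashes; Luhn check filters false hits.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# A 3-4 digit number within a few characters of a CVV/CVC/security-code label.
CVV_RE = re.compile(r"\b(?:cvv|cvc|security code)\b[^0-9]{0,10}(\d{3,4})\b", re.IGNORECASE)
# Assumed keyword list hinting at GDPR Article 9 special categories; tune per organisation.
SENSITIVE_TERMS = ("union", "political", "religio", "health", "spouse")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Classify one free-text value. Only the last four PAN digits are kept in the report."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", "****" + digits[-4:]))
    for _ in CVV_RE.finditer(text):
        findings.append(("CVV", "***"))   # never copy the code itself into the report
    lowered = text.lower()
    for term in SENSITIVE_TERMS:
        if term in lowered:
            findings.append(("GDPR_SPECIAL_CATEGORY_HINT", term))
    return findings


def _ident(name: str) -> str:
    """Allow only plain identifiers, since table/column names cannot be bound as parameters."""
    if not IDENT_RE.fullmatch(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def scan_sqlite(conn, table: str, text_columns, id_column: str = "id") -> list:
    """Walk the named text columns of a table and report which rows/columns hold sensitive data."""
    cols = ", ".join(_ident(c) for c in [id_column, *text_columns])
    report = []
    for row_id, *values in conn.execute(f"SELECT {cols} FROM {_ident(table)}"):
        for col, value in zip(text_columns, values):
            for kind, detail in scan_text(str(value or "")):
                report.append({"source": table, "row": row_id, "column": col, "kind": kind, "detail": detail})
    return report


def export_report(conn, table: str, columns) -> str:
    """Simulate an employee running a report: dump the table to CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(columns)
    cols = ", ".join(_ident(c) for c in columns)
    for row in conn.execute(f"SELECT {cols} FROM {_ident(table)}"):
        writer.writerow(row)
    return buf.getvalue()


def scan_csv_text(csv_text: str, source: str = "report.csv") -> list:
    """Scan an exported report; row numbers are CSV line numbers (header is line 1)."""
    report = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for col, value in row.items():
            for kind, detail in scan_text(value or ""):
                report.append({"source": source, "row": line_no, "column": col, "kind": kind, "detail": detail})
    return report


def build_sample_db():
    """Create the constructed in-memory CRM table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, notes TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for f in scan_sqlite(db, "accounts", ["name", "notes"]):
        print(f)
    exported = export_report(db, "accounts", ["id", "name", "notes"])
    for f in scan_csv_text(exported):
        print(f)
```

The scan reports row, column and data class but redacts the values themselves, so the findings file does not become a second copy of the card data. In practice the same `scan_text` routine can be pointed at file shares and mailbox exports, which is where the post says the report copies end up; the database walk and the CSV walk differ only in how rows are enumerated.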
Visibility Is Key to Safeguarding Your Data
While we’re helping information workers access data quickly to perform tasks, they’re often not armed with the right information, technology or training to do so safely. This is a tremendous task for IT administrators and organizations at large, but also a tremendous opportunity for security and privacy professionals to help the organization collaborate, contribute and innovate in ways that are secure.
Essentially, ensuring information is available to those who should have access to it, but protected from those who shouldn’t, is key to maintaining a healthy dataset, even in controlled environments. And ensuring this boils down to having visibility.
Organizations must consider data across all information systems and gateways, whether unstructured or structured. Don’t focus only on “building walls” around the perimeter to keep people out and keep information in. The challenge with this approach is that as you build a 10-foot wall, your opponent brings an 11-foot ladder. By the time disaster strikes, you may not be able to adequately assess or understand your corporate risk.
Don’t fall into the illusion of security by obscurity. Instead, have a solid understanding of all the data you hold. At rest or in motion, data sits in complex database-driven systems and flows through file shares, websites, web applications, SharePoint sites, communication systems and social systems.
By thinking holistically about managing compliance and maintaining data visibility, the walls become less and less penetrable.