The Point | Cybersecurity Blog for Defendify

It’s Ok To Be Sensitive, Our Data Sure Is

Written by Defendify | November 03, 2017

It’s true, we all have a sensitive side. Especially when we’re talking about data. Believe us when we say, every organization has sensitive data. Whether you operate a manufacturing business, law firm, dental practice, or hair salon, you have confidential information hackers would love to get their hands on.

What exactly is “sensitive” data?

Wikipedia defines the word “sensitive” as “quick to detect or respond to slight changes, signals, or influences.” That might be a great way to describe your life partner or coworker, but probably isn’t exactly what comes to mind when you think about your data. Thankfully it also defines it as “kept secret or with restrictions on disclosure to avoid endangering security.”

Credit card and social security numbers are obvious examples. And every business has some mix of the following:

  • Customer information
  • Employee records
  • Legal documents
  • Login credentials
  • Financial data

There’s of course a lot more than that. For some, it is obvious, like a healthcare provider facing HIPAA compliance maintaining medical records and storing personally identifiable information (PII). For others, it may not be so clear. Data can come in all forms, like system designs, business processes, or other intellectual property.

So how do you determine if your data is sensitive?

Simple, try this data-sensitivity spot test: Ask yourself and your team this question, “Is this information something we'd like posted on a website that everyone can look at?” If the answer is No, then it’s safe to consider sensitive and should be protected. Yes, it can be that easy! Let’s give it a try, a couple of basic examples:

  • Your sales team has brochures outlining your products and services. They are handed out at trade shows and to prospects every day. Would you care if these were posted online somewhere for the whole world to see? Of course not, in fact they might be posted on your website already. No additional security controls required…NOT SENSITIVE!
  • You have a spreadsheet detailing customer names, decision makers, and purchases. Would you care if it was posted online somewhere for the whole world to see? Of course, for legal purposes and you surely wouldn’t want it in the hands of your competitors. Better make sure that spreadsheet is stored very safely and with proper access levels…DEFINITELY SENSITIVE!

Some other examples that you may not have considered:

  • Engineering drawings (e.g. facilities, network designs, device schematics)
  • HR records (e.g. employee reviews)
  • Company presentations and projections
  • Annual strategic plans
  • Purchase and sale agreements
  • Proprietary manufacturing processes
  • Building management device layouts (e.g. security systems, IT systems)
  • Recipes (e.g. food manufacturing, restaurants)
  • Price lists and pricing calculators

These are just a few to think about, the list varies with every business depending on industry, size, location, customer types, etc.

Defining what is sensitive in your business and how it is protected is vitally important.

Data is everywhere. It can help to try thinking about it through the key layers of cybersecurity:

  • Framework: Develop policies and incident response plans that protect the data. Conduct testing (e.g. ethical hacking) to ensure that the data is properly protected from an attack.
  • Culture: Educate and train your team on what data is sensitive and how to protect it from exposure to fraudsters and cybercriminals.
  • Technology: Deploy technologies that protect the data in transit (e.g. secure email), at rest/when stored (e.g. encryption), and from accidental loss or malicious leakage (data loss prevention or DLP).

When it comes to sensitive data, it’s good to have thick skin—we recommend multiple layers.

Stay Safe,
Your Friends @ Defendify

Subscribe to the Defendify Blog: Cybersecurity in 60 Seconds
View full post