The definition of sensitive data is one that varies depending on who is asked. However it is generally understood to be information that, if lost or accessed by unauthorized people, could adversely affect the owner, company, government or other parties. The data might be considered sensitive for any number of reasons.
A familiar example would be credit card numbers and associated PIN. Should the wrong person learn that information, the legitimate owner might soon become the victim of fraud. Credit card numbers and PINs are considered sensitive information that that reason. Similarly, medical records are something that people trust their doctor to keep secure. They contain personal information that few people would want others knowing and is therefore considered sensitive for a different reason.
A need for security
Regardless of what the data might be, there exists a need for it to be stored securely and in a manner that ensures only the correctly authorized people may access it. Although methods for doing so will vary hugely, certain concepts and ground rules can be followed to ensure the chances of compromise or data loss remain extremely low. This article outlines those concepts and paints a picture of the mindset required to implement effective security measures for the handling of sensitive data.
It is important to initially establish that no data can be one hundred per cent secure, although many commercial entities will claim otherwise in order to sell their products. The best that can be done is to ensure that the likelihood of an unauthorized person gaining access to the data is hugely reduced to the point of it being extremely unlikely.
An effective policy
From a business perspective, the first crucial step is to develop adequate security policies and controls. The purpose of these is to establish an effective and secure standard for the handling of sensitive data. The policies should at the very least address the following:
- Where the data is to be stored
- Details of the access controls in place
- Whether permission is required for access and whom should be contacted to gain it
- Procedures for handing removable media such as USB drives and portable hard drives
- Encryption standards
- Passwords – their minimum required length, complexity and any time restrictions
- Incident response procedures – what should happen in the event of a breach
These policies should be kept in a location that is easily accessible for the employees that may require access to the data and should, of course, be kept up to date. Any questions an employee might have regarding sensitive data should be adequately answered in the policies. It is recommended to include the name and contact details of a person that can provide further information if it is required. Depending on the structure of the company, who this person is will naturally differ, although in all cases it will likely be somebody with sufficiently high authority.
In recent years, numerous commercial encryption solutions have brought high-quality encryption to businesses and homes across the world, significantly improving the security of sensitive data. Many companies make it a policy for all their laptop hard drives and USB drives to be fully encrypted, ensuring that should they be lost or stolen, the likelihood of anybody being able to access the information they contain is extremely low to non-existent.
Similarly, server hard drives are increasingly being encrypted to prevent the data being accessed in the event of a physical theft. These are things that should be at the heart of any policies regarding security of data. The worst case scenario should always be planned for so that if it happens, the impact to the business is kept at a minimum.
The role of employees
Although encryption is a useful tool for ensuring sensitive data is kept secure, time and money should be spent on developing solid security practices and making sure all employees are aware of them. An encrypted laptop suddenly becomes a whole lot less secure if the owner keeps the passphrase on a post-it note in their desk drawer. Human beings are often said to be the weak link in any security mechanism and this is absolutely true.
Human error causes laptops to be left on trains and on park benches. It also causes people to leave their workstation unattended while they’re logged into a secure system, creating unnecessary and potentially serious security risks. In short, no matter how sophisticated a company’s security, if the employees are not made aware of the importance of upholding standards, of adhering to security policies down to the letter, there’s a good chance that at some point an accident will occur that could mean significant loss of reputation and money. Adequate training should be given to all staff who need to handle sensitive data and the importance of policy compliance should be regularly emphasized.
As an aside point, it is not just current sensitive data that should be protected. Many companies overlook the importance of encrypting their backups, also. The information contained within them may not be current, but to a person looking to compromise the business it could be a veritable goldmine – names, addresses, credit card numbers, bank details, medical details or more.
If the backup procedure is performed locally, all backups should be encrypted as they are taken and certainly before transport to a remote storage location. If a third party handles backups, they need to be made aware of company policy and to provide evidence that they’re complying with company requirements.
This article cannot hope to discuss all the possible instances of sensitive data handling, only provide some idea of the mindset required to address these issues head on. Planning for sensitive data handling should be a methodical process and one that is primarily governed by common sense. Time and money should be spent developing those procedures, testing them and training employees to follow them.
Additionally, the environment storing that sensitive data should be scrutinized, as should the people who will be accessing it. Each business will of course be different and it is down to those responsible for data security to adequately assess the situation and develop policies accordingly. As previously mentioned, the worst case scenario should always be planned for – it could mean the difference between a business that flourishes and one that faces bankruptcy.