Defining Sensitive Data

What Do We Mean When We Say Sensitive Data?

At Nucleus Cyber we spend a lot of our time talking about sensitive data. This shouldn’t be a huge surprise given that we are in the business of providing data-centric solutions to protect your sensitive data. But just what information are we referring to when we use the term sensitive data? And what about your organization’s definition? Are you including everything that you should, or are you defining it too narrowly and putting important data at risk?

The “Standard” Sensitive Data Types

There is some information that is undoubtedly sensitive data. Data that is classed as Personally Identifiable Information (PII) such as social security numbers or passport numbers, protected healthcare information (PHI), or financial data like credit card and bank account numbers are obvious examples. Domestic and international data regulations like HIPAA, GDPR, GLBA and the pending California Consumer Privacy Act (CCPA) define regulated data types for us. For the purposes of compliance, it is clear under these regulations what organizations have a responsibility to protect. That doesn’t necessarily mean that it is easy to protect these sensitive data types but at least we know what we are aiming for.

Understandably the introduction of more stringent data regulations over the last few years has certainly shaped the requirements, business drivers and dialog when considering solutions for protecting sensitive data. However, has the focus on standard sensitive data types caused other key data to be missed?

The Full Definition of Sensitive Data

Rather than limit our definition to regulated data types, it’s important to realize the full range of what can constitute sensitive data. TechTarget has a comprehensive definition that breaks down sensitive data (or sensitive information, as they call it) into three categories:

  1. Personal Data
  2. Business Data
  3. Classified Data

The first category is a more complete description than the one I gave earlier for PII, the third deals with Government classification of documents as secret, top secret, etc. I’d like to focus for a moment on the second category, sensitive business data.

TechTarget defines it as:

“Sensitive business information includes anything that poses a risk to the company in question if discovered by a competitor or the general public. Such information includes trade secrets, acquisition plans, financial data and supplier and customer information, among other possibilities. With the ever-increasing amount of data generated by businesses, methods of protecting corporate information from unauthorized access are becoming integral to corporate security.”

While PII data breaches make the headlines because of their wide impact, it’s important that organizations recognize the serious risks associated with their sensitive business information. The loss of intellectual property or disclosure of a project proposal could be financially crippling – in some cases even more damaging than a PII breach.
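A small classifier, added here as an illustration and not code from the original post or from any Nucleus Cyber product, that applies the categories above to constructed sample text: a format check for US social security numbers and a Luhn check for card numbers cover the “standard” personal data types, and a short keyword list (drawn from the TechTarget examples) covers sensitive business data. The `coverage_gap` function reports which documents a policy limited to the regulated types would leave unprotected.

```python
import re

# Constructed sample documents (not from the original post).
SAMPLE_DOCS = {
    "hr_export.csv": "Employee SSN 536-22-1234, paid via card 4111 1111 1111 1111",
    "board_memo.txt": "Board pack: acquisition plan for Q3, trade secret formulation attached",
    "lunch_menu.txt": "Tuesday: tacos. Wednesday: pasta.",
}

# US SSN format: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by spaces or hyphens; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Business-sensitive terms, taken from the TechTarget examples quoted above.
BUSINESS_TERMS = ("trade secret", "acquisition plan", "board pack",
                  "supplier pricing", "customer list")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str, include_business: bool = True) -> set:
    """Return the set of sensitive-data categories detected in text."""
    cats = set()
    if SSN_RE.search(text):
        cats.add("personal:ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        cats.add("personal:card")
    if include_business and any(t in text.lower() for t in BUSINESS_TERMS):
        cats.add("business")
    return cats


def coverage_gap(docs: dict) -> list:
    """Documents that only a broader (business-aware) definition would protect."""
    return [name for name, text in docs.items()
            if not classify(text, include_business=False) and classify(text)]


if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        print(name, sorted(classify(text)))
    print("missed by regulated-types-only policy:", coverage_gap(SAMPLE_DOCS))
```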

It’s why I always ask customers what they consider to be sensitive information and encourage them to think about the broader definition if the response only covers the “standard” data types.

Categorizing Your Organization’s Sensitive Data

For any organization, it’s critically important to define what sensitive information is for you. Customer, HR or financial data are the obvious candidates, but what about board documents, research and development data, or new product information?

When Sony Pictures was hacked some of the most damaging data was not the publication of upcoming movie scripts or financial data but the internal memos and emails discussing various Hollywood figures. The full extent of the damage to Sony Pictures is still unknown. A financial figure relating to class actions for the loss of PII will eventually be calculated but what about the lasting impact on their client and partner relationships? Will Sony Pictures be a no-go studio for some writers, actors or directors in future?

Rules and regulations are often the driver for a project to protect sensitive data. However, it should not start and stop with solely the “standard” data types. This is particularly important in a time when it is easier than ever before to collaborate and share information thanks to cloud-based file storage like Dropbox and OneDrive, and social collaboration tools such as Teams or Slack.

Insider Threats and Your Data

Defining what sensitive data is for your organization will subsequently lead to another important question. What are the exposure risks for that data? If we look to the news headlines it is typically external hackers that get the column inches. However, recent studies show that insider threats pose a great danger to organizations. Accidental leaks alone account for 40% of breaches, and 83% of cybersecurity pros believe employees are inadvertently putting sensitive information at risk.

When we consider how collaboration has changed within the workplace, it’s no surprise that accidental breaches are not only commonplace but on the rise. Cloud storage and social collaboration tools make it incredibly easy to rapidly and widely share information. IT departments have long struggled to identify where all their sensitive data is located, and modern collaboration tools have spread it beyond IT’s reach. Traditional IT security methods that put a “lock and key” on the data location are not compatible with the modern approach to storing and working with sensitive data.

Perhaps this is another reason why “standard” sensitive data types are the first to be tackled. Data Loss Prevention (DLP) technologies typically used to protect sensitive data have previously been cumbersome to deploy and use, making them ineffective. By limiting the scope of the sensitive data to be protected the perception is that there is a greater chance of success. The gamble that you are taking is that although you may be mitigating the risk of a regulatory penalty, your core competitive differentiator – your intellectual property – is often left exposed.

Data-Centric Security to the Rescue

Thankfully, just as the collaboration tools have moved on so have the tools to protect sensitive data. To be effective in the modern collaboration workplace your identification and protection solution should leverage a data-centric approach. A more complete account of data-centric solutions can be found in one of my previous blog posts but in essence the tools apply the protection to the data itself as opposed to the application or container in which it currently resides.

A data-centric solution is a much better fit for sensitive data that is in an almost constant state of motion across multiple collaboration scenarios. These security tools adapt to the changing risk profile associated with sensitive data as users access and collaborate across multiple locations, organizational boundaries and devices.

Thanks to their ease of use and overall effectiveness compared to legacy DLP solutions, it’s possible to implement a strategy that goes beyond just addressing protection of the regulated “standard” sensitive data types.

Protect All Your Sensitive Data

Learn how NC Protect defends against breaches, sensitive data misuse and unauthorized file access enabling enterprises to fully take advantage of the modern collaboration based on their unique definition of sensitive data.
