What are the information “crown jewels” of your organization? If it were leaked, what would the extent of damage be to your brand, your employees and your customers? Companies can no longer ignore their responsibility to protect and contain sensitive information. The FTC has begun to issue substantial financial penalties if companies are deemed to have been negligent. Key information categories in your company subject to FTC purview are:
- Intellectual Property (R&D, M&A, Patent Development)
- Customer Data (PCI)
- Patient Data (HIPAA and PHI)
- Product Data
- Financial (SEC, SOX)
- Sales & Marketing Data
- Employee Information (PII)
You may consider locking down access only from the desktop in the office. Workers have been known to email confidential information to their personal email, send it to direct competitors, blind copy confidential emails with attachments, and copy files to removable media and then pass it along. We have all seen instances of this and the pain associated with less than restrictive access to confidential data.
There are many examples of attempts to hack into sensitive information by sources outside a company, but what attention do you provide to the wide range of purposeful or unintended risks posed by temps, volunteers, suppliers or customers? Insider threats both malicious and unintended disclosure accounted for more than 35% of publicly declared breaches in 2014 (PrivacyRights.org). The Ponemon Institute claimed that 63% of breaches (not necessarily publicly disclosed breaches) were conducted by insiders.
So what are you to do?
The essential activity today is to monitor behavior: Trust But Verify! Conduct executive level discussions with HR, Legal, Finance, Operations, Sales & Marketing, and Research & Development to seek their input regarding the crown jewels. Beware of the person who you may believe has the right to access that data but suddenly is downloading files to their laptop or worse, emailing it to personal email. There is no need for people to send confidential data to other email addresses that have the capability to transmit information anywhere without the corporation’s ability to monitor behavior. Many times we have witnessed employees and temps copying or sending data to themselves and weeks later will give notice to go to a direct competitor.
It is essential that corporations have a Data Governance Program that establishes who has the appropriate access to confidential and sensitive information. Typically, this is established by using Role-Based Access Controls (RBAC). For example, an individual in human resources could have permissions to access employee data to perform their job, but not necessarily have access to product data or sales and marketing information.
There is a wealth of enabling technology that vastly improves your active and passive resources to monitor access patterns and trends, mask and obfuscate sensitive data, and escalate and resolve threats. I’ll be addressing data loss prevention, data security, and data masking technologies in my next blog to help you understand key categories of functionality that may help you identify and address risks, or better yet, mitigate them proactively.
Understand that this is a constant journey and never completed with a one and done event. Contact me if you’d like to discuss how to quantify your risk and plan concrete steps to safeguard your company’s crown jewels.
Randy Johnson
