The Information Age has brought us unprecedented use of multiple data streams, which has increased connectivity. But this has come at the price of increased malicious attacks and breaches that leak sensitive data into the public domain.
Not even tech giants like Yahoo, Facebook and Google are safe. First, it was Yahoo; then it was Marriott International, and then finally, it was Facebook's turn to understand the importance of protecting sensitive data. But to fully appreciate the need to protect sensitive data from falling into the wrong hands, you need to know what counts as sensitive data. So let's start with the basics.
How to Identify Sensitive Data?
According to the General Data Protection Directive, the definition of sensitive data is fairly broad and contains a few conflicting points. Section 1(1) of the Data Protection Act defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".
As straightforward as this definition is, it raises some logical questions. For example, do we need to consider IP addresses and cookies as personal data? (The Commission does.) As a general rule, if you are in doubt about whether data is personal or not, treat it as if it were.
Securing Sensitive Data
There are many ways in which sensitive data gets leaked. Most often, hackers exploit vulnerabilities and infiltrate databases to steal personal information like user account details.
Thankfully, cybersecurity has advanced tremendously in recent years, but hacking has also become more sophisticated. That said, hackers typically rely more and more on human error to break in these days. Weak or reused passwords, opening suspicious emails or clicking on unknown links can give crooks the opening they need.
Personal details get exposed through scams and incompetence every day. And that is apart from the sensitive data that people share willingly and freely on their social media accounts, such as photos, addresses, plans, itineraries, job or school information, phone numbers and more.
Dealing with Sensitive Data from an Information Security Perspective
Most organisations today find themselves collecting and processing at least some amount of personal data. To process sensitive data securely, you are required to comply with the essential data processing principles, as outlined in Article 5 of the GDPR. This article specifies the following requirements:
- Businesses must process data lawfully, fairly and transparently.
- Companies must collect personal data for a specific purpose.
- Processing must be as limited as possible and use as little data as possible.
- Data must be as accurate as possible.
- Personal data should be pseudonymised and/or encrypted.
- Businesses must take adequate data protection measures.
Not only that, but you must also demonstrate that there are sufficient reasons (conditions) for processing. In other words, you must obtain consent for the processing of personal data from all users before collecting it. You should perform privacy impact assessments before processing sensitive data, and make sure you are using all data protection methods and proper organisational measures.
The process starts by obtaining quality consent from users, clients or customers. Implied consent does not work for personal data or sensitive data. The GDPR has more stringent consent requirements, so make sure you update your consent mechanisms.
Explicitly inform your users of any risks and potential benefits of you processing their data. Do not hide the fact that specific categories are sensitive. Consent must be explicit and informed to be valid. Be particularly mindful of underage persons, who should not be able to give consent on their own, requiring parental consent instead.
How to Protect Sensitive Data?
The business sector is transforming to meet clients' evolving needs, presenting organisations with new challenges and increased risk in safeguarding sensitive data. It's essential for them to mobilise their people and technology to maximise speed, choice and convenience for customers.
Several areas are prone to persistent and dangerous email-borne threats daily. If you address them, you stand a better chance at protecting the sensitive data you own or manage.
Cyber-criminals use social engineering and impersonation tactics to trick victims into revealing their account details and sensitive data. These scams can give attackers access to a company's direct deposit payroll system or steal valuable information, which can be used to file fraudulent tax returns or sold on the dark web.
Ransomware, usually delivered as a malicious attachment in a phishing email, is a destructive type of malware that encrypts computer files and demands payment for access to a digital key needed to decrypt the data. A ransomware attack can result in significant downtime, financial loss and severe reputation damage for companies.
Business Email Compromise (BEC)
In this sophisticated exploit, a threat actor obtains access to a corporate email account and sends fraudulent emails under the account owner's identity to steal sensitive information and money from victims. This highly effective scam is widespread in the financial services industry and has generated losses of $26 billion worldwide. High-speed trading firm Virtu Financial just recently.
These are just a few of the more popular ways that hackers target sensitive data. You can protect your business from malware attacks by equipping all computer devices, including mobiles, with the necessary security protection. Next-generation secure web gateways offered by companies such as Netskope are well suited to this purpose.
If you'd like to find out more about protecting your sensitive data with our security partner Netskope, please fill in the form below and one of our security specialists will be in touch.