Digital Guardian, October, 8, 2014

“The #1 biggest mistake companies make when it comes to securing sensitive data”

Keeping sensitive information secure from theft and vulnerability in today’s digital world isn’t as easy as putting a lock on the file cabinet – especially with the widespread adoption of cloud computing. And even if you take every precaution with your online accounts and identifying information, there are many ways that information can land in another individual or company’s data management systems, where it can then somehow be made vulnerable.

At Digital Guardian we specialize in helping businesses manage and secure various types of company data. Our top priority is helping our customers keep their sensitive data where it belongs and as secure as possible. To get a better picture of the current state of enterprise data protection we interviewed data security experts on what matters most when securing sensitive data.

To do this, we asked 34 data security experts to answer this question including Jonathan Gossels. Click here to read the full article.

Jonathan Gossels

The biggest mistake companies make when it comes to securing sensitive data is…

The lack of understanding where their sensitive data resides because they have not set policies to systematically and consistently categorize their data, and consequently, they don’t have controls in place to ensure that all categories of data are handled appropriately.

For example, if a company has a policy that says any data set that contains personally identifying information is considered to be “sensitive” and has to be encrypted both in transit across a network and at rest, and the company has implemented technical controls to enforce that policy, it is very likely that the data set is safe.

There is also a user education dimension to this problem – users need to understand the sensitivity of the data they work with and their role in keeping it safe. In many cases, this involves educating users about what not to do.

For example, access to payroll data is usually restricted to those employees that process the payroll and those that review it. This is usually done within a payroll application that has built-in security and access controls. Payroll data and similar data sets should NEVER be downloaded onto an unsecure laptop, thereby undermining all the required controls. As in a very public data breach that occurred a few years ago, when this laptop was lost, millions found themselves risk for identity theft.

The best way to secure sensitive data is to do the basics well (like blocking and tackling in football). Understand what is sensitive in your data, set rules for handling it, implement technical controls to ensure it is actually handled properly, and educate your users about their role in keeping it safe.

Jonathan Gossels is the President of SystemExperts, a network security consulting firm specializing in IT security and compliance.