- Security TWENTY
- Women in Security
Before organisations can calculate the risks around sensitive data, and put in place appropriate protection, they must first have visibility of where that information resides -and where copies might exist across the company. James Paton, pictured, CEO of SynApps Solutions, says that, even post-GDPR, many businesses lack that visibility.
It’s almost two years since the EU’s updated General Data Protection Regulation (GDPR) came into force. And, while GDPR preparations temporarily shone a spotlight on organisations’ restricted visibility of where potentially sensitive data exists across their operations, many businesses remain in the dark about their persistent points of vulnerability. As a result, they may be underestimating their ongoing exposure to risk.
Security assessments and tightening of controls, and even initiatives to move data to the cloud as part of digital transformation programmes, are among the ongoing drivers for organisations to get a better handle on where all of their sensitive data resides. As long as intellectual property is dispersed across people’s laptops, desktops and different departmental servers, for instance, locking this down so that it doesn’t get into the wrong hands becomes very difficult.
Beyond GDPR, there are other significant regulatory drivers for organisations to seek deeper insight into where sensitive data resides and how it is handled. In retail, compliance with the Payment Card Industry (PCI) data security standard presents a major challenge, for example, affecting any merchandiser handling branded credit cards from the major card schemes. Listed companies, meanwhile, must keep track of market-sensitive information and be able to report on where it is under market abuse regulations. And public sector and health organisations must be vigilant about sensitive citizen/patient data. The list goes on.
It is in response to many of these challenges that there has been new innovation in the form of ‘sensitive data discovery’ on demand: that is, managed services that any organisation can tap into if they need to trace and report on where particular types of data exist. Run securely in the cloud, or in company’s own data centres, and fully resourced with highly qualified engineers, such hosted services remove a great burden from IT/compliance departments. Rather, it becomes possible for them to scan for instances of sensitive data across whole IT estates, and dynamically generate board-level reports, without having to allocate dedicated internal resources.
For organisations that want to go further, there are value-added services that can analyse the findings at a more detailed level, and suggest ways to bring sensitive data under more effective control. By overcoming previously poor visibility to provide comprehensive sensitive data discovery, this kind of service can even empower businesses to progress their bigger projects, such as digital transformation and cloud migration, fulfilling the CxO strategic agenda.
Influencing best behaviour
The potential of sensitive-data discovery service becomes even more significant where end users are involved in the remediation process, if sensitive data is found to exist where it shouldn’t – for example, unprotected on someone’s laptop. Alerts to individual users can prompt them to take appropriate remedial action in line with company policy.
Where all such activity is recorded and monitored, this alleviates the pressure on internal compliance teams to interpret and react to all of the findings from a data scan – which could run into thousands of information policy contraventions that need to be addressed. This also has the added benefit that, if an audit is launched, the organisation is fully covered by a comprehensive record of all steps that have been taken.
Beyond board-level HERO reports and information for internal governance purposes, data discovery services can also report on organisations’ exposure to risk, with associated values and ROI metrics – so companies can see issues that are still outstanding, what it would take to remediate them, and what intrinsic value that would have.
One of the most persuasive arguments in favour of using such services is the speed of deployment, and of getting actionable results – this could be within just a few hours, for instance. Which means IT teams could very efficiently and sustainably scan their organisations’ entire digital estate – across multiple systems and operating environments – on a quarterly or annual basis. Certainly, as data estates grow and become richer and deeper, data discovery as-a-service propositions – and the ‘sensitive data’ variety in particular – represent a potential game-changer for organisations seeking to regain control of their diverse information assets.