Everyone knows they need to track the personally identifiable information (PII) they hold and, in light of the impending GDPR, organisations want to know how to protect it. But, what exactly is PII?
It includes names, addresses, dates of birth and IP addresses: any information that can be used, on its own or in combination with other information, to identify a person. Many organisations don’t fully understand the scope of the data they gather, including what kind of information it is, how sensitive it is and whether they really need to be holding on to it.
The PII struggle
The biggest issue in trying to identify where PII is stored is that it always ends up in places an organisation doesn’t expect. For example, many don’t realise how or why PII is found in unexpected files or apps and have traditionally assumed that these files don’t need to be regulated. In reality, there could be a myriad of reasons and explanations as to how the data ended up where it did.
PII in itself is not hard to identify. But even if you’re looking for a specific type of PII, you still need to know where it lives in the system. In the past, there hasn’t been an easy way of finding out where all PII exists on a system outside of the typical, structured locations such as HR and finance databases. It is often assumed that sensitive data is kept in the equivalent of a locked filing cabinet whereas, more often than not, it ends up in the IT equivalent of a garage or junk drawer.
However, over the last couple of years, it’s become more critical for organisations to know exactly where their data is stored. If they have never looked for it before, they’ve never had to make decisions about how to protect it, and this is why breaches continue to happen over and over again.
Identify and protect
We are slowly, but surely, seeing a focused push towards GDPR compliance. More and more organisations are actively investigating and interrogating every file on the system, identifying those containing names, emails, addresses and anything else that is considered PII. Whilst this can be time-consuming, it’s not the hard part; that comes with ensuring the data is properly protected.
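The file-by-file discovery described above, as an added example that is not part of the original article or of any vendor's product: a small scanner that walks a directory tree, applies regular expressions for the machine-recognisable PII kinds the article names (email, date of birth, IP address; names and postal addresses need dictionaries or NLP and are deliberately left out), and reports which files hold what. The file contents, paths and formats are constructed for the demonstration.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Regexes for the PII kinds from the article that can be recognised by pattern alone.
# Names and postal addresses are excluded: they need dictionaries or NLP, not regexes.
PII_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # dd/mm/yyyy, the UK convention, with years 1900-2099
    "date_of_birth": re.compile(r"\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/(?:19|20)\d{2}\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}


@dataclass
class Finding:
    path: str   # relative to the scanned root
    kind: str   # key of PII_PATTERNS
    count: int  # number of matches of that kind in the file


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return every PII match in a blob of text, grouped by kind (empty dict if none)."""
    hits: Dict[str, List[str]] = {}
    for kind, pattern in PII_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[kind] = found
    return hits


def scan_tree(root: str, extensions: Iterable[str] = (".txt", ".csv", ".log")) -> List[Finding]:
    """Walk `root` and report, per file and per PII kind, how many matches were found."""
    findings: List[Finding] = []
    suffixes = tuple(extensions)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                # errors="replace" keeps the scan going over files with odd encodings
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole sweep
            for kind, matches in scan_text(text).items():
                findings.append(Finding(os.path.relpath(path, root), kind, len(matches)))
    return findings


def demo() -> Dict[str, int]:
    """Build a constructed 'junk drawer' of files and return total matches per PII kind."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "shared", "old-exports"))
        # Constructed sample files: an old customer export, a harmless note and a VPN log.
        samples = {
            "shared/old-exports/customers-2016.csv":
                "name,email,dob\nA. Example,a.example@example.org,14/02/1979\n",
            "shared/notes.txt":
                "Reminder: call the supplier about the invoice.\n",
            "shared/old-exports/vpn.log":
                "login from 203.0.113.42 user=bob.example@example.net\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
                fh.write(body)
        totals: Dict[str, int] = {}
        for finding in scan_tree(root):
            totals[finding.kind] = totals.get(finding.kind, 0) + finding.count
        return totals


if __name__ == "__main__":
    print(demo())  # {'email': 2, 'date_of_birth': 1, 'ipv4': 1}
```

The output is a map from file to PII kinds and counts, which is exactly the inventory the article says organisations lack: it tells you where the data lives without copying the matched values into yet another file. Regex matching produces false positives (a version string can look like an IP address), so results are a starting list for review rather than a final classification.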
One relatable anecdote is that of a CEO who thought he had one big problem because he didn’t know where all his company’s sensitive data was. Following data discovery, he found himself with hundreds of thousands of problems, because he now needed to protect all that data.
Protecting data is about asking a series of questions: where is the data? Who has access to it? Do the right people have access to it? Who does it belong to? Should we be deleting this data? Is it stored in the right place? Do I know who is using it? How can I make sure the data is secure and kept private? Many organisations use the terms ‘privacy’ and ‘security’ interchangeably.
However, it’s worth noting that in cyber and data security, companies must bear both in mind. Data security focuses on protecting the data from theft and breaches whereas privacy governs how the data is being collected, shared and used.
It’s always a good idea to guard all the data within your organisation, but not all data needs the same fortification. The challenge is: how do you protect this data and apply the relevant access permissions if you don’t know where it is? Similarly, one of the most significant aspects of the upcoming GDPR is breach notification, under which organisations must notify the ICO of a breach within 72 hours of its identification. An organisation needs to be able to report what happened, how it happened and what was affected.
Knowing when something goes wrong
Once an organisation knows where all its data is and is reasonably sure it is well protected, the next thing it must consider is how it will identify if and when something goes wrong, and what it will do to correct this. Banks and credit-card issuers are a good example to follow here. The majority of people who use a credit card have, at some point, been notified of unusual activity on the account. This is because banks typically know a lot about the person the card belongs to. For example, if a bank knows where and at what time you would typically fuel up your car, it will notice if the card is used to buy a different type of fuel in an atypical location at an unusual time, and can reasonably deduce that your card is being used fraudulently.
When it comes to data, many companies don’t have this kind of visibility; they have all the data but know nothing about how people are actually using it. Organisations such as banks are able to identify this fraud because they look at where every pound or dollar is going, allowing them to spot fraudulent transactions as they occur.
The companies that are best able to protect PII are those who look at every single data transaction. They know when a file is created, accessed, changed, moved or deleted.
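The bank-style detection the last three paragraphs describe, as an added example that is not the article's or Varonis's code: a per-user baseline is learned from a window of file-activity events (the hours a user is normally active, the top-level shares they normally touch, and their busiest day), and each new create/access/change/move/delete event is scored against it. The event lines, their format (`<ISO timestamp> <user> <action> <path>`), the users and the paths are all constructed for the demonstration; a real deployment would read the same fields from the file server's audit log.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    action: str  # created | accessed | changed | moved | deleted
    path: str


def parse_line(line: str) -> Event:
    """Parse the constructed audit format: '<ISO timestamp> <user> <action> <path>'."""
    ts, user, action, path = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), user, action, path)


def share_of(path: str) -> str:
    """Top-level folder of a path, e.g. '/finance/q1.xlsx' -> 'finance'."""
    return path.strip("/").split("/", 1)[0]


@dataclass
class Baseline:
    hours: Set[int]     # hours of the day in which the user was active
    shares: Set[str]    # top-level shares the user touched
    max_per_day: int    # busiest day seen in the learning window


def build_baseline(history: Iterable[Event]) -> Dict[str, Baseline]:
    """Learn what 'normal' looks like for each user from past events."""
    per_user: Dict[str, List[Event]] = defaultdict(list)
    for e in history:
        per_user[e.user].append(e)
    baselines: Dict[str, Baseline] = {}
    for user, events in per_user.items():
        per_day: Dict[object, int] = defaultdict(int)
        for e in events:
            per_day[e.when.date()] += 1
        baselines[user] = Baseline(
            hours={e.when.hour for e in events},
            shares={share_of(e.path) for e in events},
            max_per_day=max(per_day.values()),
        )
    return baselines


def detect(baselines: Dict[str, Baseline], new_events: Iterable[Event]) -> List[str]:
    """Return one alert string per new event that deviates from its user's baseline."""
    alerts: List[str] = []
    seen_today: Dict[tuple, int] = defaultdict(int)
    for e in new_events:
        b = baselines.get(e.user)
        if b is None:
            alerts.append(f"{e.user}: no baseline, first activity seen at {e.when.isoformat()}")
            continue
        key = (e.user, e.when.date())
        seen_today[key] += 1
        reasons = []
        if e.when.hour not in b.hours:
            reasons.append(f"unusual hour {e.when.hour:02d}:00")
        if share_of(e.path) not in b.shares:
            reasons.append(f"never-before-seen share '{share_of(e.path)}'")
        if seen_today[key] == b.max_per_day + 1:  # fire once, when the daily max is first exceeded
            reasons.append(f"volume {seen_today[key]} exceeds daily max {b.max_per_day}")
        if reasons:
            alerts.append(f"{e.user} {e.action} {e.path} at {e.when.isoformat()}: " + "; ".join(reasons))
    return alerts


# Constructed learning window: alice works on /finance in office hours, bob on /hr.
HISTORY = """\
2018-03-05T09:12:00 alice accessed /finance/q1-forecast.xlsx
2018-03-05T10:40:00 alice changed /finance/q1-forecast.xlsx
2018-03-06T09:05:00 alice accessed /finance/payroll-summary.csv
2018-03-06T11:30:00 alice created /finance/notes.txt
2018-03-05T14:00:00 bob accessed /hr/contracts/2017.pdf
2018-03-06T15:20:00 bob accessed /hr/contracts/2018.pdf
""".splitlines()

# Constructed new day: one normal access, one at 02:15, one into a share alice never uses,
# and an account with no history at all.
NEW = """\
2018-03-07T10:00:00 alice accessed /finance/q1-forecast.xlsx
2018-03-07T02:15:00 alice accessed /finance/payroll-summary.csv
2018-03-07T10:30:00 alice moved /hr/contracts/2017.pdf
2018-03-07T10:45:00 mallory deleted /finance/notes.txt
""".splitlines()


def demo() -> List[str]:
    baselines = build_baseline([parse_line(l) for l in HISTORY])
    return detect(baselines, [parse_line(l) for l in NEW])


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Three of the four new events raise an alert; the 10:00 access to a familiar finance file raises none, which is the point: the same action is normal or suspicious depending on who, when and where. The learning window here is two days so the example stays short; in practice it needs to span enough weeks that legitimate but infrequent activity (month-end, holiday cover) is part of the baseline rather than a source of false positives.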
A new normal
The world is changing, and the upcoming GDPR is a clear signal of it: organisations must protect the data they hold in much the same way as a bank does. This important and valuable information can’t just be left in the proverbial junk drawer. It will be exposed.
All data within a company should be protected by taking the time to identify PII and apply permissions so it is only accessible to the people who need it (known as a model of ‘least privilege’). Organisations can then be confident that they are taking the right steps to ensure they don’t fall foul of the GDPR.
Sourced by Matt Lock, director of Sales Engineers, Varonis