Knowing where your sensitive data resides
How confident are you that you know where all your customers’ credit card details and other sensitive personal data are held within your business?
Are you confident that you are using personal information in a fair way that is not detrimental, unexpected, or misleading?
Are you sure that personal information is promptly deleted or securely destroyed once the purpose for which it was collected no longer applies?
If you answered yes to all three questions, you probably have a data security, data discovery and data masking policy in place. However, many organisations need help to better manage and protect their sensitive data and implement a process to simplify sensitive data security and management across the organisation’s data stores.
The average cost of a data breach
Data breaches worldwide expose millions of people’s data annually, causing organisations to lose millions in revenue or regulatory fines. The most recent IBM Cost of a Data Breach Report 2022 is a sombre read, with average data breach costs increasing 2.6% from USD 4.24 million in 2021 to USD 4.35 million in 2022. Comparing further back in time, the average cost of a breach has climbed 12.7% from USD 3.86 million in the 2020 report.
Personally Identifiable Information (PII) is the costliest type of data among all the compromised data types. Consequently, data protection has become the top priority for many organisations.
At the same time, some of the biggest GDPR fines in the last six months show that penalties are escalating in 2022, with a raft of organisations affected, indicating that many of the companies involved in these fines appear to have either forgotten about, or chosen to ignore, GDPR.
Avoiding fines and reputational damage from data breaches
So how do you go about securing against data breaches, avoiding fines and the associated reputational damage, and managing data usage and efficiencies? This is the conundrum that many DPOs, Compliance Managers and those in security face as they struggle to get visibility and control over real private data in their organisation’s databases. It is intensified as data continues to grow exponentially while the cyber threat landscape also evolves rapidly.
In the vast majority of cases, organisations are somewhat disorganised when it comes to managing data. Those responsible need better visibility into the private data held by the organisation to understand where weaknesses occur. Often DPOs are surprised when security breaches expose PII that they didn’t even know existed.
Likewise, thanks in part to Covid, a company’s ecosystem of partners has grown exponentially, and organisations are using a wide variety of external services, mobile apps, and systems. Again, they need to be confident that they can do this securely and have the compliance processes in place to manage and secure data.
Data masking is an essential technique to protect sensitive data
That is why data masking has become an essential technique many businesses use to protect their sensitive data. Data masking can help organisations to work faster, more efficiently and more creatively while at the same time adhering to regulations around data security, compliance, and privacy.
Today data masking or pseudonymisation of data is no longer confined to specialised use-cases like financial data but can be used for all sensitive data that needs to be protected including:
- PII: Personally identifiable information
- PHI: Protected health information
- PCI-DSS: Payment card information
- ITAR: Intellectual property
Data masking generally applies to non-production environments, such as software development and testing, user training, etc. These areas do not need actual live data, but applications need to be thoroughly tested using data that mirrors the final production environment as closely as possible. This means organisations need constant access to high-quality dummy data representing customers, accounts, addresses, phone numbers, etc.
The obvious way to achieve this is to obfuscate real data sources, which is often a major (and time-consuming) challenge for organisations. This is where data masking provides a consistent, repeatable approach that opens opportunities to utilise data and manage efficiencies while ensuring the organisation remains compliant.
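The discovery-then-masking approach described above, as an added example that is not code from the original article or from any product it refers to. It scans the string fields of a record for card numbers (validated with the Luhn checksum) and e-mail addresses, then replaces them with deterministic, format-preserving stand-ins: the masked card keeps the issuer prefix and passes Luhn, so it still exercises the same code paths as live data, and the same input always maps to the same output, so referential consistency across tables survives. The masking key, the `example.com` pseudonym domain and the sample row are all constructed for this example; the card number is the standard Visa test number, not a real account.

```python
"""Discover card numbers and e-mail addresses in records and replace them
with deterministic, format-preserving stand-ins for non-production use."""
import hashlib
import hmac
import re

# Placeholder key (assumption): in practice it comes from a secrets manager and
# is never shipped to the non-production environment that receives the output.
MASKING_KEY = b"placeholder-masking-key"

# 13-19 digits with optional single space/dash separators, as printed on cards.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # these sit at doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def _derived_digits(value: str, count: int) -> str:
    """Deterministic digits from a keyed hash: same input, same mask, every run."""
    mac = hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % (10 ** count)).zfill(count)


def mask_card(number: str) -> str:
    """Keep the 6-digit issuer prefix, replace the account digits, recompute the check digit."""
    digits = re.sub(r"\D", "", number)
    payload = digits[:6] + _derived_digits(digits, len(digits) - 7)
    return payload + luhn_check_digit(payload)


def mask_email(email: str) -> str:
    """Replace the whole address with a stable pseudonym on a reserved domain."""
    mac = hmac.new(MASKING_KEY, email.lower().encode(), hashlib.sha256).hexdigest()
    return f"user-{mac[:10]}@example.com"


def discover(record: dict) -> dict:
    """Report which fields hold Luhn-valid card numbers or e-mail addresses."""
    findings = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        kinds = []
        if any(luhn_valid(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(value)):
            kinds.append("card")
        if EMAIL_RE.search(value):
            kinds.append("email")
        if kinds:
            findings[field] = kinds
    return findings


def mask_record(record: dict) -> dict:
    """Return a copy with card numbers and e-mail addresses replaced; other values untouched."""
    def _card_sub(m):
        digits = re.sub(r"\D", "", m.group())
        # Digit runs that fail Luhn (order refs, phone numbers) are left alone.
        return mask_card(digits) if luhn_valid(digits) else m.group()

    out = {}
    for field, value in record.items():
        if isinstance(value, str):
            value = CARD_RE.sub(_card_sub, value)
            value = EMAIL_RE.sub(lambda m: mask_email(m.group()), value)
        out[field] = value
    return out


# Constructed sample row; the card number is the standard Visa test number, not a real account.
SAMPLE = {
    "customer_id": 1042,
    "email": "jane.doe@example.org",
    "card": "4111 1111 1111 1111",
    "note": "Order ref 12345678 shipped to 10 High Street",
}

if __name__ == "__main__":
    print(discover(SAMPLE))
    print(mask_record(SAMPLE))
```

Because the stand-ins are derived with a keyed hash rather than a random generator, the same customer appears with the same masked card and e-mail in every table and every refresh, which is what makes the test data usable for joins and regression suites; the key itself must stay in production, since anyone holding it can link a masked value back to the real one by brute-forcing the candidate space.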
Using compliance as a basis for better security practices
Compliance is all about protecting regulated data; therefore, from a data protection perspective, the key security measure to have in place is to avoid processing or storing regulated data that isn’t needed. However, herein lies the problem mentioned earlier because organisations are often unaware of their data. That said, compliance can be used to build better security practices.
But periodic or point-in-time audits don’t necessarily mean you are compliant; therefore, an ongoing compliance framework provides a basis for thinking about better security programs. Then, more than just a driver for reducing risk, compliance can also be used to measure improvements in security and risk posture and keep ahead of changing risks in the business.
However, a word of warning. If all the organisation cares about is compliance and ticking the boxes, it will probably not be secure. A more holistic approach is required, starting with simple, secure and automated data discovery and data masking systems.
This will enable those in charge of sensitive data in databases to sleep better at night, knowing they have privacy and compliance policies and tools to meet ever-growing regulations.
The challenge of securing sensitive data in databases webinar
Are you interested in finding out more? Register for our webinar on the 13th September 2022 from 16.30 to 17.30.
We will be talking about the challenges that organisations face around data discovery and masking systems, and how one central management console helps customers to protect all the sensitive data in their databases, regardless of database and deployment type.