Page 63 - Cyber Defense eMagazine for September 2020
business because in most instances, it is information that has been sold to competitors, or used to expose
explicit information for political purposes or gain.
A couple of examples of insider theft include the Sony hack, where an employee in Human Resources had salary information on 30,000 Deloitte employees and publicized it, and the Morgan Stanley employee who stole account information from 350,000 of its wealth management clients and posted some of it on the internet. GlaxoSmithKline had IP, trade secrets and presentation data compromised in two ways: documents were emailed from inside GSK to private email accounts, and documents were copied onto USB and other storage devices and onto personal devices. This particular incident also led to mounting legal fees and a $500m fine for GSK, the victim in all of this. These examples are just a blip on the map, but they should serve as reminders that businesses must know where sensitive information exists in files, ensure it is protected appropriately, and ensure that only the right people can access it. That is before considering the business's responsibility to protect information that is subject to industry or privacy regulatory mandates. Put simply, unauthorized access to or loss of sensitive data can compromise competitive advantages, damage the brand, and expose the organization to significant regulatory penalties and even litigation.
While most businesses are focusing on securing structured databases and identity and access management, they must also include unstructured data in their data security initiatives. Before moving forward, assess your own situation; then you can proceed with a plan whose first step is understanding what sensitive unstructured data you have. It's not as hard as you may think.
Where Do You Start? Know the Data. Control the Data.
Your current governance, risk and compliance (GRC) policies may be a little outdated. Now is the time to take them out, dust them off, and update them to include sensitive unstructured data. With privacy regulations rapidly changing, it is important not to learn privacy through impact, by becoming the subject of a violation. It is difficult under the best of circumstances to respond to a data subject request (DSR) or an incident involving a structured database, and even more challenging when the information is unstructured. Knowing where your sensitive unstructured data is and what it is will be a critical part of your GRC policy. Getting there is not as daunting as you might think, and in just a few steps you will be on your way to high visibility, control, protection and improved response time to incidents and DSRs. Business unit by business unit, talk to the person in charge and ask:
1. What documents do you create or work with that contain sensitive information?
2. Where do these documents reside?
3. What applications do you use that contain sensitive data that you may download into reports or
other documents?
4. Do you upload documents into applications, file shares, content management systems or any
other external application or information system?
5. Is this data shared internally, and if so, how and with whom?
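A first pass at answering questions 1 and 2 can be automated with a discovery scan of a file share. The following is an added example, not code from the article or its author: it walks a constructed sample share, flags files containing email addresses or Luhn-valid payment card numbers (so invoice and reference digit runs are not counted), and reports where each file sits. The detector patterns and the sample documents are assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

PATTERNS = {  # illustrative detectors; tune them to what business units report
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from invoice/reference digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_text(text: str) -> dict:
    """Return {category: match_count} for one document; empty if nothing sensitive."""
    hits = {}
    for name, rx in PATTERNS.items():
        matches = rx.findall(text)
        if name == "payment_card":
            matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
        if matches:
            hits[name] = len(matches)
    return hits

def inventory(root: str) -> dict:
    """Walk a share and map each file holding sensitive data to what it holds."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = classify_text(path.read_text(encoding="utf-8", errors="ignore"))
            if hits:
                found[path.relative_to(root).as_posix()] = hits
    return found

def build_sample_share() -> str:
    """Constructed sample share (not real data); the invoice number must not count as a card."""
    root = tempfile.mkdtemp(prefix="share_")
    docs = {
        "HR/salaries.csv": "name,email,salary\nA. Lee,a.lee@example.com,91000\n",
        "Finance/q3_notes.txt": "Card 4111 1111 1111 1111 on file; invoice 1234567890123.\n",
        "Marketing/brochure.txt": "Visit our booth at the expo.\n",
    }
    for rel, body in docs.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body, encoding="utf-8")
    return root
```

The resulting inventory (file path to categories found) is the raw material for the "where does it reside" and "what is it" answers, to be confirmed with the business unit owner rather than taken as final.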