Blog Post
Why Your Critical Data is (Probably) Not Fully Secure
Every organization has data without which they can’t operate. It’s crucial that organizations are able to identify and protect this critical data to secure their ability to function as a business.
In this post, we’ll explain why this matters, as well as some of the ways that this essential data may be at risk and how to protect it.
Understanding Your Critical Data
Critical data is essential to daily business operations and is unique to each organization, depending on its industry sector, purpose and goals. Without this data, businesses can’t function.
It may be data that is essential to core business processes, underpins their primary business purpose and/or is required for legal compliance. It may include regulatory data and mandatory record-keeping, such as company accounts and legal documents, as well as protected personal information and other sensitive and proprietary data.
Some businesses will choose to define protected data types such as personally identifiable information (PII), sensitive personal information and protected health information (PHI) as critical data, due to their legal and regulatory obligations to manage and protect this information.
It’s important that organizations understand the data that is critical to their operations and take steps to ensure its security and resilience.
Why Your Critical Data is (Probably) Not Fully Secure
When securing their data, organizations typically focus on databases and known file storage locations. These are where data will be held based on the design of their business processes and supporting network architecture.
However, data has a habit of making its way to unintended places as a result of onerous process design, system failures or constraints and ambitious performance targets that mean employees create workarounds to achieve them.
Data can enter the business through channels excluded from designed data flows, for example through email systems and instant messaging platforms. Collaboration tools, such as Microsoft Teams, increasingly used by organizations alongside email and traditional file storage, are often used to share this data.
Without adequate security controls in place, these unstructured and unintentional data stores can present a significant risk to critical data. In many cases, organizations don’t know this data exists in many of these locations, some of which may be held on vulnerable systems or exposed on public-facing infrastructure.
Protecting Your Critical Data
There are three key steps to protecting critical data:
- Identify — Organizations who have defined their critical data can deploy evidence-based discovery tools to identify all the places it is stored across their on-premise and cloud-based environments. With the right tool, organizations can identify this data in both structured and unstructured formats, crucial for identifying unauthorized and unexpected stores of critical data.
- Verify — Where unexpected data stores are identified, they need to be verified. Working with data owners and those that use the identified data, this step considers whether the data is, in fact, critical data, evaluates its criticality and determines how it should be treated. It also investigates why the data ended up in an unauthorized or unexpected location, so that process- or system-related issues can be resolved.
- Protect — Unexpected stores of critical data are remediated according to their criticality and based on the treatment decisions of the previous step. This may mean deleting, masking, encrypting or quarantining this data. This step ensures that the data is protected wherever it is stored and removes unauthorized data stores while ensuring that business operations are not affected. It is also an opportunity to remediate the process- or system-related issues highlighted in the previous step and prevent recurrence of them in the future.
To find out how data discovery can help improve your business resilience, download your free copy of our white paper, Data: The Cornerstone of Organizational Resilience
