With strict new cybersecurity laws like GDPR in Europe and established standards such as PCI DSS and the Australian data privacy legislation, organisations are being held to account for the steps they take to keep people’s data safe. While these standards are certainly positive steps forward for data security worldwide, they can pose several difficult and expensive challenges for businesses. But data security is nothing new, so there are several methods available to organisations to help them to keep their data secure. Sensitive data masking is one such method and it is an extremely effective way of ensuring that sensitive data is kept safe by rendering it impossible to interpret.
First of all, we need to establish exactly what sensitive data means. Sensitive data is any information that must be protected because its value depends on it being kept secret. For example, credit card data is sensitive because it can be stolen and used to purchase goods and services by someone who does not own the card, with negative consequences for the card's actual owner.
Other forms of sensitive data include names, addresses, phone numbers, gender, religion and employee information. This type of data is extremely valuable to cybercriminals because it can be sold on the dark web so that criminals can assume fake identities. In many countries around the world, identity theft is a serious crime.
Organisations that store this sensitive data have a duty of care to keep it secure because it has been entrusted to them by their customers. The aforementioned laws and standards (GDPR, PCI DSS) set out a list of requirements to help organisations understand what they need to do in order to minimise the risk of sensitive data being lost.
These laws and standards help to point organisations in the right direction by providing guidelines, but there is also the incentive to avoid the costly fines that can ensue if regulators find that an organisation is not adhering to its compliance obligations.
GDPR, for example, threatens extremely heavy financial penalties for companies that do not adhere to the regulation's strict compliance requirements. The fines can total as much as 4% of the organisation's global annual turnover or twenty million euro, whichever amount is larger. This scale of fines ensures that even extremely large multinational organisations take heed of the legislation. This can seem like an extremely daunting challenge to many organisations, but with the correct processes in place, compliance can become a business-as-usual process.
Ground Labs' Enterprise Recon software can be used to scan for sensitive data in locations where the user would not expect to find it. The user can then remediate this information by performing sensitive data masking, provided it is a data type that supports masking, such as a credit card number.
Enterprise Recon gives the user the power to take control of their data and take positive remediation action over the data they have stored in their network.
For example, credit card data is often stored by organisations in order to process transactions. This data is kept in a predetermined format such as the card number (16 digits), name, CSV and expiration date. When masking this data by masking out the middle six and last four digits of each credit card number, the data is secured by being rendered unreadable to unauthorised personnel. Masking is a destructive data remediation technique, so it is important to be aware that any masked data may be impossible to retrieve once it has been redacted.
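As an added example (not Enterprise Recon's own code), the following Python scanner finds 16-digit card-number candidates in text, keeps only those that pass the Luhn check to reduce false positives, and masks them using the scheme described above (middle six and last four digits replaced, first six and the original separators preserved). The sample text, the test card number and the mask character are constructed assumptions.

```python
import re

# Constructed sample text using a well-known test card number, not real card data.
SAMPLE_TEXT = "Order 1042 paid with card 4111 1111 1111 1111, exp 12/26"

# 16 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 1 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str, mask_char: str = "X") -> str:
    """Mask the middle six and last four digits of a 16-digit PAN (as the text
    describes), keeping the first six visible. This is irreversible: the
    original digits are discarded, so keep a backup if retrieval may be needed."""
    if len(digits) != 16 or not digits.isdigit():
        raise ValueError("expected a 16-digit PAN")
    return digits[:6] + mask_char * 10


def scan_and_mask(text: str):
    """Mask every Luhn-valid 16-digit candidate in text, preserving separators.
    Returns (masked_text, number_of_cards_masked)."""
    hits = 0

    def repl(m: re.Match) -> str:
        nonlocal hits
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # looks like a card number but is not; leave it
        hits += 1
        masked = iter(mask_pan(digits))
        # Re-insert the original separators so the stored format is unchanged
        return "".join(next(masked) if ch.isdigit() else ch for ch in raw)

    return PAN_RE.sub(repl, text), hits
```

Candidates that fail the Luhn check (for example an order or invoice number that happens to be 16 digits) are left untouched, so only genuine card numbers are destroyed.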
Masking sensitive data can be an important part of many compliance requirements for standards such as GDPR, PCI DSS and HIPAA.
Sensitive data masking is an important step in achieving PCI compliance specifically. Data masking for credit card information is useful because it retains the format of the credit card data without revealing any usable sensitive data to attackers.