(This is the second of two articles on personally identifiable information (PII).)
Data privacy is not only a personal data issue.
Not only is PII at risk from cybercriminals, black hat hackers, cyberterrorists, nation state hackers, malicious insiders or other malevolent forces, SMBs and organizations have also been susceptible to cyber attacks that jeopardize their intellectual property (IP).
If your SMB or organization and its employees fail in information security, both your company secrets and customer data could be exposed, stolen or deleted.
Your level of data privacy determines the kind of exposure your organization wants and needs.
Privacy is also needed for legal and compliance reasons, such as legislation, rules, regulations, standards and contracts, like the aforementioned GDPR.
U.S. examples are Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act 2002, Graham-Leach-Bliley Act and Payment Card Industry Data Security Standard (PCI DSS).
Compliance audits can be costly if you are not prepared.
For example, regulations on data retention stipulate how long is data to be kept, how it needs to be secured and how it must be deleted when no longer needed.
What is Data Labeling and Handling?
Categorizing your SMB or organization’s data can be a first step to protecting it.
Certain standard data categories exist, such as PII, protected health information (PHI to be kept secure as mandated by HIPAA), and IP.
This data can then be classified according to your organization’s sensitivity needs and thereby ensured it is properly handled. The classifications available tend to agree somewhat across a range of businesses and organizations, so I have used a common set of classes: public, confidential, proprietary and private/personal.
Public refers to data that may be freely released to the public, e.g. data on a public website or public records.
Confidential refers to data with a high level of sensitivity.
Proprietary refers to marketing, brand and sensitive company intellectual property and secrets.
Private or personal data refers to a medium level of confidentiality for employee personal data points or other data shared privately.
Classifying your data can help you and your organization interact properly with that data.
SMBs and organizations should be concerned about their data’s “CIA,” cybersecurity objectives attained through the physical and software mechanisms below (warning: techie stuff coming up):
Confidentiality – example mechanisms include encryption, steganography and access controls.
Integrity – example mechanisms include hashing, digital signatures, certificates and nonrepudiation tools.
Availability – example mechanisms include redundancy, fault tolerance and updating/patching.
(Some organizations address safety as a fourth cybersecurity objective, including fencing and lighting, locks, CCTV, escape routes, and safety drills.)
What is Data Loss Prevention?
One way to attain CIA for your organization’s data is through a data loss prevention (DLP) program. Categorized data can be protected from intentional or accidental loss, misuse or exposure, any of which could put your organization at risk.
Data protections need to be concerned with data at any time.
DLP software “detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use (on endpoint devices), in motion (on network traffic), and at rest (data stored).” (Wikipedia)
DLP software can run on endpoints (laptops, desktops or servers) or on your organization’s network:
Endpoint DLP software acts through an installed software “agent” that oversees when data is created, updated, pasted, printed., copied, or even burned to CD/DVD.
Part of the strength of endpoint software is that it can even function outside the corporate network, e.g. in a coffee shop or during travel.
Network DLP software protects against data leaving company computers (in motion), i.e. blocking, quarantining, auditing, forwarding, notifying, encrypting, or moving data between computers and networks.
Network DLP can also monitor data in social media, but not off the company network or off the company virtual private networks (VPNs) used outside the office.
But endpoint DLP software can be processor intensive and having agents running could place a burden on computers.
Conclusion: Set Up Your Data Monitoring Correctly
Organizations should also consider how much data monitoring should be done technologically and effectively when considered against the effort and time invested. Some actions taken by DLP may include: alerting, encrypting, filtering and monitoring for Cybersecurity incidents and response.
DLP also addresses compliance and intellectual property, including the protection of company health and brand.
Mordor Intelligence notes that the COVID-era growth in the number of people now using mobile devices as their primary work device has created “more endpoints for the organization to secure from the rising cyber threats.”
Data is your responsibility.
Tech Kahunas is a San Diego Managed IT Services provider which provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.
Tech Kahunas will help you Defend Your Island. Set up a free 30-minute Strategy Session with us now.