Privacy regulations have put more emphasis on data security. When we talk about data security and privacy, it’s often discussed as though the protection covers everything equally. But all data isn’t equal; it needs to be treated differently in each stage of the life cycle—creation, storage, usage, sharing, archiving and disposal.
According to a new study from Netwrix, most companies have excellent cybersecurity systems for some of the stages but falter at other stages. This uneven approach has made all data vulnerable, and this could have serious consequences for data privacy compliance.
“Without deep visibility into internal processes and user activity, [organizations] struggle to answer the four foundational questions of security: Who? What? When? Where? Until they gain a deeper understanding into how data lives during all stages of its lifecycle, it will keep slipping through their fingers,” the report stated.
The Data Storage Weak Spot
While every stage has its weaknesses—for example, 61% of companies say they collect more consumer data than permitted by GDPR and 46% said they had an unauthorized data sharing incident—the study found the most vulnerable stage is data storage. That’s because while companies say they are confident about the security of their data storage, the reality is much different.
“About 90% of organizations believe they have a firm grasp on where sensitive data is located, but we don’t know how many of these organizations have controls and processes in place to back this confidence,” said Ilia Sotnikov, vice president of product management at Netwrix, in an email comment. “Those with the right controls substantially limit the threat of a breach and the negative publicity and fines that come with that. In addition, by controlling their sensitive data, there is much less risk of an audit finding as privacy regulations proliferate.”
However, he added, about a quarter of those same organizations said that although their data is supposedly secure, it isn’t. And this is only the percentage that’s willing to admit this publicly. It’s not unreasonable to assume that a larger percentage isn’t really securing its confidential data, either.
Those who do admit that their data isn’t quite as secure as they thought are discovering data stored outside of the secure location, and nearly two-thirds found that data was exposed for days and weeks. IT departments aren’t helping with security, either, by granting access to sensitive data whenever requested rather than by checking authorization credentials.
“This creates all sorts of risks for an organization, including breaches, lack of customer confidence, fines and even the dismissal of the executive team, which was the case in the Equifax breach a few years back,” said Sotnikov.
Limiting the Risk
With more data privacy laws expected to come online, all of them with unique requirements, limiting the risk of a data breach is more necessary now than ever. Having a better understanding of each stage of your data life cycle to meet GDPR and CCPA compliance requirements today will give you a head start on preparation for New York’s law and other laws in the works.
To limit this risk, Sotnikov advised, organizations need to secure their data. But the reality is, you can’t really secure it all. Organizations need to first find and classify their sensitive data—that which contains private consumer, student, patient, citizen and customer information.
“Once this sensitive data is found, organizations can prioritize how to secure the information, potentially limiting where it can be stored and establishing the right permissions and controls for these locations,” he added. “But the most critical priority is not to fall prey to a false sense of security once this is done.”
Sotnikov recommended organizations establish ongoing processes to ensure this sensitive data does not sprawl outside of secure locations. Also, organizations need to audit how well data access and usage policies are working and adapt the controls and policies over time as needed.
The better you understand your data’s lifecycle stages, especially data storage controls that often rely on third parties, the more effective your security will be. Equally important is not putting so much trust into your storage systems because they likely aren’t as secure as you believe.
— Sue Poremba