Do you REALLY know where your sensitive data is right now?
Poor visibility of where certain types of data are kept and used across an organisation can leave companies vulnerable to information breaches, with a risk of penalties or worse if sensitive data gets into the wrong hands. It can also undermine strategic attempts to consolidate diverse information sources and unlock meaningful business intelligence from them. So what is needed to restore the balance between essential data protection and value-added data exploitation? James Paton, CEO of SynApps Solutions, offers an analysis.
Before excessive media commentary and scare-mongering around the EU's updated General Data Protection Regulation (GDPR) began to numb business leaders to the wider implications of data treatment, the main thrust of business-related data initiatives was around how to use information more intelligently – by combining it and analysing it in new and smarter ways.
But if the run-up to GDPR drew attention to one thing above all, it was organisations' lack of insight into where certain types of data – particularly potentially sensitive data – exist across their operations, and the extent to which this exposes them to risk and/or prevents them from harnessing its intrinsic insights to their full capacity.
This has much broader implications than compliance-related headaches. If intellectual property is dispersed across people's laptops, desktops and different departmental servers, for instance, locking this down so that it doesn't get into the wrong hands becomes very difficult. This is because no one really has visibility of where points of vulnerability might exist; they don't know what data is stored and copied where.
Poor data visibility can also compromise consolidation initiatives, where information managers want to bring all related data together in a central repository. Security assessments and tightening of controls, and even initiatives to move data to the cloud as part of digital transformation programmes, are further drivers for organisations to get a better handle on where all of their sensitive data currently resides.
And, beyond GDPR, there are numerous other regulatory drivers for organisations to have deeper insight into where sensitive data resides and how it is handled. In retail, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a major challenge, for example; it applies to any merchant or service provider that stores, processes or transmits cardholder data from the major card schemes. Listed companies, meanwhile, must keep track of market-sensitive information and be able to report on where it is under market abuse regulations. And public sector and health organisations must be vigilant about sensitive citizen/patient data. The list goes on.
Sensitive data - discovered as a service
All of these requirements and shortcomings, in turn, have given rise to innovation in 'sensitive data discovery' – managed services that any organisation can tap into when it needs to trace and report on where particular types of data exist.
Run securely in the cloud or in a company's own data centres, and fully resourced with highly qualified engineers, such hosted services remove a great burden from IT/compliance departments. It becomes possible to scan for instances of sensitive data across whole IT estates and to generate board-level reports on demand, without having to allocate dedicated internal resources.
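As an added illustration (not code from SynApps or from the original article), here is a minimal version of the scan such a service automates. It sweeps a set of text sources for candidate payment card numbers, keeps only those that pass the Luhn check so that look-alike digit runs such as order numbers and timestamps are not reported, records a masked value so the report itself does not become a fresh copy of the sensitive data, and rolls the findings up per source. The file names and contents below are constructed sample input; a real deployment would walk file shares, mailboxes and databases rather than an in-memory dictionary.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit string. Deliberately loose: the Luhn check
# below does the real filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits (the PCI DSS display allowance); star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str    # where the data was found (path, share, table, ...)
    line_no: int   # 1-based line within that source
    masked: str    # masked PAN, safe to put in a report


def scan_text(source: str, text: str) -> list[Finding]:
    """Find Luhn-valid card numbers in one text source."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings


def scan_corpus(files: dict[str, str]) -> list[Finding]:
    """Scan every source in a name -> contents mapping (stand-in for a file-share walk)."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Per-source hit counts, the kind of figure a board-level report rolls up."""
    return dict(Counter(f.source for f in findings))


# Constructed sample corpus (not real data): two genuine test card numbers,
# one number that fails Luhn, and look-alike digit runs that must not be reported.
SAMPLE_FILES = {
    "finance/refunds-2019.csv": (
        "id,card,amount\n"
        "1,4111 1111 1111 1111,19.99\n"
        "2,5500-0000-0000-0004,5.00\n"
    ),
    "hr/expenses.txt": (
        "Order 1234567890123456 shipped 2019-03-01\n"
        "Amex on file: 378282246310005\n"
    ),
    "docs/changelog.md": "Build 4111111111111112 failed at 10:30\n",
}

if __name__ == "__main__":
    findings = scan_corpus(SAMPLE_FILES)
    for f in findings:
        print(f"{f.source}:{f.line_no}: {f.masked}")
    print(summarise(findings))
```

Two points matter for a real estate-wide scan: the pattern alone produces a flood of false positives (the 16-digit order number and the "Build" identifier above both match it), so a validity check such as Luhn is essential before anything reaches a user or a board report; and the scanner must never write the raw match anywhere, because a findings database full of clear-text card numbers is itself a PCI DSS scope problem.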
For organisations that want to go further, there are value-added services that can analyse the findings at a more detailed level, and suggest ways to bring sensitive data under more effective control.
By overcoming previously poor visibility to provide comprehensive sensitive data discovery, this kind of service can empower businesses to progress their bigger projects, such as digital transformation and cloud migration, fulfilling the CxO strategic agenda.
Driving better user behaviour
Using a sensitive-data discovery service becomes even more powerful where end users are engaged and involved in the remediation process, if sensitive data is found to exist where it shouldn't – for example, unprotected on someone's laptop. Alerts to individual users can prompt them to take appropriate remedial action in line with company policy.
Where all such activity is recorded and monitored, this alleviates the pressure on internal compliance teams to interpret and react to all of the findings from a data scan – which could run into thousands of information policy contraventions that need to be addressed. It also has the added benefit that, if an audit is launched, the organisation has a comprehensive record of all the steps that have been taken.
Beyond board-level HERO reports and information for internal governance purposes, data discovery services can also report on organisations' exposure to risk, with associated values and ROI metrics – so companies can see issues that are still outstanding, what it would take to remediate them, and what intrinsic value that would have.
One of the most persuasive arguments in favour of using such services is the speed of deployment, and of getting actionable results – within just a few hours, or half a day. This means IT teams could very efficiently and sustainably scan their organisations' entire digital estate – across multiple systems and operating environments – on a quarterly or annual basis.
Data discovery as-a-service, and the 'sensitive data' variety in particular, is a potential game-changer for organisations seeking to regain control of their diverse information assets – in the public or private sector, and whether the priority is compliance alone or a combination of compliance and the drive to extract greater business value from the company's combined intelligence.