Data breaches are at an all-time high in 2017. Many organizations cover data under one big security blanket. But what if you’re missing some of the biggest contributing factors to securely protecting your data?
Not all data is (created) equal. It’s a simple concept that often gets lost in the driving need to keep intruders out of protected information. To combat this, start with data identification. Determine what data is the most sensitive, as well as what has the most value to hackers. These may not necessarily be the same thing, though some data, e.g. social security numbers, is both valuable and sensitive. By classifying data by sensitivity, you can focus your efforts on protecting the most valuable data. This reduces the inconvenience and cost of trying to protect all data.
Know what data should be accessible to employees. Determine who really needs access to data and how much access they require for their role or job function. Does billing really need the same access as the medical technician? Should HelpDesk truly have the same access protocols as the CISO? It’s important to understand who is accessing data, when, where and why (that’s where audit logs come in).
Educate your workforce. Remind them that having access to data doesn’t mean they have the authority to share that information. Much like sharing a secret means it’s no longer a secret, sharing personal data with a work colleague can be a privacy breach. Lastly, just because an employee CAN have access to data, doesn’t mean that they SHOULD access it.
There are many components involved when you’re managing and protecting sensitive data. From the potential for internal bad actors to malware in phishing emails, to unlocked or lost mobile devices or a missed security update, there are lots of moving pieces to track in disparate systems. The tricky part is that each use places data in another situation that may incur additional risk. So, if you’ve put in place encryption and strict access controls, that’s great, but expensive tools don’t address the issue of someone publishing sensitive data online.
Technological advances need to be layered with human readiness. No matter what your current cybersecurity program does, if it isn’t set up to help you manage all the separate pieces in one system, it’s time to re-evaluate. MyVCM can not only help your employees understand where the data lives, but also help you promote understanding of when they should access it, how it should be used, and how it’s being protected. Contact us today to learn more about how MyVCM can help your organization protect data.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at email@example.com.