Protecting Sensitive Data: 4 Things To Keep In Mind

Brian Thomas | July 9, 2020

Given the recent security breaches and reported hacking attempts, it is increasingly important for companies to have a handle on their most sensitive data. Sensitive data can include employees’ personal information, customer information, trade secrets, and any other data whose exposure to an attacker would compromise company information. To identify your organization’s sensitive data points, refer to our recent article highlighting 5 examples of sensitive data.

Once you’ve identified the data points you need to protect, it’s time to act. Keep the following things in mind when creating a process for protecting internal data, as well as data stored with third parties:

How Businesses Protect Sensitive Data

  1. Have the right organizational structure in place. To successfully manage sensitive information you need the right cross-organizational team, composed of people from different functions and positions. The team works together to identify cyber risks and is proactive about fixing them.
  2. Make sure the right internal data controls are in place. Every employee in your organization should understand the criticality of cybersecurity for the sake of data protection. They should be trained on the data safety protocols your organization deems appropriate. You’ll also want to take inventory of who has access to your sensitive data and whether that access is warranted.
  3. Implement a comprehensive third-party risk management (TPRM) plan. A TPRM plan sets out the measures your organization takes to prevent issues arising from third-party or vendor relationships. While every company tries to assess those risks at the outset, you should have an ongoing plan to manage them that includes the following steps:
    1. Up-to-date list of tiered third parties. Knowing the full cyber footprint of each vendor connected to your organization is important—but tiering those vendors based on how much sensitive data they have access to is even more critical.

      For proof, just look at Target’s 2013 breach that compromised the sensitive information of over 70 million customers. It was caused by a breach to the store’s HVAC vendor, allowing the hackers to gain access to Target data. It doesn’t matter whether the vendor is small or seemingly insignificant. What matters is how much access they have—because that access could cause major damage in the event that the vendor is compromised.
    2. A current cybersecurity assessment of top-tier vendors, so that you know how your vendors measure up against industry standards at a given moment in time. You can collect vendor assessment data through:
      • Vendor questionnaires
      • Performing an on-site assessment
      • Reviewing documentation
      • Performing a penetration test
    3. A review of current vendor contracts. Once you’ve gotten a better idea of how your top-tier vendors perform in the cybersecurity space, you need to be sure you’re protected with written contracts. When you revisit current contractual agreements and begin writing new ones, consider what level of security each vendor needs to meet and what standards to hold them to.
  4. Implement the right technology to protect your data. Technology should be used to reduce or eliminate leaks of sensitive information. Monitoring critical vendors continuously is key. BitSight provides historical information about your vendors in the form of a security rating — similar to a consumer credit score. Cybersecurity is becoming a critical topic in boardrooms today, and it’s more important than ever to have a handle on your security posture and to have procedures in place for monitoring your data security.

Begin Protecting Your Sensitive Data Today

Do you know how secure your third-party vendors are? Are you meeting all of the global regulatory requirements surrounding the storage of consumer data? BitSight helps you navigate today’s complex regulatory landscape to protect both your sensitive data points and your company’s reputation among peers.

The content in this piece was originally published by BitSight in April of 2017, and has been updated as of July 2020. This updated version includes current information about BitSight, our security rating and third-party monitoring software, and the cybersecurity space.