<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1175921925807459&amp;ev=PageView&amp;noscript=1">
Vendor Risk Management

5 Examples Of Sensitive Data In Your Network (& How To Protect It)

Dan Dahlberg | April 28, 2017

As a security professional, it’s critical to understand the many ways data could be inadvertently exposed. But first, let’s define what sensitive data actually is, as people often have different ideas. 

Sensitive data is critical, safeguarded information. You can think of it as anything your organization, your employees, your customers, or your third parties would expect to be private and protected.

Below, we’ve outlined five examples of sensitive data your organization likely handles—and a few key things to remember when handling that data.

5 Examples Of Sensitive Data Flowing Through Your Network

1. Customer Information 

Customer information is what many people think of first when they consider sensitive data. This could include customer names, home addresses, payment card information, social security numbers, emails, application attributes, and more.

2. Employee Data

Employee data is, in many ways, similar to customer information. You have your employee’s names, addresses, and social security numbers, and you may also have their banking information (for payment purposes), usernames and/or passwords, or data associated with a credentialing process.

3. Intellectual Property & Trade Secrets

Nearly every company has—or has access to—proprietary information of some sort stored in their network, with a third party, or in some kind of document management system. For example, if you develop software, this could be code; if you’re a hardware developer, this could be schematics. It could also extend to product specifications, competitive research, or anything that would fall under a non-disclosure agreement with a vendor. For example, let’s say company A is developing a phone and company B is helping with a design component. If company B is breached, company A is vulnerable to having sensitive information exposed—which could be catastrophic.

4. Operational & Inventory Information

This would encompass any generalized business operations or inventory. For example, if you sell physical products, you likely don’t want your sales figures disclosed—making them sensitive information as well.

5. Industry-Specific Data

Depending on your industry, there may be specific sensitive information you need to protect. Those in retail have to focus on protecting customers’ payment data, whereas those in the healthcare sector have to focus on health-specific data.

It’s important to note that customers aren’t always aware they’ve provided you information—or where that information is living. For example, patients in a hospital provide information to their health care providers, but if that information is housed through a third-party, the patient may not know that their personal data is susceptible to risk.

Protecting Sensitive Data: 4 Things To Keep In Mind

Once you’ve identified the data you need to protect, it’s time to act. Keep the following four things in mind during this process:

1. Have the right organizational structure in place. To successfully manage sensitive information you need to have the right people in place. This should include a cross-organizational team comprised of people from different functions and positions who work together to identify cyber risks and are proactive about fixing them.

2. Make sure the right internal data controls are in place. Every employee in your organization should understand the criticality of cybersecurity for the sake of data protection. Thus, they should be trained on the data safety protocols your organization deems appropriate (per your acceptable use standards). Additionally, you’ll want to take inventory of who has access to your sensitive data and whether that access is warranted.

3. Implement a comprehensive third-party risk management (TPRM) plan. TPRM encompasses the measures your organization takes to prevent issues caused as the result of third-party or vendor relationships. While every company tries to assess those risks at the outset, you should have an ongoing plan to manage it that includes the following steps:

a. A current list of tiered third parties. Knowing every single vendor connected to your organization is important—but tiering those vendors based on how much sensitive data they have access to (or how much access to your organization they have) is even more critical. For proof, just look at Target’s 2013 breach that compromised the sensitive information of over 70 million customers. It was caused by a breach to the store’s HVAC vendor, allowing the hackers to gain access to Target data. It doesn’t matter whether the vendor is small or seemingly insignificant. What matters is how much access they have—because that access could cause major damage in the event that the vendor is compromised.

b. A current cybersecurity assessment of top-tier vendors. You then need to know how your vendors are performing as far as cybersecurity is concerned. Send over a vendor questionnaire, perform an on-site assessment, review their documentation, and possibly perform a penetration test. Keep in mind this information is only valid for the exact time you gathered it.

c. A review of current vendor contracts. Once you’ve gotten a better idea of how your top-tier vendors perform in the cybersecurity space, you need to be sure you’re contractually protected. When you go back through your current contracts (and evaluate how future contracts should be put together), consider what level of security each vendor needs to meet, what standards they should go by, and what you should hold them accountable for. If this information isn’t in writing, it’s useless.

4. Implement the right technology to protect your data. The technologies you have in place should be set up to eliminate (or at least reduce) sensitive information being leaked or compromised. Specifically, it’s important to have software in place to continuously monitor the cybersecurity posture of your critical vendors. BitSight provides historical information about your vendors in the form of a security rating — similar to a consumer credit score. Because cybersecurity is a critical topic in boardrooms today, having access to vendor Security Ratings could help you understand whether or not your sensitive data may be at risk.

Begin protecting your sensitive data today.

Do you know how secure your third party vendors are? Get a customized assessment of your third-party cyber risk and learn how to grow your third-party risk management program with BitSight Security Ratings.

 

Suggested Posts

Worthwhile TPRM Certifications for Security & Risk Professionals

As the importance of third-party risk management (TPRM) continues to grow, organizations are hiring for related roles more seriously than ever before. To compensate, security and risk professionals are seeking out certification programs in...

READ MORE »

Which Third-Party Risk Management Tools Do You Really Need?

With high-profile breaches being traced back to supply chain vulnerabilities and a regulatory environment that’s waking up to the realities of vendor risk, many organizations are investing heavily in third-party risk management (TPRM)...

READ MORE »

New Study: Organizations Struggle to Manage Cyber Risk in Their Supply Chains

A new report from McKinsey & Company sheds light on something we’ve known for many years – organizations are struggling to make significant progress in managing cybersecurity risk in their supply chains.

READ MORE »

Subscribe to get security news and updates in your inbox.