What Is Sensitive Data & Why You Need To Protect It

As a security professional navigating the new challenges 2020 is bringing to cybersecurity, it’s critical to understand the ways your organization’s data could be exposed. Sensitive data is critical, safeguarded information. Different information can be considered sensitive depending on the industry, but in general it can be anything your organization, your employees, your customers, or your third parties would expect to be private and protected.

Below, we’ve outlined five examples of sensitive data your organization likely handles—and a few key ways to protect it from evolving cyber threats.

5 Examples Of Sensitive Data Flowing Through Your Network

1. Customer Information

Customer information is what many people think of first when they consider sensitive data. This could include customer names, home addresses, payment card information, social security numbers, emails, application attributes, and more.

2. Employee Data

Employee data is, in many ways, similar to customer information. You have your employee’s names, addresses, and social security numbers, and you may also have their banking information (for payment purposes), usernames and/or passwords used for company logins, or data associated with a credentialing process. This is sensitive information, making it critical for organizations to store it safely.

A prime example of sensitive data’s real-world vulnerability is the recent unemployment fraud that occurred across the US when thousands of fraudulent unemployment claims were filed by hacksters with access to citizens’ private information. This caused disruption not only in individuals’ lives but also internally for companies who were penetrated by hackers seeking employee information they had left unprotected, leaving them vulnerable to financial and operational losses while they worked to help their employees.

3. Intellectual Property & Trade Secrets

Nearly every company has proprietary information stored in their network, with a third party, or in some kind of document management system. If you develop software, this could be code. If you’re a hardware developer, this could be schematics.

This example of sensitive data could also extend to product specifications, competitive research, or anything that would fall under a non-disclosure agreement with a vendor. Specifically, let’s say company A is developing a phone and company B is helping with a design component. If company B is breached, company A is vulnerable to having sensitive information exposed—which could be catastrophic.

4. Operational & Inventory Information

This example of sensitive data includes any generalized business operations or inventory figures. For businesses that sell physical products, it’s likely they don’t want sales figures disclosed publicly or accessed by their competitors. Sensitive data is not always personal or individual data, but company-wide information that could impact business decisions, reputation, and operations if exposed.

5. Industry-Specific Data

Depending on your industry, there may be specific examples of sensitive information you need to protect. Those in retail have to focus on protecting customers’ payment data, whereas those in the healthcare sector have to focus more on protecting digitally-stored medical records, medical research data, to name a few.

It’s important to note that customers aren’t always aware they’ve provided you information—or where that information is living. For example, patients in a hospital provide information to their health care providers, but if that information is housed through a third-party, the patient may not know that their personal data is susceptible to risk.

This piece was originally published by BitSight in April of 2017, and has been updated as of July of 2020. This updated version includes current information about BitSight, our security rating and third-party monitoring software, and the cybersecurity space.

For more information on how to how to protect your organization's sensitive data, check out our guide to improving your security program effectiveness.