First, there is the reputational damage that comes from leaked data. Then there is the cost of cleanup, which typically runs between $3.86 million and $8.64 million. Finally, there are regulatory repercussions from violation of the patchwork of rules that govern financial data, including the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), California Consumer Protection Act (CCPA), and others.
Sensitive data that is insecure is the stuff that keeps security and compliance professionals up at night. And the scary part is that it happens all the time. Roughly 73 percent of businesses admit that they have encountered sensitive data leaks in the past year, according to Microsoft research.
Due to the high cost and stringent regulations around customer financial data, mitigating the risk of financial data exposure is a critical task for businesses that interact with such data.
Broadly, there are five key steps for ensuring that businesses are doing all they can to protect this sensitive data in an age where shadow IT is proliferating, employees are increasingly working from home on personal devices, and new technologies are opening up additional threats for data exposure.
Step 1: Define the Scope of Data to Protect
Customer financial data encompasses many possible pieces of data that can exist on many different systems and in many different formats.
Before customer financial data can be secured, it is important that security professionals define all the types of financial data that must be secured, including account details, financial records, recorded financial histories, personally identifying information (PII), etc. The formats and locations where this data might exist also must be defined, including the universe of possible databases, spreadsheets, reports and call recordings where customer financial data might live.
Undefined data cannot be protected.
Step 2: Categorize the Data
The security systems and procedures for customer financial data will vary depending on the category of data. The way that financial transaction information is handled and secured likely will be slightly different than the way a company handles data that gives access to a financial account, for instance.
So once the scope of customer financial data is established, categories should be defined for the various ways this data might need to be handled—and each type of data should be mapped to the appropriate categories. This categorization should factor in the various regulations that apply to the organization so data that is regulated by a given law is appropriately tagged and processed according to its regulatory requirements.
Step 3: Discover Where the Data Lives
The intended location of customer financial data is not where it always lives in practice. Even if there are strict protocols for handling customer financial data, it often is the case that some data has leaked out into other systems or migrated unintentionally to employee devices in the normal course of business. There might even be data stores that have gone unnoticed and contain customer financial data, such as a backup server that unintentionally houses customer reports.
Perform a scan of all corporate resources so the true location of all corporate data is known. This scan must be comprehensive so all data can be discovered and protected. Solutions such as Qohash Qostodian can discover and inventory data in more than 1,000 different file formats across both company-owned and employee-owned devices and cloud services.
Step 4: Tag Data by Category
Automating security and compliance processes is essential for securing data appropriately. For automation to apply the right security and processes, however, each piece of data must be classified so automation processes know when and how to act.
So once the full universe of corporate data has been uncovered by data discovery, the next step is labeling each piece of data with the appropriate classifications as defined earlier in the categorization step.
Most businesses will want to leverage data discovery and classification platforms such as Qostodian to automate the classification process, combined with a manual review of the classification to make sure all data is labeled correctly. If a modern classification solution is used for the tagging, this manual review mostly will entail double-checking that data has been classified appropriately.
Step 5: Secure Data According to Classification
Then there is the actual securing of customer financial data, the critical step that only can come after scope and categorization have been defined, as well as discovery and data tagging.
While the methods that a business uses to secure customer financial data will vary, they likely will include strict access controls, data encryption both in transit and at rest, firewalls and real-time threat scanning, and automatic logging of all data access, among other methods.
Security methods and processes likely will vary depending on the classifications that have been established earlier.
Whatever security methods are employed, the key takeaway is that securing customer financial data—or any sensitive corporate data resource, for that matter—hinges on discovery and classification. More than 90 percent of data breaches occur because of human error, and a failure to have the right preventative measures in place enables these errors. When sensitive data is known and classified, appropriate safeguards such as access controls and monitoring can be put in place.
For more on Qohash Qostodian and how it can simplify data discover and classification, schedule a demo.