Sensitive Data Storage is a Serious Security Subject
Knowing where your business stores sensitive data is a must for any organization that’s serious about its cyber security. Unfortunately, more often than not, that’s just not the case.
Alas, what most organizations seem to share is that they don’t actually know where the files are or what’s on them. Storage libraries are set up and sharing permissions handed out for access, but from then on no one pays them any attention.
That’s obviously not good from a security standpoint, but it’s not great from a legal perspective either. Any organization that collects personal information (municipalities, healthcare providers, banks, etc.) is subject to legislative rules to protect it, like PIPEDA, which can impose substantial financial penalties when personal or sensitive data is breached, stolen, lost, or otherwise mishandled. Clearly this means extra care should be taken to protect it. Of course, to protect personal information, you need to know where you keep it. Assuming you do, does anyone take the additional care needed to handle sensitive data, or is it treated just like all the other bits and bytes? Chances are the answer is the latter. I’ve done many security audits over the years and I’ve rarely seen organizations take the appropriate precautions when storing or sharing sensitive data.
There are a lot of details that go into properly securing sensitive data, to say nothing of the differing standards and the confusion they can bring about. After all, it’s one thing to meet the federal government’s standards, but then you also have to meet provincial/state requirements as well. Your business’s professional association may have its own set of standards on top of that. And then there are the changes and updates to the legislation, making proper sensitive data storage and sharing a moving target. For example, PIPEDA (Canadian federal legislation enacted in 2000) was updated in 2018 and 2019. PIPA (Alberta legislation introduced in 2004) has been updated four times since then.
There are other standards that can affect you as well, like PCI DSS, the payment card industry’s standard for any organization that stores, processes, or transmits cardholder data. That’s why it’s important to keep an eye on any and all regulations you’re subject to. Sometimes their changes can have major implications for your business and processes.
Twelfth Night supplies this newsletter’s Shakespeare quote: “I say there is no darkness but ignorance.”
If you’d like help updating your sensitive data storage standards and bringing them into compliance, contact one of our cyber security experts today for some stress-free IT.
Courtesy your friendly neighbourhood cyber-man.