Data security is an integral part of an organization’s cybersecurity program. Understanding what confidential data an organization is storing and where the confidential data is located within the organizational IT infrastructure (stored in-house or in the cloud) is key to properly assessing the risks to the data and the organization, as well as developing and maintaining the necessary cybersecurity controls around the data to protect it.
Understanding an organization’s data security needs becomes even more important during times like these, when many non-for-profits and smaller organizations have been forced to shift from their traditional physical work environments to virtual and remote settings. Often there are no policies and procedures in place that prescribe safe methods of accessing data remotely when not within the organization’s internal network. Is the data that is required to run business operations even remotely accessible? If it is, can it be accessed securely without increasing the risk of exposing confidential data to the wrong hands?
Key to data security is knowing what data is being stored. Often organizations store confidential data even if it is not necessarily required for day-to-day business. For example, if a non-for-profit organization collects names and email addresses for an email newsletter, is it necessary to collect and store mailing addresses as well? Doing so increases the overall threat surface of the organization, creating unnecessary risk of exposure of confidential data. Many privacy laws give guidance around storing privacy-related data. The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, for example, mentions several principles that should be taken into consideration by organizations when storing confidential personal information[1]:
- Transparency – Document and make available policies and practices as they relate to the management of personal information
- Lawful basis for processing – Obtain consent to collect, use and disclose personal information
- Purpose limitation – Identify the purpose for which personal information is collected
- Data minimization – Limit the collection of personal data to what is necessary to fulfill the purposes identified
- Proportionality – Only collect as much data as you need
- Retention – Retain data only for as long as necessary to fulfill the purposes for which it was collected
Additional principles outlined by PIPEDA include:
- Accountability – The organization needs to protect personal information under its control; this includes personal data that is being transferred to third parties (i.e. cloud service providers) for processing and/or storage
- Safeguarding – An organization should implement technical, physical and administrative measures to reasonably protect personal information
- Accuracy – Personal confidential data should be complete (within the limits of the data that is being collected) and kept up to date
It is important to note that, depending on the jurisdiction you are in, different regulatory privacy legislation may have to be taken into consideration, for example in Alberta, British Columbia, California and others. Please consult with a legal privacy subject matter expert in your area to determine applicability and impact to your organization.
Taking these principles into consideration should allow an organization to minimize the personal confidential data that is being collected from individuals, as well as reduce the overall volume of data an organization retains and has under its control and is required to protect. For non-for-profits and small organizations that do not currently have a data protection policy, the International Association of Privacy Professionals (IAPP) has made available a template prepared by IT Donut.
Another key consideration for data protection is where the data is stored in the organization’s infrastructure. Many smaller and non-for-profit organizations store their data locally on in-house systems. The way data is stored often organically grew as the organization evolved. Storing data within the organization has its advantages in having seemingly direct control over the data. However, all too often, due to limited resources and cybersecurity knowledge, in smaller organizations no data protection policy has ever been put in place to protect confidential data. For example, confidential individual or organizational data should never be stored on employees’ computers or devices. To do so increases the risk of confidential data leaking out of the organization through unintentional loss or theft of a device or devices.
Furthermore, data that resides in an organization can create accessibility issues as the organization grows or when it is forced to work remotely, similar to what we are experiencing in this current social distancing situation. Accessing data remotely when it is stored in-house can be challenging and can pose increased risk of exposure of the data without the proper security controls in place that are regularly tested and reviewed. When data resides on an internal network and is not properly protected, the impact of a breach can also be more significant, since an attacker or ransomware can easily find their way around the internal network and locate or encrypt confidential data before anyone is aware of the intrusion.
Alternatively, if an organization chooses to utilize a cloud service provider to store its data, it may be able to offload some of the data protection responsibilities, provided the organization does its due diligence in understanding the security controls of the service provider. While the data is removed from the organization’s direct control, reputable cloud service providers utilize the latest security technologies to protect clients’ confidential data and often have superior security controls to those of a typical small organization or non-for-profit with limited resources and budgets. It must, however, be remembered that the organization is still the owner of its data, is responsible for safeguarding it, and must do its due diligence.
This is a unique time in which many organizations are discovering what aspects of their business may be conducted virtually. Those that are seeing advantages or benefits and have confidential data stored internally may wish to explore cloud-based options, as these can offer small businesses and non-for-profit organizations possible benefits such as increased security controls as well as possible cost savings.
In summary, as part of a cybersecurity program, organizations need to understand what personal confidential data they are storing and why. The less being stored, the lower the risk of exposure. Also, understanding where the personal confidential data is stored will allow for better alignment of security controls to reduce the risk of exposure. This information will also be important in the case of a breach to the organization, helping to determine whether a breach of personal confidential data has occurred and whether the privacy commissioner and impacted individuals need to be notified, and to what extent.
If you would like to share or comment on this topic, please visit the article published on LinkedIn.
Disclaimers:
- All views expressed in this article are my own and do not represent the opinions of any entity with which I have been, am now, or will be affiliated.
- The information provided in this article is for educational purposes only and provided “as is”. By no means is the information provided intended to prevent breaches from occurring. As with all matters please seek professional guidance to address the unique cybersecurity risks and needs of your organization.
- External links are not an endorsement; they are simply mentioned to give organizations an example or starting place for developing their own policies specific to their organization’s needs.
[1] With input and references from https://www.osler.com/osler/media/Osler/reports/privacy-data/Data-Protection-Laws-in-Canada-2018.pdf