When Data Becomes a Problem
Last week, Bruce Schneier penned an excellent article that posed a straightforward question: Is Data a Toxic Asset? As Schneier is one of the world’s leading experts (if not THE leading expert) on all things information and “cyber” security, I recommend that every IT professional read it.
In his view, personal data, which companies routinely collect, harvest, process and disseminate, poses an enormous security risk if it’s not properly secured. In an age of the “big data” explosion, saving personal data is cheap, which in part explains why organizations are in ‘save everything’ mode. Yet personal data carries enormous risk, as he writes:
“All of this makes data a toxic asset, and it continues to be toxic as long as it sits in a company's computers and networks. The data is vulnerable, and the company is vulnerable. It's vulnerable to hackers and governments. It's vulnerable to employee error. And when there's a toxic data spill, millions of people can be affected. The 2015 Anthem Health data breach affected 80 million people. The 2013 Target Corp. breach affected 110 million.
This toxic data can sit in organizational databases for a long time. Some of the stolen Office of Personnel Management data was decades old. Do you have any idea which companies still have your earliest e-mails, or your earliest posts on that now-defunct social network?”
He is spot on. The real challenge is that most companies simply can’t keep up with the data explosion. There’s a huge market for business intelligence and analytics solutions that, broadly speaking, try to make sense of organizational data by providing “insight” into customer behavior. These types of solutions are very attractive to high-level decision makers in organizations, but those decision makers often fail to grasp the inherent risk of personal data that inevitably remains exposed inside their environments.
Securing personal data inside a company’s network is often the job of a Chief Information Security Officer, or an IT security team, but studies indicate that these teams remain focused on safeguarding the network perimeter from would-be attackers. As a result, sensitive data often remains exposed at the application level. The distinction between protecting the network vs. protecting the application is important. The vast majority of data breaches occur as a result of compromised credentials, so cyber thieves can penetrate the network by simply posing as an authorized user with a stolen user name and password.
C-Suite executives in companies that use SharePoint need to grasp this dynamic threat landscape. Data breaches needn’t be perpetrated by organized criminal syndicates in far-off countries. Often the biggest threats are internal. Disgruntled employees are quick to find and exploit a weak link in an organization’s security chain, and well-intentioned employees are prone to human error, which can result in serious data exposure as well.
So, what’s the solution? It begins with proper SharePoint governance. Organizations are increasingly storing personally identifiable information (PII) inside SharePoint sites and libraries. Whether it’s employee personnel records, health insurance information, or financial documents, that data exists in most SharePoint environments and is an attractive target for cyber thieves. When permissions have been broken on a Human Resources site, or when this type of data has been accidentally uploaded to a public site, it’s exposed. And this is exactly why Bruce considers it a toxic asset.
Turning potentially toxic assets into actionable business takes not only knowledge but also perseverance and a commitment to making sure that your company’s data doesn’t end up in the wrong hands.