The average total cost per data breach for a U.S. company is $4 million, not to mention reputational damage to the brand and possible litigation1 . No entity is immune from ransomware gangs, careless employees exposing records and hackers. This makes securing sensitive information, such as personally identifiable information (PII) — account numbers, social security numbers, telephone numbers and the like–more critical now than ever.
There’s an opportunity for companies to create a better process for identifying and securing PII to preempt risk. It’s no easy task, but data analytics can help.
Securing rogue data with big data
Given the seriousness of a data breach in compromising the privacy of individuals, companies typically act quickly to remediate the situation. This often includes locating PII in different areas across the organization’s network environment and other data stores, and doubling down on implementing policies and processes to ensure that PII related content is controlled.
While these are good first steps, they’re reactive. To mitigate future risk, savvy organizations are going a step further to proactively reclaim and secure all PII related content within the organization using an analytics-based strategy.
Here’s how one company addressed this problem after discovering data in a place where it shouldn’t have been:
First, the company needed to confirm that internally sensitive information, in addition to PII, was accessed only by individuals who were authorized to do so. All documents accessible by employees with standard system rights (e.g., network and SharePoint) were analyzed. Software searched for data patterns using keyword and regular expression to search hundreds of file formats, developing an index of “hits” (documents containing sensitive information) and “non-hits” (content without sensitive information). The “hits” were ingested into an analysis and review platform (in this case, Viewpoint), which the company had installed as a temporary mobile platform in its data center.
At the next level, Viewpoint ran analytical models to provide a deeper and more intelligent level of analysis to isolate sensitive data. Limited data sets of text and metadata were then transferred for analysis to a big data analytics platform that identified data trends that were then applied on subsequent scans, enabling a higher level of accuracy with each iterative scan. Subject matter experts then reviewed data flagged as containing potentially sensitive information; this intelligence was used to further enrich the analytics model.
The analytics then assessed documents containing PII and other sensitive information—regardless of user permissions—across the entire organization’s data stores, providing a holistic assessment of where sensitive data resided that might not be within the expectations of proper control of the company. This analytics approach gave corporate stakeholders assurance that the company had taken proactive steps to protect the assets of the company and its sensitive information.
Managing PII risk is risky business, but it’s not just personal
As this scenario illustrates, data breaches could involve far more than PII; virtually any type of sensitive information that is exposed could harm the company, such as pricing information, IP, product plans, sales and marketing data, accounting records, and more.
In light of the significant costs associated with data breaches, companies can ill afford to wait until they experience the next one to implement protective measures to understand where their sensitive data resides, how to reclaim it, and how to secure it.
1 Ponemon Institute’s 2016 Cost of Data Breach Study;