How Data Discovery Tools Can Help Zero-in on Data Non-Compliance

In many organizations, traditional methods of data storage have been ad-hoc with data security procedures not being given due consideration. For instance, let’s take the example of banks and the payment card industry. During the process of enrollment, customers are often asked to fill out their data in a physical form. The information in these forms is then manually entered into the system often in an unencrypted format. In many cases, the forms are scanned physically and stored in the system. There are no specific guidelines on how scanned data is to be stored in the system or emailed within the organization, such that it is not vulnerable.

A large majority of data breaches occur due to inadvertent storage of sensitive data. Generally speaking, the term sensitive data relates to any information whose unintended disclosure, modification, or loss could result in significant financial, legal, or reputational impacts to an organization or an individual.  This includes data such as Social Security Numbers (SSNs), credit/debit card numbers, Personally Identifiable information (PII), Passwords, Biometric Data, Medical Records (PHI), State identification card numbers, Trade secrets and digital signature, etc.

Keeping sensitive information secure from theft and vulnerability in today’s digital world is not as easy as putting a lock on the file cabinet – especially with the widespread adoption of cloud computing. Even if you take every precaution with your online accounts and identifying information, there are many ways that information can land in another individual or company’s data management systems, where it can then somehow be made vulnerable to data theft or data leakage.

At SISA we have scanned thousands of computers/servers/storage devices/emails/databases etc. and identified sensitive data in audio files, images, screenshots, scanned copies, log files, temp files, recycle bin, excel sheets, notepad, xml files, webpages, compressed/ zipped files and many other files.

Let’s say your company has designed an application such that it does not capture sensitive data. But someone may accidentally run the application in debug mode, so it captures sensitive data. There could be even more simple instances like an employee emailing sensitive information to a colleague innocently during the course of work. As per Shred-it’s 2018 State of the Industry Report, 84% of C-suite executives and 51% of Small Business Owners in the US who participated in the survey said that employee negligence is one of their biggest information security risks. Also, this threat is further magnified when employees work remotely.

During the process of scanning voice data for organizations such as BPOs, banks and insurance companies, we’ve often found a lot of sensitive data imbibed in the recorded voice conversations. Similarly, on several instances, we have found sensitive data in image format such as .jpg .gif .png .bmp and many other extensions. Companies can easily avoid such data breaches by actively observing their practices and incorporating data discovery programs.

When an organization tries to become compliant, however, there are very strict guidelines that require that there should be no redundant or unauthorized data stored in the system. Uncovering this non-compliant data is very tough. Often, this is hidden away in obscure systems or buried under layers of folders.

Companies sometimes try to use manual searches to track down this data. However, given the huge volumes of data that every organization possesses, it is physically impossible to dig through all the data in an effort to find non-compliant data. Therefore, manual testing can only be done on a sample basis, which severely impacts its effectiveness and accuracy. Therefore, in most cases, manual methods to ensure compliance are simply not sufficient.

The other approach that organizations take in order to save costs is to use free open source tools for payment data discovery. While these perform the task better than manual methods, there are inherent risks associated with using software downloaded from the Internet. It can bring in malware etc. which can severely compromise company data.

For companies involved in issuing or processing payment data, non-compliance can have dire consequences. Not only are they liable for heavy penalties, any data breach can severely impact organizational reputation. For public companies, a data breach can drastically bring down share prices and consequently hurt revenue and profits.

Therefore, the best approach is to use a trusted data discovery tool to ensure compliance.

Here are some features to look for in a card and PII data discovery tool:

• The ability to scan all types of data storage locations: Card data can be stored in a variety of locations, including file systems, databases, and email servers. A good card data discovery tool should be able to scan all of these locations to find cardholder data.
• The ability to identify different types of cardholder data: Cardholder data comes in many different forms, including credit card numbers, expiration dates, and CVV codes. A good card data discovery tool should be able to identify all of these different types of cardholder data.
• The ability to generate reports: A good card data discovery tool should be able to generate reports that show where cardholder data is located and who has access to it. These reports can be used to help businesses to comply with PCI DSS and to identify potential security risks.

Taking Action

The tool should not only be able to identify non-compliant data, but it should also be able to mask, truncate or delete unencrypted payment card data stored in network systems, hard drives, databases, emails. Besides, the capability to generate reports to meet PCI DSS compliance is important.

1. Know Your Files

When you are dealing with a file, it is important to know if it contains sensitive data. Some tips to help with this include:

• Keep a track of the type of sensitive data is stored in your environment
• Identify servers or storage devices that usually contain these types of files.

2. Evaluate Your Retention Needs

When you have finished using/reviewing a file that contains sensitive data, it is important to consider if the file needs to be retained.

• Is there a business need served by retaining the file?
• Are there contractual or legal or compliance requirement for retaining the information?

3. ERASE sensitive Data That Is No Longer Needed

If you have files that contain sensitive data and do not have to be retained, then it is best to delete them.  When it comes to sensitive data, always remember that less is more! Especially get rid of all unencrypted data in your organization.

4. PROTECT sensitive Data That Must Be Preserved

If sensitive data needs to be retained, then it should be protected.  Some simple steps that you can take to help improve the security of sensitive data include:

• Encrypt all the data that needs to be stored.
• Give access based on only need to know basis.
• Do not store sensitive data on removable media.
• Perform a quarterly or monthly scan for sensitive data.

Quick feature list of SISA Radar for data governance:

• SISA Radar allows you to scan any type of sensitive data in a single interface, making it a one-stop solution for all your data discovery and classification needs.
• State-of-the-art features such as AI/ML, Named Entity Recognizer, and OCR capabilities to help streamline the process of data classification.
• Allows scheduling scans at regular intervals which is important to ensure compliance at all times.
• One interface to detect, mask, truncate and delete any unencrypted data from your network.
• For a large organization with lots of IPs, SISA Radar allows you to install agents and run multiple scans simultaneously to save time without comprising on the quality of the scan.
• If you are a small or medium sized company, you can scan without any agents or even perform a remote scan for sensitive data.
• By implementing AI & ML features and a customized algorithm, SISA Radar helps minimize the frequency of false positives with improved accuracy for discovery and classification of sensitive data.

Data discovery is not a one-time activity. Having a data discovery program and observing few basic habits goes a long way toward preventing accidental data exposure and data breaches.

If you’d like to see how SISA Radar helps ensure superior data governance to ensure compliance, sign up for a data discovery tool free trial.