Sensitive data is any data or information that, when exposed, creates a risk or liability for the organisation. Company data such as employee records, trade secrets, financial information, patents, etc. is considered sensitive for all companies. In addition, industry- or sector-regulated data such as PII (Personally Identifiable Information), PCI (Payment Card Industry), etc. also falls within the purview of sensitive data and as such should be protected against threats.
Threats to sensitive data can come from both external and internal environments. External threats include hackers, spyware, social engineering, competitors, etc. Trusted insiders involved in corporate espionage, or unauthorised personnel accessing sensitive data knowingly or unknowingly, are instances of internal threats. Attackers use a variety of ways to access sensitive information, even if only to view it. For example, spear phishing, malware, hacking, cyber-espionage, or even a simple internet search for old and forgotten sensitive data are some of the ways adversaries can easily get access to unprotected sensitive data.
The liability that you will incur from a sensitive data breach will vary depending on the type of data that has been compromised. For example, a breach or mishandling of regulated data may result in fines. A client data breach may result in lawsuits and loss of goodwill. Leakage of financial or proprietary data may result in financial loss.
The nature of sensitive data is subject to change with company growth, the release of new technologies and regulations, among other factors. Hence it is essential to keep an eye on classification criteria and labels, and update them as and when necessary, especially when new types of data are being created in the organisation. Usually, you can tag data as sensitive if it is valuable and will adversely impact the enterprise if compromised.
Types Of Sensitive Data
There are three types of sensitive data:
- Personal information: Information that can be linked to an individual and that, if leaked, could cause damage to the person. Examples include biometric data, medical information, financial information and unique identification numbers such as passport or Aadhaar numbers. Leakage of this data could lead to identity or financial theft.
- Business information: Any sensitive business information that can put a company at risk if discovered by a rival or the public. Financial data, acquisition plans, trade secrets, and supplier and customer information are sensitive business information. Companies are increasingly investing in data security solutions to manage the copious amounts of data that they create every day. Solutions such as metadata supervision and tagging documents according to data sensitivity can help reduce data leakage.
- Classified information: Usually pertaining to government bodies, classified information is regulated by its level of sensitivity; it could be restricted, confidential, secret or top secret. Data is generally classified to ensure security, and the information may be declassified once the threat has passed.