Get Control of the Mayhem: A Day in the Life of a Piece of Unstructured Sensitive Data
Sensitive and relevant data, such as personally identifiable information (PII) or intellectual property, may be running rampant in your organization. It can be received or created and often duplicated. Additionally, you can receive sensitive and relevant data from partners or associates via email or FTP. Within your organization people and machines are also creating or generating sensitive and relevant data to support the business.
Technology and business processes are geared to protect the data when it’s stored in applications and databases. Programs like identity and access management (IAM), and technologies like database activity monitoring, are meant to provide privacy and protection of the data in its structured format.
Machine- or human-generated data, or data that is exported from applications or databases, is often referred to as ‘unstructured’ data. This type of data presents a real challenge to your organization because it’s everywhere, constantly changing, disjointed and often neglected. With new regulations such as the General Data Protection Regulation (GDPR) and expanded data protection requirements expected in the near future, the stakes are high to get this data under control.
Once the data leaves the application, where it resides is no longer visible. It can be saved on desktops, laptops, tablets or mobile devices. It may also be moved to the cloud or other file share locations or even end up on collaboration sites, such as SharePoint. Some organizations might have an idea, but no valid proof of where that data is located.
This data can transform and even duplicate within the organization. Here is a simple example. An employee exports the data and saves it to an Excel file. From there the employee may add other elements of data they need and create a pivot table. The table is then embedded into a PowerPoint presentation. The data and PowerPoint file are updated frequently, creating multiple versions. Once the presentation has been finalized, it’s transformed into a PDF file.
When the data is exported or downloaded, the policies, processes and technologies that provided privacy and protection are left behind. Those controls no longer apply to this original piece of data. Since the location of the data is unknown, the privacy or protection controls are also unknown. To further confuse things, different storage locations use different authentication methods and data access policies.
The data is now missing any controls or process to fully protect it. Processes don’t exist to manage its lifecycle. Access to the data is given based on similar employee accounts, without ever really understanding from the business who can access it, who is accessing it, who should be accessing it and for how long.
While most organizations make significant investments in firewalls, IAM, intrusion protection systems, data loss prevention (DLP), and security information and event management (SIEM), none of these technologies can identify or prevent over-provisioned access, which overexposes the data to the risk of misuse.
Overexposed resources are often due to the accumulation of employee access over time. Employees might change roles or perhaps get promoted while their access to applications and data remains unchanged. In most cases the employee doesn’t even realize they have access to the data. In a 2016 Ponemon Institute survey conducted for Varonis, it was discovered that “Seventy-one percent of end users say that they have access to company data they should not be able to see.”
It's no surprise that IT alone is unable to make decisions on who has access to what information. Aligning IT with the business, for example HR and functional groups, is critical to reducing the risk of unauthorized user access or overexposure of sensitive data. Together they can lay the foundation for change by establishing an awareness program that will inspire the desired behavior and gain control of the mayhem.
To get started, focus on the departments with the highest risk, typically finance, HR or legal, and execute on the following steps.
Most organizations focus on protecting people, applications and devices, but the biggest risk today, and in the future, is the data that has escaped the confines of traditionally protected applications. A comprehensive and inclusive data access governance program is not just a requirement for the upcoming GDPR mandate, but it’s also the right thing to do to protect your organization. How are you controlling the mayhem?