GUEST ESSAY: ‘Tis the season — to take proactive measures to improve data governance

The holiday season is upon us and the bright lights and greenery aren’t the only indicators that we’ve reached December.

Sadly, data breaches often occur at this time of year. Recently we’ve seen major news stories about breaches at Starwood Hotels and Quora.


Last year, at this time, it was announced that there was a significant privacy leak at eBay affecting many customers. And, it was just before the holidays in 2013 that Target announced the infamous breach impacting more than a hundred million people.

The list goes on, and with each incident everyone asks the same question — could this have been prevented, and how? Every large brand is acutely aware that securing its data is of foremost importance in today’s world, and that by protecting data you are protecting the brand’s equity. That should be obvious after what we see in the news; however, it’s not always so straightforward.

According to the Ponemon analyst report, The Importance of DLP in Cybersecurity Defense, many organizations still believe, “it’s probably not going to happen to me.” The first step toward fortifying one of the company’s most valuable assets — customer or employee data — is to get to know the data better.


While breaches may be inevitable, data leaks are avoidable and steps can be taken to prepare and strengthen a brand’s crucial security efforts. To “know your data” means to have a good understanding of where sensitive data is located through data classification. Without this important foundation, organizations cannot know what to protect, where it is, who can access it, when it was created and so on.

Assessing sensitivity

What exactly makes data sensitive? Here’s a simple definition: data that, if accessed by an adversary, would create a liability.

Information of any type can become sensitive data; it’s not just social security numbers and financial information. It’s safe to say that any sizeable company today has considerable sensitive data, and much more than it realizes. However, it is unlikely to understand exactly where that data lives throughout its infrastructure and the many ways it could be accessed or compromised.

All of this seems pretty important; however, data and privacy concerns often must get in line behind other pressing priorities for brands, such as sales, marketing, expansion and product expenses. If top leaders have the mindset that “it’s probably not going to happen to us,” then they are likely to shuffle data classification lower in the stack than it should be.

Simply put, most organizations are not spending nearly enough time or money protecting their sensitive data.

By taking the first steps, discovery and classification, big brands can create a solid action plan to monitor sensitive data and minimize risks for the future. Once this foundation is in place, you can reduce your sensitive data footprint, give proper access, monitor how data moves and use automated workflows and notifications as best practices to keep your security program strong.

Preventing breaches

So, to answer the looming question — can breaches be prevented and how? The answer is … yes. As I said, breaches cannot be 100 percent prevented, but there are a lot of ways to be proactive.

Don’t wait for regulations or a data breach to expose your sensitive data before taking action. Practicing good data governance is easier than you think. By knowing your risk exposure, you are halfway there.

While it may, unfortunately, be the season for data breaches, more importantly, ’tis the season to be proactive. May these recent disheartening examples in the news spur brands to act today to protect sensitive data and avoid the far-reaching negative impacts of high-profile data breaches.

About the essayist: Todd Feinman is president and CEO of Identity Finder, co-founding the company in 2001. He is an expert in sensitive data management and an internationally published author.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: