Hackers and malicious insiders are trying to break through security defenses to get their hands on sensitive data, but what data are they actually looking for? Which data needs to be better protected?

There are federal laws that require physical, technical and administrative controls to be put in place to keep data secure. Fail to protect certain data types and there could be serious trouble, regardless of whether a hacker actually manages to compromise your network.

Some data types are obvious, others less so. Credit card numbers, bank account information, Social Security numbers and healthcare data all require robust security measures to keep the information secure. Have you made sure that each of the following 9 data types has appropriate controls in place to prevent unauthorized individuals from gaining access?

Financial Data

The goal of many hackers and cyber criminals is to gain access to bank account information, and the logins and passwords used to access online accounts. Once they have this information, they can use it to make transfers and empty accounts. Credit/debit card numbers are also sought in order to make online purchases and create fake cards. PINs, if stored, along with answers to security questions must similarly be protected with robust controls.

Medical Data

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to put physical, technical and administrative controls in place to keep medical data secure. In the wrong hands, medical data can be used to discriminate and defame. It is also used in spear phishing campaigns, and used with other data to commit fraud. Failure to secure these data is a violation of HIPAA Rules, and financial penalties are sure to follow. Criminal charges can even be filed against individuals for failing to secure highly sensitive data.

Driver’s License Numbers

A valid driver’s license number can be used to create fake driving licenses. These are not only useful for people who are not legally allowed to drive, they can be used to obtain other forms of identification and commit identity theft and fraud.

Student Data

Student data is increasingly being sought by criminals in order to commit fraud and identity theft. Universities and schools are required to protect data under the Federal Educational Rights and Privacy Act (FERPA), which restricts the individuals who are allowed to access student records. Personal data, education information and test results must all be protected. Student Social Security numbers and dates of birth are highly sought after and often targeted by hackers.

Social Security Numbers

Social Security numbers (together with a limited amount of personal information) can be used to commit medical fraud, file false tax returns and steal identities. They are highly sought after by cyber criminals and often sold on darknet websites for big money. The SSNs of minors are particularly valuable, as they can be used for longer before fraud is identified. Social Security numbers are also covered by HIPAA rules and numerous other state and federal laws.

Health Insurance ID numbers

With health insurance information, criminals are able to file claims for medical services that are not provided and make fraudulent insurance claims. These data are highly sensitive and must be kept secure.

Intellectual Property Data

Your company’s secrets, product development information, computer code, bespoke software, new product designs and blueprints are highly valuable to competitors. If your company has an edge, or is developing a new product or service, a competitor could use these data to develop similar products, and even bring a product to market first.

Human Resources Data

Human resources databases contain detailed information on employees such as salary information, bonuses, and confidential personal data. Criminals seek the personal information of individuals in order to conduct convincing spear phishing campaigns. These data can also be used to blackmail individuals and to discriminate against them.

Communications Data

Emails can contain highly sensitive information. When hackers gain access to an email account, they can obtain personal information, company secrets, and even many of the above data types. If an email account is compromised, it can be used to spread viruses and malware. Telephone records and text messages are also valuable.

Data must be secured at rest and in motion

Controls must be put in place to secure all forms of these data, whether they are in Word documents, PDFs, JPEGs, spreadsheets, EHRs or other databases. Just as paper files must be shredded when they are no longer required, the same applies to electronic data. Records must be securely and permanently erased when no longer required. It must not be possible to reconstruct any of these data once deleted.

It is essential to protect stored data, especially if it is housed on portable devices such as zip drives, laptop computers, portable hard drives and smartphones. These devices are all too easily misplaced, lost or stolen. Data encryption should be considered to protect all stored sensitive data. Data must similarly be protected when in transit. Emails should be encrypted, as should SMS messages. A number of companies provide SMS and email encryption services to allow communications to be sent securely, with authentication controls to ensure only the desired recipient can view the messages.