Posted by Geraldine Hunt on Thu, May 14th, 2015
Many IT professionals worry about the potential of a hacking attack, but the really savvy IT people know that by securing their internal data they are also protecting against a hacking attack and ensuring the hackers won’t get their hands on sensitive data. It may seem a simple question: does your database contain sensitive data? We all know that social security numbers, for instance, are definitely sensitive data.
Cyber thieves can use social security numbers to get control of existing credit card accounts or open new ones. They’re the most important piece of information that identity thieves can possess. There are other types of data, such as credit card numbers, that we all recognize as being sensitive data. However, data that needs protection includes much more than just social security and credit card numbers. Some data in databases even has legal requirements regarding how it is stored. Here’s a brief rundown of the types of data that are sometimes forgotten about but need protection. What you don't know CAN hurt you!
1) Social security numbers and more
We all know that social security numbers need to be protected, but state and federal governments issue other ID numbers that could be used fraudulently. Driver’s license numbers and tax identification numbers are particularly appealing to cyber criminals. A person who can’t legally get a driver’s license, for instance, can use your driver’s license number to get a fake license. This type of fake license can also be used as a backup license—if the criminal receives a traffic violation, he can simply use the fake license.
2) Biometric data
Biometric data—fingerprints, retinal scans, DNA samples—is still more commonly used in science fiction than in real life, but it’s becoming more important all the time. In law enforcement, for instance, DNA information is now critical, but also contentious. For instance, there are databases that contain DNA samples from people who have been arrested, but, controversially, not necessarily convicted. As a result, the legal regulations governing these records are complicated, subject to change, and vary by locality.
3) Financial data
Financial data includes data regarding an individual’s or business’ financial status. This can include the information necessary to access financial accounts, such as PINs, account numbers, and personal data.
4) Human resources data
HR departments potentially contain items such as personal information, as well as salary information, performance reviews, worker’s compensation claims, and benefit information. HR information is not only of interest in itself; it can be used in spear phishing attacks or can be otherwise employed to exploit vulnerabilities in a company’s security.
5) Medical data
Medical data needs to comply with stringent Health Insurance Portability and Accountability Act (HIPAA) requirements. HIPAA regulations are complex and subject to change, but there are serious financial and legal consequences for failure to comply. As of 2010, health care providers must sometimes even notify the media if there has been a breach of HIPAA rules.
6) Student data
Universities have been especially hard hit by cyber criminals. The Federal Educational Rights and Privacy Act (FERPA) codifies who may have access to a student’s personal, educational, and testing information. However, the useful information schools have (students’ names, addresses, social security numbers), paired with often relatively weak security measures, has made schools a favourite target of hackers.
7) Communication data
E-mail, telephone records, and text messages all potentially contain data that hackers can use, and all are also favourite vehicles for spreading malware. All communication data needs to be considered highly sensitive.
8) Intellectual Property data
This often forgotten category is becoming more critical all the time. Intellectual property includes product ideas, works of art, computer code, inventions, and designs. International theft of product designs is becoming more and more common, and intellectual property protection has never been more important.
Databases need stringent security measures, especially for sensitive data. Databases are constant targets for phishing and social engineering attacks, and they need strong security. Data in transit also needs protection. Then there’s data in printed form, where control becomes really problematic. A forgotten briefcase or a lost laptop today can be a major security disaster, and measures need to be in place to protect against mishaps like these.
Data requires constant protection, whether in a database or on a spreadsheet. Sensitive data should be safeguarded from the moment it’s created to the moment it meets its end in a high-security shredder. The security measures taken to protect data don’t just protect customers and consumers; ultimately they protect the companies holding the data.
If you enjoyed this blog post, you might also be interested in reading this guide to 'How cybercriminals steal money'. The guide provides some useful insights into what motivates cybercriminals and how to make life difficult for them.