The life cycle of a sensitive file
What if a large financial institution accidentally leaked confidential data about thousands of its wealthiest clients because an employee inadvertently shared a spreadsheet containing highly confidential information including names, Social Security numbers, and financial details about investment portfolios?
As incredulous—or as dangerous—as that story sounds, it’s a simple mistake to make. We’ve all accidentally attached the wrong document to an email, or added a recipient to a confidential discussion simply by typing the wrong name in the ‘To’ field. And today, with people bringing personal devices like phones and tablets to work, and with the pervasive use of cloud applications, sensitive data can be even more at risk—and not just from malicious hackers, but from well-intentioned, seasoned employees.
So how can organizations keep sensitive data from getting into the wrong hands? To answer that question, let’s follow the life cycle of a sensitive file to see how organizations can implement security at every stage to protect sensitive data.
Data is created. An employee enters sensitive customer data into an Excel spreadsheet on his laptop. At this stage, IT can be prepared for this situation by setting encryption policies for both the file and the laptop to protect the information.
Sensitive information is detected by scanning data as it moves across devices, apps, and services. The employee saves his spreadsheet to the cloud to share with members of his team. When he uploads the file, a scan detects data that might be sensitive, like Social Security numbers, based on policies created by an IT or security team.
Data is classified and labeled to reflect the level of sensitivity. Different actions may need to be applied to data based on sensitivity. For example, if our employee’s Excel file contained employee ID numbers, it may be labeled as Confidential. However, this file contains Social Security Numbers, so it is labeled as Highly Confidential.
When the data is labeled, security policies created by IT or a security team can be automatically applied to the file. These policies define what protective actions should be applied to the file: encryption, restricted access rights, visual marks or watermarks, retention or deletion policies, or data leakage protection actions like blocking the user from sharing the file.
The employee needs to share the file with contacts at the client so they can review the information. To do this, he sends the file across email. Because IT has labeled and set a security policy, when the data travels, the file’s protection is persistent. In this case, restricted access rights have been set for the file, so only specific people can open it.
In addition, IT can monitor data access and sharing, receiving alerts or email if they detect abuse or threats. If the employee ignores the DLP warning and intentionally emails the spreadsheet to someone who doesn’t have access rights, IT receives an immediate alert so they can act quickly.
Finally, as the spreadsheet ages it’s subject to expiration, retention, or deletion. This data governance is an important aspect of overall information protection, because if sensitive data persists in the environment longer than necessary, it creates unnecessary risk of being discovered and compromised.
Microsoft offers end-to-end information protection solutions to help organizations protect sensitive data throughout the information life cycle—both inside and outside the organization. Learn more about how Microsoft can provide persistent information security for your sensitive data no matter where it lives—in the cloud, on-premises, or on mobile devices.
The Growth Center does not constitute professional tax or financial advice. You should contact your own tax or financial professional to discuss your situation.