Sensitive Data Survey
Recently, HP Security Voltage conducted an industry survey about the protection of sensitive data at the Gartner Security & Risk Management Summit held this June in Washington, DC. Attendees came to the conference to learn the latest on new cyber security trends, technologies, and solutions, and how to achieve effective security more efficiently. Over 200 attendees were surveyed, across industries including financial institutions, merchants, health care providers, and service providers. All share common concerns when it comes to data protection and privacy. We shared the results of the survey surrounding Big Data insights in a separate blog post, and would now like to analyze the results on sensitive data.
The first question covered three main areas of sensitive data. The first type revolves around the Payment Card Industry (PCI), or any businesses associated with debit, credit, and other payment cards. The second type is personally identifiable information (PII), or any data that could potentially identify a specific individual. The third type is protected health information (PHI), which can be defined as any information about health status, type of health care, or payment for health care that can be linked to a specific individual. It is no wonder that 74% of the attendees surveyed answered “yes” to the question, “Does your business currently use sensitive data such as PCI, PII, PHI?” Protecting sensitive data is a deep concern to the CISOs and other security and risk management professionals who attended the Summit, who strive to align security and risk strategies with their enterprise business and operational objectives.
When asked how they are gathering that sensitive data, 59% of the people surveyed said they are using a web browser, 29% are using credit card swipes and 27% are using mobile. Some responders used multiple ways to collect information.
When it comes to protecting that sensitive data, 38% of those surveyed indicated they are using both encryption and tokenization, proven data-centric approaches to data protection. The survey further revealed that 43% are protecting that sensitive data using only encryption and 6% are protecting it with only tokenization. A full 14% of those surveyed answered that they were not currently taking any steps to protect sensitive/regulated data.
According to the survey, cloud security is a major concern. When attendees were asked if they were concerned about sensitive information being compromised in cloud-based applications, 61% of those surveyed responded they were very concerned, while only 22% were somewhat concerned. Lastly, 16% responded that they were not at all concerned.
What This Means for Certain Industry Sectors
In the healthcare industry, HIPAA and HITECH require and enforce the encryption of all Personally Identifiable Information (PII) and Personal Health Information (PHI). With the threat of public notifications and heavy financial penalties for security breaches, healthcare organizations cannot afford to expose sensitive, personal information.
In today’s Payment Card environment of heightened regulatory requirements and increasing risk of cardholder data breach, it is critical for merchants, payment processors, and acquirers to protect payment data anywhere it moves, anywhere it resides, and however it is used.
With the loss of the enterprise perimeter, data in constant use, and with rising threats to sensitive data from both inside and outside the business, companies need to be able to protect data end-to-end, from the moment of capture across the information lifecycle.
More information can be found at https://www.voltage.com/breach