Customer Data Security - Why it's Important for MSPs to Track Their Data
Imagine losing your child in a grocery store, amusement park, or some other place crowded with people. This child is your world, your entire existence, and now they are nowhere to be found. Panic takes hold, and you begin shouting their name. Fortunately, they quickly appear from around a corner, wondering why you are shouting their name so loud. Ah, the joys of parenthood.
Now, place yourself in the shoes of your customers for the next few minutes as you continue to read the following scenario. You, or your team, are getting ready to upgrade a server currently used by a customer—nothing extreme or out of the ordinary, just routine OS patching, firmware, or BIOS updates. Customer data exists on this system that is very sensitive to their business operations. During the patching process, something goes horribly wrong, and the data on that server is gone, lost… forever… Upon realizing the failure, your mind begins to race and gives way to panic: What happened? That should not have happened. I do not know what happened. We have done this a million times before, and nothing like this has ever happened. Are there any backups? Now what? How do you ensure customer data security?
Granted, this is an extreme example of a potential worst-case scenario and one that I hope never happens to you. However, an incident like this DID happen. In the UK, a “coding” error deleted 150,000 records from the Police National Computer, according to a BBC article in January 2021. The deleted data included fingerprints, DNA, and arrest histories. Imagine if it was financial records, patient records, or intellectual property documents for your own business or a customer’s business that you manage. The loss of such data could be devastating and potentially career-ending for your own business as well as your client’s.
Information and data security have always been modeled after the CIA triad: Confidentiality, Integrity, and Availability. Do you know where your data is within your environment? Are you taking the approach that every system and every device has data that is subject to CIA? Is that realistic? What about the security controls your organization has in place today? Are those controls focused where they are most needed, protecting your most sensitive information and data critical to business operations?
To answer these questions, you will need to understand three things related to your data:
- Where is the data stored?
- Where is the data processed?
- Which devices are transmitting data?
Within your organization, do you know where sensitive data is stored and processed? Some of you might be wondering why understanding and why identifying where the storage, processing, or transmission of data is essential. Five or ten years ago, I would say it might not have been as important to know all three answers. However, today most everything we do personally and for our business is electronic, digital, and connected. Sensitive information is all around us and is being shared with and without our permission. Governments are attempting to place controls and fines on sharing personal data without consent; however, that does not stop the bad actors, curb inadvertent mistakes, or prevent catastrophic information loss. Individuals and businesses alike need to protect information under their trust to the best of their ability. To achieve success, they must know the types of information processed, stored, and transmitted. This starts with performing an inventory of your entire organization: servers, network devices, end-user devices, storage area networks, backup arrays, file shares, etc. Once that information has been collected, the organization must then determine the type of information present in each of those devices.
Initially, gathering this information will likely be a challenge for most organizations, especially if the organization’s size is a bit larger and has a lot of data spread across multiple servers and platforms. Using your favorite internet search platform, a simple search of “data discovery tools” will turn up a good list of tools for you to evaluate against your business needs. Most MSPs understand a reason for keeping and maintaining a current systems inventory. In a similar fashion, a data inventory is vitally important to ensure the proper security controls and processes are in place to protect information. Keeping a data inventory up to date should become a priority for the organization. Additionally, the organization will want to ensure sensitive data does not leak from the known containers used for storage and processing or take a different path for transmitting either internally or externally. Any identified abnormalities or deviations should be considered potential events for alerting and investigation.
Once you know where all of your data is located, organize the results into various categories. Keep it simple as these may include “general,” “internal,” “confidential,” or “sensitive”—use categories that make sense to the business. You will likely want to consider involving your legal team to ensure that they agree with the applied categories. Also, there may be a need for “PII,” “PHI,” or “PCI” to further define data to address and meet regulatory compliance. Furthermore, the business may also need to consider the new Cybersecurity Maturity Model Certification (CMMC) from the Department of Defense as part of this data inventory.
While on the topic of CMMC, the U.S. Federal government established “For Official Use Only (FOUO)” and other crafty names for sensitive but unclassified information created by the private sector in support of the public sector a very long time ago. President Obama signed an Executive Order (E.O. 13556) in 2015 establishing a common name structure called “Controlled Unclassified Information” or CUI. The mandate in that order gave the control of ownership to the National Archives and Records Administration (NARA) to implement the order. In direct response to the order, the Department of Defense created CMMC to provide the private sector a better path to protect this information. If you would like to read more about CUI, please visit www.archives.gov/cui. If you are interested in learning more about CMMC, please visit www.acq.osd.mil/cmmc.
Since these thoughts originated from the news of an incident where a UK police agency server loses very important, highly sensitive information on criminals, it is essential to remember that such incidents do not need to happen and are preventable. Identifying where sensitive data is stored, processed, and transmitted in your business or your customer’s business is vitally important. Ensuring all the proper security controls and procedures are in place to protect and safeguard that information remains paramount. Inventory your data just like you would your hardware. I would contend that the data is more valuable to you and your customers than anything else you might be protecting today, except your children.