What is Sensitive Data Exposure? And how do you prevent it?
By Franklin Aguilar and Chris David
Sensitive Data Exposure happens when information is not properly protected: perhaps a hacker found a security vulnerability in your website, or perhaps an IT staff member forgot to secure the data. If your user and business information is not properly secured, hackers and other unauthorized parties can gain access to it, and publication of that data represents a significant risk for companies and individuals.
Sensitive data can be anything from trade secrets, usernames and passwords to credit card numbers, bank accounts, medical records and social security numbers. It also includes any other information that could hurt a company if used with malicious intent, or if it were put to use by a competing enterprise.
Financial liability for Sensitive Data Exposure can be extremely costly, to the point that small companies and start-ups may not be able to recover. According to AVG, the cost of a data breach to small business could reach nearly 70,000 USD per incident.
Now that we know what Sensitive Data Exposure means, how do we reduce both the likelihood and the impact of it? To start, you need a clear view of which data is sensitive and which would be of value to a hacker. Understanding how a hacker might attack your site will then help you take steps to prevent a disastrous data breach on your website.
Encrypt any data sent over the internet… NEVER use clear text
Assume that any data you send over the internet can be intercepted by a third party. Third parties include the network operator, the internet service provider (ISP), corporations, governments and anyone listening on the local WiFi connection. But if you make sure that all connections to your website are encrypted, then any intercepted communications will be unusable gibberish.
Install and renew your SSL certificates
Get an SSL certificate for your site, and make sure you renew it (every year, or every other year for two-year certs). If your certificate expires, then hackers can attempt to compromise your customers’ data with man-in-the-middle attacks.
Do not store sensitive data unnecessarily
For example, if you have a need to process credit card numbers on your site, process them immediately and then discard them. Don’t save data to a database if you don’t need it. You are only opening yourself and your company to liability. Make use of the sensitive data as you need, and then remove it from your server.
Encrypt sensitive data at-rest
Data “at rest” means information that has been stored in a non-volatile medium, ready to be recalled and accessed by an application/user. At-rest data could be data saved in a database, or a spreadsheet on your computer hard drive. Make sure that any sensitive at-rest data is encrypted and secured!
Enforce STRONG password policies
Don’t allow your users, administrators or editors to enter dictionary words or simple strings as their passwords. These are easily compromised. Complex and long passwords (at least 12 characters, with a combination of numbers, letters and symbols) will ensure that you are not a victim of brute force attacks.
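One way to enforce the policy described above at registration or password-change time, as an added example that is not part of the original article. The wordlist, the 12-character floor and the run length are constructed for illustration; a deployment would load a full dictionary and a breached-password list instead.

```python
import string

# Constructed sample wordlist (illustrative only; use a real dictionary plus a
# breached-password list in production).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "summer"}

MIN_LENGTH = 12    # the article's floor: at least 12 characters
SEQUENCE_RUN = 5   # runs like "aaaaa", "abcde" or "54321" count as simple strings


def _has_sequence(pw: str) -> bool:
    """True if pw contains SEQUENCE_RUN characters that are all identical or
    strictly consecutive in either direction (keyboard/alphabet/digit runs)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - SEQUENCE_RUN + 1):
        window = codes[i:i + SEQUENCE_RUN]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    lowered = pw.lower()
    # Substring match catches padded dictionary words such as "Password2024!"
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if _has_sequence(pw):
        problems.append("contains a repeated or sequential run")
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["Password2024!", "abcdefghijkl", "v7#Kq!wR2pLz"]:
        print(candidate, "->", check_password(candidate) or "OK")
```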
Use a firewall for your office network
Without a firewall, anyone from around the world can gain easy access to poke around your network, find vulnerabilities in your servers and computers, install malware and steal credentials. A well-configured firewall will ensure that the traffic entering your network goes only to the servers where it belongs, to the application it’s meant for.
Update your web applications and servers with the latest security patches
Hackers are searching for and finding new vulnerabilities in website software, servers and databases all the time! Make sure you keep up to date on the latest security news, and install application and operating system updates as soon as they become available.
Hire a cybersecurity expert to configure and test your systems
Ask an expert to look over your systems and perform an audit of threats & vulnerabilities. A cybersecurity company will also help you test your security and suggest mitigation techniques tailored to your business. They will work with you to develop a disaster recovery plan.