Back in March, hackers with the Lapsus$ extortion group launched a series of attacks on telecom giant T-Mobile. After buying stolen credentials and sweet-talking their way into employee accounts, the Lapsus$ gang gained access to T-Mobile’s internal tools, such as its customer management system. From there, hackers stole some of the organization’s most sensitive data—more than 30,000 source code repositories. They were also able to hijack customers’ cellphone numbers and intercept multifactor authentication codes.
T-Mobile wasn’t the only major organization to face a serious security incident, however. In the month that followed, additional hacks threatened releases of massive amounts of highly sensitive and proprietary data at organizations including Coca-Cola, Nestlé, Epic Games, and Scripps Health.
The overall amount of data that hackers can now access is staggering: About 8 billion files are exposed across cloud storage folders, according to Grayhat Warfare’s search tool, and at least 7.2 million databases are exposed online, according to a scan performed for ProPublica.
Less voluminous, but vastly more important, is an organization’s most sensitive, valuable data—its “crown jewels.” These files may include source code for a company’s key products, encryption keys, or sensitive security strategies, for example.
“Companies need to know what their most important data is, where it is, and how it’s protected,” says Paul Perry, security, risk, and controls practice leader at accounting firm Warren Averett and a member of the ISACA emerging trends working group.
“If this data is hacked, the consequences could be disastrous.”
Protecting the crown jewels is critical, experts say, but putting the right protections in place isn’t always simple. Following are five strategies organizations should adopt when safeguarding their most valuable data.
1. Locate your organization’s most critical data
Determining where your most critical data lives is a necessary first step in protecting it—and perhaps the most difficult one, says Jenu Jose, technical solutions engineer at Tanium.
The most critical data is rarely well defined within organizations, he says. Some companies may have created a data protection policy or classification system with different categories for sensitive and confidential data. “But a lot of companies haven’t gone through an exercise to determine what is what because it’s too cumbersome,” Jose says. “This isn’t an easy project to take on.”
Even the task of finding highly valuable data can be complex: “You can’t just do a quick search and gather all that data,” he says. “Cloud computing makes it very difficult to find because it could be in someone’s OneDrive, or in Azure, or elsewhere on the cloud.” You have to search multiple platforms to get a true idea of where sensitive data is located and which resources require the highest levels of protection.
2. Assess the impact of a potential data leak
After locating their crown jewels, organizations should next weigh the criticality of each asset, Jose says. They should ask: If a particular asset or endpoint is compromised, what is the possible impact?
“Asset criticality is about understanding your applications, your servers, and your endpoints and giving them a different weight in terms of potential risk for a data leak,” he says. That weighting can factor into a company’s overall cyber risk scoring system.
Once organizations have determined the criticality of their assets, they should conduct a risk assessment to determine vulnerabilities and evaluate the existing controls in place to protect them, says Perry of Warren Averett. Potential weak spots should be discussed with everyone in the organization, he says. The accounting department may know about risks that the IT department is not aware of.
“You need to sit down and understand your risks and what you’re doing about them—but, more important, discuss what you’re not doing about them and the controls you don’t have in place,” says Perry. “Risk assessments should be ongoing because, over time, your risks change, your environment changes, and your people change.”
3. Increase your security protections
Added defenses can take a variety of forms, Jose says. They include encrypting certain documents, deleting data from vulnerable locations, locking down devices so personal USB drives can’t be used to copy data, and restricting access to particular information.
“Identifying who has access to certain data can be very hard,” Jose says. “You might have a classification that says anything with credit card information needs to be kept internal. But then you have a use case where someone will need to share that data externally, so how do you protect it?”
Mature organizations may maintain a list of people who can access certain files, while other companies might enable employees to email a document only to business partners or vendors. Sending to other recipients would be automatically blocked. As they lock down assets, organizations must think strategically about how to make tradeoffs between the cost of protection and leaders’ comfort with a particular level of risk.
4. Continually monitor sensitive data
Once the crown jewels have been identified, assessed, and protected, organizations should monitor them. “Monitoring tools are the eyes and ears of the activity happening in your organization from a data perspective—who’s accessing what, how often they’re accessing it, and whether they can access it at all,” Perry says.
Data monitoring provides a deeper view into how files are being accessed and used, which can be especially important when complying with government regulations. “You need to be able to log every single change that happens for a specific file or set of files to meet compliance,” says Jose of Tanium. It can also be helpful with HR matters. In an open HR case with an employee, for example, the company may want to monitor access to sensitive data on that employee’s devices.
When selecting a monitoring tool, organizations should evaluate its flexibility in creating custom definitions for an organization’s sensitive data—including particular keywords or project names, for example. Tools should also deploy the latest AI-powered machine learning (ML) capabilities to get better and better at minimizing the number of false-positive security alerts that can overwhelm IT staff.
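To make "custom definitions" and false-positive reduction concrete, the following added example (not from the article or any vendor's product) classifies text against weighted keywords and project names and counts a card number only if it passes a Luhn checksum. The terms, weights, project name and sample files are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical custom definitions: term -> weight (higher = more critical).
CUSTOM_TERMS = {"confidential": 2, "project bluebird": 5, "encryption key": 5}
CARD_WEIGHT = 10
# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Checksum used by payment cards; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Finding:
    name: str
    score: int = 0
    reasons: list = field(default_factory=list)

def classify(name: str, text: str) -> Finding:
    f = Finding(name)
    lowered = text.lower()
    for term, weight in CUSTOM_TERMS.items():
        if term in lowered:
            f.score += weight
            f.reasons.append(f"term:{term}")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # pattern match alone would be a false positive
            f.score += CARD_WEIGHT
            f.reasons.append("card-number")
            break
    return f

# Constructed sample content standing in for files found on different platforms.
SAMPLES = {
    "roadmap.txt": "Project Bluebird launch plan. CONFIDENTIAL.",
    "invoice.txt": "Card on file: 4111 1111 1111 1111",
    "tracking.txt": "Shipment id 1234 5678 9012 3456 delivered",
    "lunch.txt": "Menu for Friday",
}

def scan(samples: dict) -> list:
    """Return only files with findings, most critical first."""
    hits = [f for f in (classify(n, t) for n, t in samples.items()) if f.score]
    return sorted(hits, key=lambda f: -f.score)

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f.name, f.score, f.reasons)
```

The shipment ID matches the 16-digit pattern but fails the checksum, so it raises no alert; a regex-only rule would have flagged it.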
5. Make security key to your culture
An organization’s security culture determines how well it protects its most valuable data. But at some companies, adopting effective security measures falls second to convenience.
“A lot of organizations don’t have in place the controls they need because employees will say that something like two-factor authentication is extremely inconvenient for them or their customers,” Perry says. “Organizations have also become numb to cybersecurity. When you have very finite resources—human or capital—and you need to determine how to best protect data, companies can get overwhelmed.”
Building a solid cybersecurity culture starts at the top, Jose adds. In order for an organization to successfully protect its most important data, executives must fully support the company’s approach to cybersecurity. “Protection doesn’t work unless you have buy-in from executives and the business,” he says.
Having protections and policies in place—and adhering to them—is also a companywide “holistic responsibility,” with everyone on the hook. “I always try to communicate that everybody at a company is now part of IT,” Perry says. “If you have a username and password and are accessing something, you’re now performing an IT function to some degree.”
Ultimately, leaders must implement a robust strategy for identifying, assessing, monitoring, and protecting their most valuable data, all within a culture of security. Without an ability to fight the onslaught of laser-beam attacks on highly sensitive data, companies risk the potentially devastating loss of their reputation, customers, and crown jewels.