In today’s marketplace, a large part of any IT leader’s job is to ensure that their company’s data is secure. Companies have spent a significant amount of time, money and resources to lock down production data held within company databases using encryption and other technologies. Even so, breaches are commonplace. According to the Ponemon Institute’s 2021 Data Breach Report, there were a record 1,862 breaches last year, up 68% from the year prior and exceeding 2017's previous record of 1,506.
One of the biggest reasons? Access to data in non-production test environments. Test data is necessary to support application development, training, quality assurance, and other mission-critical activities. If this data is not secured internally as well as with external testing and development partners, it poses a huge security and compliance risk, not to mention a significant cost. The global average cost of a data breach increased by a worrying 10% in 2021, reaching $4.24 million, up from $3.86 million in 2020.
So how can you ensure that, if and when a security breach happens, all of your sensitive data is secure? Follow these five essential steps:
1. Identify, classify and secure both structured and unstructured data
According to the Ponemon Institute's report "The State of Data Centric Security," only 17 percent of IT practitioners know where their structured data is located, and only 7 percent know where their unstructured data resides. This gap in knowledge is a major concern for IT leaders. In fact, 57 percent of respondents in the Ponemon study say it’s what keeps them up at night.
If companies don’t know where their data is, how can they protect it? With data scattered across different systems and residing in different formats, IT practitioners need to have a test data management (TDM) system in place that effectively identifies and classifies both structured and unstructured data. Additionally, an inventory of who is accessing this data – both internally and externally – is essential. The first step is to take an inventory of your external partners (support, analytics, testing, outsourcing, etc.), to determine how they are accessing the data, and document which systems they access. Once you have done this assessment, you are now ready to start de-identifying your sensitive data.
2. Mask your structured test data
If your applications process any personally identifiable information (PII), personal health information (PHI), personal credit information (PCI), national identifiers or any company confidential information, then it will need to be protected not only for security purposes, but also to comply with government and industry regulations. Because of this, copying or cloning production data for testing without making the information anonymous is not a viable option.
De-identifying data using masking techniques is key. Look for a solution that ensures the test data retains context and gives an accurate representation of production data. This will reduce the likelihood of introducing issues when porting the application into production.
3. Mask your unstructured test data
Unstructured data includes many sources of business information that, until recently, were not a focus of data privacy providers. On average, about 90 percent of a company’s data resides in an unstructured format. These data types include MS Office documents, social media data, PDFs, scanned images (insurance and healthcare claims, W-2 tax documents, etc.), web logs, text messages, and more. You may have masked John Doe’s name, address, and social security number in your database, but have you masked a PDF of his W-2 in your HR system? If not, you have left the door wide open for a security breach. To complete the compliance circle, IT practitioners need to implement data security solutions that mask both structured and unstructured information.
4. Maintain the relational integrity of your masked data for accurate testing
When masking test data, maintaining the relational integrity of the information is paramount for advanced testing and QA. IT practitioners need to evaluate solutions that replace sensitive data with contextually accurate fictitious data across multiple related systems. To ensure accurate testing, existing data relationships need to remain intact, and masking policies applied to structured data must also be applied consistently to unstructured data. This will ensure that test data has a ‘production-like’ quality, reducing the risk of failure in the final rollout to production.
5. Make sure your data masking efforts can’t be reverse engineered
When sharing test data externally (or internally between departments), some IT organizations use in-house methods to protect data, like running a script to scramble values or using simplified masking routines. These techniques can easily be reverse engineered, which means they are not fully secure. To completely protect non-production data, IT practitioners should look for a solution that irreversibly masks both structured and unstructured information. The ideal solution should mask data consistently within the application and across all related upstream and downstream applications and processes. For example, the new value of a masked credit card or social security number should be consistent across all systems to maintain referential integrity and accuracy when testing.
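As an added illustration of steps 4 and 5 (this is not code from the original article or from any vendor product), the Python below contrasts a reversible in-house digit "scramble" with a keyed-HMAC pseudonym that is deterministic across an HR table, a claims table and the text of a scanned W-2, so joins survive masking while the original value cannot be recovered without the key. The sample rows, the masking key and the helper names are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample data: an HR table and a claims table from two "systems",
# plus OCR text of a scanned W-2, all sharing the same (fake) SSN values.
HR_ROWS = [
    {"emp_id": 1, "name": "John Doe", "ssn": "123-45-6789"},
    {"emp_id": 2, "name": "Jane Roe", "ssn": "987-65-4321"},
]
CLAIM_ROWS = [
    {"claim_id": 900, "ssn": "123-45-6789", "amount": 1200},
    {"claim_id": 901, "ssn": "123-45-6789", "amount": 350},
    {"claim_id": 902, "ssn": "555-55-5555", "amount": 80},  # orphan: no HR row
]
W2_TEXT = "Employee: John Doe  SSN: 123-45-6789  Wages: 52000"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MASKING_KEY = b"placeholder-masking-key-never-ship-to-test-env"  # assumed secret

def scramble(ssn: str, shift: int = 3) -> str:
    """The in-house 'scramble' the article warns about: every digit is shifted
    by a constant. One known original/masked pair reveals the shift, after which
    unscramble() restores every record."""
    return "".join(str((int(c) + shift) % 10) if c.isdigit() else c for c in ssn)

def unscramble(masked: str, shift: int = 3) -> str:
    return scramble(masked, -shift)

def mask_ssn(ssn: str, key: bytes) -> str:
    """Keyed HMAC pseudonym: the same input always yields the same output (so
    joins survive), the output keeps the NNN-NN-NNNN shape, and without the key
    the original cannot be derived from the masked value."""
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).digest()
    digits = str(int.from_bytes(digest[:8], "big") % 10**9).zfill(9)
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

def mask_rows(rows: list, field: str, key: bytes) -> list:
    """Apply the masking policy to one field of a structured table."""
    return [{**row, field: mask_ssn(row[field], key)} for row in rows]

def mask_text(text: str, key: bytes) -> str:
    """Apply the same policy to unstructured text, e.g. OCR output of a W-2."""
    return SSN_RE.sub(lambda m: mask_ssn(m.group(0), key), text)

def joinable_claims(hr_rows: list, claim_rows: list) -> int:
    """Relational-integrity check: claims that still join to an HR row on ssn."""
    known = {row["ssn"] for row in hr_rows}
    return sum(1 for claim in claim_rows if claim["ssn"] in known)
```

Because the pseudonym depends on the key, the same key must be used by every system that shares the field, and the key itself must never reach the test environment.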
Complete Your Compliance Circle
With the risks, costs and probability of a data breach increasing every day, protecting your data across the enterprise and within your partner ecosystem is critical. By taking these five essential steps, you can dramatically reduce your risk, complete your compliance circle, and get more sleep at night knowing that your data is secure. Remember, it’s not if a breach will happen but when.