Today, more than at any other time in our working lives, we deal with tremendous amounts of data, but too often we are not really keeping tabs on all of it.

Yes, we might be aware, or at least not surprised, that sensitive data is not always secured on our networks. But most of the time (virtually every assessment I have conducted), sensitive data sits in plain sight for a hacker to steal once they have gained access to a single machine on your network.

Today, we’re confronted with a huge dilemma.

If data is leaked, the damage might not be easy to clean up or compensate for. And even when we can put a price tag on a breach, you might be held responsible for paying those damages out of pocket (the small print on your cyber insurance policy may leave you and your business as the responsible party).

We have found potentially risky sensitive information (here I mean personally identifiable information, PII) all over networks. I don't just mean Social Security numbers, credit card information and client contact information, but any information about you, your clients or your team that could be damaging in the wrong hands.

The repositories of this data (unstructured, in PDFs, spreadsheets, text files, you name it) might be OneDrive accounts, SharePoint libraries, databases, cloud storage or a local machine. Where exactly it sits does not matter: if I can find it with a simple scan, so can a hacker.

Imagine if you were starting a new job.

Let’s say you were in accounting at a 100-employee manufacturing company. You get sent emails with invoice information. You have dozens of banking accounts you routinely visit to reconcile transaction information. You periodically have to download reports to send to state and federal departments of revenue. There are a lot of moving pieces with your workflows.

Let’s say once a month you download bank account and credit card reports—say from your 10-person sales team—to keep tabs on spending amounts and to make sure that receipts match what’s in your system. Every time you check reports you download a copy of the credit card statement and put it in the appropriate file in your Accounting SharePoint library.

You also make sure QuickBooks is updated with invoices and documented appropriately with necessary receipts, invoices and billing information.

As a new employee, you have little to worry about off the bat. Your folders are clean: no clutter, no backlog of "get around to it" tasks, nothing in the wrong place, and everything sensitive is secured.

But imagine what happens over time, as you rake through payroll documents, credit card statements, employee records, tax filings and all the other tasks, large and small, that come with the job.

What if you occasionally download something to the wrong place on your computer? What if you did not realize a SharePoint folder was not really that secure (shared with everyone in the organization, with nothing restricting access to it and no encryption on its contents)? What if, without thinking about it, a handful of sensitive files end up sitting in your Downloads folder?

If your machine was hacked (and it does not have to be you who fell for the phishing email; a foothold anywhere on the network can be enough to reach your files), what would a hacker be able to get their sticky fingers on?

In our experience working with businesses, we see employees across the spectrum of roles having issues with managing documents containing sensitive information. They might be personal documents—such as employment-related enrollment forms. Or they might be for other people within the organization, or even information on clients or patients.

One big problem we find is that employees, even technically minded team members (!), do not grasp what having PII sitting on their machines implies. That is, until they experience a breach first-hand.

Whatever the flavor, we consistently find documents containing large amounts of PII on local computers or in cloud locations, wide open to a hacker who gains access to your machine as a regular user. No administrator privileges are needed: the same read access you use to open the file is enough to copy it.

My question to you: how easily are files within your network containing PII identified, indexed and retrieved?

Do you have an inventory that identifies which files contain PII?

Do you know where these files are?

Are they always encrypted?

How much sensitive information has drifted outside the places it is supposed to live within your organization?

The overall process of monitoring and cleaning house to ensure PII is secure can be complex. What I recommend is focusing on the big pieces of the puzzle. Locate the PII a hacker could exploit. Then, once you have found it, come up with a plan for what to do about it (note: this will likely be an ongoing cat-and-mouse process of continuously hunting for PII drift across your network).

You might:

Delete the data, if you have no further need for it. One important thing here is maintaining an audit trail of what you did (which file was where, what kind of data it held and when it was removed), so that if something is later discovered to be compromised, you will know exactly what was where on your network.

Secure the data, if you do need to keep it. I advise my clients to use VeraCrypt to keep personal files in an encrypted container. Keep in mind that an encrypted volume only protects the files while it is unmounted; once mounted, anything running as your user account can read it, so mount it when you need it and dismount it when you are done. If you have large volumes of PII, consider using some form of secured data vault or records management tool (if you have questions about options we have seen implemented successfully, reach out and I would be happy to help).

Redact the sensitive information, where you or someone on your team is required to keep the record but not the sensitive fields. Make sure the redaction actually removes the data rather than covering it up: a black box drawn over text in a PDF still leaves the underlying text extractable. Once the PII has been removed, be sure to delete or secure the original copy.

Whatever You Do, Take Action!

Whatever path you take, making sure your network is clean of information hackers could use against you is critical today. Would you rather take a chance on someone exploiting you or a member of your team because sensitive files were left lying around the file system?

The best way to take action is to make sure you have visibility of the problem and a process to correct any issues. One easy first step is to identify where your PII is located using a scanning tool that alerts you to gaps in your cyber hygiene.
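As an added, illustrative example (not code from the original post, and not a tool the author uses), here is what the "locate it, then act on it with an audit trail" steps described above can look like in Python. The script walks a folder tree, flags Social Security numbers and card numbers (card numbers are checked with the Luhn checksum so random digit runs such as purchase-order numbers are not reported), masks all but the last four digits in its report, and writes the path, SHA-256 hash, size and masked hits of each file to a JSON-lines audit log before a file is deleted. The sample Downloads folder, file names and contents are constructed for the demo; only plain-text formats are read, so PDFs and Office documents would need a text extractor in front of the same patterns.

```python
import hashlib
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Only plain-text formats are read here; PDFs and Office files need a text
# extractor (not included) before the same patterns can be applied to them.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json", ".xml"}

# US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four digits so the report is not itself a PII leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pii(text: str) -> dict:
    """Return {kind: [masked matches]} for the PII patterns found in text."""
    hits = {"ssn": [mask(m.group()) for m in SSN_RE.finditer(text)], "card": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits["card"].append(mask(digits))
    return {kind: found for kind, found in hits.items() if found}

def scan_tree(root: Path) -> list:
    """Walk root and return one finding per text file that contains PII."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        data = path.read_bytes()
        hits = find_pii(data.decode("utf-8", errors="ignore"))
        if hits:
            findings.append({"path": str(path), "sha256": hashlib.sha256(data).hexdigest(),
                             "size": len(data), "hits": hits})
    return findings

def record_action(finding: dict, action: str, audit_log: Path) -> dict:
    """Append what was where (path, hash, size, masked hits) and what was done to a JSON-lines log."""
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(), "action": action, **finding}
    with open(audit_log, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def delete_with_audit(finding: dict, audit_log: Path) -> dict:
    """Delete a file you no longer need, but only after the audit entry is written."""
    entry = record_action(finding, "deleted", audit_log)
    Path(finding["path"]).unlink()          # the logged hash still identifies which copy this was
    return entry

def build_sample_tree(base: Path) -> Path:
    """Constructed stand-in for an accountant's Downloads folder (not real data)."""
    downloads = Path(base) / "Downloads"
    downloads.mkdir(parents=True)
    (downloads / "card_statement_march.csv").write_text(
        "cardholder,number,amount\nJ. Doe,4111 1111 1111 1111,149.99\n", encoding="utf-8")
    (downloads / "enrollment_form.txt").write_text(
        "Employee SSN: 123-45-6789\nEmergency contact: Jane Doe, 555-0100\n", encoding="utf-8")
    (downloads / "invoice_notes.txt").write_text(
        "PO 4111111111111112 approved\n", encoding="utf-8")   # 16 digits, but fails Luhn
    (downloads / "setup.exe").write_bytes(b"MZ\x90\x00")      # binary, skipped by the scan
    return downloads

def main() -> None:
    with tempfile.TemporaryDirectory() as tmp:
        downloads = build_sample_tree(Path(tmp))
        audit_log = Path(tmp) / "pii_audit.jsonl"
        for finding in scan_tree(downloads):
            print(finding["path"], finding["hits"])
            # Demo policy: the enrollment form is not needed locally, so delete it;
            # the statement must be kept, so flag it for a move into an encrypted volume.
            if "ssn" in finding["hits"]:
                delete_with_audit(finding, audit_log)
            else:
                record_action(finding, "flag-for-encryption", audit_log)
        print(audit_log.read_text(encoding="utf-8"))

if __name__ == "__main__":
    main()
```

Running it prints the two files that contain PII (the card statement and the enrollment form, never the full numbers) followed by the audit log, while the purchase-order line and the binary are left alone. The pattern scan is deliberately simple; what a commercial tool adds on top is format extraction for PDFs and Office documents, connectors for SharePoint and OneDrive, and scheduling, so that the hunt for drift runs continuously rather than once.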