As COVID-19 moves business operations to employees’ home offices and kitchen tables, companies are contending with heightened security risks for customer data. In a time of significant disruption to normal operations, a well-planned security strategy is critical to keeping customers’ personally identifiable information (PII) safe and meeting compliance legislation. 

With remote access adding a new vector of vulnerability to your company and customer data, data masking is an effective solution to maintaining security and compliance.

Remote work can compromise security

Work-at-home arrangements are inherently more susceptible to data breaches for a few different reasons:

• Employees can create technical vulnerabilities when they use open wifi networks or insecure home routers and devices.
• Physical separation from colleagues and managers can weaken the social safety net that normally protects employees from manipulation by hackers.
• Working in the comfort of a familiar home environment may make employees more lax when it comes to handling risks like phishing emails, unsafe attachments or suspicious links.

Giving remote teams security knowledge and training can go a long way to ensuring data stays safe. Companies should be supporting their people in identifying threats, ensuring home networks and devices are secure, and using a VPN service to encrypt data.

However, even with these protocols and compensating controls in place, companies risk exposing sensitive customer data to malicious actors. 

Eliminating threats starts inside

Whether through malicious intent or carelessness, the threat to customer data is often from individuals inside the organization who have legitimate data access privileges.

Since 2018, the number of insider-caused cybersecurity incidents increased by 47%, costing organizations an average of $11.45 million annually. 

Put simply, in many cases, the problem comes down to TMI – too much information. 

While production data is usually subject to strict security protocols, employees, contractors, third-party partners and outsourcers often have access to copies of that same data for use in less secure operations (e.g., software development, testing, training, customer care, etc.). For the most part, however, they need never see actual PII, like payment card information, social security numbers or email addresses, to carry out their job functions. 

Having unnecessary access to all that data opens up a whole host of vulnerabilities. And when business processes are outsourced, it can present a particularly dicey situation since companies relinquish control of the environment in which customer data is stored. From a customer service agent clicking on a sketchy email link to coders working in an insecure development environment, insiders can easily leak sensitive data to malicious actors or create weak spots in the company’s perimeter.

Data masking keeps PII on a need-to-know basis

Data masking circumvents this problem by guaranteeing that sensitive data is available only to the employees who require it to do their jobs, and only in the moments when they need it.

The main principle behind data masking is that data remains usable, but the actual values themselves are obscured. By retaining the format of the data while altering the values, data masking creates a structurally similar but artificial version of production data that can be used for development, testing, training and more. Teams have access to functional data they can use to do their jobs, without ever having to see customers’ personal information.

How data masking works

Companies can use data masking selectively to protect a variety of data, including customers’ banking, contact, health and other personal information, as well as employee data and intellectual property. Protection can be applied to a specific type of data (e.g. payment card information) or to specific data objects or subjects (e.g. home addresses of employees).

There are a few different ways values can be changed in data masking but, in all cases, the alterations must be undetectable and impossible to reverse engineer. Methods like encryption and redaction ensure users cannot see data unless they have the required privileges. Character scrambling, substitution and shuffling use existing data, but alter it so that the values themselves are jumbled or swapped with different values that still look authentic.

What to consider when implementing data masking

Ultimately, the strategy a company uses to implement data masking depends on the size, location, complexity and usage of its data. Generally speaking, there are two different types of data masking: static and dynamic.

1. Static data masking – This approach applies a series of transformations to the original production data to create a golden masked copy that is extracted then replicated for different environments. Sensitive information is completely obfuscated in the copied data, meaning there is no threat if a hacker gets access. On the downside, this approach can be time-consuming because it is batch processed rather than being performed in real-time. In addition, the copy database cannot be used as a back-up for production data since it has been permanently altered.
2. Dynamic data masking – A newer method that can be done a number of different ways, dynamic data masking is based on the premise of applying role-based security to data and applications in real time. Data stays inside the production database and is masked in real time, making it less vulnerable to hackers. A database proxy ensures that only authorized users have access to sensitive information. Dynamic masking works best in read-only contexts, such as analytics or customer service; otherwise masked data could be written back to the database, corrupting the data. While it may be faster than static data masking in the sense that it doesn’t require upfront batch processing, the process of inspecting all traffic to the database slows performance slightly and could pose productivity issues, particularly in a remote work setting. This approach also requires that IT personnel maintain a complex matrix to configure masking rules and access. 

Regardless of the type used, data masking keeps internal processes secure, while protecting organizational data when it needs to be used by external individuals and parties, including outsourcers.

By understanding the flow of enterprise data, mapping where PII exists and identifying who needs access to it, data masking controls and monitors all data interactions without locking down data. In this way, it protects employees from seeing too much while giving them the tools they need to perform. Moving forward, data masking ensures businesses can continue adapting to novel work arrangements safely while keeping security, operations and innovation paramount.