About the Utility
This Utility is one of the largest public power providers in the U.S. and a corporation of the federal government. It provides electricity for more than nine million people in a service area that spans 80,000 square miles. It sells electricity to power distributor customers and directly serves industries and federal facilities.
When an eye-opening data security audit showed the organization needed to quickly strengthen its sensitive data management, they turned to Spirion for step one of Data Security Posture Management (DSPM) – understanding what sensitive data you have.
Challenge
As a government entity, this large electric utility in the United States was subject to audits by the Office of Inspector General (OIG). When a comprehensive audit revealed a shocking gap in its sensitive data management, senior leadership knew changes needed to be made, and quickly. The Utility maintains internal documentation on all employees and customers that contains sensitive PII, which, if compromised, could lead to a severe data breach.
The main challenge the Utility faced was locating this sensitive data and lowering the potential data security risk, all while avoiding a disruption in business continuity. Like most government agencies, the Utility must comply with several regulations, such as the Privacy Act, PIA, and FISMA. An initial discovery showed thousands of files that dated back almost two decades. Leadership began a search for a solution that:
- Performs scans on file servers, shared storage, and PCs.
- Identifies sensitive information specific to the utility.
- Lives on one central platform, enabling all data collection and reporting to be used for compliance auditing and internal management.
Failure to find a DSPM solution that aligned with their organizational needs and structure could result in decreased service quality and loss of revenue.
Solution
The Utility chose Spirion because of the solution’s easy setup and support. Spirion provided the Utility with key usability and management benefits, including:
- Discovery of PII in all forms: text and scanned documents, zip files, archives.
- Central reporting on data inventory across the enterprise.
- Monthly scheduling of scans and reporting.
- Automated scans of all networked drives, servers, and PCs to discover and classify PII data, and report on potential threats.
- Identification of PHI data from scanned documents.
- Minimization of locations for PII data storage.
Spirion was initially used to search the Utility's networks for PII, such as Social Security numbers. Once the sensitive data was discovered, the Utility took the appropriate remediation steps to lower the associated risk levels.
Results
Since the Utility implemented the solution, Spirion has helped it pass the OIG’s audit of its data environment. Spirion also greatly reduced the Utility's exposure, which could otherwise lead to a catastrophic data breach impacting employees, customers, and the energy grid.
This use case demonstrates the effectiveness and necessity of DSPM within the energy industry. Information on distribution networks, procedures, and payment data is handled by multiple people and may be leaked through several transport channels – files, email, web traffic, instant messaging, removable media, etc. Therefore, utilities must proactively protect their critical information.
Thanks to Spirion, this large electric utility was able to understand and act on information that could:
- Place it at risk of PCI-DSS noncompliance.
- Preclude it from effectively competing in energy production or distribution.
- Disrupt business continuity with partners, suppliers, and employees.
- Put its clients at risk.