Data is the lifeblood of any business and, in today’s data-driven world, information is all-pervasive and, for many organisations, in danger of reaching saturation point. Understanding what data you have, who is using it, how it is being stored, classified and shared, and whether it is company-sensitive is therefore not as easy as you might think. That’s because data gets saved in unusual places, employees move on and take data with them, or it simply gets forgotten or lost. The bottom line is that data sits on file servers and in departmental document stores, unprotected and often unrecoverable, because no one knows that it even exists.
But with the implementation of GDPR, CCPA and numerous other stringent data protection regulations enacted worldwide, the need to protect data has never been greater.
That said, organisations have limited resources to invest in safeguarding their data; there is not a bottomless fund to throw at the problem. Knowing exactly what data needs protecting therefore helps the business to set priorities and develop a sound plan for allocating budget and other resources wisely, while minimising security and compliance costs.
But where do you start?
A good jumping-off point is to classify your data. Data classification is the process of organising data into categories for its most effective and efficient use. Using data classification helps the organisation to regain control over its data. Likewise, involving your users in data classification automatically makes them more data-aware, with a greater understanding of the policies and value of the organisation’s data.
So, here are my five key steps to more effective data protection:
- Put the foundations in place
First you need to build a strong foundation around your data, to understand exactly what you hold and the potential risks to its security. This process begins by identifying the types of data that are of greatest importance to the business so you can pinpoint where you need to focus protection and controls. IBM estimates that between 0.5 and 2 per cent of an organisation’s data is ‘critical’; in other words, it has a significant financial value to the company. More often than not, critical data is likely to be heavily protected. It is all the other data that people don’t think about as being valuable - such as customer lists, contracts and time-sensitive documents - that must be identified and protected. If you are not sure, think about the ramifications if a document were leaked or lost – would it harm the business?
- A journey of discovery
Having identified data that needs safeguarding, you then need to undertake a discovery exercise to find out exactly what you have, where it is and who has access to it. Even the best-thought-through security policy is ineffective if the organisation doesn’t know what it holds and, therefore, what controls should be in place to protect that data. A discovery exercise will give you visibility of your data and how it is being accessed and used. This enables the protection, strategy and solutions to be built around the types of data found. It also provides an opportunity to cut retention costs: according to the Veritas Databerg report, a mid-sized organisation spends £435K per year on storing and managing obsolete data. Additionally, there is a wealth of data discovery tools that provide an efficient and accurate way to find assets and classify them.
- Classify your data
Once you have defined data within your business you will be able to classify it. Data classification is the categorisation of data according to its level of sensitivity or value, using labels. These are attached as visual markings and embedded into the file’s metadata. When classification is applied in association with downstream security solutions, the metadata ensures that the data can only be accessed or used in accordance with the rules that correspond with its label. Clearly you need to define your classification policy first and decide who should have access to each type of data. Once you have done this, you will need to select an appropriate classification tool. The right technology will help your users to apply the classification scheme consistently and will also ensure you add the right metadata. The most effective tools make classification a seamless part of business-as-usual.
- Securing your data
Data, once classified, now needs a higher grade of controls around it. By classifying the data, you already have the magic ingredient that makes any type of enterprise security and information management solution more effective. The types of solution that you might want to combine with data classification include data loss prevention solutions, security information and event management (SIEM) tools, search and retrieval tools, access control tools, and data governance and data retention tools. The effect of integrating data classification with other security technologies and toolsets is that you are adding layers of security around your data, strengthening your protection.
- Remaining fit for purpose
But it doesn’t stop there: you must keep checking and maintaining your data to keep it intact. Legislation and threats to the business (both external and internal) are constantly evolving and, in the same way, you will need to ensure ongoing measurement of the effectiveness of your security policy and the controls you have put in place. This improves your chances of detecting a breach quickly and, if there is a breach, the detailed audit information that data classification provides will enable the organisation to demonstrate that it has taken the appropriate steps to protect data. Most importantly, real-time monitoring of how people use classification tools will allow any behaviour that deviates from ‘normal activity’ to be identified and addressed.
Ultimately, using data classification software removes the need for manual workarounds, helps organisations enforce a classification policy and ensures employees are following the same guidelines in a consistent manner. Measuring effectiveness provides the intelligence needed to evolve the strategy in line with threats and business changes, all of which means that you can be sure that the right data is being protected, rather than having that uneasy feeling of not really knowing. If you are interested in reading more about the best way to approach data classification, why not download our whitepaper: “The Five Steps to Effective Data Protection.”
Martin Sugden, CEO, Boldon James