Not all data is created equal - it's a question of classification

Information security is not just a legal requirement. It is necessary to maintain an organisation’s reputation, trust and profitability.

Evolving technology results in more ways for data to be created, shared and stored. And while it may be easier (and cheaper) to collect and store large amounts of data, the risk to information is increasing.

One mistake in the way sensitive data is handled can damage a business, its reputation and the confidence customers have in them.

Cybercriminals will always find new ways to breach defences, but these aren’t always through technology.

Why classify?

Data classification is the cornerstone of information risk management.

It allows you to organise data into tiered categories based on its sensitivity and the level of protection it needs to mitigate information security risks.

Clearly labelling data with the correct classification shows its value, helps everyone instantly understand its level of sensitivity and ensures it is handled securely.

Assessing data

To adequately safeguard sensitive data, you must first know and understand what data you have and what risks it faces.

Ask yourself:

• What sensitive data does our organisation have?
• Where is sensitive data located?
• Who can access our organisation’s sensitive data?
• How would our organisation be affected if this data was leaked, destroyed or accessed by unauthorised persons?

Use these questions to help you assess your data and the threat landscape. This will form the basis of your classification levels and handling procedures.

Implementing classifications

Because not all data is created equal.

By creating a process for where data is held and who handles it, you can also implement security controls based on its organisational value and associated risks.

But it’s important not to overload employees with too much information. A straightforward policy, with three or four classifications, is more manageable and more likely to help employees understand company requirements.

And when they understand, they will adhere.

Employees and classifications

Employees also need to understand that they are the first line of defence against data breaches – even those who think they don’t handle confidential information.

Everyone plays a key role in ensuring data is classified and handled securely. Empower employees to be your robust front-line defence against information security risks.

Educating employees about current threats to your organisation’s data and their role in keeping it safe is essential. Those who understand why they need to classify data are more likely to care and engage with information security.

Create unity by encouraging everyone to take responsibility for keeping information secure and promote your data classification policy as a tool to help them achieve this. If developed well, it will even make their lives easier.

Insider threats

Insider threats, both malicious and accidental, can be difficult to prevent as they develop from weaknesses in your frontline defence.

Automated classification

Data classification has traditionally been a user-driver process, but many organisations are now opting for automated classification.

Automated classification can help ensure data is protected when it is created, modified, stored or shared.

It is efficient and can remove human error to ensure information is correctly classified. It can also organise information and reduce the risk of data loss.

However, automated tools can lead to less control over data. In cases where data may be difficult to classify, an automatic tool cannot interpret the context of information as a person can.

You may wish to consider combining an automated solution with a user-centric strategy.

Senior management support

But training employees only goes so far – you also need support from management and the board for data classification to be successful.

When top executives lead by example, it shows that the rules also apply to them and gives employees a clear incentive to follow policies.

By also ensuring that your middle management teams understand the importance of data classification, you can encourage them to champion it.

Conclusion

1. Use classifications to improve information security by focusing on business-critical data.
2. Implement straightforward policies, promote best security practices and educate employees to reinforce your classifications.
3. Get support from senior management.
4. Monitor, maintain and update your data classification policy to ensure you continue to meet the changing needs of your organisation.
5. Adapt your data classification and wider cybersecurity strategy as threats to your data evolve.

Above all...Keep it clear. Keep it simple. Keep it secure.