Not all data is created equal – it’s a question of classification
04 April 2019
Information security is not just a legal requirement. It is necessary to maintain an organisation’s reputation, trust and profitability.
Evolving technology results in more ways for data to be created, shared and stored. And while it may be easier (and cheaper) to collect and store large amounts of data, the risk to information is increasing.
One mistake in the way sensitive data is handled can damage a business, its reputation and the confidence customers have in them.
Cybercriminals will always find new ways to breach defences, but these aren’t always through technology.
Data classification is the cornerstone of information risk management.
It allows you to organise data into tiered categories based on its sensitivity and the level of protection it needs to mitigate information security risks.
Clearly labelling data with the correct classification shows its value, helps everyone instantly understand its level of sensitivity and ensures it is handled securely.
It ensures data is handled correctly at every stage of its lifecycle.
Classifications allow you to organise data for retention, storage, budgets and ease of reference, and, perhaps most importantly, control who has access.
To adequately safeguard sensitive data, you must first know and understand what data you have and what risks it faces.
- What sensitive data does our organisation have?
- Where is sensitive data located?
- Who can access our organisation’s sensitive data?
- How would our organisation be affected if this data was leaked, destroyed or accessed by unauthorised persons?
Use these questions to help you assess your data and the threat landscape. This will form the basis of your classification levels and handling procedures.
Because not all data is created equal.
Define and implement a data classification policy that includes objectives, data owners, classification categories, and handling instructions. Clearly define your classification procedures for each information type and ensure they can be easily understood by your employees.
By creating a process for where data is held and who handles it, you can also implement security controls based on its organisational value and associated risks.
But it’s important not to overload employees with too much information. A straightforward policy, with three or four classifications, is more manageable and more likely to help employees understand company requirements.
And when they understand, they will adhere.
Employees and classifications
Employees also need to understand that they are the first line of defence against data breaches – even those who think they don’t handle confidential information.
Everyone plays a key role in ensuring data is classified and handled securely. Empower employees to be your robust front-line defence against information security risks.
Educating employees about current threats to your organisation’s data and their role in keeping it safe is essential. Those who understand why they need to classify data are more likely to care and engage with information security.
Create unity by encouraging everyone to take responsibility for keeping information secure and promote your data classification policy as a tool to help them achieve this. If developed well, it will even make their lives easier.
Insider threats, both malicious and accidental, can be difficult to prevent as they develop from weaknesses in your frontline defence.
Disgruntled employees may intentionally steal data, or human error arising from a lack of training could result in information being divulged unintentionally or unknowingly.
Combine access management systems, the principle of least privilege, and data classification to help prevent employees from disseminating sensitive information they should not have access to.
Data classification has traditionally been a user-driven process, but many organisations are now opting for automated classification.
Automated classification can help ensure data is protected when it is created, modified, stored or shared.
It is efficient and can remove human error to ensure information is correctly classified. It can also organise information and reduce the risk of data loss.
However, automated tools can lead to less control over data. In cases where data may be difficult to classify, an automatic tool cannot interpret the context of information as a person can.
You may wish to consider combining an automated solution with a user-centric strategy.
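To make the two ideas above concrete, combining an automated scanner with a user-assigned label and then enforcing least privilege from the resulting label, here is an added Python example that is not part of the original article. The four-tier scheme, the detection patterns and the rule that a user downgrade below the scanner's result is flagged for review are all assumptions chosen for the illustration.

```python
import re

# Four-tier scheme, ordered least to most sensitive (assumed for this example).
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Automated rules: a pattern and the minimum classification it implies.
# The patterns are constructed samples; a real tool is tuned to the organisation.
RULES = [
    (re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"), "RESTRICTED"),  # card-like numbers
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "CONFIDENTIAL"),            # e-mail addresses
    (re.compile(r"\b(salary|payroll|contract)\b", re.I), "INTERNAL"),        # HR / commercial terms
]


def auto_classify(text):
    """Return the highest classification implied by any matching rule."""
    level = "PUBLIC"
    for pattern, implied in RULES:
        if pattern.search(text) and RANK[implied] > RANK[level]:
            level = implied
    return level


def final_label(text, user_label=None):
    """Combine automated and user-driven classification.

    The person's label wins, because only they know the context (a test card
    number, a public press contact). A downgrade below the scanner's result is
    flagged for review so the organisation keeps control over the data.
    Returns (label, needs_review).
    """
    auto = auto_classify(text)
    if user_label is None:
        return auto, False
    if user_label not in RANK:
        raise ValueError("unknown classification: %s" % user_label)
    return user_label, RANK[user_label] < RANK[auto]


def may_access(user_clearance, label):
    """Least privilege: a user may read data only at or below their clearance."""
    return RANK[user_clearance] >= RANK[label]


if __name__ == "__main__":
    doc = "Card 4111 1111 1111 1111 on file"  # constructed sample document
    print(auto_classify(doc), final_label(doc, "INTERNAL"), may_access("INTERNAL", "RESTRICTED"))
```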
Senior management support
But training employees only goes so far – you also need support from management and the board for data classification to be successful.
When top executives lead by example, it shows that the rules also apply to them and gives employees a clear incentive to follow policies.
- Use classifications to improve information security by focusing on business-critical data.
- Implement straightforward policies, promote best security practices and educate employees to reinforce your classifications.
- Get support from senior management.
- Monitor, maintain and update your data classification policy to ensure you continue to meet the changing needs of your organisation.
- Adapt your data classification and wider cybersecurity strategy as threats to your data evolve.
Above all… Keep it clear. Keep it simple. Keep it secure.