Digital systems generate massive amounts of data. However, not all data is equal – the more value the data has, the bigger the risks involved.
If your organization does not have a clear view of who can access data, why they have this access, and in what manner they can access it, the first step is to start a data classification process. This is the key to any effective cybersecurity management program.
Data classification is easier said than done. But it is the only way to develop a good understanding of all the data assets the organization has and to determine how these assets should be protected from risks. The more valuable data is, the more focus and investments it deserves.
Each phase of the classification process requires a systematic approach. Most importantly, data classification is never only the IT department’s responsibility. The whole organization must participate in the process. Additionally, data classification should be performed regularly to avoid gaps as the organization evolves. If you perform the classification but don’t follow up, you’re only halfway there.
Once the data has been classified, the next step is to consider and check who can access it and how well it is protected from unauthorized access. In many cases, organizations handle identification and authorization quite well based on the roles the employees have. There are plenty of tools available to manage this aspect of classification.
But there is one thing that many organizations miss in a data classification process: Visibility. The organization not only needs to see what data it has and where it is located. It also needs to know exactly who uses the data, why the data is accessed, when this happens, and how.
Without full real-time visibility and automated tracking of data usage, it is practically impossible to prevent data loss. Automating the identification and authorization process is also important in reducing the burden on resources.
Additionally, there’s always the human factor dilemma. Even if the technical protection follows best practices, people always tend to be the weakest link in cybersecurity, and they may break the chain.
As an example, let’s consider the GDPR requirements that all organizations have been striving to fulfil. On their road to compliance, there have still been cases where employee practices have bypassed critical security considerations. People may find different customer databases very handy when, for example, they arrange an event and want to invite people. For that purpose, they can export files from secure systems that demand authorization and store them somewhere else for easy access later. Afterwards, the files are forgotten in shared folders, on personal computers etc. – and this poses an obvious risk, as these files are also convenient targets for cyber thieves!
Any organization must have visibility into critical data no matter where it is located. Visibility is essential to ensure that data remains where it is supposed to remain. To avoid problems, it is probably best to deny all copying of sensitive data. Where copying is allowed, the copies must be tracked automatically. No unidentified or unauthorized person should ever be able to access the data. Trust me: you’ll sleep better when you know the what, why, who, and how of your data at all times.
Do you want to know more about data classification and how it is a strong tool for business risk management and fundamental for cyber security? If yes, please get in touch with me or my colleagues at Tieto Security!