Why Data Classification Should be Central to Every Organisation’s Security Strategy
According to Samsung, internet traffic surpassed the one zettabyte point in 2016, which equates to one billion terabytes’ worth of data, or 1 trillion gigabytes. In short, that’s a lot of data, and it’s a figure that will keep on growing. Data is at the heart of every business, which is why data classification is so important. But what does it mean, and why should it be central to every organisation’s security strategy?
Data classification places a key identifier on your data, raising end-user awareness and allowing the data to be found easily and efficiently. Even more importantly, it ensures the correct handling and monitoring of sensitive data both inside and outside an organisation, which is critical when it comes to protecting your most valuable data.
Whatever your vertical market or location, the chances are there will be governing bodies, internal audits and mandates with which your company must comply. This, combined with the EU General Data Protection Regulation (GDPR), which at just over a year away is edging closer at an alarming speed, is a cause of great concern for organisations. GDPR will apply to organisations of all sizes, so it’s time to start getting your house in order, and data classification provides the ideal way to order and prioritise data based on its sensitivity. Which data does your company place the most value on? Is it your finance records, personal customer data or maybe the lunch menu? Placing a “metadata tag” onto a piece of data enables easy identification of your most sensitive assets, and by appropriately protecting them you reduce the risk of falling foul of most compliance mandates.
2. Improve ROI of existing technologies
Being able to identify your organisation’s data also helps to improve the performance of, and achieve greater ROI on, expensive security technologies already in place.
For example, most organisations have encryption technology (an EU GDPR compliance requirement) to ensure that information is protected while in motion or at rest. Adding metadata tags to sensitive content allows you to focus on encrypting the assets that are of most value rather than wasting time protecting the lunch menu.
Many organisations regularly use data governance and forensic solutions to clean up their legacy data, reduce storage costs and put large data sets in order. By employing a data classification solution for the same task, you could bulk classify sensitive assets in tandem as they are discovered and ensure they too are protected and retained only as long as is absolutely necessary (think EU GDPR).
Data Loss Prevention (DLP) tools can also be enhanced by making it easier to intercept information being uploaded into the cloud or sent via email. Those familiar with DLP will be aware that creating rules is often cumbersome; consequently, system overheads can increase and false positives can be created. The simple action of adding a “confidential” label into the metadata means the DLP immediately knows that this information should NOT leave the organisation and will block it, avoiding the need to scan the entire content.
As soon as you have followed the process of identifying your data and its storage locations, your security policy can be extended into Identity Access Management (IAM) solutions so that only those users with permitted access to the data are allowed, while those without are denied.
Finally, User Entity & Behaviour Analytics (UEBA) solutions provide a far more intelligent way of monitoring and alerting than ever before, and consequently a much clearer view of how users and machines are interacting with the most sensitive content, so that users can be alerted in real time when potential threats occur.
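The label-first DLP decision described above can be sketched as follows. This is an added example, not code from the article or from any DLP product: it reads an Office-style custom document property from `docProps/custom.xml` and decides on the label alone. The property name `Classification`, the blocked-label set and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
LABEL_PROPERTY = "Classification"                   # assumed property name
BLOCKED_LABELS = {"confidential", "internal only"}  # assumed egress policy


def build_sample(label=None):
    """Constructed sample: a minimal OOXML-style package, optionally labelled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<doc>Q3 forecast</doc>")
        if label is not None:
            z.writestr("docProps/custom.xml", (
                f'<Properties xmlns="{CP_NS}" xmlns:vt="{VT_NS}">'
                f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" '
                f'pid="2" name="{LABEL_PROPERTY}">'
                f'<vt:lpwstr>{label}</vt:lpwstr></property></Properties>'))
    return buf.getvalue()


def read_label(package_bytes):
    """Return the classification label from the metadata part, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
            xml_bytes = z.read("docProps/custom.xml")
        # Untrusted input: a production gateway should use a hardened XML parser.
        root = ET.fromstring(xml_bytes)
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return None
    for prop in root.findall(f"{{{CP_NS}}}property"):
        if prop.get("name") == LABEL_PROPERTY:
            value = prop.find(f"{{{VT_NS}}}lpwstr")
            if value is not None and value.text:
                return value.text.strip()
    return None


def egress_decision(package_bytes):
    """Decide on the label alone; unlabelled files go to content scanning."""
    label = read_label(package_bytes)
    if label is None:
        return "scan"   # no usable label: fall back to full content inspection
    return "block" if label.lower() in BLOCKED_LABELS else "allow"
```

A file whose label is missing or stripped lands in the `scan` path rather than being allowed, so the metadata check shortens the common case without replacing content inspection.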
3. End user awareness
People are the most powerful tool in an organisation’s armour and empowering them is the key to implementing a successful security strategy. The seemingly small action of adding visual labels such as headers and footers onto a document or email can raise end user awareness and help them become more security focused.
We all recognise labels and their role in encouraging people to ‘err’ on the side of caution. ‘Do not open’, ‘handle with care’ and ‘contents flammable’ would make you think and change your normal behaviour. Similarly, visual labels and watermarks can be applied to data to alert the user to behave more cautiously, for example if the content is marked as “internal only”.
A huge number of data leaks are accidental and could have been avoided if only a data classification solution had been in place to raise user awareness and deter sensitive content from being stored on a USB or uploaded to third party web portals such as Dropbox and Box. Using visual labels also encourages users to be more responsible and aware when handling physical copies of data that have been printed out.
It’s safe to say that data classification is central to a well thought out security strategy. And, whether it’s automated or driven by the end user is up to you but either way the classification software must be on the end users’ desktops ensuring that they are at the heart of your security strategy.
Written by Danny Maher
Danny Maher is Chief Technology Officer at HANDD Business Solutions, an independent specialist in global data security