
Great way to improve security: classify your data


Oskar Ehrnström / August 22, 2019

Digital systems generate massive amounts of data. However, not all data is equal – the more value the data has, the bigger the risks involved. Therefore, valuable data also requires better protection. To determine the risk, it is essential to know who can access data, why, and how. Does your organization know the answers?

If your organization does not have a clear view of who can access data, why they have this access, and in what manner they can access it, the first step is to start a data classification process. This is the key to any effective cybersecurity management program. 

Data classification is easier said than done. But it is the only way to develop a good understanding of all the data assets the organization has and to determine how these assets should be protected from risks. The more valuable data is, the more focus and investments it deserves. 

As a process, classifying data can be split into five phases:   

1) identifying data 

2) specifying the location of data 

3) identifying data generating sources 

4) classifying data 

5) assessing the value of data. 

 

Each phase requires a systematic approach. Most importantly, data classification is never only the IT department’s responsibility. The whole organization must participate in the process. Additionally, data classification should be performed regularly to avoid gaps when the organization evolves. If you perform the classification but don’t follow up, you’re only halfway there.

Once the data has been classified, the next step is to consider and check who can access it and how well it is protected from unauthorized access. In many cases, organizations handle identification and authorization quite well based on the roles the employees have. There are plenty of tools available to manage this aspect of classification. 

But there is one thing that many organizations miss in a data classification process: visibility. The organization not only needs to see what data it has and where it is located. It also needs to know exactly who uses the data, why the data is accessed, when this happens, and how.

Without full real-time visibility and automatic ability to track data usage, it is practically impossible to prevent data loss. Automation of the identification and authorization process is also important in reducing the burden on resources. 

 

Visibility can mitigate the effect of the human factor

Additionally, there’s always the human factor dilemma. Even if the technical protection follows best practices, people always tend to be the weakest link in cybersecurity, and they may break the chain. 

As an example, let’s consider GDPR requirements that all organizations have been striving to fulfil. On their road to compliance, there have still been cases where employee practices have bypassed critical security considerations. People may find different customer databases very handy when they e.g. arrange an event and want to invite people. For that purpose, they can export files from secure systems that demand authorization and store them somewhere else for easy access later. Afterwards, the files are forgotten in shared folders, personal computers etc. – and this poses an obvious risk, as these files are also convenient targets for cyber thieves!

Any organization must have visibility to critical data no matter where it is located. Visibility is essential to ensure that data remains where it is supposed to remain. To avoid problems, it is probably best to deny all copying of sensitive data. In case copying is allowed, the copies must be tracked automatically. No unidentified and unauthorized person should ever be able to access data. Trust me: you’ll sleep better when you know the what, why, who, and how of your data at all times. 

Do you want to know more about data classification and how it is a strong tool for business risk management and fundamental for cyber security? If yes, please get in touch with me or my colleagues at Tieto Security! 

Oskar Ehrnström
Lead Business Development Manager

With over 20 years of experience in sales and marketing, and with 11 of those as a leader and trusted advisor within cybersecurity, Oskar Ehrnström drives business innovation and transformation within Tieto Security Services.
