Digitisation and cloud computing mean that employees have the potential to access some of their employer’s most valuable assets — sensitive data and intellectual property. Teams need clear guidelines on what information should be most protected.
Accessing and sharing important and sometimes very sensitive business information has become part of carrying out business as usual. Data classification makes it easier for people to identify different types of data and understand the most appropriate ways of securing and using them.
Tap into your skills
If you’re prone to flights of fancy or have an active imagination, the words ‘data classification’ may conjure up images of government spy missions or messages that self-destruct after being read!
In terms of pragmatic cyber security practices, the reality is slightly less dramatic but nonetheless very effective. Data classification is the practice of identifying different types of data so that appropriate measures can be used to protect the more sensitive types of data.
And when you stop to think about it — many of us are already highly skilled at data classification in our everyday lives.
We self-apply aspects of data classification when deciding whether to share or reveal our personal information in interactions with other people and organisations.
The behaviour to protect sensitive personal information is almost instinctual. We exercise caution when revealing information that could be used against us in some manner or violate our privacy.
Someone’s personal system of data classification might look something like this:
Put sensitive data into a class of its own
Understanding and appreciating the power and value of an organisation’s data are crucial. Not all data is equally important.
The decision-making process many of us use to protect our personal data makes it easy to understand why data classification within an organisational context is a good idea.
Just as we wouldn’t share our bank details on our social networks, there are many types of data in our organisations that aren’t suitable for general sharing.
A data classification framework outlines what types of data an organisation holds and which data require the most protection. Explicitly setting this out in a framework means that everyone understands the rules.
Intellectual property is a high-value asset
Organisations operating within the financial or healthcare industries are subject to regulatory and privacy compliance requirements. Due to the sensitive nature of the data that they hold, these types of organisations are likely to have more complex data classification frameworks.
The potential for negative impact or harm is greater if sensitive data is exposed. When people work with these types of data, they must know how to protect it. Identifying sensitive data and selecting the most appropriate security measure available to use, store, and share it securely is a highly valuable skill.
However, it’s not only these types of organisations that can benefit from using data classification. The intellectual property held in many other organisations, including universities, manufacturing, and retail businesses, is a highly valuable asset.
It may not be as clear-cut in some organisations. Data should be classified taking into account the specific circumstances of each organisation, the industry they operate in, and the types of data they handle.
Data classification doesn’t prevent leaks and mistakes, but it helps identify what needs the most protection
Every organisation’s worst nightmare is to have sensitive data maliciously leaked, or to have a careless error reveal trade secrets.
Email allows us to transmit information easily. Entire databases, scanned copies of sensitive documents, or any manner of sensitive information can be added as an email attachment and sent at the click of a mouse button.
Unfortunately, emails can get sent to the wrong recipients or sent to many recipients using CC (carbon copy) instead of BCC (blind carbon copy). This happens more often than you may think and leads to data leakage.
This type of error can have severe consequences for organisations and individuals whose data is compromised.
Whilst data classification can’t prevent this type of security breach from happening, if people are informed about the sensitivity of the data that they work with, they can make more appropriate decisions about how they handle it.
Seeing a document marked ‘Restricted’ or accessing a password-protected system should give any employee pause for thought. Take the time to consider –
- Is this data meant for internal use only?
- What’s the worst that could happen if this data became publicly available?
- What are the laws or compliance requirements around sharing this type of data?
- Is this data commercially sensitive?
Unintended exposure of sensitive information can have far-reaching legal, compliance, or privacy ramifications and impacts. The risk of this exposure exists wherever employees have access to data that requires protection.
How to start with data classification
Though data classification frameworks can seem daunting at first, setting one up for your organisation doesn’t have to be complex.
If data classification is new to your organisation and you don’t know where to begin, here are a few tips to get you and your team started:
- Do an inventory of what data your organisation collects, stores, or handles. Identify any data that requires higher levels of security. This includes data like personal information (of employees or customers), payment information, or medical details. It can be helpful to put the different types of data you come across in a table; that way you can start filling out the different classifications and tips for handling each category type. This is a great start to your organisation’s data classification policy and would be a handy “internal classified” table to share with your employees.
- Provide your employees with the tools they need to store internal, confidential, and restricted data. Depending on your organisation, an internal data storage tool could be Google Drive, Microsoft SharePoint, a web-browser-based wiki or internal knowledge base software (like Confluence, Guru, or Tettra), or an intranet that’s only accessible inside your organisation’s office. You may use the same tools for handling both confidential and restricted data. However, you’ll need to set up more access controls so you can limit who has access. You might also store confidential and restricted data in other places, like databases and Software-as-a-Service (SaaS) tools. Wherever this data is stored, it’s key to limit access and keep those tools protected.
- Teach your team about the best ways to handle classified data. Each organisation will be different because we all handle different types of data and use different tools for storing, collecting, and handling it. Share with your team the types of data they can expect to see when working in your organisation, what level of classification each type has, how to handle and store this data, and what to do if the data is mishandled. Our new data classification course can be a great first step in covering these learning basics.
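The three steps above (inventory the data, classify it, and agree handling rules) can be turned into a small, repeatable check. The Python script below is an added example written for this post; it is not SafeStack Academy’s code or course material. It builds the kind of “internal classified” inventory table the first step suggests by scanning a handful of constructed sample records for the data types the post names (personal, payment, medical), assigning each record one of the Internal / Confidential / Restricted levels mentioned in the second step, and attaching a handling rule. It also flags the email mistake the post describes (sensitive data addressed outside the organisation, or a long recipient list that should probably be BCC). The classification levels, the handling rules, the detection patterns and the recipient-count threshold are all assumptions for illustration; a payment-card match is confirmed with a Luhn checksum so that an unrelated run of digits (an order reference, say) does not get mislabelled.

```python
import re

# Assumed classification levels and handling rules (illustrative, not the post's policy).
LEVEL_RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}
HANDLING = {
    "Public": "May be shared externally.",
    "Internal": "Internal use only; keep on the intranet or internal wiki.",
    "Confidential": "Access limited to named teams; do not email to external recipients.",
    "Restricted": "Access limited to named individuals; encrypted storage, access logged.",
}
# Which level each detected data type pulls a record up to (assumed).
TYPE_LEVEL = {"personal": "Confidential", "payment": "Restricted", "medical": "Restricted"}

# Simple detection patterns (assumed; a real inventory would use more).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # 13-19 digits, optional separators
DOB_RE = re.compile(r"\b(?:date of birth|dob)\b", re.I)
MEDICAL_RE = re.compile(r"\b(?:patient|diagnosis|prescription)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_types(text: str) -> set:
    """Return the set of sensitive data types found in a record's text."""
    found = set()
    if EMAIL_RE.search(text) or DOB_RE.search(text):
        found.add("personal")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("payment")
    if MEDICAL_RE.search(text):
        found.add("medical")
    return found


def classify(text: str, default: str = "Internal") -> str:
    """Assign the highest level implied by the data types found (default: Internal)."""
    level = default
    for t in find_sensitive_types(text):
        if LEVEL_RANK[TYPE_LEVEL[t]] > LEVEL_RANK[level]:
            level = TYPE_LEVEL[t]
    return level


def build_inventory(records: dict) -> list:
    """Produce the inventory table: one row per record with level and handling rule."""
    rows = []
    for name, text in records.items():
        level = classify(text)
        rows.append({"name": name, "level": level,
                     "types": sorted(find_sensitive_types(text)),
                     "handling": HANDLING[level]})
    return rows


def external_email_risk(level: str, recipients: list, internal_domain: str,
                        bcc_threshold: int = 10) -> list:
    """Warnings for an email draft, following the assumed handling rules above."""
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    warnings = []
    if LEVEL_RANK[level] >= LEVEL_RANK["Confidential"] and external:
        warnings.append(f"{level} data addressed to external recipients: {external}")
    if len(recipients) > bcc_threshold:   # assumed threshold
        warnings.append("Many recipients: check whether BCC should be used instead of CC")
    return warnings


# Constructed sample records (not real data).
SAMPLE_RECORDS = {
    "course_announcement.txt": "Our new course launches next month.",
    "customer_export.csv": "name,email\nAna,ana@example.org",
    "refund_queue.xlsx": "Refund to card 4111 1111 1111 1111 for order 1042",
    "clinic_notes.docx": "Patient diagnosis discussed with GP, DOB 1980-02-01",
    "order_ids.txt": "Order reference 1234 5678 9012 3456",   # 16 digits, fails Luhn
}

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_RECORDS):
        print(f"{row['name']:25} {row['level']:13} {','.join(row['types']) or '-':18} {row['handling']}")
    print(external_email_risk("Restricted", ["bob@partner.example"], "example.org"))
```

Running the script prints the inventory table; the order-reference record stays Internal because its digits fail the Luhn check, while the refund record is Restricted. The `external_email_risk` call shows the kind of prompt a sending tool could raise before a Restricted attachment leaves the organisation.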
Help your people build their cyber security superpowers
Growing and embedding cyber security culture takes time and effort. And culture change needs the active participation of your team. Learning secure behaviours and practical skills means your team becomes your greatest defence against cyber attacks and avoids data leaks.
SafeStack Academy’s Security and Privacy Awareness programme can help your teams learn more about cyber security and what actions can help protect your most valuable data.
Our action-oriented learning helps you embed the basics of good cyber security practice into your daily routines.
The next course in our Security Awareness programme is about how data classification frameworks identify different categories of information and their required levels of protection.
This course covers various aspects of data classification, including:
- The benefits of data classification and its role in security compliance.
- Common data classification categories and their associated levels of sensitivity.
- Some general guidelines for secure handling of different categories of data.
Sign up for our SafeStack Academy Security and Privacy Awareness training today, or take it for a spin with a free 14-day trial.
We love to hear from you
If you enjoyed reading this blog post or if something sparked an interest, please share it with us. Drop us a line at firstname.lastname@example.org and let us know what you think.