We share data and digital information with the teams and people we work with just about every day. Sharing data is so second nature that we can sometimes overlook what type of data we’re working with and what the most appropriate way to share it is.
Data classification
A data classification framework makes it easier for everyone to recognise and safely work with different data types. Whatever the size of an organisation, developing and implementing a data classification scheme is a recommended practice.
Organising data into relevant categories makes it easier to give your team guidelines on the trusted ways of efficiently using, sharing, and protecting the data.
Data classification frameworks typically contain between three to five levels. The more regulated your industry, the more likely you’ll have increased levels of data classification.
Developing a data classification framework calls for a delicate balance between helpful detail and over-complexity. A framework like this should give enough detail for people to implement and follow but not be so complex that it stops people from using data. Quite a tall order, huh?
The four most basic levels of data classification are:
- Public
- Internal-only
- Confidential, and
- Restricted
Whether classified as confidential or restricted, sensitive data requires secure sharing methods.
What data do you need to protect?
If you don’t have a data classification framework in place or are unsure whether the data you’re sharing needs to be protected, start by asking yourself a few questions.
- Would I (or my organisation) mind if other people saw this data?
- What’s the worst that could happen if this data became publicly available?
- Can sharing this data harm someone or something?
In addition to trade or business implications, untimely and unauthorised access to sensitive data can have legal, compliance, or privacy implications. The risk of this exposure exists at all levels of the organisation, from administrative staff to executive members.
Ways of secure sharing
When sharing sensitive data, we need to share it in ways that guarantee it will be safe as we transfer it from one person to another.
Before sharing sensitive data, check your company’s cyber security policies or standards. If in doubt, ask your IT support person. Your workplace may have existing technology or methods for sharing sensitive data. If it does, use those instead of your personal storage and file-sharing accounts (like Dropbox, Google Drive, or similar).
Let’s say you need to share a report containing some highly sensitive information with an external customer. Data leakage or exposure is a risk— one that could have damaging consequences for organisations. As a general rule of thumb, sharing such a sensitive report using standard email communication is not advised.
If the data is essential to you, you need to maintain the ability to control access to it. Not only does this mean sharing access to it very cautiously, but also being able to revoke that access once it’s not needed anymore or if things go wrong.
Various tools exist for secure data sharing, and every organisation will use them differently depending on their context. Which tool you choose is less important than making sure you use its built-in capabilities to ensure you’re giving each user the appropriate level of access. For example, you may be able to automatically remove someone’s access to a set of data after a specific amount of time has passed.
It’s important to remember that once you share information with someone, there’s always a chance that it has been copied or shared with others, too. Even if the message, file, or image expires after a set time, the recipient may still be able to make copies of the information— say, by taking a photo of the message on a different device. This is one of many reasons why providing access to sensitive data is a decision that needs to be thought through carefully.
You can give different levels of access depending on the work that needs doing. For example, Google documents allow you to set access at “read-only”, “allow commenting”, or “allow editing” levels.
Some data sharing solutions also have auditing or logging, meaning the solution keeps a record of who accessed a file and when. If the information you’re working with is particularly sensitive, consider using this capability so you can investigate if needed.
Other considerations are whether you want the data to be printable, downloadable, or shareable by a recipient with others.
When sharing large amounts of data — like an extensive database — using file encryption or zip files with password protection is recommended. To decrypt or access the data, someone would need to have a password.
Whenever you use encrypted files or password-protected USB drives, the passwords should always be transmitted using a different medium than the actual data. So, for example, sharing the password verbally or sending it via text message.
Share securely to reduce risk
Sharing data is an integral part of how information flows through organisations and teams. Doing this securely and thoughtfully means we’re protecting the valuable information that belongs to our organisations and our customers, which goes a long way to building and maintaining trust.
Whether you’re sharing sensitive data internally or with external partners, there’s always a risk of cyber security breaches and data loss. The best ways to reduce that risk are by using secure sharing methods and taking extra precautions when we know we’re handling sensitive information.
Here are our top three tips for sharing data securely:
- Check with your IT support person for available tools in your work environment before using personal solutions or software.
- Consider the implications of information disclosure. If it could cause severe impacts, limit access to only those who need the information to do their work. This is known as the principle of least privilege, meaning information is shared on a need-to-know basis.
- Pick the right tool for the job. There are many ways to share data securely, and you can ask yourself a few questions and check your organisation’s policies to make sure you pick the right one.
To prevent data leaks, people are the best defence
Building a culture of cyber security awareness means always adding to and refining the tools we use to protect ourselves, our organisations, and our data against cyber-attacks and unauthorised access.
We want to help you establish your own culture of cyber security awareness and support. Helping teams to grow their knowledge about secure data sharing is a giant step in the right direction.
And that’s where SafeStack Academy’s Security Awareness programme comes in.
Our action-oriented learning helps you embed the basics of good cyber security practice into your daily routines.
Sharing data and documents securely
The next course in our Security Awareness programme is about identifying data that needs to be shared securely and using an appropriate secure sharing method.
We’ll go through the cyber security learning actions that can help, including:
- Considering the type of data you are sharing.
- Considering who you’re sharing the data with.
- Using an appropriate secure sharing tool.
- Data classification types.
- Closing the loops once sharing is complete.
Try it yourself
Staying up to date with cyber security practices has never been more important. We’d love to help you build a culture where everyone feels confident and empowered to stay secure online.
Request a 14-day free trial today to see how you can build your team’s cyber security superpowers.
We love to hear from you
If you enjoyed reading this blog post or if something sparked an interest, please share it with us. Drop us a line at support@safestack.io and let us know what you think.