05 Nov 2021 Data Classification: One Piece of the Puzzle
Implementing a Data Classification solution into your environment will do wonders for your cyber security stance. While Data Classification is the logical start of creating a security policy, it is just one piece of the puzzle. By simply marking information and giving it that all important identity, you’re on the right track, but what are the next steps?
By Daan Jacobs
Below are two other fundamental pieces of that puzzle you should be aware of.
1. End User Awareness
One of the pitfalls of implementing a classification solution, digitally or otherwise, is its misuse by your employees. This tends to fall into two camps: over-classification and under-classification.
The danger with the security-minded employee is over-classification: "If I mark this as Top Secret or the highest possible level, then I cannot be wrong, and I can't get in trouble." The problem is that the data is now treated with heightened controls, and the label influences the decision-making process within other platforms dealing with security.
At the other end of the scale are the employees who will purposely under-classify items, making their jobs easier by allowing controls to be subverted in favour of a simpler life. That may be true, but they are effectively creating a security risk every time they do so and putting your organisation at risk.
The best solution is to look for a Data Classification tool that allows classifications to be ratified against the data they are applied to. That way, if 'Sensitive' information is being marked as 'General Business', for example, the technology can override the user's decision and educate them to the error of their ways in the process.
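A sketch of that ratification step, added here as an illustration and not taken from the article or from any classification product: the user's label is checked against what the content contains, raised if it is too low, and the user gets feedback. The label names are the article's; their ranking, the single payment-card detector and all function names are assumptions.

```python
import re

# Label names come from the article; their ranking, the single detector and
# all function names are assumptions made for this example.
RANK = {"General Business": 0, "Sensitive": 1, "Top Secret": 2}
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return digit strings that look like card numbers and pass Luhn."""
    candidates = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]

def ratify(user_label, text):
    """Return (effective_label, feedback); feedback is None if the label stands."""
    if user_label not in RANK:
        raise ValueError(f"unknown label: {user_label!r}")
    cards = find_card_numbers(text)
    required = "Sensitive" if cards else "General Business"
    if RANK[user_label] >= RANK[required]:
        return user_label, None  # over-classification is not judged here
    # Mask all but the last four digits so the feedback does not leak the data.
    shown = ", ".join("*" * (len(c) - 4) + c[-4:] for c in cards)
    return required, (f"Label raised from '{user_label}' to '{required}': "
                      f"{len(cards)} card number(s) found ({shown}).")

# Constructed sample: the first number fails Luhn, the second is a test card number.
SAMPLE = "Invoice 1234 5678 9012 3456: charge card 4111 1111 1111 1111 on file."

if __name__ == "__main__":
    for label in ("General Business", "Sensitive"):
        print(label, "->", ratify(label, SAMPLE))
```

The checksum step matters for user acceptance: an override triggered by every long digit run would teach users to ignore the feedback.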
2. Once the correct classification is applied, what’s next?
What happens once the data is labelled and marked? I’m sure you’ll want to integrate your classification solution with other technologies to get the most out of classification. Data Classification solutions with rich policy engines can only do so much. Email release controls, preventing screen shares, preventing cloud uploads are all things that Data Classification tools can do. But have you thought about the wider risk of sensitive data outside of your organisation?
This is a risk we must live with: to do business, we have to share information with other organisations. How do those other organisations know to treat sensitive information with the utmost care as well?
We need to at least make it clear to the recipient that this data isn’t just any data but in fact classified or sensitive, and the data should be treated as such.
The use of email subject lines and watermarks in documents immediately warns the recipient what this data means to the organisation and how they need to act.
To further minimise the risk of a data breach or incorrect treatment of data, consider Data Loss Prevention tools and/or Secure File Transfers for sensitive information. Sensitive information will not leave the organisation when an attempt is made to send it to the incorrect recipient, and sensitive information is only sent over a secure connection.
To sum up, a successful Data Classification project encompasses the right amount of technology, a solid understanding and awareness from the end users, and an integration with the security ecosystem in your organisation.