It’s good to share, or is it?

Employee round-table discussion

There are very few organisations which can do absolutely everything for themselves; can you think of any?

These days, organisations often rely, to some extent or other, on other organisations for their business to be successful.

They need clients for whom they can provide goods or services, they may need partner companies to work with collaboratively and present a joint front, and they will have a supply chain to provide them with yet more goods and supporting services. Therefore, there will inevitably be a need for every organisation to exchange information with third parties.

Classifying Data for Confidentiality

Of course, an organisation that classifies its data will have a good start in thinking about how it expects other organisations to handle, process, and protect any shared data. It would be especially helpful if everyone used the same terminology in their classification labels, but that is never going to happen.

For instance, we have seen the word CONFIDENTIAL used to identify fairly sensitive government-owned information, which should be protected on classified systems, never touch the Internet, be transported in a locked briefcase, and have individual hard copies numbered and subject to periodic mustering.

At the same time, the same classification is used by some companies to refer to monthly sales figures and individual bonuses, or to planned office moves – information which would perhaps require a less stringent handling regime.

That said, the loss or compromise of either piece of data could prove career-limiting, but you get my point.

And actually, my point here is that data classification isn’t everything.

The existence and operation by third parties of a “compatible” scheme is a good thing. However, a better thing might be to spend some time and effort understanding:

  • How your chosen third parties will protect your data – how they will store it and how they will process it?
  • Who can access it, from where, on what endpoints, under what sort of security regime?
  • Do they have any onward dependencies?
  • Have their systems been subject to independent review, testing and ongoing scrutiny?
  • Have your trusted suppliers put their suppliers through any level of due diligence?

If you don’t ask the questions you’ll never know. And if you haven’t yet thought about asking those questions, now would be a good time to start…