Using data classification as part of a strategy to secure corporate data assets is sometimes referred to as ‘locking up the crown jewels’. But data security neither starts nor ends with the act of controlling access to information. Nor should a security policy be limited to protecting only the most valuable data; even less critical information can damage the business if it’s lost or leaked at the wrong time.
First, you need to build a strong foundation of knowledge around your data, to understand exactly what you hold and the potential risks to its security. Picture your organisation as the Tower of London. If you don’t know where your crown jewels (and less sparkly assets) are you’ll end up locking every door – or leaving the wrong doors open, exposing them to risk.
This process begins with identifying the types of data that are of greatest importance to the business, so you can pinpoint where you need to focus protection and controls.
Your most valuable and confidential data (your crown jewels) might include:
- Data assets – such as the information on a CRM database
- Business-critical documents including strategic plans and agreements
- Documents or information that are subject to regulations
- Intellectual property (IP), such as product designs and technical specs
- Personal information – for instance employees’ details.
More often than not, however, a company’s most vulnerable point will not be its crown jewels; it’s likely they’ll already have been recognised and heavily protected. It’s the more everyday sensitive data that people don’t think about, like customer lists, contracts, or time sensitive documents such as company results and press releases that are most likely to be leaked or lost. This data must also be identified and protected.
A helpful way of determining the value of a piece of information – and the risks to be managed – is to think about the impact if it was leaked or lost. Would it harm the business, for example by damaging the brand, incurring a fine from the regulators (for breaching the EU GDPR, for example) or eroding competitive advantage? If it got into the public domain, would it expose your customers, partners or suppliers? Would it put an employee’s security or privacy at risk? Would you be breaching a contract?
Once you’ve defined the data that is most at risk, you can start to find out where your sensitive data is located.