data is the lifeblood of any business and in today’s data driven world, information is all-pervasive and, for many organisations, is in danger of reaching saturation point. Therefore, understanding what data you have, who is using it, how it is being stored, classified and shared, and whether it is company-sensitive, is not as easy as you might think. That’s because data gets saved in unusual places, employees move on and take data with them, or it simply gets forgotten or lost. The bottom line is that data sits on file servers and in departments in document stores and is not protected and often not recoverable because no one knows that it even exists.
But with the implementation of GDPR, CCPA and numerous other stringent data protection regulations enacted worldwide, the need to protect data has never been greater.
That said, organisations have limited resources to invest in safeguarding their data, there is not a bottomless fund to throw at the problem. This means that knowing exactly what data needs protecting will help the business to set priorities and develop a sound plan in order to allocate budget and other resources wisely, while minimising security and compliance costs.
A good jumping off point is to start by classifying your data. Data classification is the process of organising data into categories for its most effective and efficient use. Using data classification helps the organisation to regain control over its data. Likewise, by involving your users in data classification they will automatically become more data-aware, with a greater understanding of the policies and value of the organisation’s data.
So, here are my five key steps to more effective data protection:
First you need to build a strong foundation around your data, to understand exactly what you hold and the potential risks to its security. This process begins by identifying the types of data that are of greatest importance to the business so you can pinpoint where you need to focus protection and controls. IBM estimates that between 0.5 and 2 per cent of an organisation’s data is ‘critical’, in other words it has a significant financial value to the company. More often than not critical data is likely to be heavily protected, it is all the other data that people don’t think about as being valuable - such as customer lists, contracts and time-sensitive documents - that must be identified and protected. If you are not sure, think about the ramifications if a document was leaked or lost – would it harm the business?
Having identified data that needs safeguarding, you then need to undertake a discovery exercise to find out exactly what you have, where it is and who has access to it. The best thought through security policy is ineffective if the organisation doesn’t know what it holds, and therefore, what controls should be in place to protect that data. A discovery exercise will give you visibility of your data and how it is being accessed and used. This enables the protection, strategy and solutions to be built around the types of data found. It also provides an opportunity to cut retention costs.
