Not all data is created equal. Companies have multiple tools at their disposal to protect their data from security threats. However, to make this job easier, it’s good to know which types of corporate data are especially significant. More-so: which parties in the organization hold the keys to access them.
Determining the value of risk associated with an organization’s documents and data stores is the first step towards creating corporate policies for document and data classification and control. These policies are the foundation for a corporate-wide data loss prevention (DLP) strategy. Then mix in technology tools to help ensure that truly valuable corporate content doesn’t end up in the wrong hands.
According to studies, up to 70% of IT professionals believe that at least half of their company’s data loss is due to unauthorized data access.
Determining Data Value
Much of the job of assessing the value of corporate documents and data can be an exercise in common sense. For IT teams undertaking the task, this involves asking some pretty practical questions.
Does the content contain:
- Information that is already publicly available through earnings reports, corporate news releases, or other public channels?
- Corporate intellectual property (IP) or proprietary business processes that provide a competitive edge?
- Details about merger negotiations or ongoing litigation that have yet to be made public, or even made known to employees outside of the executive level?
- Personal identification details of employees or customers, such a social security numbers, performance reviews, personal health data, or credit card information?
Next, a risk level needs to be assigned to every document and data repository. The risk level helps determine which employees get to view specific content, who is authorized to make changes to it, and what kind security protection, such as passwords and encryption, it should have.
IT departments can create as many risk levels as they want, but for most companies, a three-tier program structured around low, medium and high risk is enough. Here are some guiding principles defining each of those risk levels:
- Low Risk: This risk level consists of documents and data suitable for public knowledge. If it’s data that is already publicly available somewhere, like corporate earnings, it shouldn’t require gated access or other protection measures for employees or others to view it. Everyone can have a look, and no one needs to be nervous about that.
- Medium Risk: The middle tier is for documents and data regarding business processes that the company wouldn’t want released to the public at large. The data can be made known to most, if not all, employees on an internal basis. You probably wouldn’t lose your job if you accidentally released or deleted this data.
- High Risk: The highest risk level would be reserved for corporate data and documents that absolutely need to remain confidential. This is the kind of data that, if shared publicly or destroyed, could harm the company. This includes intellectual property, personnel data, customer details, or corporate account information. You most definitely should lose your job for posting this data on the Internet, or erasing it for eternity, even by accident.
Personal High Risk vs Corporate High Risk
Some businesses also may want to make a distinction between “High Risk” data that involves personal details of customers or employees, and “High Risk” data that involves business processes or information. It might even make sense to create an even higher risk designation that covers a very small number of the most sensitive documents and data pieces.
Ultimately, creating more risk levels means creating more sets of authorization credentials for more camps of employees. Each camp will have their own defining characteristics and limits. The job of managing it all can become too unwieldy.
How data gets classified and what kind of risk level gets assigned to it should never be viewed as permanent. Ideally, IT teams will be revisiting these classifications frequently. Either downgrading the risk level of certain data as it becomes public, or to upgrade the risk level on a certain business process as it comes to have more competitive value. Eventually, the IT team will also need to determine when it’s time to delete or destroy documents.
After completing value assessments and assigning risk values, the IT team can determine how to control access to the organization’s documents and data. This is called a DLP strategy: a mix of corporate policies and technology tools.
One method for controlling access is Role Based Access Control (RBAC). This concept has been around for about 25 years, since the earliest days of digital document and data storage. RBAC involves assigning employees different roles as they relate to specific documents and data, and granting them access to perform limited functions on them. This is entirely dependent on which role they’ve been assigned. One employee might have access to alter a piece of data, another might only have access to view it, and another with no access at all.
In terms of technology tools, companies can choose from a wide variety of hardware, software, and cloud-based DLP solutions. These include support functions such as firewalls, multi-factor authentication, biometric fingerprint-based authorization, and real-time monitoring against unauthorized access attempts.
However, all of these measures—assessing risk, classifying documents, controlling access through a comprehensive DLP program—are only as effective as the rest of the organization allows them to be. The IT team can develop policies and strategies, but they won’t mean much if employees don’t adhere to them. It’s important to get buy-in from all departments and all levels of the company. If that doesn’t happen, it increases the likelihood of data breaches. If that’s case, all data is created equal—because it’s all at risk.