Not all data is created equal. Companies have multiple tools at their disposal to protect their data from security threats. However, to make this job easier, it’s good to know which types of corporate data are especially significant. Even more so, it’s good to know which parties in the organization hold the keys to access them.
Determining the value of risk associated with an organization’s documents and data stores is the first step towards creating corporate policies for document and data classification and control. These policies are the foundation for a corporate-wide data loss prevention (DLP) strategy. Technology tools are then mixed in to help ensure that truly valuable corporate content doesn’t end up in the wrong hands.
According to studies, up to 70% of IT professionals believe that at least half of their company’s data loss is due to unauthorized data access.
Much of the job of assessing the value of corporate documents and data can be an exercise in common sense. For IT teams undertaking the task, this involves asking some pretty practical questions.
Does the content contain:
Next, a risk level needs to be assigned to every document and data repository. The risk level helps determine which employees get to view specific content, who is authorized to make changes to it, and what kind of security protection, such as passwords and encryption, it should have.
IT departments can create as many risk levels as they want, but for most companies, a three-tier program structured around low, medium and high risk is enough. Here are some guiding principles defining each of those risk levels:
Some businesses also may want to make a distinction between “High Risk” data that involves personal details of customers or employees, and “High Risk” data that involves business processes or information. It might even make sense to create an even higher risk designation that covers a very small number of the most sensitive documents and data pieces.
Ultimately, creating more risk levels means creating more sets of authorization credentials for more camps of employees. Each camp will have its own defining characteristics and limits. The job of managing it all can become too unwieldy.
How data gets classified and what kind of risk level gets assigned to it should never be viewed as permanent. Ideally, IT teams will revisit these classifications frequently, either downgrading the risk level of certain data as it becomes public or upgrading the risk level of a certain business process as it comes to have more competitive value. Eventually, the IT team will also need to determine when it’s time to delete or destroy documents.
After completing value assessments and assigning risk values, the IT team can determine how to control access to the organization’s documents and data. This is called a DLP strategy: a mix of corporate policies and technology tools.
One method for controlling access is Role Based Access Control (RBAC). This concept has been around for about 25 years, since the earliest days of digital document and data storage. RBAC involves assigning employees different roles as they relate to specific documents and data, and granting them access to perform limited functions on them, depending entirely on which role they’ve been assigned. One employee might have access to alter a piece of data, another might only have access to view it, and another might have no access at all.
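The role check described above, combined with the risk levels from earlier in the article, as an added example that is not part of the original article. The user names, repository name, role names and the rule that high-risk data requires multi-factor authentication are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Flag, IntEnum, auto


class Risk(IntEnum):  # the three-tier scheme from the article
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Perm(Flag):  # functions a role may perform on a repository
    NONE = 0
    VIEW = auto()
    ALTER = auto()


@dataclass
class Repo:
    name: str
    risk: Risk  # mutable on purpose: classifications get revisited


@dataclass(frozen=True)
class Session:
    user: str
    mfa: bool  # True if the user passed multi-factor authentication


# Constructed sample policy (assumption, not from the article).
ROLE_PERMS = {"editor": Perm.VIEW | Perm.ALTER, "viewer": Perm.VIEW}
ASSIGNMENTS = {("alice", "pricing-model"): "editor",
               ("bob", "pricing-model"): "viewer"}
MFA_REQUIRED_FROM = Risk.HIGH  # assumed control for the top tier


def decide(session, repo, action):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    role = ASSIGNMENTS.get((session.user, repo.name))
    if role is None:
        return False, "no role assigned on this repository"
    if action not in ROLE_PERMS.get(role, Perm.NONE):
        return False, f"role '{role}' may not {action.name}"
    if repo.risk >= MFA_REQUIRED_FROM and not session.mfa:
        return False, "risk level requires multi-factor authentication"
    return True, f"allowed as {role}"
```

Raising `repo.risk` from `MEDIUM` to `HIGH` changes the decision for a session without multi-factor authentication, with no change to any role assignment.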
In terms of technology tools, companies can choose from a wide variety of hardware, software, and cloud-based DLP solutions. These include support functions such as firewalls, multi-factor authentication, biometric fingerprint-based authorization, and real-time monitoring against unauthorized access attempts.
However, all of these measures—assessing risk, classifying documents, controlling access through a comprehensive DLP program—are only as effective as the rest of the organization allows them to be. The IT team can develop policies and strategies, but they won’t mean much if employees don’t adhere to them. It’s important to get buy-in from all departments and all levels of the company. If that doesn’t happen, it increases the likelihood of data breaches. If that’s the case, all data is created equal—because it’s all at risk.