• Data Classification: Just the tip of the iceberg?

    There is no denying it, implementing a Data Classification (DC) solution into your environment will do wonders for your cyber security posture.

    Any one of the recent blogs HANDD have published sings the virtues of how giving an identity to your data can tighten your security and make controlling data much easier.

    That being said then, you may be surprised to hear us say: “Data Classification does not solve security!”

    Whilst we are of the opinion that Data Classification is a key way of creating a security policy at the point data is created, it is just one piece of the jigsaw. By simply marking information and giving it that all-important identity we’ve raved about in previous pieces, you’re on the right track. But what does it actually mean and do?

    Below are two other fundamental pieces of that puzzle you should be aware of.

    1. End User Awareness

    One of the pitfalls of implementing a classification solution, digitally or otherwise, is its misuse by your employees. This tends to fall into two camps: over-classified and under-classified.

    What we see is security-minded folk over-classifying things. If I mark this as Top Secret or the highest possible level, then I cannot be wrong, and I can’t get in trouble. The problem is that the data is now treated with heightened controls (or at least should be!), and this creates misinformed decision making by other platforms you might have inside your security stack.

    Conversely, we see others who will knowingly under-classify items, thus making their jobs easier by allowing controls to be subverted in favour of a simpler life. That may be true, but they are effectively creating a security risk every time they do so, and you don’t need us to tell you this is a bad practice.

    The best solution is to look for a DC toolset that allows classifications to be ratified against the dataset they are being applied to. That way, if ‘Sensitive’ information is being marked as ‘General Business’, for example, the technology can override the user’s decision and educate them about the error in the process.
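
    One way such a ratification check could work, as an added sketch that is not HANDD's code or any DC product's: the 'Public' label, the label order, the two content detectors and all function names are assumptions made for illustration.

```python
import re

# Label names and order are assumptions; the post names only two of them.
LEVELS = ["Public", "General Business", "Sensitive"]
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")  # simplified shape check only


def luhn_ok(digits):
    """Checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect(text):
    """Return (reason, minimum label) pairs found in the content."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("payment card number", "Sensitive"))
    if NINO_RE.search(text):
        hits.append(("National Insurance number pattern", "Sensitive"))
    return hits


def ratify(user_label, text):
    """Compare the user's label with what the content supports."""
    hits = detect(text)
    chosen = LEVELS.index(user_label)
    floor = max((LEVELS.index(lvl) for _, lvl in hits), default=0)
    reasons = [why for why, _ in hits]
    if chosen < floor:          # under-classified: raise the label, say why
        return {"label": LEVELS[floor], "action": "override", "reasons": reasons}
    if chosen == len(LEVELS) - 1 and not hits:   # top label, nothing found
        return {"label": user_label, "action": "confirm", "reasons": []}
    return {"label": user_label, "action": "accept", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample content; 4111 1111 1111 1111 is a well-known test number.
    print(ratify("General Business", "Refund to card 4111 1111 1111 1111 today."))
    print(ratify("Sensitive", "Canteen menu for Friday."))
```

    The `reasons` list is what a tool would show the user when it overrides them, and the `confirm` action covers the over-classification case by asking before the heavier controls are applied.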

    2. It’s marked, now what?

    Have you thought about what happens once the data is labelled and marked? I’m sure you’ll want to team your classification solution with other technologies to get the best out of it (if not then you’re missing a beat!). DC solutions with rich policy engines can only do so much. Email release controls, preventing screen shares and preventing cloud uploads are all things that DC tooling can do in 2021. But have you thought about the wider risk of disseminating sensitive data outside of your organisation?

    This is a risk we have to live with: to do business, we must share information with other organisations. How do those other organisations know to treat it with the care it warrants?

    We need to at least make it clear to those recipients that this data isn’t just any data. It is important and we have to let them know.

    By using things such as subject line markers and watermarks in documents, if anyone opens a piece of data it’s in their face as to what this data means to your organisation and how they need to think about it.

    You could even go a step further, using encryption at rest for argument’s sake, or even looking at a Digital Rights Management platform to transmit security controls into the document wherever it travels and whatever system or organisation it ends up in.

    Conclusion

    A successful DC project encompasses the right amount of technology, a solid understanding and awareness from the user community and an integration with the security ecosystem in your organisation.

    HANDD’s team of consultants tie all these items together to deliver successful DC implementations to help keep organisations’ data safe. Speak to the team of specialists on 08456 434 063.
