How Do You Classify Your Data?

Is your data classified? Okay, how many of you read the title of this blog and thought – this must be a blog about highly sensitive data that is ‘classified’, like the CIA?  Quoting Merriam Webster, “classified” can mean –

1:  divided into classes or placed in a class <classified ads>

2:  withheld from general circulation for reasons of national security <classified information>

The household brand Target recently had a major security breach in which “approximately 40 million of its credit and debit cards swiped in stores may have been compromised by a data breach during the height of the holiday season.”*

This is a major example of a security breach of classified (definition 2) information that will have a direct impact on potentially millions, with tangential impact far beyond.

So how and why did this happen?  Well, you better believe the experts at Target and the credit card companies will be spending millions of dollars in the coming months to find out.

One thing we do know is criminals go after a certain type or “class” (definition 1) of data.  They don’t want innocuous information such as the paint color of the lines in the parking lot.  So the real key is to know what class of data you work with that may in fact be classified.  Large enterprises have entire departments devoted to data classification and security, but what about the small to mid-sized business?

Our small to mid-sized clients are aware of and sensitive to security and data protection; however, they do not have the skills or the budgets to deploy complex data classification teams.  So what to do?  Below are a few relatively easy tips a small to mid-sized business can follow:

  1. Become educated on the subject of data classification and its importance (hopefully this blog helps)
  2. Conduct a discovery session with your management team and technology department or vendor to identify the different types of data used by the company
  3. Classify the data types by the amount of sensitive information within them
  4. Discuss security risks associated with each data type
  5. Define a reasonable process and plan to secure the most sensitive types of data
  6. Identify and deploy any appropriate tools and technologies to ensure sensitive data is secure

Many times we are asked to ensure data is secure and provide proof of such, without the owner of the data even knowing if the data should be secure.  This is a reactive approach to data security that can result in over- or under-investment in data security solutions, because they are not tied directly to the actual business usage of the data and its classification.  If your business must comply with third-party compliance requirements, such as PCI, HIPAA, SEC, etc., then you are aware of the need, but do you know if you’re hitting the mark accurately?

The worst time to deploy new solutions is in reaction to a disaster or catastrophic event – like finding out all your credit card information has been compromised.  Reactive solutions are often hurried and exponentially more costly than taking proactive steps.  Simply knowing the “class” of information your company handles and is responsible for is a great first step at being proactive.  Fluid IT Services can certainly help you become classified!