Think about this…on that special day when we are born our parents give us a name. Makes sense, right? Having a name keeps you from getting mixed up with the other babies. If you are late for supper and your mom needs to find you right away, she calls your entire name just to make sure the right “Mike” comes home. Should you get lost, it would be pretty difficult for your parents to say to police: “Well, he is 7 years old but doesn’t have a name. See if he answers to ‘Steve’. We always liked that name…”
Your company’s data isn’t much different, is it? Without a unique identifier your sensitive data is subject to misuse or improper handling. Securing, storing and retrieving your information are all much more difficult, more time-consuming, and less efficient without first properly identifying—or classifying—your data.
Many organizations are beginning to see the value in “naming their data”, or data classification, and are starting to do something about it. However, there are still some organizations out there that do not classify their data. Here is a top 10 list of excuses why organizations DO NOT classify their data “babies”.
- “Too busy.”
You are too busy because you are chasing and herding the data “kids” without clearly knowing their special needs. But properly identifying data is critical so that data security policies and technology systems can accurately manage your data for you.
- “It’s too difficult – we’re not sure where to begin…”
Classification is often seen as laborious and complex, but it doesn’t have to be. Start with a simple classification scheme and use technology to apply the classifications consistently.
- “We already do security training twice a year, that’s enough.”
So, are you saying there is a possibility that a new employee will have to wait 6 months for security training? You believe that no one in your organization ever makes mistakes or gets lulled into the daily routine, forgetting to double check that they are sharing and handling files securely?
Classifications make it possible to trigger critical policy alerts, and each time a file is put at risk, users are alerted and educated on the correct corporate policies that they should be applying—right now—not 6 months from now.
- “Our data is not that important – we don’t have any secrets.”
If you were my competitor, I would love to know about your sales plans, your marketing strategy, your customers, and your financial health. Every company has intellectual property and, especially in this digital age, just about every organization has to protect confidential customer information.
UPDATE: The New York Times reports that even the smallest companies have something to lose: “During Bakery Break-In, Only Recipes Are Taken”.
- “It sounds too good to be true, that classification can help in so many ways. What’s the catch?”
There is no catch. This is why industry analysts like Forrester and other industry experts keep saying that classification is the foundation of data security. Without classification you are trying to hold up a data security infrastructure without having first laid the appropriate foundation.
- “We haven’t had a security breach… well, at least not yet.”
Are you sure? If you keep your eye on the news you will find that all it takes is one misaddressed email. Even more worrying, hackers are becoming more patient and sophisticated. The hackers that targeted Sony had system access without the Sony IT team knowing it, and long before the data was leaked.
- “I already protect my data, it’s protected… right?”
Only if it is never shared, never accessed from a mobile device, and it isn’t on your network but stuffed into some offline hard drive.
But, if you use and share your data, it is always at risk. Knowing what is the most sensitive helps you focus the highest security effort where it is needed most. It just isn’t possible to protect everything the same, especially when storage managers are beginning to say the word “Petabytes” as much as they say “Terabytes”.
- “We used to use labels for paper files, it’s too hard to implement in a digital world.”
In some cases it is possible to automatically classify a document or email and have the classification automatically trigger the application of the label, header, footer, watermark, or the subject line. No rubber stamps required.
- “No one else does it – why should we?”
Governments and military organizations have been classifying electronic documents for years. The technology is mature, easy to use and effective. In the commercial space, large enterprises such as Dell and Nokia are aggressively adopting classification plans and implementing classification tools.
- “Everything else in the world is labeled (food, medicine, harmful chemicals), why bother labeling something else… like data?!”
Some medicines, when taken together, can cause serious harm to your health. Likewise, mixing sensitive information with the wrong person could cause serious harm to your organization. Don’t you want to make sure that your data security systems check the content, context, and classification of the document, as well as user attributes to make sure they can mix?
BONUS: “I’m not required to.”
…Yet. While it is true that some industries or some departments are not compelled to classify or mark the sensitivity of the documents they create, that day is coming. Increasingly, data breaches are happening all around us, and you can be sure tighter compliance legislation isn’t far behind. Don’t be caught unprepared. Data classification is gaining broader appeal as organizations of all shapes and sizes are recognizing the value in identifying data for greater protection and user accountability.
Whether it is to enhance existing data security controls or to streamline data lifecycle management, today’s smart organizations are deploying technology to assist with the identification of data as soon as it is born.