When you go swimming, do you creep in slowly or jump right in? I’ve tried both and have decided that jumping in is by far the better way. A few seconds of shock at the temperature change and then I’m swimming happily. Why endure slow temperature change torture when the whole body adjusts quickly?
When it comes to implementing data classification it is also best to jump in fully and involve the entire enterprise. At least, it make sense if you are truly concerned about data security. If sensitive content is shared with a user without TITUS Classification, or should a user without TITUS Classification gain access to sensitive content, the policy enforcement and protections TITUS normally provides would be unavailable. By sparing some parts of your organization from change you are simply leaving data security gaps. So, if you aren’t thinking about deploying TITUS Classification enterprise-wide, here’s a baker’s dozen of reasons you may want to reconsider.
- Sensitive Data is Everywhere: If there is one thing the Sony breach taught us, it is that data which can damage an organization comes in many shapes and from every department. While the loss of intellectual property may impact sales and growth, content that can do damage to your reputation can have the same effect. All data should be identified so that it can be properly protected, managed, and deleted when it becomes a liability.
- Foster a Culture of Security and Accountability: Technology alone cannot ensure data security; users must be involved. The more security is hidden and automated, the more users will rely on it to save them from their own mistakes. Over-reliance on technology leads to user negligence and susceptibility to phishing and other attacks designed to lure users into compromising data security. Just as it is possible for digital attacks to start within a low security area of a network, fraud and data leaks can start with less protected employees. For example, a non-TITUS Classification user may receive a phone call such as this: “Hi, this VP So-and-so. I don’t seem to have the latest pricing figures for Product X and I have an important meeting with a customer in a few minutes. Could you please send the price list to my home email address? I am out of the office and am having corporate email issues.” A user without TITUS Classification targeted in this way might send the price list to the imposter. With TITUS, the user could be prevented from sending an internal document to an external email address, warned about the dangers, and provided safe remediation options.By asking users to stop, think, and consider the value of the information they are creating or sharing it is possible to enforce the message that data security is everyone’s responsibility. If only part of your organization is required to classify, the rest might then believe the data they handle is not valuable which in turn could lead to greater negligence and potential breaches. Give your users the tools they need to avoid making mistakes that could cost them their jobs. TITUS Classification helps well-intentioned employees follow security policy by providing targeted, interactive security education when handling email and documents – without disrupting everyday workflow.
- Enhance DLP Protections: Where DLP systems either block or permit the information from being shared, TITUS Classification provides informative alerts and warnings when a security violation occurs. Users are educated about the violation and are provided with options to remediate the problem. For example, an internal email is sent to 30 people but two of the recipients are outside the organization. Rather than just blocking the email, a pop-up warning from TITUS will tell the sender the nature of the violation, reveal the offending email addresses, and provide the user with multiple options. The remediation options could include automatic removal of the email address and send, return to the message for manual correction, or allowing the user to send the email anyway but prompt them to justify why. In addition, because classification metadata provides explicit information about the data’s sensitivity, the DLP system is able to make more precise decisions thereby reducing the number of false positives.
- Ensure Safe Recipients: Users without TITUS are susceptible to the same email address autocomplete error that has compromised many organizations. You meant to send that important email to Brenda but sent it by accident to Brad. TITUS is able to use the classification, content, sender and recipient attributes to verify if the sender is authorized to receive the information.
- Enforce Ethical Walls: There may be regulatory or business reasons a department or group should not be sharing information with other internal departments or groups. TITUS Classification can help enforce ethical walls by applying appropriate department/group metadata to the file and verify that recipients are entitled to the data. Users without TITUS Classification might inadvertently spill information across ethical walls as TITUS would not be there to ensure the virtual boundary is maintained.
- Avoid Secondary User Errors: Users accessing information they did not create may not understand the sensitivity of the files they are accessing. Without classification visual markings within the email or document (headers, footers, watermarks), and without metadata to enforce secure sharing policy, it is possible that a user may misconstrue the value of information and share it with unauthorized recipients.
- Augment Reporting and Insider Threat Detection: Effective identification of insider threats requires knowledge about how users are handling the most sensitive information. For example, you might notice that a user has sent an email to an external user which contained ten attachments. This might be out of the ordinary, but it is a threat? However, if you could tell if the attachments were classified as “public” or as “restricted,” the potential threat would be much more evident. Moreover, TITUS Classification is able to track if a user downgraded ten “restricted” files to “public” in order to attempt to bypass security, thereby revealing her/his mischievous intent.
- Enhanced Records Management and Defensible Deletion: As new content is created, the appropriate identification and retention schedule can be immediately applied as persistent metadata for proper lifecycle management. Time consuming and expensive eDiscovery projects can be avoided or scaled back when data is managed properly from the beginning of its life and is easily identified based on a metadata (not content) scan. Legal actions that require the location and preservation of data (legal hold) is also easier. Finally, data can be destroyed in accordance to corporate, industry, or government regulations to prevent it from becoming a potentially damaging liability.
- Apply Encryption and IRM Consistently: The application of encryption and rights management, such as Microsoft Rights Management Services (RMS), is not always easy for users, particularly when used infrequently. Users in “less critical” departments may still have need to encrypt some of the information they produce. The application of RMS can be confusing and lead to the use of the wrong RMS template. TITUS Classification ensures that the correct RMS template is automatically applied when the information is classified.
- “Protecting Everything” Is Not Feasible: As the amount of data grows it becomes too difficult and expensive to protect it all with the same vigour. While some information may need to be encrypted and stored on a secure, local server, not everything does. Encryption of all data is not a solution as it often over-complicates sharing and collaboration. By identifying your data it is possible to know where it should be stored, what level of protection it needs, and who should have access.
- Reduce Mobile Risks: Some information should never be shared with a mobile device, or only shared when the device is in specific geographies. When all of your data is classified you can be sure that only the right information is accessed from a mobile device when that device is in a secure location. Classification also enables secure sharing policies on the device itself. As with desktop policies, classification prevents email recipient errors and over-sharing of critical data with unauthorized apps or cloud storage services.
- Prepare for the Cloud: TITUS Classification can help to ensure that only appropriate data is uploaded to cloud services. And just as within your network, classification metadata simplifies auditing and eDiscovery, even in the cloud.
- Ensure Regulatory Compliance: TITUS Classification solutions help organizations comply with a variety of regulations and industry standards, such as ISO 27001, ITAR, EAR, NERC, and various government classification standards. As your business changes, or as regulations change and new ones come into force, classification metadata helps to ensure that data is immediately subordinate to required policy changes, simplifying compliance.