What kind of month would it be if there were not another news story about a data breach? This time it is the “Panama Papers” – the leaked documents from the law firm Mossack Fonseca. In an article posted to TechRepublic, James Sanders reviews how the outdated Fonseca IT infrastructure likely contributed significantly to the hack. With a 2009 version of Microsoft Exchange, a client portal (Drupal) from 2013 running on Apache from 2010, and finally a homepage built using a 2014 version of WordPress, the Fonseca infrastructure was enormously vulnerable to attack. Clearly, the Mossack Fonseca perimeter defenses were vulnerable.
But was it just the perimeter defenses that were behind the times? What about their data? Was their data up to date?
The defense of data ultimately has to start with the data itself. Without knowing what the data is and how damaging it would be to your organization if lost, it is not possible to organize a strategic defense. Limited IT resources may mean it is not possible to ensure that all of your systems are immediately updated with the latest security patches. But even with limitless IT resources (oh, to dream!), it makes sense to focus data protection efforts on the most important information you own.
So how do you upgrade your data? With identifying metadata.
By adding additional details about the information to the file’s metadata, such as the classification, information lifecycle details, and applicable regulatory codes, it becomes possible to focus data protection efforts where they are needed most. For example, highly sensitive material can be automatically encrypted or stored in locations that IT immediately updates with the latest security patches. Less important information can then be kept in locations that receive upgrades less frequently.
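As an added illustration (not code from the article or from any product), the sketch below shows how classification metadata could drive handling decisions. The label names, the `priority-patch` and `standard` storage tiers, the metadata keys and the sample files are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed label scheme (assumption): higher number = more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Handling:
    encrypt: bool
    storage_tier: str   # "priority-patch" = hosts that IT patches first
    dispose: bool       # retention date in the lifecycle metadata has passed
    reason: str

def decide_handling(meta: dict, today: date) -> Handling:
    """Map one file's metadata to the controls it should receive."""
    label = str(meta.get("classification", "")).strip().lower()
    codes = {c.upper() for c in (meta.get("regulatory_codes") or [])}
    if label not in LEVELS:
        # Fail closed: a missing or unknown label is handled as the top
        # level and never disposed of until someone classifies it.
        return Handling(True, "priority-patch", False, "unlabelled")
    # A regulatory code raises the handling even on a low label.
    sensitive = LEVELS[label] >= LEVELS["confidential"] or bool(codes)
    retain_until = meta.get("retain_until")
    expired = retain_until is not None and date.fromisoformat(retain_until) < today
    reason = label + ("+" + ",".join(sorted(codes)) if codes else "")
    return Handling(sensitive, "priority-patch" if sensitive else "standard",
                    expired, reason)

# Constructed sample metadata, as it might be read from file properties.
SAMPLE_FILES = {
    "client-ledger.xlsx": {"classification": "Restricted",
                           "regulatory_codes": ["GDPR"],
                           "retain_until": "2030-01-01"},
    "lunch-menu.pdf": {"classification": "public",
                       "retain_until": "2015-06-30"},
    "staff-directory.docx": {"classification": "internal",
                             "regulatory_codes": ["gdpr"]},
    "scan0042.tif": {},  # never classified
}

def plan(files: dict, today: date) -> dict:
    """Return the handling decision for every file in the inventory."""
    return {name: decide_handling(meta, today) for name, meta in files.items()}

if __name__ == "__main__":
    for name, h in plan(SAMPLE_FILES, date(2016, 5, 1)).items():
        print(f"{name:22} encrypt={h.encrypt!s:5} tier={h.storage_tier:14} "
              f"dispose={h.dispose!s:5} ({h.reason})")
```

The unclassified scan ends up with the strictest handling, which is what makes an inventory of unlabelled files the first thing to work down.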
This report from Forrester outlines the critical importance of data discovery and classification to the success of data security and privacy programs. Forrester states that “classification is the foundation for all data security and privacy-related efforts, including DLP”. In other words, if your data is not classified, it is outmoded and a security risk. Especially in a world where the traditional data protection perimeter has been eroded by mobile devices and the cloud, being able to quickly identify data, where it resides, and who has access to it is critical to any information protection strategy.
So, when did you last upgrade your data?