There’s a good reason that roughly 68 percent of business leaders feel the cybersecurity risks for their company are increasing, according to recent research by Accenture. They are increasing.
From phishing to incidental data exposure as a result of human error, data breaches are becoming increasingly common among organizations of all types. In the first half of 2020 alone, more than 36 billion corporate records were exposed by mistake, according to RiskBased Security.
Part of the problem is that most companies still struggle with identifying the full scope of the data generated by their organization, and fail to classify it based on sensitivity level. More than half of all data within the typical company is unclassified or untagged. Without understanding the sensitivity of data, it is hard to properly secure it.
Sensitivity classification is a foundation for proper data security, and the good news is that establishing a robust classification system is not as hard as it was even a decade ago.
There are five basic steps for implementing a comprehensive data sensitivity classification system.
Step 1: Make a Data Classification Plan
The first step is developing a plan for data classification that fits the needs of the organization.
Data classification is essential for risk mitigation, but other frequent use cases for it according to Gartner research include governance/compliance, efficiency and optimization, and analytics support. So defining classification objectives should be the starting point for your plan, including which systems are in scope for the initial classification process, and any regulatory frameworks for data that the company must follow.
Once those core considerations are defined, organizations should categorize data according to type, such as personally identifiable information or intellectual property, and define data classification levels.
For more on this step, read our article, How to Develop a Data Sensitivity Classification Plan.
Step 2: Define the Automated Classification Process
There are three ways that each piece of corporate data can get classified. Data can be manually classified by employees, it can be classified automatically by data discovery and security systems, or organizations can take a hybrid approach that combines both automated and manual classification.
As the heading for this step implies, most organizations will want at least some measure of data classification automation because complete manual classification is functionally impossible. Besides, there’s no point in making classification a manual process.
Most businesses that successfully classify data according to sensitivity take a hybrid approach that combines comprehensive automated data discovery and classification with an ongoing manual audit of data classification performed by the system.
There are several robust data discovery and classification solutions on the market, including Qohash’s cloud-based Qostodian platform that can uncover sensitive corporate data even on public cloud servers and personal computing devices within an employee’s home.
As part of this step, businesses also will define what data should be scanned first, the frequency of scanning, and the resources used for maintaining data classification.
Step 3: Specify Classification Criteria and Review
With a data classification solution in place, the third step is defining the criteria for classification, and the process for verifying correct classifications.
In terms of classification criteria, an organization will want to define the classification patterns and labels within the automated solution that will be required for correct classification. This will be easy or hard depending on the organization’s knowledge of its complete data footprint, the schema developed during the classification planning phase, and the automated data classification solution that has been chosen.
Businesses also should specify the process for reviewing the automated data classification as part of this step, and the process for validating its ongoing accuracy.
Classification accuracy typically is broken down into two measures, according to the Association for Information and Image Management (AIIM):
> What percentage of the automated solution’s data classifications are the same as a human would assign? Perfect precision means that all data is classified in the same way as what would be achieved by manual classification.
> A distinct but related metric, what percentage of all valid data is the automated solution able to classify correctly for a given data category? Perfect recall means that all corporate data intended for inclusion is classified correctly by the solution.
Step 4: Establish Overall Outcomes and Classified Data Usage
Data classification is not an end unto itself, so the next step is defining and setting up the analytics and security processes that will take place as a result of data classification. This is where the classification usage and overall outcomes are defined and implemented. From a data security perspective, this also is the payday for all the steps that came before.
Where possible, outcomes based on data classification should be automated so they can take place in real-time with minimal opportunity for latency between data creation and the use cases based on classification. This is especially critical for security processes built around sensitive data classification, because data such as intellectual property and personal identifying information requires immediate security action.
As part of this process, test and review outcomes prior to systems rollout to verify that they conform to all objectives specified in the organization’s data classification plan.
Step 5: Monitor and Maintain Classification
The final step is one of the most important.
Data classification is not one and done, so establish a process for discovering and classifying corporate data resources on an ongoing basis. This includes specifying the frequency of discovery and classification if it is not performed automatically in real-time.
Along with establishing an ongoing data classification process, businesses also should define a process for periodically reviewing data classification categories and the classification process overall.
If regulatory compliance is one of the objectives for the classification effort, this should include specifying a process for monitoring regulatory changes on an ongoing basis for continued data classification relevancy.
Ensuring that all sensitive corporate data is properly secured is not an instant process. But at the same time, it is easier than many businesses realize. All it takes is awareness of the corporate landscape, a little structured planning, and the right data automation technology in place.
Much of this process, from data discovery to automatic real-time classification of sensitive data, can be handled by Qohash’s Qostodian solution. Contact us for a Qostodian demo or guidance on how to simplify your company’s data security operation.
