2:30 PM -- "That's classified." It's a phrase we hear in spy movies and TV shows, or in conversations with government agencies. Yet, we seldom hear it used around businesses -- and maybe we should.
"Classified," when you think about it, is simply a term that indicates someone has evaluated a particular set of data and gauged its sensitivity. Highly classified data gets lots of access restrictions and special security measures. Non-classified data isn't sensitive and doesn't need much protection.
It's a simple idea, but most corporations don't practice it very well. According to a study published earlier this week by Forrester Research Inc. and RSA Security Inc. (Nasdaq: EMC), only 61 percent of companies surveyed have a data classification policy -- and nearly half of them said that policy is rarely enforced. More than half of the respondents said their data classification policies were "reasonably up to date but need some attention," and 18 percent said their policies were out of date. (See Enterprises Wrestle With Security Policies.)
Why do companies have so much trouble with data classification? A big reason is that many of them regard it as an IT function. They expect their technology people to evaluate the sensitivity of each data set and determine the appropriate security measures to take. This is an overwhelming task for an already-overburdened IT organization -- and highly inefficient, since IT people often don't know which data might be sensitive to the business.
Government agencies, by contrast, have predetermined policies for determining the security classifications of particular types of data. In those agencies, the level of classification is determined by the people who create or review the data -- not by the IT organization. This makes sense, since the people who develop the information are best qualified to judge the repercussions if it should leak out.
In business, however, the lack of good data classification policies is one of the chief reasons companies have difficulty preventing security breaches. IT can't practically secure every bit of data that exits the company, yet the security department is often given very little guidance on which data most needs protecting. As a result, some sensitive data is often overlooked and left in the clear.
If corporations are going to develop effective security strategies they need to first establish a common method for classifying data, which can be used by all employees. When a document or data set is created, the employee should be forced to make a determination as to how sensitive it might be, triggering the appropriate encryption or other methods of data protection.
True, this process requires some oversight, as employees themselves sometimes fail to recognize the sensitivity of the data they create. But by red-flagging data they know to be business-critical, employees could help IT find the most important information and secure it -- before it leaks out.
Tim Wilson, Site Editor, Dark Reading