By Danny Maher, CTO, HANDD Business Solutions
Data is like water. Let it flow unmanaged through your organization and it will flood every available place, finding its way onto unauthorised hard drives, printed paper and insecure Gmail accounts, eroding your cybersecurity in the process. You can bank on it flowing beyond your systems and into the hands of others.
Smart companies will channel data flows carefully from beginning to end. Think of a carefully-plumbed system with valves and shutoffs to ensure that it goes only where you want it to. This is the only way to stop it from falling into the wrong hands and hitting the headlines.
You can control your information like this by understanding its lifecycle within your company. Create a policy that documents and governs every document and record at each stage of its journey. Enforce this policy using a mixture of well-defined processes, properly-trained people, and technology tools that protect data and automatically catch mistakes.
There are several phases in this information lifecycle. Each of them carries its own threats and dangers to your data, but also presents its own opportunities for protecting information.
Creation is one of the most crucial stages for a data record, because this is where you can prepare it for the rest of its journey inside your company. Information comes from a variety of places, including documents created by your own employees. Understand where it enters your company and the form that it takes.
You can’t control data with a security policy if you don’t know what it represents or who should be accessing it. Use data classification tools to electronically link each data item to the relevant policy.
This classification takes the form of metadata. It describes a record’s key characteristics, including where it came from, how sensitive it is, who created it, and when. These classification tags become your data’s passport for the rest of its journey through the company, and will enable you to automate key decisions governing it.
Advanced classification could even cover which business processes a record supports, which customer it is about (if any), and which employee or department handles that record. That will help when managing requirements under GDPR, which many companies have yet to grasp.
The first decisions that you make about your data involve where you store it and how. In an ideal world, we would store all our records using strong encryption on high-performance solid-state drives. In practice, that’s prohibitively expensive, so we must be smarter about it.
Understanding which data is classified as sensitive enables administrators to automatically encrypt only those records that need it.
If we know which records support business processes that rarely need to access them, we can store them on lower-speed SATA drives or even tape. Equipped with the necessary metadata, your data management software can make those decisions for you.
Having stored your data appropriately, how do you stop the wrong people from accessing it? Get that wrong, and an employee might pilfer it, as was the case with BUPA recently. Organisations can mitigate this risk using basic cybersecurity hygiene.
For starters, not everyone should have access to all data. Security administrators can use identity and access management (IAM) systems to define roles and responsibilities for everyone in the company, and then assign access privileges accordingly. This access should be on a least-privilege basis, so that each user can view and edit only what they need, and no more.
Use these IAM systems to log who accessed data and when. An audit trail can be useful for compliance purposes, and can also hold employees accountable for what they’re doing.
The next stage of the information lifecycle is closely linked to the last. Even if a company restricts data access to only those that need it, it still runs the risk of inappropriate sharing. This can happen maliciously or unwittingly. Employees frequently publish sensitive information by mistake, but the Information Commissioner’s Office is unlikely to be sympathetic when it analyzes such cases.
Handle data access particularly badly, and it doesn’t even have to be one of your own employees that goes rogue. Anthem’s latest breach occurred after someone at a third-party consulting firm took it upon himself to email himself thousands of the healthcare firm’s sensitive customer records.
As with other stages in the information lifecycle, use technology to reinforce well-defined processes here. If information is tagged with a certain sensitivity level, use tools such as data leak protection (DLP) to stop it leaving the organisation via channels like email, removable storage, or simple digital cut and paste.
Information rights management (IRM) tools can ensure that users only share information with authorised people, according to certain parameters. Your policy might dictate which devices can open it, and how long you can access it for.
Old data never dies; it just languishes unnoticed on hard drives that later crop up on eBay. When the time comes to retire records, do it properly. Their metadata will dictate whether you should archive them or destroy them. In the latter case, use secure disposal services that forensically wipe hard drives or destroy the physical media altogether.
Responsible data retirement punctuates your information governance process, eliminating the risk of records turning up in a dumpster somewhere (and your company turning up in a data breach story).
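The sketch below is an added example, not code from the author or any product: it shows classification metadata driving the storage, sharing and retirement decisions described above, with unclassified records failing closed. The tag names, sensitivity levels, channel limits and retention defaults are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEVELS = ("public", "internal", "confidential")   # assumed labels, lowest to highest
TOP = len(LEVELS) - 1
# Assumed DLP rule: highest sensitivity level allowed to leave via each channel.
EGRESS_LIMIT = {"email": 1, "removable_storage": 0, "clipboard": 0}

@dataclass
class Tags:
    """Classification metadata attached at creation (field names are assumptions)."""
    sensitivity: Optional[str]        # None models a record that was never classified
    created: date
    access: str = "frequent"          # "frequent" or "rare"
    retention_years: int = 7
    archive_on_expiry: bool = False

def level(tags: Tags) -> int:
    # Fail closed: a missing or unrecognised label is treated as the top level.
    return LEVELS.index(tags.sensitivity) if tags.sensitivity in LEVELS else TOP

def storage_decision(tags: Tags) -> dict:
    # Encrypt only what needs it; put rarely used records on cheaper media.
    return {"encrypt": level(tags) == TOP,
            "tier": "ssd" if tags.access == "frequent" else "sata_or_tape"}

def may_leave_org(tags: Tags, channel: str) -> bool:
    # Unknown channels get limit -1, so nothing passes through them.
    return level(tags) <= EGRESS_LIMIT.get(channel, -1)

def retirement_action(tags: Tags, today: date) -> str:
    year = tags.created.year + tags.retention_years
    try:
        expiry = tags.created.replace(year=year)
    except ValueError:                # created on 29 Feb, expiry year is not a leap year
        expiry = tags.created.replace(year=year, day=28)
    if today < expiry:
        return "retain"
    return "archive" if tags.archive_on_expiry else "secure_destroy"

if __name__ == "__main__":
    # Constructed sample records.
    untagged = Tags(None, date(2016, 2, 29))
    brochure = Tags("public", date(2020, 5, 1), access="rare")
    for rec in (untagged, brochure):
        print(storage_decision(rec), may_leave_org(rec, "email"),
              retirement_action(rec, date(2024, 1, 1)))
```

Treating a missing label as the highest sensitivity means a gap in classification costs storage and convenience rather than exposure.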
Data records are both valuable and dangerous. They can build your business if used efficiently to improve customer service and bolster your sales and marketing. They can also break your company if they turn up in the wrong place.
Talk to an expert about governing your data’s journey through the company as effectively as you govern your employees. With breach statistics growing, there’s no time like the present.