What’s the value?

Data classification is hard.

When I was working in the realm of credit card data as a Qualified Security Assessor (QSA), one of the things that I always found interesting was how companies protected their credit card data versus the rest of the data in their organization. Often, businesses had placed many additional controls around the credit card data than around other data, mostly because of the requirements from the Payment Card Industry. However, when you look at the value of a credit card number, what they were protecting was the costume jewelry of data.

Instead, it should be the crown jewels of their enterprise, such as the key intellectual property and business intelligence that makes their business valuable. Why does a corporation spend so much on protecting costume jewelry and yet leave their crown jewels relatively open? Because they can’t tell the difference between the two.

What are the crown jewels? As Erkang Zheng puts it, they’re the “.01 to 2 percent of data that determines whether your enterprise will survive and thrive“. In other words, a tiny fraction of the data that is responsible for a huge portion of the value for the company, often up to 70% of the whole value of all the data in the company. Think of the communications between executives detailing the next corporate purchase or merger, or the details surrounding the next big project or product.

Businesses invest major amounts of money to develop these plans and the details can be worth millions to a competitor, but if they’re not protected any better than a credit card number that’s worth pennies, you can guarantee a motivated attacker could get to them.

Why aren’t we hearing about compromised intellectual property?

We’ve been hearing about the compromise of credit card and personal data for several years now, but we haven’t heard how many corporations have lost key intellectual property to attackers. The reason is simple: there are a number of laws around the globe that require businesses to disclose leaked credit card numbers but few, if any, that require businesses to disclose the leakage of intellectual property or trade secrets. In fact, it’s detrimental to the stock price of most businesses if they do disclose, making it very unlikely that any are going to willingly tell the public of a breach.

I have an analyst friend who once told me that most Data Leak Prevention (DLP) fails when it comes to the data discovery and identification step in the project. I think in large part it’s because most data classification efforts are started from a technical standpoint and try to shoehorn business processes into a system chosen based on the needs of a security team.

What should be happening instead is that the security teams understand the needs of the business, how the organization creates and manipulates data, then choose the solution that best fits the business needs. Make the selection of technologies one of the last steps.

Continuous review

Finally, the most important part of data classification and protection is the realization that it’s a continuing process, not something that can be done once and forgotten. It requires the enterprise to incorporate data classification into the daily procedures that make the business run. If the business loses sight of where the crown jewels are and why they’re being protected, they might just get stolen next time someone does a raid on the costume jewelry.

More from Data Protection

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Meeting Today’s Complex Data Privacy Challenges

Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above? If you answered "all of the above," you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned…