What’s the value?

Data classification is hard.

When I was working in the realm of credit card data as a Qualified Security Assessor (QSA), one of the things that I always found interesting was how companies protected their credit card data versus the rest of the data in their organization. Often, businesses had placed many additional controls around the credit card data than around other data, mostly because of the requirements from the Payment Card Industry. However, when you look at the value of a credit card number, what they were protecting was the costume jewelry of data.

Instead, it should be the crown jewels of their enterprise, such as the key intellectual property and business intelligence that makes their business valuable. Why does a corporation spend so much on protecting costume jewelry and yet leave their crown jewels relatively open? Because they can’t tell the difference between the two.

What are the crown jewels? As Erkang Zheng puts it, they’re the “.01 to 2 percent of data that determines whether your enterprise will survive and thrive“. In other words, a tiny fraction of the data that is responsible for a huge portion of the value for the company, often up to 70% of the whole value of all the data in the company. Think of the communications between executives detailing the next corporate purchase or merger, or the details surrounding the next big project or product.

Businesses invest major amounts of money to develop these plans and the details can be worth millions to a competitor, but if they’re not protected any better than a credit card number that’s worth pennies, you can guarantee a motivated attacker could get to them.

Why aren’t we hearing about compromised intellectual property?

We’ve been hearing about the compromise of credit card and personal data for several years now, but we haven’t heard how many corporations have lost key intellectual property to attackers. The reason is simple: there are a number of laws around the globe that require businesses to disclose leaked credit card numbers but few, if any, that require businesses to disclose the leakage of intellectual property or trade secrets. In fact, it’s detrimental to the stock price of most businesses if they do disclose, making it very unlikely that any are going to willingly tell the public of a breach.

I have an analyst friend who once told me that most Data Leak Prevention (DLP) fails when it comes to the data discovery and identification step in the project. I think in large part it’s because most data classification efforts are started from a technical standpoint and try to shoehorn business processes into a system chosen based on the needs of a security team.

What should be happening instead is that the security teams understand the needs of the business, how the organization creates and manipulates data, then choose the solution that best fits the business needs. Make the selection of technologies one of the last steps.

Continuous review

Finally, the most important part of data classification and protection is the realization that it’s a continuing process, not something that can be done once and forgotten. It requires the enterprise to incorporate data classification into the daily procedures that make the business run. If the business loses sight of where the crown jewels are and why they’re being protected, they might just get stolen next time someone does a raid on the costume jewelry.

More from Data Protection

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Millions Lost in Minutes — Mitigating Public-Facing Attacks

In recent years, many high-profile companies have suffered destructive cybersecurity breaches. These public-facing assaults cost organizations millions of dollars in minutes, from stock prices to media partnerships. Fast Company, Rockstar, Uber, Apple and more have all been victims of these costly and embarrassing attacks. The total average cost of a data breach has increased by 2.6% since 2021 and is now $4.35 million. Organizations that don't deploy zero trust security models also incur an average of $1 million more in…

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…